GUI - Audit Connectivity Stuck

[ProximusAl]

I have a new issue with my OPNSense install of 22.7.10_2.

When I use the GUI to do a connectivity check I get the following:

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 22.7.10_2 (amd64/OpenSSL) at Sun Jan  8 13:02:55 GMT 2023
Checking connectivity for host: mirror.wjcomms.co.uk -> 212.13.198.41
PING 212.13.198.41 (212.13.198.41): 1500 data bytes
1508 bytes from 212.13.198.41: icmp_seq=0 ttl=55 time=8.133 ms
1508 bytes from 212.13.198.41: icmp_seq=1 ttl=55 time=8.109 ms
1508 bytes from 212.13.198.41: icmp_seq=2 ttl=55 time=8.101 ms
1508 bytes from 212.13.198.41: icmp_seq=3 ttl=55 time=8.079 ms

--- 212.13.198.41 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 8.079/8.105/8.133/0.019 ms
Checking connectivity for repository (IPv4): http://mirror.wjcomms.co.uk/opnsense/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 820 packages processed.
All repositories are up to date.
Checking connectivity for host: mirror.wjcomms.co.uk -> 2001:ba8:0:1da::41
PING6(1548=40+8+1500 bytes) 2a00:XXXX:XXXX:XXXX::709 --> 2001:ba8:0:1da::41

--- 2001:ba8:0:1da::41 ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv6): http://mirror.wjcomms.co.uk/opnsense/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...

And then it hangs here forever.

What I find odd, is I can happily ping this IP address from the diagnostics in the GUI or the CLI:

# /sbin/ping -6 -c '3' 'mirror.wjcomms.co.uk'
PING6(56=40+8+8 bytes) 2a00:XXXX:XXXX:XXXX::709 --> 2001:ba8:0:1da::41
16 bytes from 2001:ba8:0:1da::41, icmp_seq=0 hlim=55 time=7.733 ms
16 bytes from 2001:ba8:0:1da::41, icmp_seq=1 hlim=55 time=7.745 ms
16 bytes from 2001:ba8:0:1da::41, icmp_seq=2 hlim=55 time=7.700 ms

--- mirror.wjcomms.co.uk ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 7.700/7.726/7.745/0.019 ms

This however from the CLI does not work:

ping6 -s 1548 mirror.wjcomms.co.uk

It looks like the GUI is doing a much higher count (PING6(1548=40+8+1500 bytes)) on the GUI than a normal diagnostic ping.

I have this in a couple of installs where I have IPv6 enabled.

This is a routing only firewall, no NAT or anything strange, and everything is routing great through the firewall, just this is annoying.

Does anyone know what the issue might be here?

Check for updates - Works fine
Run an Audit - Security - Works Fine
Run an Audit - Health - Works Fine
Run an Audit - Connectivity - As Above - Fails and hangs at Updating OPNsense repository catalogue.

Just to note, I had to enable "Prefer IPv4 over IPv6" in Settings to get Check for Update to work properly.

[ProximusAl]

It appears that ping6 -s 1452 is the highest I can go to get ping to work on IPv6

This is a leased line, not PPPoE or DHCP WAN, all static IPs

I’m not well versed in MTU/MSS, does anyone have any suggestions?

IPv4 seems to be fine on MTU 1500

[franco]

The ping for connectivity check is oversize to surface issues with fragmentation or larger packets seen in the wild from time to time. It's not entirely reliable and may be ignored but since your IPv6 repository update afterwards hangs as well it's clearly indicating the issue at hand.

WAN MTU must be set to work for IPv6 as well or perhaps set MSS values for TCP via Firewall: Settings: Normalization. I don't know which one works best for your case.


Cheers,
Franco

[ProximusAl]

Hi Franco,

As this is a leased line, it's all ethernet, so the MTU is 1500.

I haven't added the MTU as 1500 as I presumed, perhaps wrongly, it defaults to 1500?

I should add that IPv6 is working perfectly well, it's only this health check that is stuck.

IPv6 is flowing normally and working well with devices behind OPNSense.

Perhaps I can try a manual fetch from the CLI when I next get a chance to plug it in to the leased line. (Only get access at weekends as its in production)

[franco]

The failure is in

# pkg -6 update

I'm sure clients work fine but the firewall IPv6 connectivity might not be fully operational for whatever reason. I mean the ping you dispatched confirmed that.

I'd try the same ping size on your clients to at least confirm the consistency or oddity on the OPNsense.

This could be an issue with pkg/libfetch but either way that is not where we have much say in.


Cheers,
Franco

[ProximusAl]

Thanks for the pointers Franco.

I'll check it again from a client when I get the chance.