disable "Dynamic state reset" for VPN

Started by Wired Life, December 26, 2021, 04:35:59 PM

Hey, I'm facing the same issue described here
https://forum.opnsense.org/index.php?topic=14946.0
Is there a way to fix this?

Thanks!

Hi
Have you tried disabling the "Dynamic state reset" option? Is this causing any problem?

I need to keep this enabled because of VoIP.
The connections need to be killed on new IP but only on PPPoE not on VPN.

Quote: I need to keep this enabled because of VoIP.
I understand this, but some changes have been made and this option may no longer be needed.


Quote from: franco on January 06, 2022, 08:39:07 AM
*on 22.1

On 22.1 what happens? Is there a solution to our problem?
Can you describe what has been changed and how to use it?

I'll defer this question to 22.1-RC1 release notes...


Cheers,
Franco

Quote from: franco on January 07, 2022, 12:46:59 PM
I'll defer this question to 22.1-RC1 release notes...


Cheers,
Franco

ETA in sight? :-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....



So, working on the release notes, what changed is the following:

The kill state on gateway failure option is no longer available due to heavy-handed disruption of the implementation leading to a number of support issues over the years. It was since switched to disabled by default, but we haven't seen a good use case for it so now it will be removed for good. The GUI IP change full state killing doing the same thing when a WAN IPv4 changes, however, will remain for the time being.

On the other hand, the default state killing on a WAN IPv4 change when said option is not enabled will change as follows:

1. The cache file used to determine which address was previously configured is now exclusive to the script handling the address change, meaning it will never miss an address change, which was previously possible. This already helps in some cases to make it function properly.

2. In addition to killing all states from said cached address, the default function will now also kill all states with the address as the destination, which should fix cases where the state kill triggered but wasn't working for incoming connections, which led to use of the IP address change GUI option, which kills every state of the firewall (also not optimal, obviously).


Cheers,
Franco
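
The two changes described in the post above, sketched as an added example (this is not OPNsense's own script): a handler that alone owns the address cache file and, on a change, kills pf states both from and to the old address using `pfctl -k`. The function names, the cache file location and the sample addresses are assumptions, and `PFCTL` defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added illustration, not the OPNsense implementation.
# Hypothetical names: handle_address_change, kill_states_for, the cache file.

# Dry run by default: print the pfctl command instead of executing it.
# Set PFCTL=pfctl on a real pf system (requires root).
PFCTL="${PFCTL:-echo pfctl}"

# kill_states_for OLD_ADDR
kill_states_for() {
    old="$1"
    # States originating from the old address (outgoing connections).
    $PFCTL -k "$old"
    # States with the old address as destination (incoming connections):
    # a second -k selects "from first host/network to second host".
    $PFCTL -k 0.0.0.0/0 -k "$old"
}

# handle_address_change CACHE_FILE NEW_ADDR
# Only this function reads and writes CACHE_FILE, so no other script can
# update the cache first and hide an address change from it.
handle_address_change() {
    cache="$1"
    new="$2"
    old=""
    if [ -s "$cache" ]; then
        old=$(cat "$cache")
    fi
    if [ -n "$old" ] && [ "$old" != "$new" ]; then
        kill_states_for "$old"
    fi
    printf '%s\n' "$new" > "$cache"
}

# Demo with constructed documentation addresses (RFC 5737).
demo_cache=$(mktemp)
handle_address_change "$demo_cache" 203.0.113.10   # first address: nothing to kill
handle_address_change "$demo_cache" 198.51.100.7   # change: two kill commands printed
rm -f "$demo_cache"
```

Unlike the full state reset GUI option discussed in the thread, this only touches states that involve the old address, so connections on other interfaces such as a VPN are left alone.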