[SOLVED] HE.NET GIF tunnel never comes up.

Started by 5SpeedFun, February 02, 2022, 05:01:01 AM

Hey franco,

Just wondering if the new 22.1.2 incorporates the fixes you made for the tunnel.  Should I be testing from that or staying on dev channel?

Let me know!

Hi 5SpeedFun,

It's still on devel for 22.1.2 but we plan to integrate it into 22.1.3. Unbound overrides code is still problematic so if you could give me more hints for that that would be highly appreciated.


Cheers,
Franco

March 02, 2022, 06:59:23 PM #32 Last Edit: March 02, 2022, 07:04:16 PM by 5SpeedFun
Quote from: franco on February 28, 2022, 04:28:46 PM
Thanks, very nice to hear. :)

So yes you can compare the resulting config.xml (just export) where the new overrides should be stored under OPNsense/unboundplus tag. On your 21.7.8 system it is stored under "unbound".

If you don't mind you can also send me the old "unbound" portion to examine via mail franco@opnsense.org so I can see what's going on quickly.


Cheers,
Franco

Hey Franco,

I looked into this.

Basically, my <unbound> sections on both 21.7.8 and 22.7.a_94 are identical.

However 22.7.a_94 also has an unboundplus section as follows:

    <unboundplus version="1.0.0">
      <service_enabled/>
      <dnsbl>
        <enabled>0</enabled>
        <type/>
        <lists/>
        <whitelists/>
      </dnsbl>
      <dots/>
      <miscellaneous>
        <privatedomain/>
      </miscellaneous>
    </unboundplus>


Maybe the <unbound> section never got migrated for some reason?

I've e-mailed you my 21.7.8 unbound config.
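A quick way to confirm what the two posts above compare by hand, as an added example that is not OPNsense code: parse an exported config.xml and report whether host overrides still sit only in the legacy top-level `<unbound>` section or have also arrived under `<OPNsense><unboundplus>`. The unboundplus skeleton is the one quoted above; the legacy `<hosts>` override layout and the unboundplus `<hosts><host>` layout are assumptions made for the illustration, and the sample exports are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. The <OPNsense><unboundplus> skeleton is the one quoted in
# the thread; the legacy <unbound><hosts> override layout and the unboundplus
# <hosts><host> layout are ASSUMED for illustration and may differ from a real export.
FAILED_MIGRATION = """<?xml version="1.0"?>
<opnsense>
  <unbound>
    <enable>1</enable>
    <hosts>
      <host>nas</host>
      <domain>lan.example</domain>
      <rr>A</rr>
      <ip>192.0.2.10</ip>
    </hosts>
    <hosts>
      <host>printer</host>
      <domain>lan.example</domain>
      <rr>A</rr>
      <ip>192.0.2.11</ip>
    </hosts>
  </unbound>
  <OPNsense>
    <unboundplus version="1.0.0">
      <service_enabled/>
      <dnsbl>
        <enabled>0</enabled>
        <type/>
        <lists/>
        <whitelists/>
      </dnsbl>
      <dots/>
      <miscellaneous>
        <privatedomain/>
      </miscellaneous>
    </unboundplus>
  </OPNsense>
</opnsense>
"""

# The same export after a migration that copied both overrides (assumed target layout).
MIGRATED = FAILED_MIGRATION.replace(
    "      <dots/>\n",
    "      <dots/>\n"
    "      <hosts>\n"
    "        <host uuid=\"00000000-0000-0000-0000-000000000001\">\n"
    "          <enabled>1</enabled><hostname>nas</hostname><domain>lan.example</domain>"
    "<rr>A</rr><server>192.0.2.10</server>\n"
    "        </host>\n"
    "        <host uuid=\"00000000-0000-0000-0000-000000000002\">\n"
    "          <enabled>1</enabled><hostname>printer</hostname><domain>lan.example</domain>"
    "<rr>A</rr><server>192.0.2.11</server>\n"
    "        </host>\n"
    "      </hosts>\n",
)


def legacy_overrides(root):
    """(host, domain, ip) for each entry under the legacy top-level <unbound><hosts>."""
    return [(h.findtext("host", ""), h.findtext("domain", ""), h.findtext("ip", ""))
            for h in root.findall("./unbound/hosts")]


def plus_overrides(root):
    """(hostname, domain, server) for each <host> under <OPNsense><unboundplus><hosts> (assumed layout)."""
    return [(h.findtext("hostname", ""), h.findtext("domain", ""), h.findtext("server", ""))
            for h in root.findall("./OPNsense/unboundplus/hosts/host")]


def migration_status(xml_text):
    """Classify an export as 'ok', 'migration-failed', 'nothing-to-migrate' or 'no-unboundplus'."""
    root = ET.fromstring(xml_text)
    legacy = legacy_overrides(root)
    if root.find("./OPNsense/unboundplus") is None:
        return {"state": "no-unboundplus", "legacy": len(legacy), "migrated": 0, "missing": legacy}
    new = plus_overrides(root)
    present = {(n[0], n[1]) for n in new}           # match on hostname + domain
    missing = [e for e in legacy if (e[0], e[1]) not in present]
    if not legacy:
        state = "nothing-to-migrate"
    elif missing:
        state = "migration-failed"                 # legacy entries exist, not mirrored in unboundplus
    else:
        state = "ok"
    return {"state": state, "legacy": len(legacy), "migrated": len(new), "missing": missing}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else FAILED_MIGRATION
    print(migration_status(text))
```

Run it against a real export with the file path as the only argument; the "missing" list is the set of overrides that are still present in the config but, as Franco notes, cannot be used by the new code until the migration is repaired.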

Uh, thanks, it means the migration failed which is also why the overrides appear to be gone. They are not gone, but they can't be used either. Should be easy to fix.


Cheers,
Franco

March 02, 2022, 09:04:10 PM #34 Last Edit: March 03, 2022, 12:39:52 AM by 5SpeedFun
Quote from: franco on March 02, 2022, 08:25:54 PM
Uh, thanks, it means the migration failed which is also why the overrides appear to be gone. They are not gone, but they can't be used either. Should be easy to fix.


Cheers,
Franco

Yeah.  I think they are just "gone" in the sense they don't appear in the GUI.  I also don't think they are loaded into unbound since they are in the wrong section.  But obviously if you download the opnsense configuration you can still see them there.

Always happy to help :)

5SF

Hey @franco, did you get my email with a list of overrides?  I haven't heard anything here or by email so not sure if you received it or it went into your junk folder  ;D


Hi,

I was away with the family for a couple of days. I got your mail to be processed when I have crawled through all open mails and forum posts from the last week. :)

So with 22.1.2(_1) I prepared a backport for 22.1.3 and tested it a few times:

https://github.com/opnsense/core/commit/429b60c26

That should be the gist of your issue taken care of and you can easily try it out after upgrading to the 22.1.2 release (not development) and issuing:

# opnsense-patch 429b60c26

If you think that works we will go ahead and include it in 22.1.3 and the bonus is the unbound changes are not in 22.1.x yet so it keeps working until we fix that one in another feature update or maybe 22.7 itself. Not sure yet.


Cheers,
Franco

Thanks Franco!  I'll give that a shot in the next day or two.  I'm due to re-clone my 21.7.8 "production" vm as I've made alias & other small changes. 

I am always worried if email from my personal domain goes to spam.  While it has been around 10+ years, it's still hosted at home 8)

Quote from: franco on March 10, 2022, 10:54:28 AM
Hi,

I was away with the family for a couple of days. I got your mail to be processed when I have crawled through all open mails and forum posts from the last week. :)

So with 22.1.2(_1) I prepared a backport for 22.1.3 and tested it a few times:

https://github.com/opnsense/core/commit/429b60c26

That should be the gist of your issue taken care of and you can easily try it out after upgrading to the 22.1.2 release (not development) and issuing:

# opnsense-patch 429b60c26

If you think that works we will go ahead and include it in 22.1.3 and the bonus is the unbound changes are not in 22.1.x yet so it keeps working until we fix that one in another feature update or maybe 22.7 itself. Not sure yet.


Cheers,
Franco

I started at my 21.7.8 -> 22.1 -> 22.1.2_1 -> patch 429b60c26

Looking really good.  All my services are started & he.net tunnel works with no finagling and comes up @ startup.
My unbound DNS overrides are there as well (I assume this is because the devel stuff I helped you with before, that previously broke, is only in the devel tree and/or after patch 429b60c26).

Overall this looks really good.  Excellent work!

Would you like me to help you test the unbound overrides on another thread or github?

Thanks for all your great work!

5SF

Also: Can I stay on this version until next release and then upgrade cleanly or should I go back to 21.7.8 and wait until this patch is included in a release?

Thanks, happy to hear.

The patch you applied will be part of 22.1.3 then. I did more testing this morning and it looks good from here as well. You can stay on what you have now if it works for you. :)

Yes, Unbound is still on devel. Will look at it later today so the devel version with 22.1.3 will hold that code to try out via snapshot. Still unclear on the unbound changes ETA so that would be just for snapshot hopping and helping us out if it looks better then.


Cheers,
Franco

Unfortunately I may have to roll back again.

The firewall doesn't nat traffic on startup.  I think it may be related to Configuring Firewal...failed.

Doing a packet capture across my "internet" and "lan" interface shows traffic exiting unnatted.  Connectivity from the firewall itself is ok, however.

Any suggestions on how to troubleshoot would be appreciated.

5SF

It should land in logs... can you see the error?

# opnsense-log | grep "There were error"

Though I'm unsure if this is a transient error on boot that fixes itself later or not. Not loading pf rules at all would likely stop making LAN traffic work...


Cheers,
Franco

Sorry for the delay on this.

This is what showed up:

<11>1 2022-03-19T23:59:26-05:00 edge01.mydomain.net opnsense 532 - [meta sequenceId="52"] /usr/local/etc/rc.bootup: There were error(s) loading the rules: /tmp/rules.debug:580: syntax error - The line in question reads [580]: pass in quick on sfxge0_vlan99 route-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) reply-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) inet6 proto ipv6-icmp from {(sfxge0_vlan99:network)} to {any} keep state label "c76413485ed2ae88121270a76c0ee3fa" # : ICMP v6
<11>1 2022-03-19T23:59:28-05:00 edge01.mydomain.net opnsense 65537 - [meta sequenceId="56"] /usr/local/etc/rc.filter_configure: There were error(s) loading the rules: /tmp/rules.debug:580: syntax error - The line in question reads [580]: pass in quick on sfxge0_vlan99 route-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) reply-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) inet6 proto ipv6-icmp from {(sfxge0_vlan99:network)} to {any} keep state label "c76413485ed2ae88121270a76c0ee3fa" # : ICMP v6
<11>1 2022-03-19T23:59:32-05:00 edge01.mydomain.net opnsense 88213 - [meta sequenceId="10"] /usr/local/etc/rc.routing_configure: There were error(s) loading the rules: /tmp/rules.debug:586: syntax error - The line in question reads [586]: pass in quick on sfxge0_vlan99 route-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) reply-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) inet6 proto ipv6-icmp from {(sfxge0_vlan99:network)} to {any} keep state label "c76413485ed2ae88121270a76c0ee3fa" # : ICMP v6
<11>1 2022-03-19T23:59:33-05:00 edge01.mydomain.net opnsense 87533 - [meta sequenceId="15"] /usr/local/etc/rc.newwanipv6: There were error(s) loading the rules: /tmp/rules.debug:586: syntax error - The line in question reads [586]: pass in quick on sfxge0_vlan99 route-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) reply-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) inet6 proto ipv6-icmp from {(sfxge0_vlan99:network)} to {any} keep state label "c76413485ed2ae88121270a76c0ee3fa" # : ICMP v6
<11>1 2022-03-19T23:59:34-05:00 edge01.mydomain.net opnsense 41080 - [meta sequenceId="23"] /usr/local/etc/rc.routing_configure: There were error(s) loading the rules: /tmp/rules.debug:586: syntax error - The line in question reads [586]: pass in quick on sfxge0_vlan99 route-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) reply-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) inet6 proto ipv6-icmp from {(sfxge0_vlan99:network)} to {any} keep state label "c76413485ed2ae88121270a76c0ee3fa" # : ICMP v6
<11>1 2022-03-19T23:59:37-05:00 edge01.mydomain.net opnsense 20 - [meta sequenceId="25"] /usr/local/etc/rc.filter_configure: There were error(s) loading the rules: /tmp/rules.debug:586: syntax error - The line in question reads [586]: pass in quick on sfxge0_vlan99 route-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) reply-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) inet6 proto ipv6-icmp from {(sfxge0_vlan99:network)} to {any} keep state label "c76413485ed2ae88121270a76c0ee3fa" # : ICMP v6
<11>1 2022-03-19T23:59:48-05:00 edge01.mydomain.net opnsense 92965 - [meta sequenceId="33"] /usr/local/etc/rc.filter_configure: There were error(s) loading the rules: /tmp/rules.debug:586: syntax error - The line in question reads [586]: pass in quick on sfxge0_vlan99 route-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) reply-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) inet6 proto ipv6-icmp from {(sfxge0_vlan99:network)} to {any} keep state label "c76413485ed2ae88121270a76c0ee3fa" # : ICMP v6

Huh, I think it doesn't support reply-to and route-to at the same time, but I'm a bit confused how it ends up generating it?


Cheers,
Franco

I've added additional validation: https://github.com/opnsense/core/commit/77594c8b99a39

You need to remove the reply-to option from this rule as it breaks the generated rule due to rule model trying to be more complex than it is.


Cheers,
Franco
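A small checker for the kind of `opnsense-log` output quoted above, added here as an example; it is not OPNsense code and not the validation from the linked commit. It pulls the failing rule out of each "There were error(s) loading the rules" message, lists which pf routing options the rule combines, and shows the rule with the `reply-to` clause removed, which is the workaround given in the last post. FreeBSD pf's rule grammar takes at most one of `route-to`, `reply-to` or `dup-to` per rule, so a rule carrying two of them is rejected as a syntax error before any rules load. The first two sample lines are the thread's own log lines; the third is constructed to show that unrelated messages are skipped.

```python
import re

# Constructed sample input: two syslog lines quoted verbatim in the thread, plus one
# constructed non-error line so the parser's filtering is visible.
LOG_LINES = [
    '<11>1 2022-03-19T23:59:26-05:00 edge01.mydomain.net opnsense 532 - [meta sequenceId="52"] '
    '/usr/local/etc/rc.bootup: There were error(s) loading the rules: /tmp/rules.debug:580: '
    'syntax error - The line in question reads [580]: pass in quick on sfxge0_vlan99 '
    'route-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) '
    'reply-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) inet6 proto ipv6-icmp '
    'from {(sfxge0_vlan99:network)} to {any} keep state '
    'label "c76413485ed2ae88121270a76c0ee3fa" # : ICMP v6',
    '<11>1 2022-03-19T23:59:28-05:00 edge01.mydomain.net opnsense 65537 - [meta sequenceId="56"] '
    '/usr/local/etc/rc.filter_configure: There were error(s) loading the rules: /tmp/rules.debug:580: '
    'syntax error - The line in question reads [580]: pass in quick on sfxge0_vlan99 '
    'route-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) '
    'reply-to ( sfxge0_vlan10 fe80::d094:2eff:fec4:27d2 ) inet6 proto ipv6-icmp '
    'from {(sfxge0_vlan99:network)} to {any} keep state '
    'label "c76413485ed2ae88121270a76c0ee3fa" # : ICMP v6',
    # constructed, not from the thread: a message the checker must ignore
    '<13>1 2022-03-19T23:59:40-05:00 edge01.mydomain.net opnsense 90001 - [meta sequenceId="30"] '
    '/usr/local/etc/rc.filter_configure: filter reload done',
]

# Shape of the OPNsense message as it appears in the quoted lines.
ERROR_RE = re.compile(
    r"(?P<script>\S+): There were error\(s\) loading the rules: "
    r"(?P<file>[^:]+):(?P<line>\d+): (?P<msg>.*?) - The line in question reads \[\d+\]: (?P<rule>.*)$"
)
# Parenthesised routespec form that OPNsense generates: route-to ( if addr )
ROUTE_OPT_RE = re.compile(r"\b(route-to|reply-to|dup-to)\s+\([^)]*\)")


def parse_rule_errors(lines):
    """One dict per 'There were error(s) loading the rules' message; other lines are skipped."""
    found = []
    for line in lines:
        m = ERROR_RE.search(line)
        if not m:
            continue
        rule = re.sub(r"\s+#.*$", "", m.group("rule"))   # drop pf's trailing comment
        found.append({
            "script": m.group("script"),
            "file": m.group("file"),
            "line": int(m.group("line")),
            "message": m.group("msg"),
            "rule": rule,
        })
    return found


def route_options(rule):
    """Routing options present in a pf rule, in order of appearance."""
    return [m.group(1) for m in ROUTE_OPT_RE.finditer(rule)]


def drop_reply_to(rule):
    """Return the rule without its reply-to clause (the workaround from the thread)."""
    return re.sub(r"\s*\breply-to\s+\([^)]*\)", "", rule)


def check(lines):
    """Annotate each failing rule with its routing options and, where applicable, a suggested rule."""
    findings = []
    for err in parse_rule_errors(lines):
        opts = route_options(err["rule"])
        err["options"] = opts
        err["conflict"] = len(opts) > 1                 # pf allows only one of these per rule
        err["suggested"] = drop_reply_to(err["rule"]) if err["conflict"] and "reply-to" in opts else None
        findings.append(err)
    return findings


if __name__ == "__main__":
    for f in check(LOG_LINES):
        print(f"{f['script']} {f['file']}:{f['line']} options={f['options']} conflict={f['conflict']}")
        if f["suggested"]:
            print("  suggested:", f["suggested"])
```

The same functions work on `/tmp/rules.debug` lines directly, which is handy for spotting a combined `route-to`/`reply-to` rule before a reboot rather than after the "Configuring firewall" step has already failed.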