22.1.6 Update - Cannot access certain websites/services

Started by BasilBasil, April 17, 2022, 07:46:35 PM

April 17, 2022, 07:46:35 PM Last Edit: April 17, 2022, 08:00:03 PM by BasilBasil
Updated today to 22.1.6, however once I had done that I lose access to random areas of the internet.

Gmail/Exchange - Fine, iCloud/IMAP - Nope!
Certain websites load, others don't
DNS resolves to the IP correctly, but website itself doesn't load. I can ping it, just not visit it (starts to load, then stops).

Even opnsense can't even check for updates, rollback using opnsense-revert, just continually tries "....".

I've reverted back to 22.1.2 by reinstalling via USB and reloading my config.

Absolutely nothing in the logs to indicate anything wrong. But the problem now is I can't even install all my plugins as...

Installation out of date. The update to opnsense-22.1.6 is required.

However, if I update to 22.1.6 then it all falls apart again.

What has changed in the last two or three versions that would make a connection partially work?

Never had an update issue before with opnsense but this one was totally crippling given opnsense itself couldn't contact its servers to roll anything back!

Any suggestions?

Edit: Updated to 22.1.3 via 'other' = 22.1/MINT/22.1.3/OpenSSL and installed all my missing plugins. All is OK on this version too. Going to leave updating for now...

I've had the same thing, I've had to reinstall and put a config on from 22.1 but can't put it all back as can't reinstall the packages.

From what I can tell on boot up on the console I see some DNS config issue (looks like it flashes past saying error in DNS config) after the upgrade which then appears OPNSense can't do any DNS lookups after upgrade.

I was just using unbound as a forwarder for DNS but I've changed to do the lookups and going to set the system DNS to 127.0.0.1 to see if this works but having kids constantly using the internet it's difficult to be able to try things!

I also notice many sites are not reachable. facebook and instagram are among them. Twitter, Tiktok, and Google work fine. Tried to get to facebook via IP and still not reachable, so not a DNS issue.

By the way I am testing a new box with OPNsense 22.1.6 on a separate internet connection. My production firewall, using v 21.7.8, has no issues getting to these sites.

Are you seeing more firewall blocking? I thought I'd seen more default deny happening in real time.

No unusual firewall blocks in the logs. I tried every Facebook-owned site and none of them open. I haven't found any other site that didn't open. Very strange. What is it that Facebook does differently? I can't even get to them via their IP address. No problem on the other firewall. I even tried a default OPNsense install with nothing else modified.

I can ping facebook with no problem. They must have some handshaking that is not working with OPNsense.

April 17, 2022, 09:30:58 PM #5 Last Edit: April 17, 2022, 09:32:51 PM by BasilBasil
Quote from: sijones2010 on April 17, 2022, 08:01:58 PM
I've had the same thing, I've had to reinstall and put a config on from 22.1 but can't put it all back as can't reinstall the packages.

From what I can tell on boot up on the console I see some DNS config issue (looks like it flashes past saying error in DNS config) after the upgrade which then appears OPNSense can't do any DNS lookups after upgrade.

I was just using unbound as a forwarder for DNS but I've changed to do the lookups and going to set the system DNS to 127.0.0.1 to see if this works but having kids constantly using the internet it's difficult to be able to try things!


You can specify a version via the firmware settings and 'other' option, I used "22.1/MINT/22.1.3/OpenSSL" and it's updated everything to 22.1.3 and allowed me to install my plugins. I suggest you try the same.

I also tried a factory reset on 22.1.6 but then DNS servers would not start "no such user: dhcpd". So I had to reinstall then to the USB image of 22.1.2.


Quote from: sijones2010 on April 17, 2022, 08:50:04 PM
Are you seeing more firewall blocking? I thought I'd seen more default deny happening in real time.

Yes, randomly I would see LAN to WAN blocked in the lists even though no LAN routes had changed (Allow all to everything!)

Something very broken in 22.1.5/6 for me, not going to risk 22.1.4 for the moment. Reverting is a pain as you can't do it via the revert command as it can't contact the servers!

Sadly you can't seem to make a 22.1.6 USB easily so I can't even try a live boot.

When I did the upgrade I couldn't get to opnsense.org never mind the forums.

It's really strange, as some websites like youtube and google work but like you've found others don't.

Am guessing it might be blocking a packet that is for setting up the SSL handshake, maybe some sites using a different root cert that's causing something weird.

Can't look in to it at moment as can't have it running without wiping my internet connection.

Quote from: BasilBasil on April 17, 2022, 09:30:58 PM
You can specify a version via the firmware settings and 'other' option, I used "22.1/MINT/22.1.3/OpenSSL" and it's updated everything to 22.1.3 and allowed me to install my plugins. I suggest you try the same.

Thanks for this, didn't know about this, just doing it now.

Reinstalled OPNsense 22.1.2 and facebook worked. Then updated to 22.1.6. Still works. Maybe a bad install first time. I will slowly reinstate my configuration and see if any step has issues.

Also seems to respond better now

I had the same issue.
Setting Anti DDOS / Enable syncookies to never (default) or rather leave at the default setting solved the problem.
This can be found under firewall / settings / advanced / Anti DDOS at the bottom.

Quote from: sol on April 18, 2022, 02:38:57 PM
I had the same issue.
Setting Anti DDOS / Enable syncookies to never (default) or rather leave at the default setting solved the problem.
This can be found under firewall / settings / advanced / Anti DDOS at the bottom.

Mine is on the default so this isn't it for me.

Checked all the above, no dice.

Also updated to 22.1.4 - same issue.

Absolutely nothing obvious, so going to stick with 22.1.3.

This is obviously a major bug because the only way out so far is to reinstall an earlier version.

April 19, 2022, 11:23:48 PM #12 Last Edit: April 19, 2022, 11:26:59 PM by meyergru
If Twitter.com and Tiktok.com work while others like Facebook.com do not, this would lead me to believe that IPv6 connectivity is broken while IPv4 works.

Why? Twitter and Tiktok rely solely on IPv4, while many others also use IPv6. IPv6 having the higher priority, this could mean that the IPv6 DNS addresses are resolved (possibly via IPv4) but cannot be reached for one reason or the other.

This can easily be checked by "ping -4 facebook.com" and "ping -6 facebook.com". Should IPv6 really be the culprit, one can then check every single building block (i.e. DNS, routing, firewall) and see what is the root cause - or disable IPv6 altogether.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
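
The per-family check suggested in the post above, as an added example that is not part of the original thread: it resolves and connects separately over IPv4 and IPv6, then names the family that fails. It assumes a TCP connect to port 443 rather than ping, since posters report that ping succeeds while pages stall; the host names in SAMPLE are constructed.

```python
import socket

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}

def probe(host, port=443, timeout=3.0):
    """Resolve host and attempt one TCP connect per address family."""
    results = {}
    for name, family in FAMILIES.items():
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            results[name] = "no-address"   # no A / AAAA record for this family
            continue
        try:
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect(infos[0][4])     # first resolved address only
            results[name] = "ok"
        except OSError:                    # timeout, no route, refused, no stack
            results[name] = "unreachable"
    return results

def diagnose(results):
    """Turn per-family states into the layer to look at next."""
    v4, v6 = results["IPv4"], results["IPv6"]
    if v4 == "unreachable":
        return "ipv4-broken"   # fails even without IPv6: look elsewhere
    if v6 == "unreachable":
        return "ipv6-broken"   # AAAA resolves but the path does not work
    if "ok" in (v4, v6):
        return "ok"
    return "no-address"        # nothing resolved: check DNS first

# Constructed results mirroring the symptom pattern discussed in the thread.
SAMPLE = {
    "dual-stack.example": {"IPv4": "ok", "IPv6": "unreachable"},
    "v4-only.example": {"IPv4": "ok", "IPv6": "no-address"},
    "all-stalled.example": {"IPv4": "unreachable", "IPv6": "no-address"},
}

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:              # live probe only when run directly
        r = probe(host)
        print(host, r, diagnose(r))
```

A result of "ipv4-broken" for a site that fails with IPv6 disabled matches what later replies report, and points away from the IPv6 explanation.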

I've currently got IPv6 disabled so it isn't that.

Quote from: meyergru on April 19, 2022, 11:23:48 PM
If Twitter.com and Tiktok.com work while others like Facebook.com do not, this would lead me to believe that IPv6 connectivity is broken while IPv4 works.

Why? Twitter and Tiktok rely solely on IPv4, while many others also use IPv6. IPv6 having the higher priority, this could mean that the IPv6 DNS addresses are resolved (possibly via IPv4) but cannot be reached for one reason or the other.

This can easily be checked by "ping -4 facebook.com" and "ping -6 facebook.com". Should IPv6 really be the culprit, one can then check every single building block (i.e. DNS, routing, firewall) and see what is the root cause - or disable IPv6 altogether.

Thought that might be the problem, but I totally disabled IPV6, no change...! Although I did not try pinging ipv6 but given nothing had an IPV6 address I can't see how it would be?