All traffic not bound to a specific interface leaves the firewall as 0.0.0.0

Started by Rhabarbertorte, August 22, 2022, 04:51:21 PM

Hello guys,

One important note beforehand: none of this has worked anymore since my update to 22.7.2.

This might be something of a duplicate of https://forum.opnsense.org/index.php?topic=29962.0 , but I think it is quite urgent and not directly related to WireGuard.

On my firewall, after the latest update, all traffic originating from the firewall itself leaves with a source IP of 0.0.0.0. Therefore I never receive any answer.

If I do ping 9.9.9.9 --> no answer
If I do ping -S <WAN_IP> 9.9.9.9 --> everything works as expected

I added a NAT rule (Outbound, Interface WAN, Source IP 0.0.0.0/32, Destination !PRIVATE_NETWORKS (10.0.0.0/8, 192.168.0.0/16, ...), masquerade with WAN IP) --> now ping 9.9.9.9 works

This is definitely a major problem for me. Does anybody have a clue what's going on here?

Thanks in advance!


Thanks a lot for this.

This finally fixed my update problem and I believe it will fix my wireguard problem as well.

I only had automatic NAT rules before - none of which changed IP.



Quote from: Rhabarbertorte on August 22, 2022, 05:59:45 PM
Can be closed. I was able to fix it by myself.
And how exactly, please?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on August 22, 2022, 06:22:59 PM
Quote from: Rhabarbertorte on August 22, 2022, 05:59:45 PM
Can be closed. I was able to fix it by myself.
And how exactly, please?

I'm not 100% sure, but I disabled, e.g., a failover interface (which I don't use anymore) and all routes/gateways belonging to it. I also disabled dynamic gateway switching globally.

Quote from: schup on August 22, 2022, 06:16:00 PM
Thanks a lot for this.

This finally fixed my update problem and I believe it will fix my wireguard problem as well.

I only had automatic NAT rules before - none of which changed IP.

I don't really get your point, but good to know this was somehow helpful.

I'm interested in this. When the system is in the "broken" state is there any "0.0.0.0" in the ifconfig output or in the pf.conf rules?

# ifconfig | grep 0\\.0\\.0\\.0
# grep 0\\.0\\.0\\.0 /tmp/rules.debug

Because if there is not, this might be a kernel bug in FreeBSD 13.1 or our auxiliary patching for it (shared forwarding).


Cheers,
Franco
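As an added example (not code from the thread, from franco, or from OPNsense): the two checks asked for above, wrapped in a small POSIX shell script so they can be run against captured ifconfig and /tmp/rules.debug text, with a summary of where 0.0.0.0 shows up. The interface names, addresses and rules in the samples are constructed for illustration; the grep pattern deliberately matches the literal address 0.0.0.0 (and 0.0.0.0/32) but not addresses such as 10.0.0.0/8 that merely contain it.

```shell
#!/bin/sh
# Added example: the "is 0.0.0.0 anywhere in ifconfig or the pf ruleset"
# check from the thread, written to run on captured text. Both sample
# inputs below are constructed, not taken from a real system.

# Constructed ifconfig output for a broken state: one interface (wg0 here,
# an assumed name) carries inet 0.0.0.0.
SAMPLE_IFCONFIG_BROKEN='vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
    inet 0.0.0.0 netmask 0xffffffff
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000'

# Constructed ifconfig output for a healthy state.
SAMPLE_IFCONFIG_OK='vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000'

# Constructed pf ruleset excerpt in the style of /tmp/rules.debug, including
# a masquerade rule for 0.0.0.0/32 like the workaround from the first post.
SAMPLE_RULES='nat on vtnet0 inet from 192.168.1.0/24 to any -> (vtnet0:0) port 1024:65535
nat on vtnet0 inet from 0.0.0.0/32 to ! <private_networks> -> (vtnet0:0) port 1024:65535
pass in quick on vtnet1 inet from 192.168.1.0/24 to any keep state'

# find_zero_addrs TEXT: print the name of every interface whose inet
# address in the given ifconfig output is 0.0.0.0 (one name per line).
find_zero_addrs() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
        $1 == "inet" && $2 == "0.0.0.0" { print iface }
    '
}

# find_zero_rules TEXT: print every pf rule in the given ruleset text that
# mentions the literal address 0.0.0.0 (also 0.0.0.0/32), but not
# addresses such as 10.0.0.0/8 that only contain that substring.
find_zero_rules() {
    printf '%s\n' "$1" | grep -E '(^|[^0-9.])0\.0\.0\.0([^0-9]|$)' || true
}

# classify IFCONFIG_TEXT RULES_TEXT: summarize where 0.0.0.0 appears.
# "none" is the case franco points at: nothing in the interface config or
# the generated ruleset, so the kernel / shared-forwarding patch becomes
# the suspect rather than the configuration.
classify() {
    in_if=$(find_zero_addrs "$1")
    in_pf=$(find_zero_rules "$2")
    if [ -n "$in_if" ] && [ -n "$in_pf" ]; then
        echo "ifconfig+pf"
    elif [ -n "$in_if" ]; then
        echo "ifconfig"
    elif [ -n "$in_pf" ]; then
        echo "pf"
    else
        echo "none"
    fi
}

# Run against the constructed samples. On a live OPNsense box you would use:
#   classify "$(ifconfig)" "$(cat /tmp/rules.debug)"
classify "$SAMPLE_IFCONFIG_BROKEN" "$SAMPLE_RULES"
classify "$SAMPLE_IFCONFIG_OK" ""
```

The point of separating the two checks is the distinction drawn in the post above: a hit in ifconfig or in rules.debug points at configuration (an interface without an address, a gateway, or a generated rule), while no hit in either leaves the kernel as the suspect. Note that the workaround NAT rule from the first post itself introduces a 0.0.0.0 match in rules.debug, so run the check on the unmodified configuration.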

Quote from: franco on August 22, 2022, 09:05:09 PM
I'm interested in this. When the system is in the "broken" state is there any "0.0.0.0" in the ifconfig output or in the pf.conf rules?

# ifconfig | grep 0\\.0\\.0\\.0
# grep 0\\.0\\.0\\.0 /tmp/rules.debug

Because if there is not, this might be a kernel bug in FreeBSD 13.1 or our auxiliary patching for it (shared forwarding).


Cheers,
Franco

I am currently really glad that I could somehow solve the problem. Nevertheless, I would like to help, of course, if this is a general problem.

I still have the backup config XML where the problem occurred. If I find time tomorrow I will restore it to a virtual machine with OPNsense. Then I can do the searches for 0.0.0.0 mentioned above.