23.1-RC1 aka 23.1.b_151 - Gateway Monitor and route to other end of VTI Failing

Started by danderson, January 13, 2023, 03:28:44 PM

I know wrong forum sub, but as there isn't a 23.1 yet.

Updated, all working correctly.  Rebooted. BGP Neighbor and Gateway Monitor for VTI interface failing for remote IP on my /30 for the tunnel.

Tunnel Up and can reach the other router via client (due to fw rule) but not on OPNsense. Added static /30 route in system > routes > config to point to far end router.

All working again. BGP Neighbor AS came up and Gateway Monitor started pinging/getting stats.

Never had to have a static for the VTI /30 prior. Unknown if by design or bug.

Just sharing info.

Hi and thanks for your report!

23.1.b_151 isn't what you are looking for, see https://forum.opnsense.org/index.php?topic=31861.msg153964#msg153964 for preliminary upgrade instructions.

Though this might be part of the swanctl.conf changes carried out to the IPsec tunnel configuration. If the issue persists I'd appreciate a ticket on GitHub.


Cheers,
Franco

Thanks Franco,

I did opnsense-update -ur 23.1.r1 and am still seeing the same issue when I disable the static route I created earlier. Will create a ticket on GitHub.



I can confirm with 23.1.b_151 the route to remote tunnel is missing.

I have a GRE tunnel with 10.2.3.1 as local address and 10.2.3.2 as remote address.
With 22.7.10_2 OPNsense created two routes:
10.2.3.1           link#13            UHS         lo0
10.2.3.2           link#13            UH         gre1

With 23.1.b_151 only one route is created:
10.2.3.1           link#13            UHS         lo0

To fix this I manually added a static route to 10.2.3.0/30 via 10.2.3.2
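
The route comparison in the post above, as an added example that is not part of the original posts or of OPNsense itself: a small check that classifies how the tunnel peer is reachable from a FreeBSD-style routing table. The function name `classify_peer_route` is hypothetical, the first two tables reuse the route lines quoted in the post, and the static-route line in the third table is constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not OPNsense code).
# Usage on a live box: netstat -rn -f inet | classify_peer_route 10.2.3.2 gre1
# Reads a routing table on stdin and prints one of:
#   host    - a host (H flag) route for the peer exists on the tunnel interface
#   covered - no host route, but a network route on the interface covers the peer
#   missing - nothing on the tunnel interface reaches the peer
classify_peer_route() {
    awk -v peer="$1" -v ifc="$2" '
    function ip2int(ip,   o) {
        if (split(ip, o, ".") != 4) return -1      # not dotted-quad IPv4
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { p = ip2int(peer); best = "missing" }
    $4 != ifc { next }                             # skip headers and other interfaces
    $1 == peer && $3 ~ /H/ { best = "host"; next }
    index($1, "/") {                               # network route, e.g. 10.2.3.0/30
        split($1, d, "/")
        net = ip2int(d[1]); size = 2 ^ (32 - d[2])
        if (net >= 0 && p >= net && p < net + size && best != "host")
            best = "covered"
    }
    END { print best }'
}

# Route lines as quoted in the post for 22.7.10_2 and 23.1.b_151.
TABLE_22_7='10.2.3.1           link#13            UHS         lo0
10.2.3.2           link#13            UH         gre1'
TABLE_23_1='10.2.3.1           link#13            UHS         lo0'
# Constructed line: how the manual /30 static route workaround might be displayed.
TABLE_WORKAROUND='10.2.3.1           link#13            UHS         lo0
10.2.3.0/30        10.2.3.2           UGS        gre1'

for t in "$TABLE_22_7" "$TABLE_23_1" "$TABLE_WORKAROUND"; do
    printf '%s\n' "$t" | classify_peer_route 10.2.3.2 gre1
done
```
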

Updated to RC2, still having the same issue. Adding static route still a valid workaround.

Zan,

Are you running any policy based routing? And have a gateway setup for the tunnel? I am on my config. I narrowed it down a bit. In the gateway settings select the option Disable Host Route (checked) then save. Then a full reboot of the box.

No longer need a static route added as I have mentioned above and all my routes are showing up properly. Check the GitHub comments as we have been troubleshooting with the OPNsense team.

Quote from: zan on January 17, 2023, 10:39:00 AM
I can confirm with 23.1.b_151 the route to remote tunnel is missing.

I have a GRE tunnel with 10.2.3.1 as local address and 10.2.3.2 as remote address.
With 22.7.10_2 OPNsense created two routes:
10.2.3.1           link#13            UHS         lo0
10.2.3.2           link#13            UH         gre1

With 23.1.b_151 only one route is created:
10.2.3.1           link#13            UHS         lo0

To fix this I manually added a static route to 10.2.3.0/30 via 10.2.3.2

Quote from: danderson on January 19, 2023, 10:23:56 PM
Are you running any policy based routing? And have a gateway setup for the tunnel? I am on my config. I narrowed it down a bit. In the gateway settings select the option Disable Host Route (checked) then save. Then a full reboot of the box.

Yep I have setup a gateway for policy routing & monitoring.
So upon further checking I found OPNsense actually did create the tunnel's remote host route but it gets destroyed if we have setup a gateway for the tunnel and did not tick the 'Disable host route' option.
I found it strange but I can live with that.

Good find @danderson! Thanks for your help, appreciate it.



Franco,

This patch is confirmed working. As posted on GitHub, I unchecked disable host route under the gateway and applied patch opnsense-patch a230326d7fe16

Quote from: franco on January 20, 2023, 02:27:16 PM
Looks to be this... https://github.com/opnsense/core/commit/a230326d7fe16

# opnsense-patch a230326d7fe16

Confirmation help is welcome.


Thanks,
Franco