firewall: remove deprecated "Dynamic state reset" mechanic

Started by keropiko, January 20, 2023, 01:21:59 PM

Hello all,

I have recently updated to 23.1.r2 and I noticed that the option "Dynamic state reset" is no longer available.

I have a multi-WAN setup; the primary WAN is a PPPoE dynamic IP connection, and I have a PBX with multiple VoIP providers.
Today I had a disconnection of the PPPoE connection and the VoIP stopped working. (With previous versions, with dynamic state reset, everything worked correctly after a disconnect.)
Is there any similar option i need to enable?

Thank you

Hi keropiko,

Can you tell more about your setup? Especially WAN sides and IPv6 settings (if VOIP also goes over IPv6).

Dynamic state reset is a brute force approach, which does break multi-WAN cases quite considerably.

Commit in question: https://github.com/opnsense/core/commit/bb9abf86a4f95b2


Cheers,
Franco

Hi franco, thank you for the reply.

I have IPv6 disabled; I don't use IPv6 for now.

I have a PPPoE dynamic IP (through a VDSL modem) as the main WAN connection, a WWAN connection through a USB stick, and a second, slow WAN connection through an Ethernet cable with a static IP.
I have different priorities on every gateway (WAN 200, WWAN 201, WAN2 202) (so the default gateway is chosen in case a gateway fails) and three gateway groups (with the "gateway down" option for failover).

The PBX has W1failoverW2 as its gateway, which means WAN -> WWAN -> WAN2.

Until now, when a gateway disconnected or failed, after some seconds the VoIP started to work again (of course, as you said, this option does break multi-WAN cases, since after a gateway failed some VoIP providers took longer to connect, and mainly all the WAN connections for every gateway and local network device I have disconnected for some seconds, even the ones whose gateway was a different one from the main.)

The important thing is that the VoIP continued to work after a while.
Also, I think I have noticed that whichever gateway failed, dynamic IP or not, I always lose connectivity for a while once a gateway goes down.

Today, with the new version, I had to manually reset the states of the PBX in order to recover telephony, even hours after the disconnection of the main WAN.

The firewall states are set to normal, not to conservative, since I never had any kind of problems.

(In the past, before the "reset states" option, I used to have a script on the firewall that checked the external IP and, if it had changed, reloaded Asterisk, but as a solution it used to create some problems for me, and many times the PBX hung.)

Couldn't this option be enabled for specific IPs only? Like, on IP change, flush the states of a specific client/IP.
Thank you


I have a similar issue. I have an IPv4 client which establishes a WireGuard connection on its own to a remote server.
Whenever I reboot OPNsense, the WireGuard connection is stale forever. With 22.7 I mitigated this by enabling 'Dynamic state reset', which has been removed in 23.1. I now have to manually reset the state table after a reboot to ensure that everything works.

Quote from: schmuessla on January 26, 2023, 09:57:36 PM
I have a similar issue. I have an IPv4 client which establishes a WireGuard connection on its own to a remote server.
Whenever I reboot OPNsense, the WireGuard connection is stale forever. With 22.7 I mitigated this by enabling 'Dynamic state reset', which has been removed in 23.1. I now have to manually reset the state table after a reboot to ensure that everything works.

Have you enabled the Cron job for restarting stale WG tunnels?
Kind regards,
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

The WireGuard client is not running on OPNsense itself, so from OPNsense's perspective it's just an ordinary UDP connection. The cron job I can see is for the IP change problem, if the far endpoint changes its IP, but that shouldn't matter here.

Quote from: keropiko on January 20, 2023, 04:28:56 PM
Couldn't this option be enabled for specific IPs only? Like, on IP change, flush the states of a specific client/IP.
Thank you

I had this problem in the past and also wanted to do something like that.
Now, since my "dynamic" IP has not changed for a long time, I haven't experienced disconnections again, but I'd also like some option like flushing some states based on a WAN address change or, better, an alias change.
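Both keropiko's request (flush the states of one client when the WAN address changes) and the wish above for a flush keyed on a WAN address change can be approximated today with a small script and pfctl, which is what the GUI's per-IP "reset states" does underneath. The following is an added example, not OPNsense code and not from any poster in this thread. It assumes a PPPoE WAN named pppoe0, a state file under /var/db, and two watched LAN hosts (a PBX and a WireGuard client); those names are assumptions for the example and should be replaced with the real ones. It flushes only the watched hosts' states, in both directions, and only when the WAN address actually changed, so other clients and other gateways are left alone, which is the part of the old global "Dynamic state reset" that broke multi-WAN setups.

```shell
#!/bin/sh
# Added example, not OPNsense code: flush pf states for a short list of LAN hosts
# only when the WAN address changes, instead of the removed global "Dynamic state reset".
# The interface name, state file and host list below are assumptions for this example.

WAN_IF="${WAN_IF:-pppoe0}"                              # PPPoE WAN with a dynamic address (assumed)
STATE_FILE="${STATE_FILE:-/var/db/wanwatch.last}"       # remembers the last seen WAN address (assumed)
WATCH_HOSTS="${WATCH_HOSTS:-192.168.1.10 192.168.1.20}" # PBX and WireGuard client (assumed)
PFCTL="${PFCTL:-pfctl}"                                 # set PFCTL=echo for a dry run

# Print the first IPv4 address on the WAN interface; prints nothing while the link is down.
current_wan_ip() {
    ifconfig "$WAN_IF" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Decide whether a flush is due. Arguments: previous address, current address
# (either may be empty). Returns 0 (true) only when there is an address now and it
# differs from the stored one: a link that is still down triggers nothing, and a
# link that comes back with the same address is left alone.
wan_changed() {
    prev="$1"
    cur="$2"
    [ -n "$cur" ] || return 1
    [ "$prev" != "$cur" ]
}

# Kill the states of one host in both directions and nothing else.
# "pfctl -k HOST" removes states whose source is HOST; "pfctl -k 0.0.0.0/0 -k HOST"
# removes states from any host to HOST (both forms are documented in pfctl(8)).
flush_host_states() {
    host="$1"
    "$PFCTL" -k "$host"
    "$PFCTL" -k 0.0.0.0/0 -k "$host"
}

# One polling round: compare the stored and current address, flush the watched
# hosts on change, then record the new address so the flush happens once per change.
wanwatch_once() {
    prev=""
    [ -r "$STATE_FILE" ] && prev=$(cat "$STATE_FILE")
    cur=$(current_wan_ip)
    if wan_changed "$prev" "$cur"; then
        for host in $WATCH_HOSTS; do
            flush_host_states "$host"
        done
        printf '%s\n' "$cur" > "$STATE_FILE"
    fi
}

# Invoke as "wanwatch.sh run" from a cron entry (every minute is plenty for a
# PPPoE reconnect); without the argument the functions are only defined.
case "${1:-}" in
    run) wanwatch_once ;;
esac
```

The script deliberately does nothing while the WAN has no address, because flushing at that moment achieves nothing; the flush happens on the first poll after the new address appears, which is when the PBX's old SIP registrations and RTP states are actually stale. Run it first with PFCTL=echo to see which pfctl commands it would issue before letting it touch the state table.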