[6.12.4] Multiple network related issues and crashes after latest update



After the update to 6.12.4 I am more than unhappy with the issues I'm facing. 

First noticeable issue was WireGuard, which just stopped working correctly. Until 6.11.x it worked flawlessly. Now I cannot get a client to connect to my Unraid and use the internet at the same time. I mean I can browse all containers' web GUIs but internet does not work. I had this issue previously but it was an incorrect DNS configuration on my part; after I finally figured this out it was flawless on any client ever since. After the update to 12.4 I can connect through WG to Unraid but internet on any of the clients is no more.

 

Yesterday I noticed multiple other network-related issues. My Plex server suddenly stopped being available remotely. The WordPress page hosted on my Unraid is not available anymore, Unraid Connect doesn't work anymore (API KEY: NETWORK_ERRORNETWORK: Unable to connect to https://mothership.unraid.net), my system log is full of network errors and so on.

I know there were some macvlan/ipvlan changes made with this release and I did change a few settings according to the release notes - probably a misconfiguration on my part is what caused the issue, but I have no idea how to reverse these so I can get back to where it was just a week ago before I updated.

 

I hope it is all down to some configuration, but I have no idea where to start, so some steer would be much appreciated. Diagnostic log attached. Happy to provide more input if needed. Thanks.

tower-diagnostics-20230916-1041.zip

Link to comment

It's currently impossible (there's probably a workaround but I have not spent the time or effort figuring that out yet) to have Internet and LAN access while Host Access is enabled and you're running the Macvtap.

You would need two tunnels for that. One where it's possible to reach Unraid and the internet and one where you can only reach Unraid, the LAN and the Docker containers.

Can't comment on your normal networking issue.

Link to comment
1 minute ago, Mainfrezzer said:

It's currently impossible (there's probably a workaround but I have not spent the time or effort figuring that out yet) to have Internet and LAN access while Host Access is enabled and you're running the Macvtap.

But it DID work previously. Are you saying that with the new update this functionality of having both worlds just disappeared?

Link to comment
Just now, Januszmirek said:

But it DID work previously. Are you saying that with the new update this functionality of having both worlds just disappeared?

Yep, it did work previously and probably still does with the bridge enabled instead of macvtap, but getting the call traces isn't worth it. There's a little dirty trick but that would limit you to internal IPv4 only and IPv6 externally. If I find the time I'm gonna dig into it and try to make it work again.

Link to comment
Just now, Mainfrezzer said:

Yep, it did work previously and probably still does with the bridge enabled instead of macvtap, but getting the call traces isn't worth it. There's a little dirty trick but that would limit you to internal IPv4 only and IPv6 externally. If I find the time I'm gonna dig into it and try to make it work again.

Fair enough, tbh WG is the least of my worries atm. I practically lost all my Unraid services exposed to the external world ;( Thanks for chipping in anyway.

Link to comment

Sometimes simple things are the solution. 

The WireGuard issue can be "fixed" by this:

 

PostUp=logger -t wireguard 'Tunnel WireGuard-wg4 started';/usr/local/emhttp/webGui/scripts/update_services
PostUp=iptables -t nat -A POSTROUTING -s 10.253.4.0/24 -o eth0 -j MASQUERADE;ip6tables -t nat -A POSTROUTING -s fc00:253:4:0::/64 -o eth0 -j MASQUERADE
PostUp=iptables -t nat -A POSTROUTING -s 10.253.4.0/24 -o vhost0 -j MASQUERADE;ip6tables -t nat -A POSTROUTING -s fc00:253:4:0::/64 -o vhost0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg4 stopped';/usr/local/emhttp/webGui/scripts/update_services
PostDown=iptables -t nat -D POSTROUTING -s 10.253.4.0/24 -o eth0 -j MASQUERADE;ip6tables -t nat -D POSTROUTING -s fc00:253:4:0::/64 -o eth0 -j MASQUERADE
PostDown=iptables -t nat -D POSTROUTING -s 10.253.4.0/24 -o vhost0 -j MASQUERADE;ip6tables -t nat -D POSTROUTING -s fc00:253:4:0::/64 -o vhost0 -j MASQUERADE

Gives access to everything. Thought it would be a bit more complicated but well, here we are.

EDIT: IMPORTANT
I did notice a while ago while I tested it that there's an issue with vhost0 as interface: WireGuard starts, but before Docker, and when Docker starts, Docker kills the tunnel.

You need to add 

 

( sleep 60 ; wg-quick up wg4) &

to the GO file so that the Tunnel gets started after docker starts.

Although it does seem like since the first line is eth0 and that interface exists, WireGuard doesn't fart itself anymore and sets it up correctly without throwing a fuss and needing to be restarted.

Edited by Mainfrezzer
Link to comment
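A quick audit of the hooks posted above, as an added example that is not part of the original post or of Unraid's own tooling: it checks that every NAT rule PostUp appends is deleted again by PostDown, and lists which egress interfaces are masqueraded per address family. The function names are hypothetical; the rules in the sample are the iptables lines from the post.

```sh
#!/bin/sh
# Added example, not from the thread: audit the NAT hooks of a wg-quick config.

# The iptables hooks from the post above (wg4, 10.253.4.0/24, eth0 + vhost0).
sample_conf() { cat <<'EOF'
PostUp=iptables -t nat -A POSTROUTING -s 10.253.4.0/24 -o eth0 -j MASQUERADE;ip6tables -t nat -A POSTROUTING -s fc00:253:4:0::/64 -o eth0 -j MASQUERADE
PostUp=iptables -t nat -A POSTROUTING -s 10.253.4.0/24 -o vhost0 -j MASQUERADE;ip6tables -t nat -A POSTROUTING -s fc00:253:4:0::/64 -o vhost0 -j MASQUERADE
PostDown=iptables -t nat -D POSTROUTING -s 10.253.4.0/24 -o eth0 -j MASQUERADE;ip6tables -t nat -D POSTROUTING -s fc00:253:4:0::/64 -o eth0 -j MASQUERADE
PostDown=iptables -t nat -D POSTROUTING -s 10.253.4.0/24 -o vhost0 -j MASQUERADE;ip6tables -t nat -D POSTROUTING -s fc00:253:4:0::/64 -o vhost0 -j MASQUERADE
EOF
}

# hook_rules HOOK CONF: one iptables/ip6tables command per line for that hook,
# with the -A/-D action removed so PostUp and PostDown can be compared.
hook_rules() {
  printf '%s\n' "$2" \
    | sed -nE "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
    | tr ';' '\n' \
    | sed -nE 's/^[[:space:]]*(ip6?tables .*[^[:space:]])[[:space:]]*$/\1/p' \
    | sed -E 's/ -[AD] / /' \
    | sort -u
}

# unmatched_rules CONF: rules PostUp adds that PostDown never deletes; these
# would keep masquerading the tunnel subnet after the tunnel is stopped.
unmatched_rules() {
  down_rules=$(hook_rules PostDown "$1")
  hook_rules PostUp "$1" | while IFS= read -r rule; do
    printf '%s\n' "$down_rules" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
  done
}

# masq_targets CONF: "<tool> <interface>" pairs that PostUp masquerades out of,
# to confirm both address families cover both egress interfaces.
masq_targets() {
  hook_rules PostUp "$1" \
    | sed -nE 's/^(ip6?tables) .* -o ([^ ]+) -j MASQUERADE$/\1 \2/p' | sort -u
}

conf=$(sample_conf)
echo "leftover rules after PostDown:"; unmatched_rules "$conf"
echo "masqueraded egress:"; masq_targets "$conf"
```

Rules are printed without their `-A`/`-D` action; an empty "leftover" list means the tunnel cleans up all of its NAT rules when it stops.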

I was in the same boat as @Januszmirek but it was going from 6.9.1 to 6.12.x; it took me a few hours to work out that having WireGuard enabled broke the connectivity (web UI access, SSH access and internet access).

Disabling the WG tunnel fixes it for the time being and everything can talk again. I assume it relates to "remote access to lan" and all the new security stuff 6.12 introduced, but I just don't have the time to dig deeper atm.

I don't have any crash issues, just network issues.

Edit: for me the issue ended up being the fact that I was providing my local network's CIDR as an allowed IP; this used to work, now it seems to kill everything. Setting a CSV of allowed local IPs resolves the issue.

The only issue left now is to make the VPN have access to my Pi-hole DNS for translation of container hostnames.

 

 

Edited by phyzical
Link to comment
