Messages - mihak

#61
General Discussion / Re: TOR and IPv6 on OPNSense
January 05, 2021, 03:42:15 AM
Here is a screenshot from OPNSense TOR that works on IPv4 but not on IPv6:
#62
General Discussion / TOR and IPv6 on OPNSense
January 05, 2021, 01:21:11 AM
Did anyone make TOR on OPNSense work with IPv6? My TOR service works fine as a public relay on IPv4 but I am struggling to make it functional on IPv6.

I can see incoming IPv6 packets received and accepted by OPNSense, but TOR service is not processing them and not returning anything. Relay Search is showing only my IPv4 as a reachable address in TOR relay directory.

Attached are some relevant screenshots.
#63
General Discussion / Re: TOR Rate limiting units
January 04, 2021, 11:05:27 PM
This should go into help text in GUI - I was trying to figure it out too...
#65
General Discussion / Re: How to configure IPv6
October 16, 2020, 12:58:50 AM
IPv6 addressing is structured differently from IPv4. Check this deck on SlideShare, especially slides 6, 7 and 16.

In a nutshell, you should never use any mask smaller than /64 for each of your networks (meaning no numbers higher than /64), as EUI-64 and SLAAC require 8 bytes to squeeze the MAC address into the IPv6 address for the auto-generated unique address. The most generous ISPs might give you /32, but the most typical ISP assignment is /48, which gives you a full two bytes (16 bits) for your network segmentation.
So, your IPv6 address will be:
6 bytes assigned from the ISP + 2 bytes for your networking needs + 8 bytes for the host ID.

I hope that makes sense?
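As an added worked example (not part of the post above, and not OPNsense code), the Python below carves /64 networks out of a delegated prefix and builds SLAAC addresses the way the post describes: the delegated bits, then the subnet bits up to /64, then a modified EUI-64 interface ID made from the MAC. The prefix 2001:db8:abcd::/48 and the MAC 00:1a:2b:3c:4d:5e are made-up sample values. It goes one step beyond the post: mac_from_eui64 shows that an EUI-64 address can be reversed to the hardware MAC, which is why hosts use RFC 4941 temporary addresses with a random interface ID for outbound traffic.

```python
"""Carve /64 networks from an ISP delegation and derive SLAAC interface IDs."""
import ipaddress
import secrets
from typing import Optional

# In the 64-bit interface ID the universal/local bit is bit 1 of the first
# byte, i.e. bit 57 of the 64-bit value; EUI-64 flips it, privacy IDs clear it.
_UL_BIT = 1 << 57


def subnet_count(isp_prefix: str) -> int:
    """How many /64 networks fit in the delegation (/48 -> 65536, /56 -> 256)."""
    delegation = ipaddress.IPv6Network(isp_prefix, strict=True)
    if delegation.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot hold a SLAAC network")
    return 1 << (64 - delegation.prefixlen)


def carve_subnet(isp_prefix: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the subnet_id-th /64 inside isp_prefix.

    The subnet number occupies the bits between the delegated prefix length
    and the /64 boundary, so it is shifted left past the 64-bit host part."""
    delegation = ipaddress.IPv6Network(isp_prefix, strict=True)
    if not 0 <= subnet_id < subnet_count(isp_prefix):
        raise ValueError(f"subnet_id must fit in {64 - delegation.prefixlen} bits")
    base = int(delegation.network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(net: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Stable SLAAC address: /64 network prefix + EUI-64 interface ID."""
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address, or None if ff:fe is absent.

    This reversal is why EUI-64 addresses leak hardware identity to every peer."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def privacy_address(net: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """RFC 4941-style temporary address: random 64-bit ID with the U/L bit cleared."""
    iid = int.from_bytes(secrets.token_bytes(8), "big") & ~_UL_BIT
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    lan = carve_subnet("2001:db8:abcd::/48", 0x10)  # sample delegation, subnet 16
    print("LAN network:      ", lan)
    print("SLAAC (EUI-64):   ", slaac_address(lan, "00:1a:2b:3c:4d:5e"))
    print("MAC recovered:    ", mac_from_eui64(str(slaac_address(lan, "00:1a:2b:3c:4d:5e"))))
    print("Temporary address:", privacy_address(lan))
```

subnet_count is the check behind the post's advice: a /48 leaves 16 subnet bits, a /56 leaves 8, and anything longer than /64 leaves nothing for SLAAC to work with.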
#66
To provide more details for reproduction:
- create a single override in Services/Unbound/Overrides:

Host: *
Domain: netflix.com
Type: A or AAAA
IP: ::

Here are the dig results before the entry:

dig @192.168.1.1 netflix.com AAAA

; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.1.1 netflix.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7685
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netflix.com.                   IN      AAAA

;; ANSWER SECTION:
netflix.com.            21      IN      AAAA    2620:108:700f::3424:eece
netflix.com.            21      IN      AAAA    2620:108:700f::340b:d31a
netflix.com.            21      IN      AAAA    2620:108:700f::22d8:7a24
netflix.com.            21      IN      AAAA    2620:108:700f::22d1:16ca
netflix.com.            21      IN      AAAA    2620:108:700f::342b:d6c4
netflix.com.            21      IN      AAAA    2620:108:700f::23a1:2008
netflix.com.            21      IN      AAAA    2620:108:700f::341a:4fae
netflix.com.            21      IN      AAAA    2620:108:700f::3427:1a02

dig @192.168.1.1 netflix.com A

; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.1.1 netflix.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23065
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netflix.com.                   IN      A

;; ANSWER SECTION:
netflix.com.            20      IN      A       52.33.157.25
netflix.com.            20      IN      A       52.25.226.150
netflix.com.            20      IN      A       54.187.176.196
netflix.com.            20      IN      A       52.11.104.17
netflix.com.            20      IN      A       35.161.95.70
netflix.com.            20      IN      A       34.208.21.204
netflix.com.            20      IN      A       34.216.180.180
netflix.com.            20      IN      A       34.215.127.206

And after the entry:

dig @192.168.1.1 netflix.com A

; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.1.1 netflix.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6521
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netflix.com.                   IN      A

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Oct 15 13:47:01 PDT 2020
;; MSG SIZE  rcvd: 40

dig @192.168.1.1 netflix.com AAAA

; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.1.1 netflix.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8831
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netflix.com.                   IN      AAAA

;; ANSWER SECTION:
netflix.com.            3600    IN      AAAA    ::

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Oct 15 13:47:12 PDT 2020
;; MSG SIZE  rcvd: 68

Clearly a single override impacted both AAAA and A records.
#67
I want to selectively override AAAA record resolution for Netflix domains yet keep A record resolution intact, as described in this GitHub gist. Yes, I use Tunnelbroker for IPv6 and still want to use Netflix...

The problem is that the Unbound overrides in OPNSense are impacting both A and AAAA at the same time; if I redirect netflix.com to ::, the override will work for both A and AAAA requests, as tested by dig commands:
dig @192.168.1.1 netflix.com AAAA
dig @192.168.1.1 netflix.com A

Am I doing it wrong? Is this by design for the current Unbound implementation? Any idea how to achieve the desired result of overriding AAAA but not A records?
#68
SVN team did some analysis on my router today and:

- confirmed that throughput indeed drops from >900 Mbps to ~250 Mbps when Sensei is on and active
- throughput goes back to >900 Mbps when Sensei is in bypass mode
- disabling the hyperthreading of firewall increased the throughput to ~350 Mbps

My device is one of the new-generation Protectli clones: https://www.aliexpress.com/item/4000803229693.html

i7 CPU with 32 GB ram and 500 GB mSATA

Will post an update once we progress more.
#69
I am running OPNSense on a dedicated i7 CPU with 32 GB of memory and 6 Gbps ports. Ubench CPU 1132791 and Ubench MEM 2337171. My internet connection is 1 Gbps.

Before installing and enabling Sensei, average throughput on fast.com or speedtest.com was close to 1.0 Gbps with the usual overhead penalty. But when Sensei is installed and active on LAN ports (L3 mode with either the native or the generic netmap driver), throughput drops to 250 Mbps, a mere 25% of the available bandwidth. The CPU is idling and never goes above 15%.

I installed the new 20.7.3-netmap driver, but that didn't change the throughput at all.

What am I doing wrong? What troubleshooting data would you like to see?
#70
Since https://energized.pro started to publish Unbound-readable blocklists, we should simplify our tutorial to something like this:

1. Add include: /var/unbound/ad-blacklist.conf into the Custom options of Unbound.
2. Create Ad-blacklist-refresh.sh in /var/unbound with:
# -f: fail on an HTTP error instead of saving the error page as the config file
curl -fsS https://raw.githubusercontent.com/EnergizedProtection/block/master/blu/formats/unbound.conf -o /var/unbound/ad-blacklist.conf

3. Insert a regular execution of this script into crontab.

There are multiple levels of compiled lists by the energized.pro team; just pick the right strength, let Unbound use it and enjoy ad-free browsing.
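Two things in this thread fit one added example: the AAAA-only override asked for in #67 and the downloaded blocklist include from the tutorial in #70. The Python below is added here and is not OPNsense, Unbound or energized.pro code. It assumes the blocklist is in Unbound's local-zone syntax (SAMPLE_BLOCKLIST is a constructed stand-in, not a real download, and the exact energized.pro line format is an assumption), and it relies on Unbound's documented typetransparent local-zone type, which answers only the record types present in local data and resolves every other type upstream; the A-record breakage in the dig output above is the NOERROR/nodata answer a transparent or static zone gives for a type with no local data. The security point is that an include: line splices the downloaded file into the resolver's configuration verbatim, so a failed or tampered download could hand Unbound a forward-zone or server: option; the validator only lets local-zone and local-data lines through, and the file is written atomically.

```python
"""Build and sanity-check an Unbound include file before it goes live."""
import ipaddress
import os
import re
import tempfile
from typing import List

# Only these two directives may appear in a downloaded or generated include.
# Anything else (forward-zone, stub-zone, a nested include:, server: options)
# could redirect resolution for the whole resolver and is rejected outright.
_LOCAL_ZONE = re.compile(r'^local-zone:\s+"([^"]+)"\s+([a-z_]+)$')
_LOCAL_DATA = re.compile(r'^local-data:\s+"([^"]+)"$')
_RR = re.compile(r'^(\S+)\s+(?:(\d+)\s+)?(?:IN\s+)?(A|AAAA)\s+(\S+)$')
_LABEL = re.compile(r'^[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?$')
ALLOWED_ZONE_TYPES = {"always_nxdomain", "always_nodata", "always_refuse",
                      "refuse", "static", "transparent", "typetransparent"}

# Constructed sample in the assumed blocklist format (not a real download).
SAMPLE_BLOCKLIST = """\
# constructed sample
local-zone: "ads.example." always_nxdomain
local-zone: "tracker.example." always_nxdomain
"""


def valid_name(name: str) -> bool:
    """Accept a plain hostname/FQDN (trailing dot optional), nothing fancier."""
    labels = name.rstrip(".").split(".")
    return 0 < len(name) <= 254 and all(_LABEL.match(label) for label in labels)


def aaaa_only_override(name: str, ttl: int = 3600) -> List[str]:
    """Answer AAAA for `name` locally while A queries still resolve upstream."""
    if not valid_name(name):
        raise ValueError(f"bad name: {name!r}")
    fqdn = name.rstrip(".") + "."
    return [f'local-zone: "{fqdn}" typetransparent',
            f'local-data: "{fqdn} {ttl} IN AAAA ::"']


def validate_include(text: str) -> List[str]:
    """Return the accepted directives; raise ValueError on the first bad line."""
    accepted = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        zone = _LOCAL_ZONE.match(line)
        if zone:
            name, ztype = zone.groups()
            if not valid_name(name) or ztype not in ALLOWED_ZONE_TYPES:
                raise ValueError(f"line {lineno}: rejected local-zone: {line}")
            accepted.append(line)
            continue
        data = _LOCAL_DATA.match(line)
        if data:
            rr = _RR.match(data.group(1))
            if not rr or not valid_name(rr.group(1)):
                raise ValueError(f"line {lineno}: unsupported local-data: {line}")
            rtype, value = rr.group(3), rr.group(4)
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                raise ValueError(f"line {lineno}: bad address: {value}") from None
            if addr.version != (6 if rtype == "AAAA" else 4):
                raise ValueError(f"line {lineno}: {rtype} with wrong address family")
            accepted.append(line)
            continue
        raise ValueError(f"line {lineno}: unexpected directive: {line}")
    return accepted


def is_valid_include(text: str) -> bool:
    try:
        validate_include(text)
        return True
    except ValueError:
        return False


def write_include(path: str, lines: List[str]) -> None:
    """Write via a temp file and rename so Unbound never reads a partial file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".unbound-include-")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def build_include(blocklist_text: str, override_names: List[str]) -> List[str]:
    """Per-name AAAA-only overrides followed by the validated blocklist."""
    lines = []
    for name in override_names:
        lines.extend(aaaa_only_override(name))
    lines.extend(validate_include(blocklist_text))
    return validate_include("\n".join(lines))


def demo() -> List[str]:
    """Write the combined include to a temp dir and read it back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ad-blacklist.conf")  # /var/unbound/... in production
        write_include(path, build_include(SAMPLE_BLOCKLIST, ["netflix.com"]))
        with open(path) as fh:
            return fh.read().splitlines()


if __name__ == "__main__":
    print("\n".join(demo()))
```

After writing the real file, run unbound-checkconf and reload Unbound, then repeat the dig A / dig AAAA pair from the thread: A should come back with upstream answers and no aa flag, AAAA with the single :: record.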