Messages - TimmiORG

#16
23.7 Legacy Series / Re: Help needed for static IPv6 /48
February 10, 2024, 08:39:06 AM
Hi zan,

OK no problem.

So the configuration will look like this:
ISP IPv6 GW: aaaa:bbbb:cccc::1

WAN:
static IPv6: aaaa:bbbb:cccc::2/64
GW: auto
Router Advertisements: Router Only

LAN:
static IPv6: aaaa:bbbb:cccc:1::2/64
GW: auto
Router Advertisements: Unmanaged
Advertise Default Gateway: true

Hope this does look better.

Thank you for your help.
#17
23.7 Legacy Series / Re: Help needed for static IPv6 /48
February 09, 2024, 10:13:38 PM
Hi Saarbremer,

> - is your gateway set as default gateway?
You mean set to active? If so, I would say yes as it is working.

> - is the gateway for WAN set to Auto?
It was set to the GW of the ISP, I changed it now to auto.

> - what does "cannot reach" mean? Ping or Connection to application or both do not work?
The OPNsense is able to use IPv6, but the subnet of the LAN is not able to reach anything outside the /64.

> - does firewall live view show blocked packets
> - can you packet capture and see if there's any traffic at all?
I can see the traffic from LAN reaching the WAN interface.
This is the answer on the ICMP Echo:
> 19:56:30.191565 IP6 fe80::21f:9eff:feff:2f41 > ff02::1:ff58:21: ICMP6, neighbor solicitation, who has ::0001:546f:78ff:fe58:21, length 32

> - is your ISP ready? Mine told me IPv6 was working, except it didn't as they failed to deploy it to their routers.
In general I guess yes. But I managed it only in the same /64 as the default GW so far.

For me it looks like I don't receive the IPv6 multicast to ff02::/16.
I can see the packets with tcpdump but not with tcpdump -p. So the kernel is dropping them already.

#18
23.7 Legacy Series / Help needed for static IPv6 /48
February 09, 2024, 07:54:30 PM
Hi all,

please note that I'm currently trying to enable IPv6 on my OPNsense.

I received an IPv6 /48 and a GW from my ISP.

GW is ::0000::1
OPNSense is ::0000:2/64

The OPNsense is able to reach services in the Internet via IPv6.

I have added a static IPv6 address to an existing interface.
OPNSense is ::0001:1/64
client is ::0001:546f:78ff:fe58:21/64 via SLAAC

The client is able to reach the OPNsense via ::0001:1 but I'm not able to reach something in the internet nor the GW of the ISP (::0000::1).

WAN Interface:
IPv6:  ::0000:2/64
GW: ::0000::1
Router Advertisements: Router Only

LAN Interface
IPv6: :0001:1/64
GW: auto
Router Advertisements: Unmanaged
Advertise Default Gateway: true

For me it looks like this is not getting answered:
> 19:56:30.191565 IP6 fe80::21f:9eff:feff:2f41 > ff02::1:ff58:21: ICMP6, neighbor solicitation, who has ::0001:546f:78ff:fe58:21, length 32

I guess this is what I'm missing?
> Note that you need to create and set a gateway address for this mode to connect to your next gateway hop which your ISP should provide to you as well.
from https://docs.opnsense.org/manual/ipv6.html#static-ipv6

But I don't understand what is needed.

Would be great if you could give me any point to look into.

Thank you
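As an added illustration (not code from the thread, the poster or OPNsense), the script below parses the neighbor solicitation line quoted above, computes the solicited-node multicast group (ff02::1:ffXX:XXXX, RFC 4291) that the target host must have joined for the solicitation to be answered, and checks that a WAN /64 and a LAN /64 both fit inside the delegated /48 without overlapping. The addresses are the redacted ones from the thread; the sample capture line is constructed from the quoted output.

```python
import ipaddress
import re

# Constructed sample: the neighbor solicitation line quoted in the thread.
CAPTURE_LINE = (
    "19:56:30.191565 IP6 fe80::21f:9eff:feff:2f41 > ff02::1:ff58:21: "
    "ICMP6, neighbor solicitation, who has ::0001:546f:78ff:fe58:21, length 32"
)

# Matches tcpdump's one-line rendering of an ICMPv6 neighbor solicitation.
NS_RE = re.compile(
    r"IP6 (?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): "
    r"ICMP6, neighbor solicitation, who has (?P<target>[0-9a-fA-F:]+)"
)

# RFC 4291 solicited-node multicast prefix; low 24 bits come from the target.
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """Return ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def parse_ns(line: str) -> dict:
    """Extract source, destination and target address from a tcpdump NS line."""
    m = NS_RE.search(line)
    if not m:
        raise ValueError("not a neighbor solicitation line")
    return {k: m.group(k) for k in ("src", "dst", "target")}


def check_ns(line: str) -> dict:
    """Verify the NS was sent to the group the target host must listen on.

    If dst matches, the solicitation itself is well formed and an unanswered
    NS points at the receiver not joining/receiving that multicast group.
    """
    ns = parse_ns(line)
    expected = solicited_node_multicast(ns["target"])
    ns["expected_dst"] = str(expected)
    ns["dst_matches_target"] = ipaddress.IPv6Address(ns["dst"]) == expected
    return ns


def lan_prefix_fits(delegated: str, wan: str, lan: str) -> bool:
    """Both /64s must lie inside the delegated /48 and must not overlap."""
    d = ipaddress.IPv6Network(delegated)
    w = ipaddress.IPv6Network(wan, strict=False)  # interface address allowed
    l = ipaddress.IPv6Network(lan, strict=False)
    return w.subnet_of(d) and l.subnet_of(d) and not w.overlaps(l)
```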
#19
Thx!!
#20
Hi all,

not sure if I missed something but I'm not able to find these multi select switches on the log files anymore.
Is this a bug or wanted?

Any possibility to select all severities now?

Best regards
Timmi
#21
23.7 Legacy Series / CrowdSec log to central log system
November 18, 2023, 06:32:49 PM
Hi community,

I'm looking for a possibility to get the crowdsec log forwarded to my central logging platform.

I already opened a ticket to enhance it as the log file is currently not available in the selection.
https://github.com/opnsense/plugins/issues/3666

Just wondering if there is maybe a workaround until this might be enhanced inside the GUI.

Best regards
Timmi
#22
23.7 Legacy Series / Re: unbound question AAAA
November 14, 2023, 10:37:31 AM
Hi all,

I did some more research yesterday.
It looks like the NOERROR response without answer and no SOA won't get cached by resolved.

The typetransparent flag in the unbound configuration solved my issue.

Best regards
Timmi
#23
23.7 Legacy Series / Re: unbound question AAAA
November 13, 2023, 08:48:00 PM
Yes, there is no AAAA entry defined for this.
I guess the problem is Unbound. Will check with the guys there.
Keep you updated.
#24
23.7 Legacy Series / Re: unbound question AAAA
November 13, 2023, 05:05:26 PM
The single client is currently performing around 300 DNS lookups (5min so 1/sec) for IPv6 (AAAA) where the IPv4 (A) requests have been cached.
The systems inside my network register via DHCP their host names (IPv4 only).
Maybe this is also an issue of resolved that it does not cache the response.

Just to make it clear that the single client does not matter much. But it is unnecessary load for nothing and might affect the network and responses for normal DNS requests.
#25
23.7 Legacy Series / Re: unbound question AAAA
November 13, 2023, 04:16:30 PM
Hi,

the client is Rocky Linux 8 based and using systemd-resolved for the DNS cache.
This is not about disabling IPv6 at all.

The system is resolving internal hostnames. IPv4 responses are cached normally.
The client is just asking all the time AAAA requests for the internal hostnames as I guess I'm missing a config on the OPNsense to make sure that these responses are getting cached as well.

Hope this explains it better.
#26
23.7 Legacy Series / Re: unbound question AAAA
November 13, 2023, 03:59:14 PM
Hi bimbar,

the client has IPv6 disabled on the nic.
I guess the empty response from the OPNsense is preventing the local DNS cache of the client to not ask again.
#27
23.7 Legacy Series / unbound question AAAA
November 13, 2023, 03:32:03 PM
Hi guys,

I'm currently trying to reduce the amount of DNS requests hitting my OPNsense (Unbound).
All my networks are IPv4 based.

The client is caching IPv4 IPs correctly but still requests IPv6 IPs for the host name.
I guess the answer from the OPNsense does not keep him happy, so he is requesting the IPv6 IP again next time.
Means I'm seeing only AAAA requests from that client.

Happy to get your ideas.

Best regards and thank you
Timmi
#28
Hi,

I had the same issue with the Suricata.

My config is very basic on my test system. So I guess this needs to be checked before releasing this version as I guess this will affect a lot of people.

Best regards
Christoph
#29
Hi Franco,

I have multiple phase twos. But I manage to get it working with the new connections interface.
Have somehow the feeling that I had to delete the old phase 2 from the old tunnel as well as there have been some old SPD entries.

Now the new configuration is working.

Best regards
Christoph
#30
Hi OPNsense,

I'm looking into the migration of my IPsec configuration to the new IPsec Connection interface.

Tunnel connection looks OK but I don't get any traffic through it. I remembered that the "Tunnel Isolation" was required in the past but I don't find a way to configure this on the new interface.

Any advice?

Best regards
Christoph