
Messages - bartjsmit

#1471
Don't fear the VLAN ;-)

The Register has a gentle introduction: https://www.theregister.co.uk/2017/06/30/vlans_at_20/

In a nutshell: you trunk as many VLANs as you want to use to OPNsense on a tagged port, and add untagged ports on the switch for all the bits of kit that you want to connect to each zone.

TL-SG105E is fine too, but the price per port is a bit higher than for the 108.

Bart...
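The "tagged port to the firewall, untagged ports to the devices" model from the post above, as an added example that is not part of bartjsmit's post or of OPNsense: a small 802.1Q frame parser plus a model of what a managed switch does on an access port (stamp the port VLAN on ingress, strip it on egress) and on a trunk port (pass only the allowed VLANs). The MAC addresses, VLAN numbers and payload are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_untagged(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Frame exactly as an untagged device (PC, printer, access point) puts it on the wire."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag (TCI = PCP:3 bits, DEI:1, VID:12)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Ingress on an untagged (access) port: the switch stamps the port's VLAN id on the frame."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Egress on an access port: the tag is removed, so the device never sees VLAN numbers."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


def egress(frame: bytes, port: dict):
    """What a managed switch emits on `port` for a tagged frame, or None when the port filters it."""
    vid = parse_frame(frame)["vid"]
    if port["mode"] == "access":
        return strip_tag(frame) if vid == port["vid"] else None
    if port["mode"] == "trunk":
        return frame if vid in port["allowed"] else None
    raise ValueError("unknown port mode")


# Constructed sample topology (not from the post): VLAN 10 = servers, 20 = clients, 30 = IoT.
TRUNK_TO_OPNSENSE = {"mode": "trunk", "allowed": {10, 20, 30}}
CLIENT_PORT = {"mode": "access", "vid": 20}
IOT_PORT = {"mode": "access", "vid": 30}

if __name__ == "__main__":
    raw = build_untagged("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                         ETHERTYPE_IPV4, b"constructed payload")
    tagged = add_tag(raw, CLIENT_PORT["vid"])            # client frame enters on access port 20
    print(parse_frame(tagged))                           # vid=20, ethertype=0x0800
    print(egress(tagged, TRUNK_TO_OPNSENSE) == tagged)   # True: reaches the firewall with tag intact
    print(egress(tagged, IOT_PORT))                      # None: a VLAN 30 port never sees VLAN 20
    print(egress(tagged, CLIENT_PORT) == raw)            # True: tag stripped for the untagged device
```

The security point is visible in `egress`: a frame only ever leaves an access port of its own VLAN, so the only path between zones is the trunk into OPNsense, where the firewall rules apply.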
#1472
For around the same cost, you can purchase a TP-Link SG108e managed switch and trunk the necessary VLANs to OPNsense.

Just a thought

Bart...
#1473
Are you allowing icmp6? Does radvdump show the beacon information you are expecting? Have you packet traced the NDP traffic? Any host firewalls getting in the way?

Bart...
#1474
General Discussion / Re: Multi-Level Configuration
July 26, 2018, 08:19:50 AM
Yes, you need routing both ways for the return packets to make it back to the source, or you need an outbound NAT on OPNsense.

It's much easier to have static routes on your NAT gateway for all internal subnets. A few protocols won't even work with double NAT.

Bart...
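The return-path problem behind the two posts above ("Does the internet router know where 10.0.0.0/8 lives?" and "you need routing both ways"), as an added example that is not part of bartjsmit's posts: a minimal longest-prefix-match forwarder and a constructed two-router topology (an ISP gateway at 192.168.1.1, OPNsense at 192.168.1.2 fronting 10.0.0.0/8). The trace shows the reply to an internal client leaving via the ISP uplink when the gateway lacks the static route, and reaching OPNsense once it has one. The addresses, names and the `isp-uplink` label are assumptions; the outbound-NAT alternative is not modelled.

```python
import ipaddress


class Router:
    """Minimal IPv4 forwarder: longest-prefix match over a static table.
    next_hop is 'connected' (deliver directly), another router's address, or an uplink name."""

    def __init__(self, name, routes):
        self.name = name
        self.table = [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self.table:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None


def trace(routers, start, dst, max_hops=8):
    """Follow a packet from router `start` until it is delivered, leaves via an uplink, or is dropped."""
    path = [start]
    current = start
    for _ in range(max_hops):
        next_hop = routers[current].lookup(dst)
        if next_hop is None:
            path.append("dropped: no route")
            return path
        if next_hop == "connected":
            path.append("delivered")
            return path
        path.append(next_hop)
        if next_hop not in routers:      # uplink to the ISP: the packet has left the site
            return path
        current = next_hop
    path.append("dropped: loop")
    return path


# Constructed topology (not from the thread): the ISP gateway owns 192.168.1.0/24, OPNsense sits
# on it as 192.168.1.2 and routes the internal 10.0.0.0/8 networks behind it.
OPNSENSE = Router("opnsense", [
    ("10.0.1.0/24", "connected"),
    ("10.0.2.0/24", "connected"),
    ("192.168.1.0/24", "connected"),
    ("0.0.0.0/0", "192.168.1.1"),
])


def build_gateway(with_static_route: bool) -> Router:
    routes = [("192.168.1.0/24", "connected"), ("0.0.0.0/0", "isp-uplink")]
    if with_static_route:
        routes.append(("10.0.0.0/8", "192.168.1.2"))   # the static route the post recommends
    return Router("gateway", routes)


def return_path(with_static_route: bool, client="10.0.1.10"):
    """Path of a reply packet from the ISP gateway back to an internal client."""
    routers = {"192.168.1.1": build_gateway(with_static_route), "192.168.1.2": OPNSENSE}
    return trace(routers, "192.168.1.1", client)


def outbound_path(with_static_route: bool, dst="203.0.113.9"):
    """Path of a client's packet from OPNsense out to the internet (TEST-NET address as sample)."""
    routers = {"192.168.1.1": build_gateway(with_static_route), "192.168.1.2": OPNSENSE}
    return trace(routers, "192.168.1.2", dst)


if __name__ == "__main__":
    print(outbound_path(False))   # ['192.168.1.2', '192.168.1.1', 'isp-uplink']: outbound always works
    print(return_path(False))     # ['192.168.1.1', 'isp-uplink']: reply to 10.0.1.10 leaks to the ISP
    print(return_path(True))      # ['192.168.1.1', '192.168.1.2', 'delivered']
```

The forward direction works either way because OPNsense's default route points at the gateway; only the reply is affected, which is why the symptom is "connections time out" rather than an immediate error.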
#1475
If you have a fixed IP address, you can configure your clients with that; no need to use an FQDN.

What I meant was, even if you have a variable IP address you still have to have some constant to reliably connect to your VPN; i.e. a dynamic DNS service.
#1476
General Discussion / Re: Multi-Level Configuration
July 25, 2018, 03:43:42 PM
Does the internet router know where 10.0.0.0/8 lives?

Bart...
#1477
A VPN increases security by reducing your attack surface through moving services from public to private networks. The time that you have a public IP address has little bearing on that. You need a dynamic DNS record to reach the VPN server anyway, and there is no security in obscurity.

TL;DR: static IP for VPN is not more insecure

Bart...
#1478
18.1 Legacy Series / Re: IPv6 not working in VMware
July 23, 2018, 11:00:10 PM
Quote from: gex on July 23, 2018, 04:17:31 PM
so you can configure and can use e.g. OpenVPN only over IPv6?

Gregor

Yes, indeed. One /64 from the ISP range for the LAN and one for the VPN. Both LAN clients and VPN clients can browse over IPv6.

Not exclusively, no. OpenVPN won't connect over IPv6 only. You can give the server and clients 169.254.0.0/16 (a.k.a. IPv4 link-local) addresses if you don't want a routable IPv4 tunnel.

Bart...
#1479
18.1 Legacy Series / Re: IPv6 not working in VMware
July 23, 2018, 03:12:11 PM
Works fine on ESXi 6.0 with ISP delegated range.

Bart...
#1480
Are these users in a directory somewhere? My first port of call would be Radius.

Bart...
#1481
Does your openvpn tunnel use a tap or a tun device?

Bart...
#1482
18.1 Legacy Series / Re: 2 Factor authentication
July 17, 2018, 08:25:55 AM
From the console use option 13 to return the firewall to a state before you locked yourself out.

Bart...
#1483
You need to separate them at layer 2 or layer 3 to force them to go through the firewall. That means (respectively) putting them on different VLANs or on different IP subnets, or preferably both.

Different subnets are easiest, since the firewall is a router out of the box. You will need to move the web server to a different firewall network interface with a separate switch. If you don't want to have multiple firewall interfaces and multiple switches, VLAN separation is the answer.

Bart...
#1484
Post a screenshot of Services: Network Time: General to show settings?

Your time needs to be close to the current time, so set it approximately in the console, e.g.

# date 1811071835

Bart...
#1485
Doesn't HE give you a static range? Zonomi will host your AAAA records for free, if there aren't too many of them.

Bart...