Topics - Alpha_DE

#1
Hey!

A user of my system reported issues accessing my IMAP server via IPv6.

After some digging around, I found his IPv6 address in the firewall logs:

17,,,02f4bab031b57d1e30553ce08e0ec131,vtnet4,match,block,in,6,0x00,0xeb111,64,tcp,6,40,2a01:XXXX:fe02::110,2a00:XXXX:ea05,993,61465,0,SA,3642631772,3523825403,21420,,mss;sackOK;TS;nop;wscale

Rule 17, label 02f4bab031b57d1e30553ce08e0ec131 is the global IPv4/6 Default deny / state violation rule

@16 block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
  [ Evaluations: 1886      Packets: 279       Bytes: 12488       States: 0     ]
  [ Inserted: uid 0 pid 79740 State Creations: 0     ]
@17 block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
  [ Evaluations: 1886      Packets: 427       Bytes: 45298       States: 0     ]
  [ Inserted: uid 0 pid 79740 State Creations: 0     ]


I inserted a specific rule for his addresses (besides that, the mail server has its v4/v6 rules allowing access to all mail ports). I see other v6 addresses with the same issue; on v4 it works.

OPNsense 24.1.9_4-amd64

Does anybody have a good idea how to solve that? I was told it started recently, possibly around the 24.1.9 update.
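An added example, not from the post or from OPNsense, that parses the filterlog line quoted above and explains why a TCP packet ended up on the default-deny rule: pf is stateful, so a blocked bare SYN means no pass rule matched, while a blocked SYN/ACK like the one in the log is a reply that found no state, which points at state tracking or an asymmetric path rather than a missing rule. The field layout follows FreeBSD's filterlog format; the IPv4 branch is included for completeness.

```python
import csv
import io

# filterlog line quoted in the post (addresses were anonymised by the poster)
SAMPLE_V6 = ("17,,,02f4bab031b57d1e30553ce08e0ec131,vtnet4,match,block,in,6,0x00,0xeb111,64,"
             "tcp,6,40,2a01:XXXX:fe02::110,2a00:XXXX:ea05,993,61465,0,SA,3642631772,"
             "3523825403,21420,,mss;sackOK;TS;nop;wscale")

def parse_filterlog(line: str) -> dict:
    """Parse one pf filterlog CSV record into a dict (FreeBSD filterlog(8) field order).
    Both IP versions share the first nine fields; the IP header fields differ."""
    f = next(csv.reader(io.StringIO(line.strip())))
    e = {"rule": int(f[0]), "label": f[3], "iface": f[4], "action": f[6],
         "dir": f[7], "ipver": int(f[8])}
    if e["ipver"] == 4:    # tos, ecn, ttl, id, offset, flags, proto-id, proto-text, len, src, dst
        e["proto"], rest = f[16], f[17:]
    elif e["ipver"] == 6:  # class, flow label, hop limit, proto-text, proto-id, len, src, dst
        e["proto"], rest = f[12], f[14:]
    else:
        raise ValueError(f"unsupported IP version {e['ipver']}")
    e["src"], e["dst"] = rest[1], rest[2]
    if e["proto"] in ("tcp", "udp"):       # then: sport, dport, data length
        e["sport"], e["dport"] = int(rest[3]), int(rest[4])
    if e["proto"] == "tcp":                # then: flags, seq, ack, window, urg, options
        e["flags"] = rest[6]
    return e

def diagnose(e: dict) -> str:
    """Explain why a TCP packet reached the default-deny rule. pf is stateful:
    a reply segment (SYN/ACK, or ACK without SYN) is only blocked when no
    state exists for it, whereas a bare SYN being blocked means no pass rule
    matched the new connection."""
    if e["action"] != "block" or e.get("proto") != "tcp":
        return "not a blocked TCP packet"
    flags = set(e.get("flags", ""))
    if flags == {"S"}:
        return "SYN blocked: no pass rule matched the new connection"
    if {"S", "A"} <= flags:
        return "SYN/ACK blocked: reply found no state (state violation or asymmetric path)"
    if "A" in flags:
        return "mid-connection segment blocked: state missing or expired"
    return "other blocked TCP segment"

if __name__ == "__main__":
    entry = parse_filterlog(SAMPLE_V6)
    print(entry["src"], entry["sport"], "->", entry["dst"], entry["dport"], entry["flags"])
    print(diagnose(entry))
```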
#2
24.1, 24.4 Legacy Series / KEA DHCP crashing
June 22, 2024, 03:07:19 PM
Hey!

I recently switched a pfSense to OPNsense and, after having done so, I added some VLANs to encapsulate IoT and Amazon devices. Now I am moving devices from the main network to those new VLAN-tagged Wifi networks.

When adding another entry (previously assigned an address via DHCP), KEA crashed with:

2024-06-22T14:57:30 Error kea-dhcp4 ERROR [kea-dhcp4.dhcp4.0x8366ae000] DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file '/usr/local/etc/kea/kea-dhcp4.conf': failed to add new host using the HW address 'd8:13:2a:4a:09:2c and DUID '(null)' to the IPv4 subnet id '2' for the address 192.168.28.101: There's already a reservation for this address
2024-06-22T14:57:30 Error kea-dhcp4 ERROR [kea-dhcp4.dhcp4.0x8366ae000] DHCP4_CONFIG_LOAD_FAIL configuration error using file: /usr/local/etc/kea/kea-dhcp4.conf, reason: failed to add new host using the HW address 'd8:13:2a:4a:09:2c and DUID '(null)' to the IPv4 subnet id '2' for the address 192.168.28.101: There's already a reservation for this address
2024-06-22T14:57:30 Error kea-dhcp4 ERROR [kea-dhcp4.dhcp4.0x8366ae000] DHCP4_PARSER_FAIL failed to create or run parser for configuration element subnet4: failed to add new host using the HW address 'd8:13:2a:4a:09:2c and DUID '(null)' to the IPv4 subnet id '2' for the address 192.168.28.101: There's already a reservation for this address


I checked the config and there was no duplicate entry for that MAC. I managed to get access to the OPNsense again and deleted the single entry from the config, thus getting it working again.

Besides that, even if there were a duplicate, such an error should result in a warning and the second (duplicate) entry being skipped and marked as erroneous in the reservations section, but it must not prevent KEA from starting, as a running DHCP server can be critical for accessing the network.
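As an added example (not the poster's configuration or OPNsense code), a pre-reload check that finds the condition kea-dhcp4 refuses to start on: the same ip-address or hw-address reserved twice within one subnet4. It runs over a constructed kea-dhcp4.conf fragment and assumes a plain-JSON file (Kea also accepts comments, which json.loads does not).

```python
import json

# Constructed Kea DHCPv4 config fragment (not the poster's file) containing the
# kind of duplicate ip-address reservation that made kea-dhcp4 refuse to start.
SAMPLE_KEA_CONF = """
{ "Dhcp4": { "subnet4": [
  { "id": 2, "subnet": "192.168.28.0/24", "reservations": [
      { "hw-address": "aa:bb:cc:00:00:01", "ip-address": "192.168.28.101" },
      { "hw-address": "aa:bb:cc:00:00:02", "ip-address": "192.168.28.102" },
      { "hw-address": "aa:bb:cc:00:00:03", "ip-address": "192.168.28.101" } ] },
  { "id": 3, "subnet": "192.168.29.0/24", "reservations": [
      { "hw-address": "aa:bb:cc:00:00:01", "ip-address": "192.168.29.50" } ] }
] } }
"""

def find_duplicate_reservations(conf_text: str) -> list:
    """Return (subnet id, key, value, [indices]) for every ip-address or
    hw-address that is reserved more than once within the same subnet4.
    Kea rejects duplicates per subnet, so the same MAC in two different
    subnets (subnet 2 and 3 above) is legitimate and is not reported."""
    conf = json.loads(conf_text)
    problems = []
    for subnet in conf.get("Dhcp4", {}).get("subnet4", []):
        seen = {}
        for idx, res in enumerate(subnet.get("reservations", [])):
            for key in ("ip-address", "hw-address"):
                if key in res:
                    seen.setdefault((key, res[key].lower()), []).append(idx)
        for (key, value), idxs in sorted(seen.items()):
            if len(idxs) > 1:
                problems.append((subnet.get("id"), key, value, idxs))
    return problems

def check_or_explain(conf_text: str) -> str:
    """Human-readable verdict, suitable for a hook that runs before reloading Kea."""
    dups = find_duplicate_reservations(conf_text)
    if not dups:
        return "OK: no duplicate reservations"
    return "; ".join(f"subnet {sid}: {key} {val} reserved at indices {idxs}"
                     for sid, key, val, idxs in dups)

if __name__ == "__main__":
    print(check_or_explain(SAMPLE_KEA_CONF))
```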
#3
Hello!

I want to use OPNsense as a firewall in front of the VMs on my Hetzner root server (main IP, 3 additional IPs, 2 additional /29s, a v6 /64 and an additional v6 /56 network, plus two internal vBridges, one only for the server, one for the vSwitch). Proxmox 7.1 is used in the "routed" variant.

OPNsense is installed in a KVM and configured, and IPv4 works (1:1 NAT and port NAT via the IPv4 of the OPNsense VM also work).

After some trial and error and reading through/trying numerous guides, I managed to get the OPNsense KVM online via IPv6 from the command line with the assigned WAN address from the /56 network (ICMP, TCP, e.g. curl). In LAN2 (IPv6), with a /64 subnet from the /56 network, the VMs can also communicate with the OPNsense (e.g. ICMP, SSH via TCP).

However, I cannot reach the internet via IPv6 from a VM.

Does anyone have a tip?

Network setup of the Proxmox host

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp7s0
iface enp7s0 inet static
        address 5.9.111.111/32
        gateway 5.9.111.22
        pointopoint 5.9.111.22

iface enp7s0 inet6 static
        address 2a01:4f8:aaa:bbbb::2/128
        gateway fe80::1
        up sysctl -p

auto enp7s0.4000
iface enp7s0.4000 inet static
        address 0.0.0.0
        mtu 1400

auto vmbr4000
iface vmbr4000 inet static
        address 10.1.0.1/24
        bridge-ports enp7s0.4000
        bridge-stp off
        bridge-fd 0

auto vmbr0
iface vmbr0 inet static
        address 10.0.0.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o enp7s0 -j MASQUERADE
        post-down iptables -t nat -F

auto vmbr1
iface vmbr1 inet static
        address 111.222.200.248/29
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        up ip route add 5.9.111.130/32 dev vmbr1

iface vmbr1 inet6 static
        address 2a01:4f8:aaa:bbbb:1::1/64

auto vmbr2
iface vmbr2 inet static
        address 111.222.222.240/29
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        up ip route add 5.9.111.110/32 dev vmbr2
        up ip route add 5.9.111.220/32 dev vmbr2

iface vmbr2 inet6 static
        address 2a01:4f8:ccc:ddd0::1/56

OPNsense interfaces:

WAN

Static IPv4: 5.9.111.130 (from vmbr1), gateway is the main IP of the Proxmox host

WAN2

Static IPv6: 2a01:4f8:aaa:bbb0::2/56 (from vmbr2), gateway is 2a01:4f8:aaa:bbb0::1/56

LAN:

Static IPv4: 10.0.0.102, the VMs use this IP as gateway

LAN2:

Static IPv6: 2a01:4f8:aaa:bbb1::1/64, the VMs use 2a01:4f8:aaa:bbb1::xxx/64 and 2a01:4f8:aaa:bbb1::1/64 as gateway