Messages - tswalker

#16
so, this is more of an experiment on my part i suppose... been using cellular services for a few months now, which is using 464XLAT.  I've somewhat got things working with OPNSense now, but falling short I believe.  This is my first attempt to become more involved with IPv6...

I configured WAN interface to use SLAAC, and appear to get a valid address with /64 (prefix?)
I configured LAN interface to use "track interface" on the WAN with a 0x0 prefix ID and "allow manual adjustment"

I get what seems like a valid IPv6 address on the LAN, but no gateway?  However, WAN_SLAAC does show up in the gateways list on the dashboard.

I enabled DHCPv6 server on the LAN interface with a range of :: - ::ffff  (? not sure that is totally correct)

I set Router Advertisements on the LAN as "stateless"  (Windows 10 supports SLAAC ?) with RA Interface as LAN(dynamic) & router priority to normal.

I can ping ipv6.google.com from WAN interface in opnsense:


--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 29.330/32.563/34.813/2.344 ms


However, LAN interface fails

--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss


clients on LAN network are indeed now getting IPv6 addresses... but are unable to also ping ipv6.google.com
at least unbound seems to be resolving to IPv6.. so i guess that's good right?

what am i missing?
#17
more specifically.. i'm looking for a plugin that might provide some visualizations for the web proxy.  cache hits/misses and other statistics perhaps?

If there isn't one, I've seen grafana (?) and other types of visualizers...  would anyone recommend any guides.  In that scenario, i would prefer to offload storage / visualization to another server perhaps?
#18
I tried setting up rules to be applied for a particular gateway, but this didn't do what I thought it would... route that traffic over the interface.

Only seem to be able to setup routing based on network address.  Is there a way to setup routes based on aliases?
#19
Quote from: opnfwb on March 07, 2021, 03:53:01 AM
...
Not sure if this answers your question or not?
...

It does, thanks for the details!
#20
Quote from: djiofackd123 on February 24, 2021, 08:05:10 PM
...
i want to configure bandwidth control on my opnsense with users account of active directory and not with ip
...

this would require setting up limiters basically using separate pipes, queues, and rules in the traffic shaper.. and the rules are only protocol/port/IP based.
so, unless you can figure out a way via DHCP and using AD to assign IP by user (which i think is impossible).. there is no way to do this.

[edit]
here's something that you might be able to do if you move DHCP services over to AD:
https://www.serverbrain.org/network-infrastructure-2003/integrating-dhcp-with-active-directory.html
#21
Quote from: opnfwb on March 06, 2021, 05:14:41 PM
...
I've used OpenWRT as well and am familiar with their scripted implementation to quickly get an AQM up and running.
...

I can see where having separate scripts at the ready would definitely make it easier.  I noticed OpenWRT is able to shape based on DSCP tagging?  (do i have that correct?)

We are able to kind of save a system configuration and restore settings, but importing just shaper settings is a bit lost in OPNsense.

Does OpenWRT use something similar to dummynet?
#22
First off.. this is not a which is better thread and don't want it to be one.  I've been using OPNSense for quite some time now, and have really enjoyed it and contributed/donated, plus plan on continuing to do so.

I've setup the traffic shaper and overall it has done well.  I have little issues with the implementation and it performs simply and easily.

I spun up a box with x86 OpenWRT just to see and experiment, configured SQM and applied CAKE with their piece_of_cake script.. ran a series of tests, and not really finding (at this time) much difference in network performance.

Other than being able to define my properties, rules, queues etc via the GUI in OPNsense whereas OpenWRT is script oriented.  They both are a bit tedious to a degree, but OpenWRT moreso (IMO).

These are two completely different systems I'm running, so I know it's an Apples to Oranges scenario, but in general.. I'm really curious what at the core are the implementation differences?

I really like to "keep it simple sorta" :)
#23
would be nice to have graph options from histogram, stacked, area and deviation styles...
#24
I'm trying to figure out which option to select from the drop down list to only restore the TrafficShaper pipes,queues, and rules values from backup.

Which option do i choose?
#25
sometimes this can be solved by issuing device block licensing. say a block of 10 licenses for like 10$ a year....  100 devices for like 99$ a year... etc.

just a thought
#26
also note that you have to setup the firewall rules to support the redirect to port 3128... there's a very small 'clickable' link in the setting that will do this automatically for you.
#27
I had a low sequence rule defined for a particular device that only streams over http to limit its bandwidth usage and after enabling proxy cache the rule is not respected and all of the device traffic just gets passed to a higher sequence rule that caches all download traffic using http. (at least that is the behaviour I noticed)

Is there a way in proxy cache to exclude an IP address/range or specify a shaping rule that gets applied?

#28
The latest drivers available in FSB support RTL drivers much better IMO....  OPNSense gots them in!
#29
One of the last rules I have setup for shaping is dealing with somewhat of a "catch" all which immediately follows any HTTP and HTTPS traffic that i have missed in preceding rules.

I try to keep ntopng nearby, but often i 'miss' activity this way and would really like to be able to drill into some better metrics by pipe, queue, rule....

thoughts?

#30
Hi,

I notice that I am unable to make a silent 'statement' to my donation.. so i have to publicly state it here.

"I just wanted to say thank you for this project and the work that is being done here.  I have been using OPNSense for nearly two years now and I have really learned and enjoyed using this at my home.  Thank you so much and keep up the great work!"

thanks!
-Troy W.