Hi,
I have OPNSense 23.7.8 running. I would like to experiment with IPv6 in my network. Currently I assign an IPv4 like 10.1.1.X to my clients via DHCP. Via SLAAC the clients get a dynamic public /64 IPv6 and a ULA /64 IPv6. I have enabled this via a virtual IP /64 ULA on the LAN interface. So far that works.
Now I would like to address the Unbound service from OPNsense via IPv6. If I use the public IPv6, this also works without any problems:
dig @MY_OPNSENSE_PUBLIC_IPv6 www.google.de
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @MY_OPNSENSE_PUBLIC_IPv6 www.google.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32014
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.google.de. IN A
;; ANSWER SECTION:
www.google.de. 300 IN A 142.250.27.94
However, when I try to query the ULA of OPNsense, there is only a connection refused:
dig @MY_OPNSENSE_ULA_IPv6 www.google.de
;; communications error to MY_OPNSENSE_ULA_IPv6#53: connection refused
;; communications error to MY_OPNSENSE_ULA_IPv6#53: connection refused
;; communications error to MY_OPNSENSE_ULA_IPv6#53: connection refused
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @MY_OPNSENSE_ULA_IPv6:: www.google.de
; (1 server found)
;; global options: +cmd
;; no servers could be reached
Even if I try it directly from the OPNsense box via 'host', I have the same result. Ping to ULA works in all directions.
Services -> Unbound -> General -> Network Interfaces is set to 'ALL'.
What do I have to do so that I can address Unbound via the Virtual ULA IP? Does anyone have an idea how I can debug this?
https://forum.opnsense.org/index.php?topic=36893.15
Maybe related to all the other ULA issues w/23.7.8 that I and others were having with ULA addresses not working. The latest workaround from Franco of opnsense-patch cd808e3152 solved my issues.
Even with the new version 23.7.8_1, Unbound does not listen on the ULA address. The patches should be included in this version, right?
I can't stress enough the fact that providing hard evidence is the key to a bug fix or support help:
# grep ^interface: /var/unbound/unbound.conf
To see if Unbound actually listens on that ULA. If it doesn't, look at why it's not configured correctly; if it is set, make sure the ULA is accessible to clients and/or responds locally. There are tools for querying a server directly, too. In the case of Unbound also make sure the ACL is set correctly.
But to be honest the recent ULA issue wasn't affecting the way Unbound binds to IPs/ULAs, only the first proposed bug fix patch did, so neither 23.7.8 nor 23.7.8_1 should be omitting ULA addresses here.
Cheers,
Franco
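A small check along the lines Franco describes, added here as an example (it is not code from this thread, from OPNsense or from Unbound): it parses the `interface:` and `access-control:` lines of a constructed unbound.conf sample and reports whether a query from a given client to a given listener address would get no socket at all, a REFUSED from the ACL, or an answer. The sample config and all addresses are made up for illustration.

```python
import ipaddress

# Constructed sample in the shape of the lines that
# `grep ^interface: /var/unbound/unbound.conf` (and the matching
# access-control lines) would show; not a real OPNsense-generated file.
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
    interface: 10.1.1.1
    interface: 2001:db8:1234:1::1
    access-control: ::1 allow
    access-control: 10.1.1.0/24 allow
    access-control: 2001:db8:1234:1::/64 allow
"""

# Wildcard listeners: Unbound binds every address of that family.
WILDCARDS = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("::")}


def parse_unbound(conf):
    """Return (bound addresses, [(netblock, action)]) from unbound.conf text."""
    bound, acls = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            value = line.split(":", 1)[1].strip()
            bound.append(ipaddress.ip_address(value.split("@")[0]))  # drop optional @port
        elif line.startswith("access-control:"):
            net, action = line.split(":", 1)[1].split()[:2]
            acls.append((ipaddress.ip_network(net, strict=False), action))
    return bound, acls


def diagnose(conf, server_addr, client_addr):
    """Classify a client's query to server_addr as 'not-bound', 'refuse' or 'allow'."""
    bound, acls = parse_unbound(conf)
    server = ipaddress.ip_address(server_addr)
    client = ipaddress.ip_address(client_addr)
    # A socket exists only if the address itself, or the same-family wildcard, is listed.
    wildcard = any(w in bound and w.version == server.version for w in WILDCARDS)
    if server not in bound and not wildcard:
        return "not-bound"  # nothing listening: the client sees "connection refused"
    # Unbound applies the most specific matching netblock; unlisted clients are refused.
    matches = [(net.prefixlen, action) for net, action in acls if client in net]
    return max(matches)[1] if matches else "refuse"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, "fd00:1:1::1", "fd00:1:1::50"))           # not-bound
    print(diagnose(SAMPLE_CONF, "2001:db8:1234:1::1", "fd00:1:1::50"))    # refuse
```

The two failure modes look different from the client: a missing listener gives dig's "connection refused" (ICMP port unreachable), while an ACL miss returns a DNS reply with status REFUSED. Only the first matches the symptom in this thread.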
I can only apologize for not providing all the relevant information. I will do better next time.
My problem has now been solved without me deliberately doing anything. I must have made some kind of mistake beforehand.
Many thanks to everyone for the help.