With my internet connection I received a router that assigns me two dynamic IPs, IPV6 and IPV4.
IPV4 is quite stable because it seems to only change when the router is rebooted.
IPV6, instead, always changes at midnight and, I think, even during the day.
So, I created two accounts on DuckDNS and Dedyn.io.
There's no DDNS setting on the router.
However, no matter how hard I try in OpnSense, I can't get an IP address to assign Let's Encrypt certificates for an internal NAS.
At this point, the problem is either the ISP or a misconfigured firewall.
I also looked at guides for configuring the WAN interface with IPv6, but I'm holding off to avoid creating a mess because I know very little about IPv6.
I've now reset OpnSense to its default configuration, meaning there are no WAN or LAN rules.
OpnSense is version 26.1.6, and the only plugins installed are OS-ddclient and os-isc-dhcp.
Thanks in advance for your help.
Quote from: Cobra on Today at 10:22:07 AMIPV6, instead, always changes at midnight and, I think, even during the day.
Yeah, it's interesting to compare what different residential ISPs do w.r.t dynamic IPv6. I have experience with two here: Comcast and Verizon. They are very different. In both cases with DHCPv6-PD in OPNsense, the former one uses long-lived prefixes that rarely change (you could be forgiven for thinking it's static) and the latter changes them almost every time you look! There are annoying tradeoffs either way.
The problem with the long-lived prefix is that SLAAC clients, especially those with privacy extensions, break whenever the modem reboots and causes a prefix deprecation for the same prefix that is going to be used again. It doesn't sound too problematic until you realize that Comcast reboots frequently (it feels like weekly, at least).
The problem with the short-lived ones is just that your clients accumulate all the prefixes and if they're using privacy extensions you could imagine dozens of deprecated addresses in 'ip a' or 'ifconfig' output :P But the network heals quickly / doesn't break. (Side note: I bet these are probably the users that complain the most about all of the addresses appearing in Hostwatch / Automatic Discovery.)
I digress.
Quote from: Cobra on Today at 10:22:07 AMI created two accounts on DuckDNS and Dedyn.io (https://dedyn.io/).
Why both?
I use DuckDNS and it does work with the os-ddclient plugin. I use the native backend in General Settings with interval=300.
Attaching a screenshot of my IPv4 ddclient config. Put your DuckDNS domain name in the "Hostname(s)" field. For IPv6 you would just clone it and change the "Check ip method" to "Interface [IPv6]".
Once that is working, then you can move on to setting up the ACME client with the DNS-01 challenge type. You'll need the DuckDNS API token. There's one "gotcha" that's very important for certificate renewal to work with DuckDNS: you need to set the "DNS Sleep Time" parameter in the challenge type settings to some value (I use 120) which gives enough time for propagation. Else it tends to fail.
Quote from: OPNenthu on Today at 11:01:53 AMQuote from: Cobra on Today at 10:22:07 AMI created two accounts on DuckDNS and Dedyn.io (https://dedyn.io/).
Why both?
I use DuckDNS and it does work with the os-ddclient plugin.
I have read in the past that DuckDNS had many "less reliable moments" so having two of those services running isn't a bad idea at all :)
I've always worked with IPv4 and still prefer it.
I know my ISP's main IP is v6, and I don't want v4 to be a stretch.
In any case, I'm not receiving any v4 or v6 DDNS from either DuckDNS or Dedyn.io.
How should I configure the rules and interface?
Quote from: Cobra on Today at 10:22:07 AMWith my internet connection I received a router that assigns me two dynamic IPs, IPV6 and IPV4.
IPv6 should be static. Otherwise your ISP is not following RIPE recommadations of offering you a statich /48 prefix or at least a static /56.
If that is the case, please name and shame.
Quote from: Cobra on Today at 10:22:07 AMSo, I created two accounts on DuckDNS and Dedyn.io (https://dedyn.io/).
I really like deSEC.io.
If you are looking for a OPNsense plugin that was specifically tailored for deSEC.io, take a loot at this: https://github.com/jameskimmel/deSEC_DynDNS
IMHO simpler than the DDNS plugin.
Quote from: Cobra on Today at 10:22:07 AMHowever, no matter how hard I try in OpnSense, I can't get an IP address to assign Let's Encrypt certificates for an internal NAS.
Why would you need that? You can simply get a cert by using the API DNS challange of desec.io (just make sure to add a 300s wait timeout) to get the cert. For example opnsense.internal.yourdomain.com. Then you can create a unbound DNS override to map opnsense.internal.yourdomain.com to for example 192.168.1.1. On the webGUI settings of opnense you set it to use said cert.
Now you have a valid cert for opnsense.internal.yourdomain.com and can reach your opnsense by inserting https://opnsense.internal.yourdomain.com into your browser.
Quote from: Cobra on Today at 10:22:07 AMI also looked at guides for configuring the WAN interface with IPv6, but I'm holding off to avoid creating a mess because I know very little about IPv6.
Don't worry, you won't mess up anything. Just use the settings your ISP tells you to use on the WAN interface (hopefully DHCPv6). In combination a static IPv6 for your interfaces (or identity association if you don't have a static prefix) combined with Router Advertisement, you have a working IPv6 network(s).