OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: ole on May 22, 2020, 03:59:06 pm

Title: So Sloow SSH login by use of FQDN
Post by: ole on May 22, 2020, 03:59:06 pm
Hello,

I'm just starting to migrate from pfsense to opnsense. So, only LAN and default rules are here. I created an admin account with SSH keys, root isn't allowed to log in, also no password login.

If I log in using the FQDN of my opnsense it takes a really long time (~5 min):

Code:
        date && ssh admin@opnsense.home.lan
        Fr 22. Mai 15:45:21 CEST 2020
        Last login: Fri May 22 15:41:09 2020 from 192.168.1.100
        ----------------------------------------------
        |      Hello, this is OPNsense 20.1          |         @@@@@@@@@@@@@@@
        |                                            |        @@@@         @@@@
        | Website: https://opnsense.org/        |         @@@\\\   ///@@@
        | Handbook: https://docs.opnsense.org/   |       ))))))))   ((((((((
        | Forums: https://forum.opnsense.org/  |         @@@///   \\\@@@
        | Lists: https://lists.opnsense.org/  |        @@@@         @@@@
        | Code: https://github.com/opnsense  |         @@@@@@@@@@@@@@@
        ----------------------------------------------
        admin@OPNsense:~ % date
        Fri May 22 15:49:51 CEST 2020

Using the IP I'm immediately on the opnsense box. Even changes to the unbound override don't change it. Using the web UI is also fast.

Attached my unbound changes. So, what is the reason and how to fix it?

EDIT:

nslookup is quite fast ...

Code:
        $ nslookup opnsense.home.lan
        Server: 192.168.1.1
        Address: 192.168.1.1#53

        Name: opnsense.home.lan
        Address: 192.168.0.66
        Name: opnsense.home.lan
        Address: 192.168.1.1
        Name: opnsense.home.lan
        Address: 2a0c:d242:3805:3bf0:20d:b9ff:fe52:f724
        Name: opnsense.home.lan
        Address: fe80::20d:b9ff:fe52:f724
        Name: opnsense.home.lan
        Address: 2a0c:d242:3805:3b00:20d:b9ff:fe52:f725
        Name: opnsense.home.lan
        Address: fe80::20d:b9ff:fe52:f725

Thanks
Title: Re: So Sloow SSH login by use of FQDN
Post by: hbc on May 22, 2020, 11:07:32 pm
You run dual-stack. Do you have a source IP restriction and privacy extensions active?
Then your PC resolves both addresses and first connects via IPv6 with a temporary source address that is not permitted, and the connection times out; then your client falls back to IPv4 and, since the source IP is correct, it works. I bet you use the IPv4 address when using the IP. That's the reason it works instantly.

I have the same problem. I even used netsh to disable temporary addresses and privacy extensions, but I think I still miss a setting.
Title: Re: So Sloow SSH login by use of FQDN
Post by: ole on May 23, 2020, 10:17:54 am
Thanks for your answer!

Quote from: hbc on May 22, 2020, 11:07:32 pm
You run dual-stack. Do you have a source ip restriction and privacy extensions active?
Then your PC resolves both addresses and first connects via ip6 with a temporary source address that is not permitted and the connection times out, then your client falls back to ip4 and since correct source ip, it works. I bet you use the ip4 address when using ip. That's the reason it works instantly.

All network settings are on default, no special rules so far. So, I can't answer your question with respect to IPv6 privacy extensions. Previously my LAN was IPv4 only. This time I thought I could start with IPv6 in dual stack - and obviously ran into this issue.
So, what are the recommendations here? Any advantages to using IPv6 in a home LAN environment (with VLANs next time)? Viewing the firewall logs with IPv6 makes understanding hard for me ... But for long-term use I would like to use IPv6...

Thanks
Title: Re: So Sloow SSH login by use of FQDN
Post by: hbc on May 23, 2020, 11:35:59 pm
The problem is not the firewall. It's the client you use to access your firewall. Unlike IPv4, where only one address exists per interface, an IPv6 node always has several addresses: at least a link-local fe80:: and one or more public addresses, depending on whether you use SLAAC, DHCPv6 or static addressing and whether privacy extensions are enabled or not.
So either you make your access rule for your admin PC less restrictive (whole IPv6 subnet), or you manually specify the IPv6 source address that your SSH client should use for connections to the firewall, or you try to configure your system to use just one static IPv6 address, which means static IPv6, no temporary addresses and no privacy extensions enabled.
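The failure mode hbc describes (the client resolves both address families, tries IPv6 first from a temporary source address the firewall rule does not permit, waits for the TCP timeout, then falls back to IPv4) can be made visible from the client side. The script below is an added diagnostic written for this thread, not code from the forum or from the OPNsense project: it resolves a name the way `getaddrinfo` (and therefore OpenSSH, which walks the resolver's list in order) does, attempts a TCP connect to port 22 on each address with a short timeout, records which local source address the kernel picked for each attempt, and sums the time spent on failed attempts before the first success. The host name `opnsense.home.lan` and the 3-second timeout are assumptions; the constructed result list in `main()` only illustrates the output and is not real data.

```python
import socket
import sys
import time

SSH_PORT = 22  # assumption: the firewall's SSH listener is on the default port


def resolve(host, port=SSH_PORT):
    """Return (family, address) pairs in resolver order, duplicates removed.

    OpenSSH tries the addresses in exactly this order, so if an IPv6 entry
    comes first and is silently dropped by a source-IP rule, every login
    pays the full TCP connect timeout before IPv4 is tried.
    """
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    ordered = []
    for family, _, _, _, sockaddr in infos:
        entry = ("IPv6" if family == socket.AF_INET6 else "IPv4", sockaddr[0])
        if entry not in ordered:
            ordered.append(entry)
    return ordered


def probe(family, address, port=SSH_PORT, timeout=3.0):
    """Attempt one TCP connect; report outcome, elapsed time and local source address.

    The source address is what the firewall sees: with privacy extensions on,
    the IPv6 one is a temporary address that a rule written for the stable
    address will not match.
    """
    af = socket.AF_INET6 if family == "IPv6" else socket.AF_INET
    sock = socket.socket(af, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    started = time.monotonic()
    result = {"family": family, "address": address, "ok": False,
              "elapsed": 0.0, "source": None, "error": None}
    try:
        sock.connect((address, port))
        result["ok"] = True
        result["source"] = sock.getsockname()[0]
    except OSError as exc:  # timeout, unreachable, refused, bad scope ...
        result["error"] = type(exc).__name__
    finally:
        result["elapsed"] = round(time.monotonic() - started, 2)
        sock.close()
    return result


def fallback_delay(results):
    """Seconds burned on failed attempts before the first successful one."""
    delay = 0.0
    for r in results:
        if r["ok"]:
            return round(delay, 2)
        delay += r["elapsed"]
    return round(delay, 2)


def diagnose(results):
    """Classify the pattern: all-ok, all-failed, IPv6 blocked with IPv4 fallback, or mixed."""
    failed = [r for r in results if not r["ok"]]
    succeeded = [r for r in results if r["ok"]]
    if not failed:
        return "all-ok"
    if not succeeded:
        return "all-failed"
    if all(r["family"] == "IPv6" for r in failed) and any(r["family"] == "IPv4" for r in succeeded):
        return "ipv6-blocked-fallback-to-ipv4"
    return "mixed"


def main(argv):
    host = argv[1] if len(argv) > 1 else "opnsense.home.lan"  # assumed name
    results = [probe(fam, addr) for fam, addr in resolve(host)]
    for r in results:
        state = "ok  " if r["ok"] else "FAIL"
        print(f"{state} {r['family']:4} {r['address']:40} {r['elapsed']:6.2f}s "
              f"source={r['source']} error={r['error']}")
    print("verdict:", diagnose(results), "| delay before fallback:", fallback_delay(results), "s")


if __name__ == "__main__":
    main(sys.argv)
```

A verdict of `ipv6-blocked-fallback-to-ipv4` with a noticeable delay confirms hbc's diagnosis. The `source=` column shows which IPv6 address the firewall actually saw; if it is a temporary address rather than the one in the access rule, that is the rule to widen or the client setting to pin. On the client, OpenSSH's `-b bind_address` selects the source address and `-4` restricts the attempt to IPv4, which is the "manually specify the source address" option from the post.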
Title: Re: So Sloow SSH login by use of FQDN
Post by: ole on May 24, 2020, 08:39:24 am
Thanks for the explanation!