Virtual private networks / Re: wireguard floating rules interface not present
« on: May 28, 2024, 12:57:28 am »
Sorry, it was all my fault: I failed to enable the interface after assigning it. After enabling it, it now shows up.
[transport-tls]
type=transport
protocol=tls
bind=192.168.3.50:5061
ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
cert_file=/etc/asterisk/cert/cert.pem
priv_key_file=/etc/asterisk/cert/privkey.pem
method=tlsv1_2
Maybe a quick "fix" for this is to make a dnsrewrite in opnsense-bind for this particular domain pointing to ipv4?
see here how this can be done in bind: https://www.redpill-linpro.com/techblog/2015/12/08/dns-rpz.html
When I manually ping the server of the VOIP provider, ping uses an IPv6 address. I have to use 'ping -4' to get an IPv4 address. That also shows that asterisk must be asking for IPv4 and not for IPv6.
No, it shows that when you advise the client (ping) to use IPv4, it will ask for the IPv4 address of its target only.
Try it yourself: If you use "nslookup <target>", you will get both addresses. Which of those is used is then up to the client (which will default to IPv6 if it is able to use it).
With bind running on OPNsense, it doesn't work. I have verified that when using the IP address of the server of the VOIP provider instead of the host name, it works and asterisk registers. Again the conclusion is that bind on OPNsense is incorrectly answering with an IPv6 address instead of an IPv4 address.
You are wrong. The default for DNS is to return all addresses (in no specific order) and it is up to the client to decide which it uses. That is by design, not "incorrect".
But as I said, you can restrict OpnSense or even bind itself to only use IPv4, as is probably the case with your other bind instance.
Consider this: If you want bind on OpnSense to return IPv6 addresses as well as IPv4, you have three options:
1. Ask for IPv4
2. Ask for IPv6
3. Ask for any IP
and you say, you want to be able to do 2. and 3. (since you do not want to disable IPv6 altogether), what does your client have to do in order to get IPv4? See?
I would guess that your server bind installation is restricted to IPv4 only like this.
# ping ipv64.net
PING ipv64.net (2a01:4f8:192:1326::bad:c0de) 56 data bytes
64 bytes from ipv64.net (2a01:4f8:192:1326::bad:c0de): icmp_seq=1 ttl=57 time=12.4 ms
[...]
# dig ipv64.net
; <<>> DiG 9.18.26 <<>> ipv64.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5885
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 41379600a24aa64b010000006653753b6c1b0112247d26d9 (good)
;; QUESTION SECTION:
;ipv64.net. IN A
;; ANSWER SECTION:
ipv64.net. 3446 IN A 144.76.85.238
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun May 26 19:45:31 CEST 2024
;; MSG SIZE rcvd: 82
# dig -t any ipv64.net
; <<>> DiG 9.18.26 <<>> -t any ipv64.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64751
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9072464819cc397a0100000066537571f28842cc104a0ef2 (good)
;; QUESTION SECTION:
;ipv64.net. IN ANY
;; ANSWER SECTION:
ipv64.net. 3143 IN SOA ns1.ipv64.net. hostmaster.ipv64.net. 4239685 10800 3600 604800 3600
ipv64.net. 3520 IN AAAA 2a01:4f8:192:1326::bad:c0de
ipv64.net. 3392 IN A 144.76.85.238
ipv64.net. 3143 IN NS ns1.ipv64.net.
ipv64.net. 3143 IN NS ns2.ipv64.net.
ipv64.net. 3143 IN TXT "v=spf1 mx a -all"
ipv64.net. 3143 IN TXT "google-site-verification=8aQ-Dd65zb-d8CCA121kSqkuOOHHzrpxEg9f8ADm7f8"
ipv64.net. 3143 IN MX 10 mail.schroederdennis.de.
;; ADDITIONAL SECTION:
ns1.ipv64.net. 88807 IN A 195.201.223.103
ns2.ipv64.net. 88807 IN A 157.90.241.20
ns1.ipv64.net. 88807 IN AAAA 2a01:4f8:c2c:559c::1
ns2.ipv64.net. 88807 IN AAAA 2a01:4f8:c012:9c97::1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Sun May 26 19:46:25 CEST 2024
;; MSG SIZE rcvd: 430
dig -p 530 ipv64.net @192.168.3.1
; <<>> DiG 9.18.26 <<>> -p 530 ipv64.net @192.168.3.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37648
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3d90bb4740ed5194010000006653763ec95d7c5786cc36bc (good)
;; QUESTION SECTION:
;ipv64.net. IN A
;; ANSWER SECTION:
ipv64.net. 3600 IN A 144.76.85.238
;; Query time: 55 msec
;; SERVER: 192.168.3.1#530(192.168.3.1) (UDP)
;; WHEN: Sun May 26 19:49:50 CEST 2024
;; MSG SIZE rcvd: 82
dig -p 530 -t any ipv64.net @192.168.3.1
; <<>> DiG 9.18.26 <<>> -p 530 -t any ipv64.net @192.168.3.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21078
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 5148bcba6202632d010000006653769e52b873e71ac13dc5 (good)
;; QUESTION SECTION:
;ipv64.net. IN ANY
;; ANSWER SECTION:
ipv64.net. 3600 IN SOA ns1.ipv64.net. hostmaster.ipv64.net. 4239843 10800 3600 604800 3600
ipv64.net. 3600 IN AAAA 2a01:4f8:192:1326::bad:c0de
ipv64.net. 3504 IN A 144.76.85.238
ipv64.net. 3600 IN NS ns1.ipv64.net.
ipv64.net. 3600 IN NS ns2.ipv64.net.
ipv64.net. 3600 IN TXT "google-site-verification=8aQ-Dd65zb-d8CCA121kSqkuOOHHzrpxEg9f8ADm7f8"
ipv64.net. 3600 IN TXT "v=spf1 mx a -all"
ipv64.net. 3600 IN MX 10 mail.schroederdennis.de.
;; ADDITIONAL SECTION:
ns1.ipv64.net. 172704 IN A 195.201.223.103
ns2.ipv64.net. 172704 IN A 157.90.241.20
ns1.ipv64.net. 172704 IN AAAA 2a01:4f8:c2c:559c::1
ns2.ipv64.net. 172704 IN AAAA 2a01:4f8:c012:9c97::1
;; Query time: 37 msec
;; SERVER: 192.168.3.1#530(192.168.3.1) (TCP)
;; WHEN: Sun May 26 19:51:26 CEST 2024
;; MSG SIZE rcvd: 430
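The point made above (the resolver hands back both A and AAAA, and the client decides which family it uses) can be checked mechanically. The following is an added example, not code from the thread: it parses constructed answer-section lines modelled on the two "dig -t any" outputs above, confirms both resolvers return the same address set, and models the three client cases (ask for A, ask for AAAA, ask for any), assuming an IPv6-capable client prefers AAAA when it asks for any address.

```python
# Added example (not from the forum thread). Parses dig answer-section lines,
# compares two resolvers' A/AAAA sets, and shows which address a client ends up
# with depending on which record type it asks for.
import re
import socket
from collections import defaultdict
from typing import Dict, Optional, Set

# Constructed samples, modelled on the local bind and the OPNsense bind (port 530)
# answers quoted in the thread. TTLs differ; the address data is identical.
LOCAL_BIND = """
ipv64.net. 3520 IN AAAA 2a01:4f8:192:1326::bad:c0de
ipv64.net. 3392 IN A 144.76.85.238
ipv64.net. 3143 IN NS ns1.ipv64.net.
"""
OPNSENSE_BIND = """
ipv64.net. 3600 IN AAAA 2a01:4f8:192:1326::bad:c0de
ipv64.net. 3504 IN A 144.76.85.238
ipv64.net. 3600 IN NS ns1.ipv64.net.
"""

# owner, TTL, class IN, type A or AAAA, rdata; other record types are ignored
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)$")

def addresses(dig_answer: str) -> Dict[str, Set[str]]:
    """Collect A/AAAA rdata per record type, ignoring TTLs and non-address types."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for line in dig_answer.strip().splitlines():
        m = RR.match(line.strip())
        if m:
            out[m.group(3)].add(m.group(4))
    return dict(out)

def same_addresses(a: str, b: str) -> bool:
    """The check from the thread: do two resolvers return the same address set?"""
    return addresses(a) == addresses(b)

def pick(dig_answer: str, want: str, ipv6_capable: bool = True) -> Optional[str]:
    """Client-side choice for want in ('A', 'AAAA', 'ANY'). With 'ANY', an
    IPv6-capable client prefers AAAA, as ping did in the thread; 'ping -4' is 'A'."""
    recs = addresses(dig_answer)
    order = [want] if want in ("A", "AAAA") else (["AAAA", "A"] if ipv6_capable else ["A"])
    for rtype in order:
        if recs.get(rtype):
            return min(recs[rtype])
    return None

def live_lookup(host: str, want: str):
    """The same three cases against the real system resolver (needs network;
    not used by the offline checks). getaddrinfo with AF_INET is what 'ping -4' does."""
    fam = {"A": socket.AF_INET, "AAAA": socket.AF_INET6, "ANY": socket.AF_UNSPEC}[want]
    return [ai[4][0] for ai in socket.getaddrinfo(host, None, fam, socket.SOCK_STREAM)]
```

If same_addresses() is true for both resolvers, the server side is ruled out and the remaining question is which family the application (here asterisk) asks for.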
...and thanks for raising the original topic of configuration of BIND on Opnsense, defaultuserfoo. It is something I am about to test myself.
The ISC changed the terms to primary and secondary with BIND 9 and there is no arguing about that fact. Probably you missed the memo.