Messages - johnsmi

#16
Quote from: Bytechanger on May 03, 2020, 04:52:43 PM
OK, I chose Interface->WAN->Prefix delegation size "60" because I only need 5-6 subnets.
When I change my setup and OPNsense is behind another router, I can't get size "56".

Please tell me which size I should choose.
/60 on WAN is a reasonable choice.

Available prefix delegation size of 61 is fine, that's what we expect.

Available DHCP ranges are the same /60 in all cases. That's bad.

I wonder how you managed to get a /60 on the LAN side? It's supposed to be /64 for a single LAN net, i.e. subnet mask 64 bits.
Quote
   [LAN] -> IPv6 address    xxx:xx:xxx:8b00:xxx:xxxx:fe92:8584 / 60
   [Kamera]-> IPv6 address    xxx:xx:xxx:8b01:xxx:xxxx:fe92:8584 / 60
   [Gast] -> IPv6 address    xxx:xx:xxx:8b02:xxx:xxxx:fe92:8584 / 60
Those should be /64 and everything is fine.


We need to get the 2001:db8:a:8b00::/60 into /64 networks.

Did you try using different Prefix-IDs? Currently you're using 0x0 to 0x2 (or 0x6). Try setting LAN to prefix-ID 0x8, we expect the LAN to become 2001:db8:a:8b08::/64.

#17
OK, with:
Interfaces: [WAN]
Prefix delegation size: 60
Send IPv6 prefix hint: on/off -> Does this make a difference?

then I'd expect at:
Services: DHCPv6: [LAN] and [VLAN]
Subnet mask: 64 bits
Available prefix delegation size: 61
with the Subnet/Prefix 00:: and 01:: for prefix-IDs of 0x0 and 0x1.

Could you test with Prefix-IDs of 0x2 and 0x3 for the LAN and VLAN interfaces?

In that case we want to see
2001:db8:a:8b00::/60 requested by WAN
2001:db8:a:8b02::/64 is assigned to LAN
2001:db8:a:8b03::/64 is assigned to VLAN
2001:db8:a:8b08::/61 available for delegation.

Does any 2001:db8:a:8b00:: appear in this case?
#18
OK, this is odd. If it's a bug, then I'm out.

Does it work as expected with the production release? In general tracking works fine with multiple VLANs and also with delegating subnets to routers on LAN side with the production release.



Can you try smaller subnets? Perhaps the /60s are interleaving because there is no /59 available for delegation?

Are you delegating parts of the prefix to routers on LAN or VLAN? Are those delegated networks too large?

I'd expect smaller subnets
subnet6 xx:xx:xx:8b00::/64
subnet6 xx:xx:xx:8b01::/64
in /var/dhcpd/etc/dhcpdv6.conf for "normal" v*LANs.

Which subnet and "Available prefix delegation size" does the GUI show at -> Services: DHCPv6: [LAN]?


There is no MAC for IPv6. The easiest way to add a static mapping is finding the ID/IPv6 at -> Services: DHCPv6: Leases -> and adding it from there. With a dynamic prefix just use "::123" for the IP and DHCP will add the correct prefix.
#19
Quote from: Bytechanger on May 02, 2020, 04:39:43 PM
What is going wrong?
Probably nothing wrong at all. ;)

LAN is getting the subnet(-ID) ::e301::, which seems to be Prefix-ID 0.
VLAN with Prefix-ID 1 is getting the subnet ::e300::

The association of Prefix-ID and subnet depends on how you're counting and where you start. Just don't rely on any predictable relation between subnet-ID and prefix-ID; it depends on the implementation.


e.g. my parent router delegates the prefixes from the end of its range: a /60 with ID 0xf results in ...ff::/64, and a /61 with IDs 0x0 to 0x7 results in ...f8:: to ...ff::/64 networks.

Things start getting interesting when leases expire with multiple routers and the subnet-IDs switch e.g. from ef:: to ff::, while the prefix-IDs were not touched.
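
To make the prefix-ID arithmetic from posts #16 to #19 concrete, here is an added example in Python. It is not code from the original posts or from OPNsense. It assumes the documentation prefix 2001:db8:a:8b00::/60 used in the thread, that prefix-IDs count /64s from the start of the delegated block (the posts point out that this convention is implementation-dependent), and that a "::123" static-mapping suffix is simply OR-ed into the current /64; the function names are this example's own.

```python
import ipaddress
from typing import List, Set

IPv6Net = ipaddress.IPv6Network


def child_subnet(delegated: str, prefix_id: int, new_prefix: int = 64) -> IPv6Net:
    """Return the /new_prefix that prefix_id selects inside the delegated prefix.

    Assumption: IDs count from the start of the block, so ID 0x0 is the first /64.
    Raises ValueError when the ID does not fit (a /60 holds 16 /64s, IDs 0x0-0xf).
    """
    net = IPv6Net(delegated, strict=True)
    if new_prefix < net.prefixlen:
        raise ValueError(f"/{new_prefix} is larger than the delegated {net}")
    count = 2 ** (new_prefix - net.prefixlen)
    if not 0 <= prefix_id < count:
        raise ValueError(f"prefix-ID {prefix_id:#x} out of range: {net} holds {count} x /{new_prefix}")
    block_size = 2 ** (128 - new_prefix)
    return IPv6Net((int(net.network_address) + prefix_id * block_size, new_prefix))


def remaining_blocks(delegated: str, used_ids: List[int]) -> List[IPv6Net]:
    """Collapse the /64s not consumed by used_ids into the largest aligned blocks left over.

    With IDs 0x2 and 0x3 used in a /60 this yields a /63, a /62 and the /61 at ...8b08::,
    the /61 being what the thread expects as "available for delegation".
    """
    net = IPv6Net(delegated, strict=True)
    used: Set[IPv6Net] = {child_subnet(delegated, i) for i in used_ids}
    free = [s for s in net.subnets(new_prefix=64) if s not in used]
    return list(ipaddress.collapse_addresses(free))


def available_delegation_size(delegated: str, used_ids: List[int]) -> int:
    """Prefix length of the largest contiguous, aligned block still free for onward delegation."""
    blocks = remaining_blocks(delegated, used_ids)
    if not blocks:
        raise ValueError("no /64 left to delegate")
    return min(b.prefixlen for b in blocks)


def static_address(subnet: IPv6Net, suffix: str) -> ipaddress.IPv6Address:
    """Combine a (possibly dynamic) /64 with a host suffix such as '::123'.

    Assumed to mirror what post #18 describes for static mappings on a dynamic prefix:
    the prefix bits come from the current lease, the host bits from the suffix.
    """
    host = int(ipaddress.IPv6Address(suffix))
    if host & int(subnet.netmask):
        raise ValueError(f"suffix {suffix} overlaps the prefix bits of {subnet}")
    return ipaddress.IPv6Address(int(subnet.network_address) | host)


def dhcpd6_subnet_lines(delegated: str, ids: List[int]) -> List[str]:
    """The subnet6 prefixes post #18 expects to see in /var/dhcpd/etc/dhcpdv6.conf for these IDs."""
    return [f"subnet6 {child_subnet(delegated, i)}" for i in ids]


if __name__ == "__main__":
    wan_pd = "2001:db8:a:8b00::/60"       # documentation prefix used in the thread
    lan, vlan = 0x2, 0x3                  # the prefix-IDs suggested in post #17
    print("LAN :", child_subnet(wan_pd, lan))
    print("VLAN:", child_subnet(wan_pd, vlan))
    print("free:", [str(b) for b in remaining_blocks(wan_pd, [lan, vlan])])
    print("available prefix delegation size:", available_delegation_size(wan_pd, [lan, vlan]))
    print("static mapping ::123 on LAN:", static_address(child_subnet(wan_pd, lan), "::123"))
    for line in dhcpd6_subnet_lines(wan_pd, [lan, vlan]):
        print(line)
```

Run it with IDs 0x0 and 0x1 instead and the free space still collapses to a /61, which is why the GUI value of 61 in post #16 is expected rather than a problem; only the assignment of IDs to /64s differs between implementations.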

#21
General Discussion / Re: No internet on LAN
March 25, 2020, 09:48:33 PM
I'm still not sure which DNS/DHCP you're talking about.

DNS-Forwarder
@ Services: Unbound DNS: General
Quote
forward-zone:
name: "."
forward-addr: IP@53

DNS-server for OPNsense/its DHCP:
@ System: Settings: General
DNS servers
... 192.168.2.1
[ x ] Allow DNS server list to be overridden by DHCP/PPP on WAN

DNS-Server set at OPNsense-DHCP:
@ Services: DHCPv4: [LAN]
... 192.168.2.1 can be used for testing,
"Leave blank to use the system default DNS servers: This interface IP address if a DNS service is enabled or the configured global DNS servers."


The above "should" set the correct DNS server on the clients.


At Unbound the play button needs to have a green background, otherwise it's switched off.
#22
General Discussion / Re: No internet on LAN
March 25, 2020, 07:14:58 PM
1) You don't have to, however you can remove the route if you don't need it.
5) I'm not sure if i understand.

With BIND and/or unbound you can set DNS Query Forwarding.
https://wiki.opnsense.org/manual/how-tos/bind.html#advanced
You can put 192.168.2.1@53 there.

When adding the IPs of your ISP's DNS servers, be aware that these might change at some point and break things. It should be fine until then.



6.
If IPv6 doesn't work: there is a 'feature' in the recent FritzOS. All devices connected to the fritzbox need to be set to standard-profile, without any restrictions.
#23
General Discussion / Re: No internet on LAN
March 25, 2020, 06:03:52 PM
1.
The route fritzbox->opnsense-LAN is only needed if you want to access the opnsense-LAN from the fritzbox net.

2.
The route is wrong, gateway should be 192.168.2.52 (OPNsense-WAN-IP)

3.
Don't add any routes in OPNsense, those are added automatically.

4.
Can you ping 192.168.2.1 from the LAN interface in OPNsense?

5.
Are there any restrictions on the fritzbox? child-protection, online-limit, ...
#24
Quote from: tomclewes on March 24, 2020, 09:06:46 PM
Create an alias of private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), set that alias as the destination in the firewall then invert the destination

The above seems clunky and is surely not the solution that the developers intended for us to use.
I'm not sure. It makes perfect sense; why should the developers intend something different?



What's the problem with "allow from LAN to NOT-local ..."? "Internet" is "NOT-local". WAN is usually "Internet", with doubleNAT WAN is "Internet + some local net".

Instead of
allow "NOT rfc1918" https

You could use
block rfc1918
allow any https

If you need access to WAN/DMZ/...
allow 192.168.123.0/24 https
block rfc1918
allow any https


#25
German - Deutsch / Re: 2 OPNsense in one network
March 24, 2020, 07:01:10 PM
Quote from: Metti on March 20, 2020, 02:48:48 PM
So far everything is running; now (because we are moving) I want to connect a new OPNsense to the old one at short notice
OPNsense2
Quote from: micneu on March 24, 2020, 05:11:13 PM
I still don't understand why you have 2 x OPNsense in your network.
Rebuild because of the move? At least that's how I understood it. It doesn't matter anyway.

If it works from WAN-OPNsense2=LAN-OPNsense1 into the LAN of OPNsense2, that is already good.

In the other direction

  • the firewall on the LAN interface of OPNsense2 has to allow RDP.

  • The respective Windows firewall must also allow it, i.e. on the devices in the OPNsense1 LAN allow RDP from the 192.168.2.0/24 network. There may be different network profiles there, or a distinction by local subnet?
#26
Quote from: fabian on March 22, 2020, 04:18:22 PM
This is the private IP space in IPv6 fc00::/7. Packets from there should never arrive at the WAN interface. Maybe your provider is doing strange things with IPv6, then it may still happen.
Neither from RFC1918 ranges if the ISP uses CGNAT.

I've never seen those in any logs. My point was just defining bogon fc00::/8 vs. private fd00::/8. I just chose IPv6, because fc00::/7 combines both easily.

#27
20.1 Legacy Series / Re: VPN (mental pose)
March 22, 2020, 04:33:09 PM
OK, simple answer:
1) no
2) yes



--
More elaborately:
I never used nor tested OpenVPN.
I'm currently running Wireguard with doubleNAT:


Internet
|
ISP-Router with VoIP-stuff
|
OPNsense
|
LAN, Wireguard, ...


Basically https://wiki.opnsense.org/manual/how-tos/wireguard-client.html without Outbound-NAT.

#28
Bogon networks are not defined, thus you can safely block those.

e.g.
fc00::/8 is not defined / invalid ULA,
fd00::/8 is valid ULA,
blocking fc00::/7 doesn't harm.

You can create a single firewall-alias with the networks to block and keep the rules tidy. Also nested aliases with rfc1918, other "private", ULA and so on.
#29
100.64.0.0/10 is not defined as private. The "checkbox" considers it to be blocked, too. Whatever.


Disable the checkbox and create a firewall rule blocking the "real" private networks (i.e. 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, fd00::/8).
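
As an added illustration of the alias-based rules discussed in posts #24, #28 and #29, here is a small Python rule evaluator. It is example code written for this page, not OPNsense's rule engine or alias format. It assumes first-match semantics (OPNsense rules have "quick" set by default, which is taken as given here), an implicit default deny at the end of the list, and its alias names (rfc1918, cgnat, ula, ula_reserved, private_all, dmz) and the 192.168.123.0/24 "DMZ" subnet are this example's own; the sample destinations are constructed, with 203.0.113.10 standing in for a host on the Internet.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Alias table (hypothetical names). An entry that names another alias nests it,
# which is how post #28 suggests keeping rfc1918, other "private" ranges and ULA tidy.
ALIASES: Dict[str, List[str]] = {
    "rfc1918":      ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "cgnat":        ["100.64.0.0/10"],   # shared address space: not RFC1918, not "private"
    "ula":          ["fd00::/8"],        # ULA as actually assigned (fc00::/7 with the L bit set)
    "ula_reserved": ["fc00::/8"],        # the undefined half of fc00::/7
    "private_all":  ["rfc1918", "ula", "ula_reserved"],  # nested alias
    "dmz":          ["192.168.123.0/24"],  # the subnet post #24 still wants reachable
}


def expand(alias: str, _path: Tuple[str, ...] = ()) -> List[IPNet]:
    """Flatten an alias, following nested alias names, into concrete networks."""
    if alias in _path:
        raise ValueError(f"alias loop at {alias}")
    nets: List[IPNet] = []
    for entry in ALIASES[alias]:
        if entry in ALIASES:
            nets.extend(expand(entry, _path + (alias,)))
        else:
            nets.append(ipaddress.ip_network(entry, strict=True))
    return nets


def in_alias(ip: str, alias: str) -> bool:
    """True when ip falls inside any network of the alias (address family must match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in expand(alias))


# A rule: action, destination alias ("any" for no restriction), optional port, optional inversion.
Rule = Dict[str, object]


def rule(action: str, dst: str, dport: Optional[int] = None, invert: bool = False) -> Rule:
    return {"action": action, "dst": dst, "dport": dport, "invert": invert}


def first_match(rules: List[Rule], dst_ip: str, dport: int) -> str:
    """Walk the rule list top-down; the first matching rule decides ("quick" semantics, assumed).

    Nothing matching falls through to the implicit default deny.
    """
    for r in rules:
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["dst"] == "any":
            hit = True
        else:
            hit = in_alias(dst_ip, str(r["dst"]))
            if r["invert"]:
                hit = not hit
        if hit:
            return str(r["action"])
    return "block"


HTTPS = 443

# The single inverted rule quoted in post #24: allow https to anything that is NOT rfc1918.
RULES_INVERTED = [rule("pass", "rfc1918", HTTPS, invert=True)]

# The ordered alternative from the reply, with the DMZ exception placed first.
RULES_ORDERED = [
    rule("pass", "dmz", HTTPS),
    rule("block", "rfc1918"),
    rule("pass", "any", HTTPS),
]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.168.123.5", "192.168.1.5", "100.64.1.1"):
        print(ip, "inverted:", first_match(RULES_INVERTED, ip, HTTPS),
              "ordered:", first_match(RULES_ORDERED, ip, HTTPS))
```

The two rule sets agree for Internet and for ordinary private destinations; they differ for the DMZ subnet, which only the ordered list reaches, and both let 100.64.0.0/10 through because it is not part of rfc1918, which is the point post #29 makes about the checkbox.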

#30
German - Deutsch / Re: 2 OPNsense in one network
March 22, 2020, 01:36:41 PM
Quote from: Metti on March 22, 2020, 11:43:00 AM
but as soon as I enter the route, I can no longer reach the second OPNsense (network broken)

?

Are my assumptions about the network layout and the typos in the IP addresses correct? In particular, are LAN and WAN in different networks?

Are

  • 1. the gateway
  • 2. the route
both specified on OPNsense1?

If necessary:
Does it work if the routes are set up on the FritzBox?