Messages

Generally IPv6 does away with the reasons for NAT (address space exhaustion, LAN discovery) but there is no reason why you can't do it. However, the fc00::/7 range is reserved for non-routable addresses. Any router (including OPNsense) will refuse to route these. Only addresses in the 2000::/3 range are publicly routed.

You can set up an internal IPv6 /64 subnet and NAT that to another range on OPNsense. The option for this is NPT (Network Prefix Translation) under firewall, NAT. As its name implies, the host portion of the address stays the same and the first 64 bits of the address are NAT-ed.

Bart...

Apart from ICPM, does http work over IPv6?

Bart...

Sounds like a routing issue. Perhaps a typo on your lan side? I.e. your traffic is going out OK but return packets never make it back because your lan is outside your range and your ISP routes it to somebody else.

Bart...

Does your DNS server resolve AAAA records? You can try ping to 2001:4860:4860::8888 or 2001:4860:4860::8844

Bart...

Yes, spot on. Once you have your internal computers set up, try http://cav6tf.org/ to test.

Bart...

Is there an IPv6 address showing on the interface section of your dashboard?

The first 14 characters is your /56. E.g. 2001:0db8:85a3:4700:feed:8a2e:0370:7334 would be part of a 2001:0db8:85a3:47::0/56 delegation.

You can also get the IPv6 from the console (or SSH) with ifconfig

Ignore the fe80: address, routable addresses start with 2001:

Bart...

Given the size of the overall address space, I can't see your ISP changing your range any time soon but it's worth keeping an eye on your WAN interface across a couple of reconnects.

RFC3177 says that you should assign a /64 for any network that contains hosts https://tools.ietf.org/html/rfc3177 so the /56 gives you the option to create a DMZ (or even a few hundred).

Bart...

Pick a /64 within your delegation and assign a static IP to the LAN interface from that subnet. Enable router advertisements from the dhcpv6 service and watch the magic happen (SLAAC permitting) ;-)

Bart...

What happens when you press the I (for India) key when you get the choice between LiveCD and Installer?

FWIW, most boots go straight to the installer. Yours is different somehow.

Bart...

The accepted way to troubleshoot is to reduce the problem. You know that it is "fixed" with no filter at all (direct laptop connection)

I would build the absolute minimum configuration, e.g. outbound NAT only, and play with the hardware and tunable settings to maximise throughput. Then introduce features you want and weigh up for each if you're willing to pay the performance tax and/or tune more to reduce the impact.

The old adage still holds; tweak it until it breaks, then take it back a notch ;-)

Bart...

You need to run a proxy to filter by URL https://docs.opnsense.org/manual/proxy.html

Bart...

OPNsense can use Active Directory but doesn't host it out of the box. Your best alternative for a free directory is samba on Linux.

If your hardware is up to it, you can run a free hypervisor with samba and opnsense as guest VM's. ESXi, KVM and virtualbox are the most common options.

Bart...

Default credentials are root with password opnsense

https://docs.opnsense.org/manual/install.html

Bart...

Hi Bill,

I danced around this subject for a wee while back when I switched to an IPv6 capable provider. These are my notes from that time. My modem is in bridged mode (PPPoA -> PPPoE).

- WAN IPv4 configuration type to PPPoE
- WAN IPv6 configuration type to DHCPv6
- Credentials as per ISP

DHCPv6 client configuration
- Use IPv4 connectivity
- DHCPv6 Prefix Delegation size as per ISP

Set the internal (LAN) network to a /64 subnet within your delegation. Under Services, DHCPv6, Advertisements set the router to unmanaged, priority high and enter the IPv6 address of your internal DNS server(s) with domain search list. Tick RA Sending for router advertisements. The default intervals are RFC 7772 compliant.

After a while, SLAAC compliant clients will automagically pick up the config and add a 2001: IPv6 address. Browse to http://cav6tf.org and watch the turtle swim ;-)

Bart...

Creating VM's that use more vCPU's than there are execution units available will reduce performance, not increase it.

Hyper threading offers two threads on a single core. That is fine if the workloads are split into multiple smaller VM's that take advantage of the better scheduling from hyper threading. A single VM that takes all threads will suffer a lot of CPU ready wait and co-stop time. If you want to over-commit your CPU resource (and you should), do so by creating multiple smaller VM's.

Going back to the example; you will find that an OPNsense VM with two vCPU will perform better than one with four unless the workload is capable of using all cores, in which case you are better off running it directly on bare metal.

More details are in the VMware KB https://kb.vmware.com/kb/1017926 with a bit more explanation in blogs like this one: http://wahlnetwork.com/2013/09/30/hyper-threading-gotcha-virtual-machine-vcpu-sizing/

Bart...