Messages - Jose

#1
Quote from: meyergru on April 17, 2025, 04:21:19 PM
Many routers tend to hand out only a /64 range, because they usually "think" that there is only one LAN connected to them - I mean that is in itself not a sure sign that your ISP does not hand out a larger prefix like /56 or /48 as per IA-PD. You would probably see that if you use the ISP router in bridge/modem mode and try bringing up the connection with OpnSense as the only router.

I cannot provide any specific instructions, because IDK that provider.


Hi @meyergru, yes you are right. Apparently this ISP is indeed locking domestic/home users to just one IPv6 LAN prefix, and bridge or DMZ mode does not work as intended either, hence why the ISP router in bridge or DMZ mode didn't work on the IPv6 side as expected when testing, and the user can't modify the prefix nor disable IPv6 in the ISP router.

To make things worse, I found that this ISP company is nothing more than a Carrier-Grade NAT ("cgnat.libertypr.net") with a dynamic/dynamic connection setup.

This boils down to: no matter what firewall/router is connected in between, it will not work as intended for the IPv6 stuff, and since more and more heavily loaded content-delivery-network websites/apps are using IPv6, disabling it completely like two decades ago is not recommended.

I've confirmed this by completely disabling IPv6 only on my workstation/client, and all of these websites/apps loaded partially/broken even when connected directly to the CGN ISP.

I will try to contact my ISP and ask if they can change this IPv6 prefix limitation, and if that's not possible, then wait patiently for further resolutions regarding CGN users with OPNsense.

For now I will enable the `ufw` firewall on my workstation and tighten my current `pf` settings on my FreeBSD server; even if working with this stuff by hand is a headache, at least it's better than nothing.

Again, thanks a lot for the suggestions @meyergru, @cookiemonster and @Seimus.

Regards
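Two checks this post turns on can be made concrete: whether the address the ISP hands the WAN sits in the RFC 6598 shared address space that carrier-grade NAT uses (100.64.0.0/10), and whether the IA-PD delegation is large enough to number more than one (V)LAN, which is the difference between meyergru's /56 and the single /64 this ISP gives. The following is an added Python example, not code from the post or from OPNsense; it uses only the standard library `ipaddress` module, and every address in it is a constructed sample.

```python
"""Sanity checks for an OPNsense WAN behind an ISP router or CGN.

Added example, not code from the post or from OPNsense. Uses only the
standard library. All sample addresses below are constructed.
"""
import ipaddress

# RFC 6598 shared address space: what a carrier-grade NAT (CGN) hands out
# to subscribers. Seeing it on the WAN means a second NAT layer upstream
# of the firewall and no inbound reachability.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")


def wan_address_class(wan_ipv4: str) -> str:
    """Classify the IPv4 address the ISP handed to the WAN interface."""
    addr = ipaddress.ip_address(wan_ipv4)
    if addr in CGNAT_SPACE:
        return "cgnat"      # RFC 6598: carrier-grade NAT upstream
    if addr.is_private:
        return "private"    # RFC 1918: ISP router in routed (double-NAT) mode
    if addr.is_global:
        return "public"     # directly routable; bridge/modem mode is working
    return "other"          # loopback, link-local, multicast, reserved


def available_lan_count(delegated: str) -> int:
    """How many /64s an IA-PD delegation can be carved into.

    SLAAC needs a full /64 per segment, so a /64 delegation numbers exactly
    one LAN, a /56 numbers 256 and a /48 numbers 65536.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        return 0            # too small for even one SLAAC segment
    return 2 ** (64 - pd.prefixlen)


def carve_lan_prefixes(delegated: str, lan_count: int) -> list[str]:
    """Return one /64 per (V)LAN out of the delegation, lowest first.

    Raises ValueError when the delegation is too small, which is the
    situation the post describes (a single /64 that cannot be subdelegated).
    """
    available = available_lan_count(delegated)
    if lan_count > available:
        raise ValueError(
            f"{delegated} yields {available} /64 prefix(es); "
            f"cannot number {lan_count} LAN(s) from it"
        )
    pd = ipaddress.IPv6Network(delegated, strict=True)
    subnets = pd.subnets(new_prefix=64)
    return [str(next(subnets)) for _ in range(lan_count)]


if __name__ == "__main__":
    # Constructed samples: a CGN subscriber address, a /56 and a lone /64.
    print(wan_address_class("100.72.3.9"))
    print(carve_lan_prefixes("2001:db8:abcd::/56", 3))
    try:
        carve_lan_prefixes("2001:db8:abcd:12::/64", 2)
    except ValueError as exc:
        print(exc)
```

A WAN address outside 100.64.0.0/10 does not by itself rule out CGN further upstream (an ISP router in routed mode hands the firewall an RFC 1918 address and hides what it got itself), so the prefix-size check and a look at the ISP router's own WAN status page are the practical companions to the address classification.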
#2
Quote from: meyergru on April 17, 2025, 01:38:33 PM
In that case you probably do not have an ISP "modem", but a router. I dislike those router-behind-router configurations, because they have several disadvantages (see point 4 here), however I know that outside of countries like Germany, you sometimes cannot use a "modem-only" termination with some ISPs.

For IPv6 to work with such a configuration, you would have to configure IPv6 subdelegation. Essentially, most ISPs hand out a single IA-NA IPv6 and a /56 IA-PD IPv6 prefix from which you can take out parts to delegate to your (V)LANs.

This is explained for a specific example here.

That being said, I cannot see what/how your ISP actually delegates subnets, because there are no netmasks for either IPv4 or IPv6 in your picture.


Hi @meyergru, thanks again for the great info, much appreciated; gonna have a good read indeed.

You are right, I have an ISP cable modem and router combo that has its own DHCP/NAT/UPnP/firewall etc. integrated; I have the habit of calling them ISP modems, yeah. By the way, it has the option for bridge mode, but I can't get IPv6/DNS6 to work regardless of whether it's bridged.

Also, this ISP gives just a /64 prefix for IPv6 that can't be changed; by the way, I don't know if it could be modified through telnet like in some ISP modems/routers, but I think I won't mess around with it before asking them for options.

I will post an image of the Arris cable modem/router IPv6/DNS config pane for reference; hopefully this can be solved soon so I can order a Protectli box to play with.

Regards

ISP Cable/Modem IPv6 config:
#3
Quote from: meyergru on April 17, 2025, 11:57:16 AM
Are you really sure that the problem is about OpnSense? The way you describe it, you employ a great amount of blockers/privacy tools and other plugins in your browser which might interfere with dynamic websites. I would try to use another browser without those tools and try if one (or more) of these are the culprit.


Hi @meyergru, thanks for the input.

I've concluded that OPNsense is not the issue here as previously noted; also, yes, I've tested with alternate clients and a laptop with Debian and fresh/stock Firefox and have no luck with those sites/apps other than connecting directly to the ISP, same with Android and iPhone clients.

I'm leaning towards a possible IPv6 misconfiguration between the ISP modem and the firewall, since I got some IPv6 content when directly connected to the ISP but none when connected through the firewall, like shown in the image below; hopefully I'll get some time to do more testing on this during the weekend.

Regards

Dynamic IPv6 content when connected to the ISP directly (no bridge/DMZ modes though):
#4
Hello, here's an update.
I wanted to get more answers on this, but it looks like there is little to no viable solution to this phenomenon yet.

Here's the latest testing process I performed:

1: Played with the MTU and IPv6 without luck.
2: Played with some interface settings and the hardware offloading stuff, no luck.
3: Completely disabled IPv6 in ISP modem and OPNsense to test, no luck.
4: Installed an old OPNsense version "21.7" for re-testing, no luck.
5: Tested with two different clients and a laptop, no luck.

Then I decided to test "that other firewall distro" and I was amazed it behaved exactly the same as OPNsense after playing with it; man, at that moment I got a wide ear-to-ear smile as I rapidly determined that OPNsense is not the issue here.

Since both firewalls behaved the same, I decided to reset my old but good Linksys EA8100v2 and connected it as a basic AP/router, and I was surprised it also behaved the same as in the previous tests: most websites load ok, but web pages/apps depending on any CDN/Google stuff were broken as well, yep, wow...

Also noticed that every time I restart the Arris ISP cable modem, the DNS/DNS64 servers change.

So I've concluded that something bizarre is happening between my ISP and OPNsense even if the ISP modem is in bridge mode; definitely this phenomenon is caused by them, and it's very worrying that most of the broken websites/apps are the ones with the worst privacy concerns.

I've currently retired the HP Pro 6300 SFF/Linksys AP and connected my clients directly to the crappy ISP until I get some more time to debug this; such a pity, I was about to order a Protectli Vault V1211, but for now I will keep testing this issue on old hardware to determine if I should look around for ISP alternatives other than Liberty Cablevision LLC.

PS. Maybe I could try scanning/sniffing the network traffic and patiently reading the logs, lastly, if I can get some time to do so.

Regards
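The observation in this post that the DNS/DNS64 servers change at every modem restart raises a question worth settling before blaming the firewall: is the resolver the ISP hands out actually doing DNS64, and which NAT64 prefix is it synthesizing? RFC 7050 answers that by querying AAAA for ipv4only.arpa, a name that legitimately has only A records (192.0.0.170 and 192.0.0.171); any AAAA in the reply was synthesized by a DNS64 resolver, and the NAT64 prefix falls out by decoding the RFC 6052 embedding at each allowed prefix length. The following is an added Python example, not code from the post or from OPNsense, that implements the decoding step offline on constructed AAAA records; the live lookup (for example `drill ipv4only.arpa AAAA` on FreeBSD, against each resolver the modem hands out) is left out so the block runs without network access.

```python
"""Detect DNS64 and recover the NAT64 prefix from an ipv4only.arpa answer.

Added example, not from the post or from OPNsense. The AAAA records used
below are constructed samples; a real check resolves ipv4only.arpa
(RFC 7050) through the resolver the ISP modem hands out.
"""
import ipaddress

# RFC 7050: ipv4only.arpa has only the A records 192.0.0.170 and 192.0.0.171.
# Any AAAA answer for that name was synthesized by a DNS64 resolver.
WELL_KNOWN_IPV4 = {
    ipaddress.IPv4Address("192.0.0.170"),
    ipaddress.IPv4Address("192.0.0.171"),
}

# RFC 6052 section 2.2 allows these NAT64 prefix lengths; /96 is the common
# one (the well-known prefix 64:ff9b::/96 uses it), so it is tried first.
RFC6052_PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)


def embedded_ipv4(addr, plen):
    """Extract the IPv4 address embedded in an IPv4-embedded IPv6 address.

    `addr` is an IPv6 address (string or IPv6Address), `plen` the assumed
    NAT64 prefix length. Returns None when the address cannot be a valid
    embedding at that length (byte 8, bits 64-71, must be zero below /96).
    """
    b = ipaddress.IPv6Address(addr).packed
    if plen < 96 and b[8] != 0:
        return None
    if plen == 32:
        v4 = b[4:8]
    elif plen == 40:
        v4 = b[5:8] + b[9:10]
    elif plen == 48:
        v4 = b[6:8] + b[9:11]
    elif plen == 56:
        v4 = b[7:8] + b[9:12]
    elif plen == 64:
        v4 = b[9:13]
    elif plen == 96:
        v4 = b[12:16]
    else:
        raise ValueError(f"{plen} is not an RFC 6052 prefix length")
    return ipaddress.IPv4Address(bytes(v4))


def discover_nat64_prefix(aaaa_answers):
    """Return the NAT64 prefix (as 'prefix/len') or None if no DNS64 is in play.

    Tries every RFC 6052 prefix length on every AAAA record for ipv4only.arpa
    and accepts the first whose embedded IPv4 address is one of the two
    well-known addresses, which is the procedure RFC 7050 section 3 describes.
    """
    for record in aaaa_answers:
        addr = ipaddress.IPv6Address(record)
        for plen in RFC6052_PREFIX_LENGTHS:
            if embedded_ipv4(addr, plen) in WELL_KNOWN_IPV4:
                return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
    return None


if __name__ == "__main__":
    # Constructed samples: a synthesized answer using the well-known prefix,
    # one using a /64 network-specific prefix, and a non-DNS64 answer.
    print(discover_nat64_prefix(["64:ff9b::c000:aa", "64:ff9b::c000:ab"]))
    print(discover_nat64_prefix(["2001:db8:1234:5678:c0:0:aa00:0"]))
    print(discover_nat64_prefix(["2001:db8::1"]))
```

If the function returns a prefix for a given resolver, that resolver is doing DNS64, which is relevant when a client with IPv6 disabled and one with it enabled behave differently behind the same modem; if it returns None for every resolver seen across modem restarts, DNS64 can be taken off the list of suspects.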
#5
Quote from: cookiemonster on April 15, 2025, 11:37:18 PM
I was thinking your ISP or your IP, but if other hardware fixes it, then that's out.
Brings it to configuration really. I can only think of some service blocking (blocklists on Unbound as an example, but you checked that) or MTU or IPv6 settings. There are a good few resources here from meyergru that delve deep into those.

Hi cookiemonster, good point regarding MTU and IPv6; I will play around with those and also completely disable IPv6 on the ISP and redo some testing again and see what happens before hanging up the gloves.

Regards
#6
Hello, small update on this case.

Unfortunately things are getting even worse in my recent situation; the good news is that I appealed and recovered my Instagram account, though I'm still unable to access the Meta "Content Delivery Network" related websites and apps, just as previously noted: the page loads but no media is displayed and there's a forever loading loop, however that is not the case.

So I wanted to be more creative on this issue before writing on forums, so I've made the test procedures below without success:

1: Re-installed a fresh copy of OPNsense 25.1 with mostly sane defaults on my current hardware.
2: Re-installed a fresh copy of OPNsense 25.1 on my previous/retired hardware, a Supermicro X7SBL-LN2.
3: Played again with Unbound, Dnsmasq, DNS, OpenDNS, Google DNS, UPnP, etc. etc. etc. forum suggestions.
4: Removed my Linksys AP and used direct CAT.6e cables to rule out a possible AP firmware bug messing around.
5: Set the OPNsense host as DMZ in my Arris cable modem to rule out possible issues with the built-in firewall/DNS/UPnP stuff.
6: Set the Arris cable modem to bridged mode and connected OPNsense to rule out that double-NAT suggestion around the net.

And some more tests, but pretty much redundant/inverse stuff so not listed; to sum up, none of the above worked in my current situation.

However I've discovered more issues, as follows:

1: All Meta websites and apps connecting to *CDN* fail with partially loaded content or just loop.
2: Android (Google) mobile clients are unable to update/download apps, and when they sporadically/partially download, they fail with a yellow warning.
3: YouTube slow and/or constant loading issues.
4: 4kvideodownloader does not download 90% of YouTube videos, but no issues when connected directly to the ISP.
5: Netflix slow and/or constant loading issues.

I have to note that sometimes I'm able to connect to Meta sites/apps and can download YouTube videos with 4kvideodownloader after a quick firewall restart or when I mess around with OPNsense settings, but after a few minutes the issue reappears.

At this point I'm out of options, and unfortunately every suggestion around the forums/net that I've tried didn't work for me, even on 2 different pieces of hardware; also, I don't want to think that this may possibly be related to my ISP company "Liberty Cablevision", but at this point who knows.

My last test TODO is to install that "other firewall distro" and redo all these tests with it, and even if it works I will personally connect my homelab directly to my ISP cable modem until I find a viable solution.

This post is for reference purposes, by the way, and I really hope I will find a solution soon, as I don't want to use anything else but OPNsense.

Regards!
#7
@cookiemonster
@Seimus

Hello, many thanks for the input; yeah, definitely the ad-block related extensions make sense if their systems are way too sensitive against those.
I admit that I run the Adblock Plus, PrivacyBadger and ClearURLs Firefox extensions, and all this stuff may early-trigger false positives on their backend.

ATM I'm not running VPN, intrusion detection/prevention or ad-blockers on my OPNsense appliance, nor was I using my Proton VPN account, so who knows exactly what the issue was, as I remember that I've tested other browsers with no add-ons enabled and was experiencing the same thing.

What I will do is enable the Wi-Fi on the ISP modem for guest access to those particular sites when I need them from a standalone device, but definitely I will not try to give it access to my homelab for now until some more research.

Regards!
#8
Looks like I've taken an arrow to the knee now, and just got my Instagram suspended for absolutely no relevant reason just 2 days after the account creation. Wow! How funny and very, very worrying/scary at the same time o_O.

Here is their claim:



Regards!
#9
Hello all, I'm not a fan/user of any social media at all, hence I didn't notice this problem before; unfortunately, with nowadays' marketing trends I have to sin and get involved with "WhatsApp/Instagram" just to get in touch with the "Solar Energy" business, and I found some problems when loading content from such sites.

Been using OPNsense since version 16.x and never had any problem on my small homelab/office network, other than recently finding that "Meta" child websites/apps partially work when passing through OPNsense: the webpage (Instagram) loads but the content is blocked, i.e. images/videos etc., but not the text; for WhatsApp chats it's the same, the media content does not load and I have to turn off Wi-Fi and use cell data in order to view the images/videos. However, if I connect the Linksys access point directly to the ISP cable modem, the Meta websites/apps work on all clients as intended, but that's definitely not an option.

I did search the web/forums in this regard but just found some repetitive advice about "Enable syncookies", which I've tried as either "never/always/adaptive" without success; I really hope someone with knowledge in this area can bring some viable advice, other than the easy route of leaving host(s) vulnerable to DDoS.

System:
i5-2390T + 8GB RAM, 160GB HDD
HP Pro 6300SFF(WAN) + HP NC360T(LAN/OPT)

Versions:
OPNsense 25.1.4_1-amd64
FreeBSD 14.2-RELEASE-p2
OpenSSL 3.0.16

Network:
ISP --> OPNSense --> Linksys-AP --> Clients


Regards!

Edit:
Here is an example of the Meta site loading but without media content; it gets stuck in a connecting loop to ...fbcdn.net.

Here is a similar case in this regard in r/opnsense without a proper solution, and again the OP's update/solution is not an option for me. ;)
#10
24.7, 24.10 Legacy Series / Re: enabling boot environments
September 18, 2024, 03:47:39 AM
Quote from: hescominsoon on August 15, 2024, 03:28:16 AM
About a year ago I purchased an OPNsense rack appliance (the model escapes me at the moment). Did these last-gen devices not ship with ZFS by default?

Hello, if such an appliance is running off a "USB/SDCard/CF" or similar, leave it as is (UFS); however, if such an appliance can run on either a single or a pair of "NVMe/M.2/SSD/HDD", then ZFS is the next-gen enterprise file system you want, with a vast array of features/utilities.

The default on-dashboard Boot Environments (snapshots) can "preview/create/name-edit/destroy", a must-have tool for upgrades, quick-rollback testing etc., but not limited to that; you can use CLI tools to backup/restore to/from remote servers as well for easy disaster recovery etc.

Kudos to the OPNsense/Deciso team for such formidable work in bringing the ZFS file system to the installer.

P.S. Sorry, forgot to add the attached images as preview thumbnails.
#11
Hi, this is an old yet small cosmetic bug: in some pages the device name or hostname isn't displayed properly when it contains spaces; it looks like some users like to name their network devices with spaces, which makes identifying the device difficult initially. Since this hasn't been fixed yet, I've just posted it as a reminder. ;)

For example, "dhcpd.leases" shows the client-hostname correctly, but somehow it's not being parsed properly.

Example images:
#12
Quote from: pmhausen on August 10, 2022, 01:04:20 PM
Boot loaders are at least supposed to always be backwards compatible. If you ever upgrade your zpool, you need to upgrade your boot loader, too. But a downgrade should never be necessary.

Yeah, it just happens that I've run into boot issues/broken EFI console in the past and I'm still skeptical about bootcode upgrades, though I think I should do some testing on VMs in this regard.

Also agreed that a downgrade should never happen, but sometimes jumping onto the bleeding edge makes you want to roll back when you later discover that something can't be easily fixed in time.

Regards
#13
Hi, some time ago I created a TUI wrapper around beadm/bectl to ease Boot Environment backups (exports) to either local or remote servers through SSH.

Each time I upgrade either FreeBSD or OPNsense to a major version, I back up the current BE to my server, and after the backup completes I create a new BE and reboot into it to perform the upgrade.

Here is the little utility: Bemanager
Here is the source: Bemanager at GitHub
There is no manual on how to configure it, but the sample config has some hints.

Notes:
Be aware that after upgrading to a major version, if the user upgrades the bootcode (GPT/BIOS/EFI), in order to roll back to a previous BE the user must mount the previous BE containing the older bootcode and perform a downgrade from its files under "/boot"; however, if the user upgrades the ZFS pool feature flags, this may lock down the ability to easily roll back to a previous BE*.

*The solution is to back up the wanted previous BE, then reinstall a FreeBSD/OPNsense version matching the previous version, then import back the Boot Environment regardless of the disk layout; e.g. I've exported a BE from a single disk and later imported that BE to a mirrored setup with good results.

Unfortunately I haven't had enough time to read the plugin development manual to make a Boot Environments manager plugin for the OPNsense GUI to perform basic tasks from.

ZFS Boot Environments Reloaded by Sławomir Wojciech Wojtczak (vermaden)

Regards
#14
Hello, I've decided not to complicate things with NAT/firewall rules/etc. between two different IPs/subnets in my home lab, so I've decided to just bridge the HP NC360T ports to act like a 2-port switch and stay with the default 192.168.1.1 for simplicity's sake.

Will mark the OP as solved.
#15
Hello, I only have basic knowledge regarding networking/firewalls in general, so I think this is the best forum section for asking such a question/help; really sorry if it should be in another sub-forum. ;)

I've recently switched from a basic OPNsense setup with just WAN + LAN to WAN + LAN + OPT to have two routes: the main one for my home lab and a secondary one for the rest of the house. Since then I've been struggling trying to access from my workstation (192.168.1.200) the access points located on the secondary route (192.168.2.1); I've followed several OPNsense how-tos around the net and read the OPNsense online manual, but I was unsuccessful.

So the question is, what should be the best way to do this: through NAT port forward, firewall rule(s) or through routing? Also, since an illustration can say a lot, I will post an image of my setup for convenience.

Wanted scenario:
GbE client admin wants to access the access points' 192.168.2.10 and 192.168.2.11 web interfaces; pretty sure after setting up access for one I will know how to do this for the rest. Also, 192.168.1.200 can ping OPT 192.168.2.1.

System specs:
OPNsense 22.7_4-amd64
FreeBSD 13.1-RELEASE
OpenSSL 1.1.1q 5 Jul 2022
CPU: i5-2390T
RAM: 8GB
Disk: 2.5" HDD/RootOnZFS

Setup diagram: