Messages - Jose

#1
Apologies for asking such dumb questions; it seems there aren't many users with transparent filtering bridges with alternate configurations, nor around the web, except for a few YT videos just telling how to install it.

By the way, I've just set the IPv4/IPv6 Configuration Type to NONE on all interfaces except for the [ADM] (admin) interface.

One of the reasons for asking was because my ISP struck again and broke IPv6, and OPNsense could not be upgraded unless IPv4 was set to DHCP on the [WAN] interface:

I will try to update/upgrade the OPNsense host through the admin interface; otherwise maybe I should stop being a bit too paranoid and leave IPv4 set to DHCP on the [WAN] interface and add some rules there, even if this is not what the recommended setup from the docs does.

Regards
#2
Quote from: Patrick M. Hausen on November 15, 2025, 07:03:51 PM
What are your specific questions? Just go ahead and ask them ;-)

You have read the documentation on transparent filtering bridge?

Hi Patrick, I pushed the wrong buttons while writing, but I have posted them already.

Regards
#3
Hello, I'm really sorry if this was asked previously, but I have some specific questions regarding a typical Transparent Filtering Bridge configuration.

I was using OPNsense for several years without any issues so far; however, I've recently switched from a standard setup to Transparent Filtering Bridge mode because I switched from DSL to a CGNAT ISP, so I have some questions regarding some settings which typically differ from the OPNsense TFB how-to documentation.

This is my current TFB setup (IPv6 is disabled):

Interfaces: [WAN] -> igb0
  IPv4 Configuration Type: DHCP (It was: NONE)
  IPv6 Configuration Type: NONE (It was: DHCPv6)

Interfaces: [LAN] -> igb1
  IPv4 Configuration Type: NONE
  IPv6 Configuration Type: NONE (It was: Track Interface)

Interfaces: [TFB] -> igb0 + igb1
  IPv4 Configuration Type: NONE
  IPv6 Configuration Type: NONE

Interfaces: [ADM] -> vtnet0
  IPv4 Configuration Type: Static IPv4
  IPv6 Configuration Type: NONE

My question is whether the above TFB configuration looks acceptable, since I had to set IPv4 to DHCP on the [WAN] interface; otherwise OPNsense is unable to upgrade as expected, since there's no route to host.

The OPNsense and Zenarmor how-tos both specify setting the IPv4 types to NONE, but in my case I had to set it. The TFB rules seem to work as intended; however, is there any security implication in leaving the [WAN] IPv4 set to DHCP always, plus the required "Allow All" rule on such an IF?

I could disable it and set it back to NONE after OPNsense upgrades and reboots, but that is a bit of a hassle.

PS: the [ADM] interface is only for local administration. Also sorry, as I pushed Post instead of Preview while writing.

Regards
#4
25.7, 25.10 Series / Re: BUG: ZFS RAIDZ BOOT!
September 30, 2025, 02:05:13 PM
Quote from: franco on September 30, 2025, 01:56:23 PM
Nice, thank you. May consider picking this up in core in the future if boot code incompatibilities are to become more common.


Cheers,
Franco

Hi Franco, I've edited the previous post and added the output for the "gpt/zfsboot" code update as well, for reference.

Regards
#5
25.7, 25.10 Series / Re: BUG: ZFS RAIDZ BOOT!
September 30, 2025, 01:52:59 PM
Hello, I've updated the `bootcode-update` utility to support GPT labels for compatibility with later FreeBSD releases, in case someone wants to play with it on a VM.

Sample output from my FreeBSD host:
root@nas-mserver: ~# bootcode-update -v
bootcode-update 0.3.6
root@nas-mserver: ~# bootcode-update -e

UEFI Partition: [ ada0p1 ]
Disk Serial:    [ TNS519GYXXXXXX ]
Proceed with EFI bootcode update for the following geom: [ada0p1] (Y/n)?: y
Proceeding...
=> Updating EFI bootcode on ada0p1
/boot/loader.efi -> /boot/efi/efi/boot/bootx64.efi
/boot/loader.efi -> /boot/efi/efi/freebsd/loader.efi
=> Success!


UEFI Partition: [ ada1p1 ]
Disk Serial:    [ 140817TM85A3TDXXXXXX ]
Proceed with EFI bootcode update for the following geom: [ada1p1] (Y/n)?: y
Proceeding...
=> Updating EFI bootcode on ada1p1
/boot/loader.efi -> /tmp/boot_esp/efi/boot/bootx64.efi
/boot/loader.efi -> /tmp/boot_esp/efi/freebsd/loader.efi
=> Success!


Sample output from my OPNsense VM:
root@fw-opnsense:~ # uname -a
FreeBSD fw-opnsense.arpa 14.3-RELEASE-p2 FreeBSD 14.3-RELEASE-p2 stable/25.7-n271676-ab2281de1853 SMP amd64
root@fw-opnsense:~ # bootcode-update -v
bootcode-update 0.3.6
root@fw-opnsense:~ # bootcode-update -e

UEFI Partition: [ vtbd0p1 ]
Disk Serial:    [ BHYVE-125E-B3XX-XXXX ]
Proceed with EFI bootcode update for the following geom: [vtbd0p1] (Y/n)?: y
Proceeding...
=> Updating EFI bootcode on vtbd0p1
/boot/loader.efi -> /boot/efi/efi/boot/bootx64.efi
/boot/loader.efi -> /boot/efi/efi/freebsd/loader.efi
=> Success!

Sample output updating GPT/ZFSBOOT:
root@nas-mserver: ~# bootcode-update -g

Boot Partition: [ ada0p2 ]
Disk Serial:    [ TNS519GYXXXXXX ]
Pool Member:    [ zroot: '/dev/ada0p4' ]
Proceed with GPT/ZFS bootcode update for the following geom: [ada0p2] (Y/n)?: y
Proceeding...
=> Updating GPT/ZFS bootcode on ada0p2
partcode written to ada0p2
bootcode written to ada0
=> Success!


Boot Partition: [ ada1p2 ]
Disk Serial:    [ 140817TM85A3TDXXXXXX ]
Pool Member:    [ zroot: '/dev/ada1p4' ]
Proceed with GPT/ZFS bootcode update for the following geom: [ada1p2] (Y/n)?: y
Proceeding...
=> Updating GPT/ZFS bootcode on ada1p2
partcode written to ada1p2
bootcode written to ada1
=> Success!

Regards
#6
25.7, 25.10 Series / Re: BUG: ZFS RAIDZ BOOT!
September 29, 2025, 11:24:57 PM
This is one of the reasons I've created a `bootcode-update` utility to update my FreeBSD hosts' boot mirrors whenever I upgrade the zroot zpool or the GPT/EFI bootcode gets updated by freebsd-update; it also worked on RAIDZx when I tested it some time ago.

The `bootcode-update` utility can be found HERE, so you can see how it works and make your own script for update automation.

Be aware that this utility is an experimental attempt and I haven't updated it in a while, though I still use it at my own risk on my FreeBSD host and OPNsense. It does not yet support the new FreeBSD EFI gpt/label layout, just gpt/id, though I'm thinking of updating it.

Also be aware that updating the GPT/EFI/ZFS bootcode may prevent you from booting very old Boot Environments, as expected; in such a case the user needs to manually mount said BEs and update the new bootcode files manually, or roll them back on the disks, though if the zroot zpool was upgraded this may also prevent old BEs from booting.

So always make sure you want to really update them.

Regards
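As an added example (not the forum post's code and not the bootcode-update utility itself), a small POSIX sh check that lists every EFI system partition via gpart and reports whether its installed bootx64.efi still matches the running system's /boot/loader.efi, so a mirror member with stale bootcode is caught before it is the only disk left to boot from. It assumes FreeBSD's gpart(8), mount_msdosfs(8) and sha256(1); the partition names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the forum post or of the bootcode-update utility.
# Assumes FreeBSD tools: gpart(8), mount_msdosfs(8), sha256(1).
set -eu

# Read `gpart show -p` output on stdin and print the provider (e.g. ada0p1) of
# every partition whose type matches $1 ("efi" or "freebsd-boot"). Header lines
# start with "=>" and are skipped; "- free -" gaps carry "free" in field 4.
list_parts_of_type() {
    awk -v want="$1" '$1 != "=>" && $4 == want { print $3 }'
}

# Decide what an installed loader hash means relative to the reference hash.
# Prints the verdict; returns 0 only when the ESP is current.
classify_loader() {
    ref="$1"; found="$2"
    if [ "$found" = "missing" ]; then echo "MISSING"; return 2; fi
    if [ "$found" = "$ref" ]; then echo "current"; return 0; fi
    echo "STALE"; return 1
}

# Mount one ESP read-only, hash efi/boot/bootx64.efi and report the verdict.
check_esp() {
    part="$1"; ref="$2"; mnt=$(mktemp -d)
    mount_msdosfs -o ro "/dev/$part" "$mnt"
    found=$(sha256 -q "$mnt/efi/boot/bootx64.efi" 2>/dev/null || echo missing)
    umount "$mnt"; rmdir "$mnt"
    verdict=$(classify_loader "$ref" "$found") || true
    printf '%s: %s\n' "$part" "$verdict"
    [ "$verdict" = "current" ]
}

# Walk every ESP on the system; exit non-zero if any needs its bootcode
# reinstalled (which is what bootcode-update -e does for you).
main() {
    ref=$(sha256 -q /boot/loader.efi); rc=0
    for p in $(gpart show -p | list_parts_of_type efi); do
        check_esp "$p" "$ref" || rc=1
    done
    return $rc
}

# Only run the live check when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh check-esp.sh --run` after a freebsd-update or zpool upgrade; any line not reading "current" marks a disk that would boot an older loader than the one the system expects.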
#7
25.7, 25.10 Series / Re: No IPV4 in 25.7
September 29, 2025, 11:01:15 PM
Hello, I'm not sure about your OPNsense setup, but you can go to [System: Gateways: Configuration] to add/edit GWs, then edit the Dashboard widget and add additional gateways:

I run a Transparent Filtering Bridge and have no DHCP servers active, as expected, so I really don't need it, but I've just added an IPv4 GW for monitoring/informational purposes, whether it is up or down.

Regards
#8
Quote from: jade_nekotenshi on September 17, 2025, 04:49:10 PM
With a mirror, a three-way mirror almost makes more sense than a hot spare. Hot spares are more useful for RAIDZ/RAIDZ2.

+1 on this.

Also, with a single ZFS disk, one can export the latest Boot Environment to a safe place, which can later be imported in case of disk failure, and you're back to working order in minutes; and now with the Dashboard Snapshots one can easily update/upgrade with peace of mind ;)

👉 Been using OPNsense since v16.x with Root on ZFS, way before the initial ZFS installer script was made, and I can tell it's pretty solid and stable.

Regards
#9
25.7, 25.10 Series / Re: Alias Creation Dashboard Errors
September 29, 2025, 01:43:50 PM
Quote from: franco on September 29, 2025, 12:47:38 PM
From the first validation screenshots you can see there is an extra whitespace at the end "3478 ", maybe that's a CR (\r) from Windows line endings or a spurious LF (\n) altogether being converted into a space, but that is strange input like

3478
,4379

What are you actually pasting? Just paste it here in the forum...


Cheers,
Franco

Hi @franco, I did notice those little spaces as well; Patrick mentioned it too, and I thought it was just the GUI output.
However, as you said, it was probably from copying stuff from random websites in a hurry while searching for Steam and some game ports to play behind the TFB.

I'm really sorry for all the noise, and this can be marked as solved. Next time I will check/format in my text editor before copying a bunch of ports from the web when creating aliases; also, when entering host IPs manually, it requires a comma at the end of each IP too.

Regards
#10
25.7, 25.10 Series / Re: Alias Creation Dashboard Errors
September 29, 2025, 11:44:03 AM
Quote from: Monviech (Cedrik) on September 29, 2025, 11:24:06 AM
You can click on "text" below that field.

And then copy paste them as newline separated list:

172.16.1.1
172.16.1.2
172.16.1.3


Hi, yes, I've selected the text icon and copied them, and they populated as new lines and worked just fine.

Also, as "Patrick M. Hausen" said, I've also copied several IPs from a text file and pasted them into the Alias field, then just hit Save, and it also worked just fine, as shown below:

I just tend to ignore the "Copy/Paste/Text" icons under the field box, but I will now select the "Text" icon to paste entries in order to avoid the previous errors.

Regards
#11
25.7, 25.10 Series / Re: Alias Creation Dashboard Errors
September 29, 2025, 11:19:24 AM
Quote from: Monviech (Cedrik) on September 29, 2025, 08:14:30 AM
10.0.0.300 is not a valid IP address

it only goes up to .255

@Monviech (Cedrik)
Wow, pfff -.-, indeed it only goes up to 255, just my bad; falling asleep after a too-busy weekend.


@Patrick M. Hausen
I just type addresses/ports into the field, and after adding a comma it automatically creates an entry breadcrumb and a space. By the way, I will try pasting all these entries copied from a text document, just separated with commas, and see how it goes.

Regards
#12
25.7, 25.10 Series / Re: Alias Creation Dashboard Errors
September 29, 2025, 07:51:32 AM
Quote from: Patrick M. Hausen on September 29, 2025, 06:55:21 AM
What do you mean by "one by one"? Are you pasting multiple entries at once? That works only if

- they are on a single line
- comma separated
- without any extra spaces

HTH,
Patrick

Hello @Patrick M. Hausen, I meant entering each IP/port one by one, unless I got lucky and the GUI accepted/recognized more than one "correct" entry.
Also, yes, separating them by commas automatically converts them into mini breadcrumbs; then, when clicking on the last entry, one or more entries fail, like the screenshot below:

Indeed "10.0.0.300" is a correct alias entry; maybe something with the validation check/match, I dunno, as I haven't dug more in depth into this.

EDIT: Sorry for the wrong IP entry error/mistake, forgot the night coffee cup -.-

System versions:

OPNsense 25.7.3_7-amd64
FreeBSD 14.3-RELEASE-p2
OpenSSL 3.0.17

Regards
#13
25.7, 25.10 Series / Alias Creation Dashboard Errors
September 28, 2025, 11:59:33 PM
Hello, I'm not sure if this was already posted, but I'm having this issue whenever I create Ports/Host Aliases:

Sample Screenshots:

My solution is to create the content one by one; sometimes it works with two or more ports/hosts.
Regards
#14
Quote from: meyergru on April 17, 2025, 04:21:19 PM
Many routers tend to hand out only a /64 range, because they usually "think" that it is only one LAN connected to them - I mean that is in itself not a sure sign that your ISP does not hand out a larger prefix like /56 or /48 as per IA-PD. You would probably see that if you use the ISP router in bridge/modem mode and try bringing up the connection with OPNsense as the only router.

I cannot provide any specific instructions, because IDK that provider.


Hi @meyergru, yes you are right; apparently this ISP is indeed locking domestic/home users to just one IPv6 LAN prefix, and the bridge or DMZ thing does not work as intended either, hence why the ISP router in bridge or DMZ mode didn't work on the IPv6 side as expected when testing, and the user can't modify the prefix nor disable IPv6 in the ISP router.

To make things worse, I found that this ISP is nothing more than a [Carrier-Grade NAT] "cgnat.libertypr.net" with a dynamic/dynamic connection setup.

This boils down to: no matter what firewall/router is connected in between, it will not work as intended for the IPv6 stuff, and since more and more heavily loaded content-delivery-network websites/apps are using IPv6, disabling it completely like two decades ago is not recommended.

I've confirmed this by completely disabling IPv6 only on my workstation/client, and all of these websites/apps loaded partially/broken, even when connected directly to the CGN ISP.

I will try to contact my ISP and ask if they can change this IPv6 prefix limitation, and if not possible then wait patiently for further resolutions regarding CGN users with OPNsense.

For now I will enable the `ufw` firewall on my workstation and tighten my current `pf` settings on my FreeBSD server; even if it is a headache working with this stuff by hand, at least it is better than nothing.

Again thanks a lot for the suggestions @meyergru @cookiemonster @Seimus

Regards
#15
Quote from: meyergru on April 17, 2025, 01:38:33 PM
In that case you probably do not have an ISP "modem", but a router. I dislike those router-behind-router configurations, because they have several disadvantages (see point 4 here), however I know that outside of countries like Germany, you sometimes cannot use a "modem-only" termination with some ISPs.

For IPv6 to work with such a configuration, you would have to configure IPv6 subdelegation. Essentially, most ISPs hand out a single IA-NA IPv6 and a /56 IA-PD IPv6 prefix from which you can take out parts to delegate to your (V)LANs.

This is explained for a specific example here.

That being said, I cannot see what/how your ISP actually delegates subnets, because there are no netmasks for either IPv4 or IPv6 in your picture.


Hi @meyergru, thanks again for the great info, much appreciated; gonna have a good read indeed.

You are right, I have an ISP cable modem and router combo that has its own DHCP/NAT/UPnP/firewall etc. integrated; I have the habit of calling them ISP modems, yeah. By the way, it has the option for bridge mode, but I can't get IPv6/DNS6 to work regardless of whether it is bridged.

Also, this ISP gives just a /64 prefix for IPv6 that can't be changed; by the way, I dunno if it could be modified through telnet like in some ISP modems/routers, but I think it's better not to mess around with it before asking them for options.

I will post an image of the Arris cable modem/router IPv6/DNS config pane for reference; hopefully this can be solved soon so I can order a Protectli box to play with.

Regards

ISP Cable/Modem IPv6 config: