Messages - col360

#1
Quote from: Fright on August 18, 2021, 08:03:48 PM
try
# configctl webgui restart renew
I had the same issue and this fix works. I had to select "Web GUI TLS Certificate" before clicking save.
#2
Was this ever resolved?
I'm now using an install with an ISP that has CGNAT using the below:
Internal range – 100.68.0.0/17
External ranges: 121.200.4.0/22 (121.200.4.0 – 121.200.7.255)
The problem is the default (auto generated rules) blocks incoming traffic so it never had a chance to hit any of my own rules.
#3
Interesting observation there. The link-local address threw me off for quite some time as I did not bother testing the client hosts, thinking it didn't work!
For some reason today I found IPv6 has stopped working on the OPNsense box and the DHCP6 service also stopped. I gave it a reboot and things seem to come back on correctly. Don't know if it's an issue with OPNsense or not. No time to look into it at the moment.
#4
Thank you Trident!
I had exactly the same issue!!! Running the latest version of Firefox.
#5
For those wondering what GDickson means by "LL" = link-local IPv6 address.
Looking into it more, it may have something to do with my ISP giving out the link-local IP. However, that doesn't quite explain why Windows was getting a proper IPv6 address when connected directly to the bridged modem.
#6
I seem to have made it work!
WAN config https://i.imgur.com/R2S8qt4.png
https://i.imgur.com/9CAHSf8.png
LAN config https://i.imgur.com/jy2mZrh.png

Also under Firewall->Settings->Advanced
Untick "Allow IPv6" & click Save
Then tick "Allow IPv6" & click Save

Also under WAN firewall rules I've added the below rule. Not sure if this matters. https://i.imgur.com/Q8FcA6p.png

The LAN interface and devices behind the OPNSense are getting their IPv6 IPs now.
#7
Not quite sure what I fiddled with that made it work. The LAN interface and hosts now get proper IPv6 addresses!
The WAN interface still says it has a link-local IPv6 IP.
#8
igb1 is the WAN interface.
DHCP log looks like this
Nov 27 18:17:27 gw1 dhcp6c[68673]: send solicit to ff02::1:2%igb1
Nov 27 18:17:27 gw1 dhcp6c[68673]: reset a timer on igb1, state=SOLICIT, timeo=4155, retrans=128388
Nov 27 18:18:09 gw1 dhcp6c[68673]: restarting
Nov 27 18:18:09 gw1 dhcp6c[68673]: removing an event on igb1, state=SOLICIT
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[interface] (9)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <5>[igb1] (4)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>begin of closure [{] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[send] (4)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[ia-pd] (5)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[0] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>end of sentence [;] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>comment [# request prefix delegation] (27)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[request] (7)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[domain-name-servers] (19)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>end of sentence [;] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[request] (7)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[domain-name] (11)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>end of sentence [;] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[script] (6)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>["/var/etc/dhcp6c_wan_script.sh"] (31)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>end of sentence [;] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>comment [# we'd like some nameservers please] (35)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>end of closure [}] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>end of sentence [;] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[id-assoc] (
Nov 27 18:18:09 gw1 dhcp6c[68673]: <13>[pd] (2)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <13>[0] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <13>begin of closure [{] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[prefix] (6)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[::] (2)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[/] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[56] (2)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[infinity] (
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>end of sentence [;] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[prefix-interface] (16)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <5>[igb0] (4)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>begin of closure [{] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[sla-id] (6)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[0] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>end of sentence [;] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[sla-len] (7)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>[8] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>end of sentence [;] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>end of closure [}] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>end of sentence [;] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>end of closure [}] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: <3>end of sentence [;] (1)
Nov 27 18:18:09 gw1 dhcp6c[68673]: called
Nov 27 18:18:09 gw1 dhcp6c[68673]: called
Nov 27 18:18:09 gw1 dhcp6c[68673]: reset a timer on igb1, state=INIT, timeo=0, retrans=433
Nov 27 18:18:10 gw1 dhcp6c[68673]: Sending Solicit
Nov 27 18:18:10 gw1 dhcp6c[68673]: a new XID (7ae07) is generated
Nov 27 18:18:10 gw1 dhcp6c[68673]: set client ID (len 14)
Nov 27 18:18:10 gw1 dhcp6c[68673]: set elapsed time (len 2)
Nov 27 18:18:10 gw1 dhcp6c[68673]: set option request (len 4)
Nov 27 18:18:10 gw1 dhcp6c[68673]: set IA_PD prefix
Nov 27 18:18:10 gw1 dhcp6c[68673]: set IA_PD

Routing log looks like this
Nov 29 22:07:36 gw1 rtsold[55679]: <rtsol_input> Processing RA
Nov 29 22:07:36 gw1 rtsold[55679]: <rtsol_input> ndo = 0x608230
Nov 29 22:07:36 gw1 rtsold[55679]: <rtsol_input> ndo->nd_opt_type = 1
Nov 29 22:07:36 gw1 rtsold[55679]: <rtsol_input> ndo->nd_opt_len = 1
Nov 29 22:07:36 gw1 rtsold[55679]: <make_rsid> rsid = [igb1:slaac]
Nov 29 22:07:36 gw1 rtsold[55679]: <rtsol_check_timer> there is no timer
Nov 29 22:07:36 gw1 rtsold[55679]: <rtsol_input> received RA from fe80::1:1 on an unexpected IF(igb0)
Nov 29 22:07:36 gw1 rtsold[55679]: <rtsol_check_timer> there is no timer
Nov 29 22:07:40 gw1 rtsold[55679]: <rtsol_input> received RA from fe80::b226:80ff:fe1f:4442 on igb1, state is 0
Nov 29 22:07:40 gw1 rtsold[55679]: <rtsol_input> Processing RA
Nov 29 22:07:40 gw1 rtsold[55679]: <rtsol_input> ndo = 0x608230
Nov 29 22:07:40 gw1 rtsold[55679]: <rtsol_input> ndo->nd_opt_type = 1
Nov 29 22:07:40 gw1 rtsold[55679]: <rtsol_input> ndo->nd_opt_len = 1
Nov 29 22:07:40 gw1 rtsold[55679]: <rtsol_input> ndo = 0x608238
Nov 29 22:07:40 gw1 rtsold[55679]: <rtsol_input> ndo->nd_opt_type = 5
Nov 29 22:07:40 gw1 rtsold[55679]: <rtsol_input> ndo->nd_opt_len = 1
Nov 29 22:07:40 gw1 rtsold[55679]: <make_rsid> rsid = [igb1:slaac]
Nov 29 22:07:40 gw1 rtsold[55679]: <rtsol_check_timer> there is no timer
Nov 29 22:07:42 gw1 rtsold[55679]: <rtsol_input> received RA from fe80::1:1 on an unexpected IF(igb0)
Nov 29 22:07:42 gw1 rtsold[55679]: <rtsol_check_timer> there is no timer
Nov 29 22:07:45 gw1 rtsold[55679]: <rtsol_input> received RA from fe80::1:1 on an unexpected IF(igb0)
Nov 29 22:07:45 gw1 rtsold[55679]: <rtsol_check_timer> there is no timer
Nov 29 22:07:54 gw1 rtsold[55679]: <rtsol_input> received RA from fe80::1:1 on an unexpected IF(igb0)
Nov 29 22:07:54 gw1 rtsold[55679]: <rtsol_check_timer> there is no timer
Nov 29 22:08:00 gw1 rtsold[55679]: <rtsol_input> received RA from fe80::1:1 on an unexpected IF(igb0)
Nov 29 22:08:00 gw1 rtsold[55679]: <rtsol_check_timer> there is no timer
Nov 29 22:08:08 gw1 rtsold[55679]: <rtsol_input> received RA from fe80::1:1 on an unexpected IF(igb0)
Nov 29 22:08:08 gw1 rtsold[55679]: <rtsol_check_timer> there is no timer
Nov 29 22:08:09 gw1 rtsold[55679]: <rtsol_input> received RA from fe80::1af1:45ff:fe74:a29d on igb1, state is 0

Digging some more I see a lot of below in the firewall log
Nov 30 00:03:45 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,<redacted>:4100:300:adc2:6258:8d90:f30b,2404:6800:4006:807::2003,59900,443,0,S,595995957,,14400,,mss;sackOK;TS;nop;wscale
Nov 30 00:03:45 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,<redacted>:4100:300:adc2:6258:8d90:f30b,2600:1415:10:4be::33c4,60123,443,0,S,961410098,,14400,,mss;sackOK;TS;nop;wscale
Nov 30 00:03:45 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,<redacted>:4100:300:adc2:6258:8d90:f30b,<redacted>:100:9::2,56608,443,0,S,1099330371,,14400,,mss;sackOK;TS;nop;wscale
Nov 30 00:03:45 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,<redacted>:4100:300:adc2:6258:8d90:f30b,<redacted>:100:9::2,56609,443,0,S,3527085472,,14400,,mss;sackOK;TS;nop;wscale
Nov 30 00:03:45 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,<redacted>:4100:300:adc2:6258:8d90:f30b,<redacted>:100:9::2,56610,443,0,S,1318992366,,14400,,mss;sackOK;TS;nop;wscale
Nov 30 00:03:45 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,<redacted>:4100:300:adc2:6258:8d90:f30b,2404:6800:4006:807::2003,59905,443,0,S,100023556,,14400,,mss;sackOK;TS;nop;wscale
Nov 30 00:03:45 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,<redacted>:4100:300:adc2:6258:8d90:f30b,2600:1415:10:4be::33c4,60128,443,0,S,2870499212,,14400,,mss;sackOK;TS;nop;wscale
Nov 30 00:03:45 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,<redacted>:4100:300:adc2:6258:8d90:f30b,2600:1415:10:4be::33c4,60129,443,0,S,439595810,,14400,,mss;sackOK;TS;nop;wscale
Nov 30 00:03:48 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0xc5fab,64,UDP,17,157,<redacted>:4100:300:dc5d:6175:57ce:f950,2a03:b0c0:3:d0:6a:3001:7800:cd08,9993,9993,157
Nov 30 00:03:48 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0x11c6a,64,UDP,17,157,<redacted>:4100:300:c1b4:db25:ae60:96b9,2a03:b0c0:3:d0:6a:3001:7800:cd08,9993,9993,157
Nov 30 00:03:48 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0xb7b0b,64,UDP,17,157,<redacted>:4100:300:c1b4:db25:ae60:96b9,2a03:b0c0:3:d0:6a:3001:7800:cd08,21645,9993,157
Nov 30 00:03:48 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0x638ca,64,UDP,17,157,<redacted>:4100:300:dc5d:6175:57ce:f950,2a03:b0c0:3:d0:6a:3001:7800:cd08,21645,9993,157
Nov 30 00:03:48 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0x6e486,64,UDP,17,157,<redacted>:4100:300:dc5d:6175:57ce:f950,2a03:b0c0:3:d0:6a:3001:7800:cd08,21646,9993,157
Nov 30 00:03:48 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0xba747,64,UDP,17,157,<redacted>:4100:300:c1b4:db25:ae60:96b9,2a03:b0c0:3:d0:6a:3001:7800:cd08,21646,9993,157
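
For triaging firewall log entries like the ones above, here is an added example (not part of the original posts, and not OPNsense's own code) that parses IPv6 filterlog lines and counts blocked flows per interface, direction, protocol and destination port. The column names are assumptions inferred from the lines shown above, and the sample lines are constructed using documentation address ranges.

```python
import csv
from collections import Counter

# Column names for IPv6 filterlog entries: assumed, inferred from the lines above.
V6_FIELDS = ["rule", "subrule", "anchor", "label", "iface", "reason", "action",
             "dir", "ipver", "tclass", "flow", "hoplimit", "proto", "proto_id",
             "length", "src", "dst"]

# Constructed sample lines (2001:db8::/32 is the IPv6 documentation prefix).
SAMPLE = """\
Nov 30 00:03:45 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,2001:db8:4100:300::10,2001:db8:ffff::2003,59900,443,0,S,595995957,,14400,,mss;sackOK;TS;nop;wscale
Nov 30 00:03:45 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,2001:db8:4100:300::10,2001:db8:ffff::33c4,60123,443,0,S,961410098,,14400,,mss;sackOK;TS;nop;wscale
Nov 30 00:03:48 gw1 filterlog: 10,,,0,igb0,match,block,in,6,0x00,0xc5fab,64,UDP,17,157,2001:db8:4100:300::20,2001:db8:ffff::cd08,9993,9993,157
Nov 30 00:03:49 gw1 filterlog: 12,,,0,igb1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,76,192.0.2.10,198.51.100.1,123,123,56
Nov 30 00:03:50 gw1 rtsold[55679]: <rtsol_check_timer> there is no timer
"""

def parse_line(line):
    """Return a dict for an IPv6 filterlog entry, or None for anything else."""
    _, sep, payload = line.partition(" filterlog: ")
    if not sep:
        return None  # not a filterlog line (e.g. rtsold, dhcp6c)
    cols = next(csv.reader([payload]))
    if len(cols) < len(V6_FIELDS) or cols[8] != "6":
        return None  # IPv4 entries use a different column layout
    rec = dict(zip(V6_FIELDS, cols))
    rest = cols[len(V6_FIELDS):]
    # TCP and UDP both continue with source port, destination port, data length.
    if rec["proto"] in ("TCP", "UDP") and len(rest) >= 2:
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
    if rec["proto"] == "TCP" and len(rest) >= 4:
        rec["flags"] = rest[3]  # "S" marks a bare SYN, i.e. a new connection
    return rec

def summarize_blocks(text):
    """Count blocked IPv6 flows by (interface, direction, protocol, dst port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "block":
            counts[(rec["iface"], rec["dir"], rec["proto"], rec.get("dport"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_blocks(SAMPLE).most_common():
        print(n, *key)
```

Grouping by interface and direction shows at a glance whether the blocks hit traffic arriving on the LAN side or the WAN side, which decides which rule set to inspect.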

#9
I'm with AussieBroadband; no one on it with OPNsense has any success. Some report success with pfSense.

Already tried the Kame and the turtle is not moving!

BTW I'm using IPoE with a bridged VDSL modem in front of OPNsense. If I plug my Windows laptop directly into the bridged modem I get an IPv6 straight away without any effort!

Best I can do is get a link local address on the WAN interface fe80::20e:c4ff:fed0:48e2

Settings https://i.imgur.com/rXsH6ZP.png

The log says below

Nov 28 01:26:10 sshd[85727]: Received signal 15; terminating.
Nov 28 01:26:10 opnsense: /interfaces.php: Warning! services_radvd_configure(auto) found no suitable IPv6 address on igb0
Nov 28 01:26:06 opnsense: /interfaces.php: ROUTING: skipping IPv6 default route
Nov 28 01:26:06 opnsense: /interfaces.php: ROUTING: skipping IPv4 default route
Nov 28 01:26:06 opnsense: /interfaces.php: ROUTING: no IPv6 default gateway set, assuming wan
Nov 28 01:26:06 opnsense: /interfaces.php: ROUTING: no IPv4 default gateway set, assuming wan
Nov 28 01:26:06 opnsense: /interfaces.php: ROUTING: entering configure using 'lan'
Nov 28 01:26:06 opnsense: /interfaces.php: Warning! services_radvd_configure(auto) found no suitable IPv6 address on igb0
Nov 28 01:26:04 opnsense: /interfaces.php: ROUTING: skipping IPv6 default route
Nov 28 01:26:04 opnsense: /interfaces.php: ROUTING: keeping current default gateway '180.150.xxx.z'
Nov 28 01:26:04 opnsense: /interfaces.php: ROUTING: setting IPv4 default route to 180.150.xxx.z
#10
I'm back to not getting an IPv6 WAN IP, not sure if this is related :(
#11
I'll give those suggestions a try
#12
My ISP has started offering IPv6 and I'm trying it out. I am having an issue where I can't seem to start the DHCPv6 server and get the log filled with the below errors:
opnsense: /status_services.php: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid igb0' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.4.1 Copyright 2004-2018 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ /etc/dhcpdv6.conf line 10: expecting a parameter or declaration authoritative; ^ Configuration file errors encountered -- exiting If you think you have received this message due to a bug rather than a configuration issue please read the section on submitting bugs on either our web page at www.isc.org or in the README file before submitting a bug. These pages explain the proper process and the information we find helpful for debugging. exiting.'
I don't have anything set in the DHCPv6 settings for the LAN other than enabling it with "Enable DHCPv6 server on LAN interface".
The DHCP6 service simply refuses to start with the above errors.
#13
Thank you for the quick reply and confirmation that it can be done.
I tried again and worked out where I went wrong earlier. I hadn't noticed that I messed up the alias name by pasting the full ddns.net alias there (so easy to remember). Once I fixed it up by removing the "." from the alias name, things work as they should.
Thank you! ;D

#14
Hi
I would like to create a restricted port forward based on a dynamic source IP address. This IP address will be identified by myhostname.no-ip.com (which may change from time to time by ISP).

I want to create a port forward rule to be able to remotely connect to a server behind the firewall. However, I want to lock it down to whatever IP myhostname.no-ip.com happens to currently resolve to.
I looked at creating an Alias but it didn't seem to accept myhostname.no-ip.com as an entry.
I know that this is possible with other firewalls. How do I go about doing this?
Thank you.
#15
I'm not familiar with ProxyARP, however I will give that a try.

Thanks.