Messages - FlangeMonkey

1
24.1 Legacy Series / Re: IPv6 ULA with NPT, when WAN is Dynamic
« on: April 26, 2024, 06:15:14 pm »
Quote from: Maurice on April 26, 2024, 02:36:43 am
So you want to use the entire /56 PD for NPT? No GUAs in the LANs at all?

Set the internal IPv6 prefix (source) to your ULA /56, leave the external IPv6 prefix (target) empty and set the track interface to an interface which tracks the WAN interface. Since you don't seem to be using tracking at all, you'll have to create a dummy interface for this purpose. Make sure the IPv6 Prefix ID used there isn't in use for any of your "real" LAN interfaces.

This is a rather new workaround and I haven't personally tested it yet, but I think that's how it's supposed to work. There's currently no "direct" way to use a delegated prefix for NPT.


Like others, I want to keep it consistent with the prefix changes on the WAN. I'll give your suggestion a look, but @ProximusAl, how are you mapping addresses on the WAN side?

2
24.1 Legacy Series / IPv6 ULA with NPT, when WAN is Dynamic
« on: April 26, 2024, 02:08:55 am »
Hi Guys,
  • I have DHCPv6 configured on the WAN interface and it's using PD with a /56.
  • I also have Static IPv6 configured on my LAN interfaces using ULA configured as /64.
  • I'd like to use NPT for 1:1 between the equivalent WAN /56 mapped to the LAN /56.
I have this working with NPT (/56 and /64) mapping configs, however I need to enter the "External IPv6 Prefix (target)" to make this work.  I recall reading to leave "External IPv6 Prefix (target)" empty for it to work dynamically, however that does not work, even with /56, which is address to address.

Any thoughts on what I'm missing?
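The /56-to-/56 mapping asked about in this post (and the track-interface workaround quoted in the reply above) comes down to a stateless prefix swap. The Python below is an added example, not code from the thread or from OPNsense; the ULA and the two delegated prefixes in it are constructed values.

```python
import ipaddress


def npt_translate(addr, internal_prefix, external_prefix):
    """Stateless 1:1 prefix substitution, the mapping NPT applies.

    The bits covered by the prefix are replaced; everything after it (the
    subnet ID of a /64 inside the /56 and the 64-bit interface ID) is kept,
    so a single /56 rule covers every LAN /64 at once.
    """
    internal = ipaddress.IPv6Network(internal_prefix, strict=True)
    external = ipaddress.IPv6Network(external_prefix, strict=True)
    # NPT is 1:1, so source and target prefixes must be the same length.
    if internal.prefixlen != external.prefixlen:
        raise ValueError("internal and external prefixes must have equal length")
    address = ipaddress.IPv6Address(addr)
    if address not in internal:
        raise ValueError(f"{address} is outside {internal}")
    host_mask = (1 << (128 - internal.prefixlen)) - 1
    host_bits = int(address) & host_mask
    return ipaddress.IPv6Address(int(external.network_address) | host_bits)


def translate_network(lan_net, internal_prefix, external_prefix):
    """Map a LAN /64 to the /64 it is seen as on the WAN side."""
    net = ipaddress.IPv6Network(lan_net, strict=True)
    base = npt_translate(net.network_address, internal_prefix, external_prefix)
    return ipaddress.IPv6Network((int(base), net.prefixlen))


# Constructed values: a ULA /56 for the LANs and a delegated /56 (from the
# documentation range) before and after the ISP changes the delegation.
ULA = "fd12:3456:789a::/56"
PD_OLD = "2001:db8:abcd:ff00::/56"
PD_NEW = "2001:db8:abcd:aa00::/56"

if __name__ == "__main__":
    host = "fd12:3456:789a:3::1"  # a host in the LAN with subnet ID 0x03
    print(npt_translate(host, ULA, PD_OLD))                      # 2001:db8:abcd:ff03::1
    print(npt_translate("2001:db8:abcd:ff03::1", PD_OLD, ULA))   # reverse direction
    print(translate_network("fd12:3456:789a:3::/64", ULA, PD_OLD))
    # After renumbering, a rule with a static target prefix would still emit
    # the old answer; the target has to follow the new delegation.
    print(npt_translate(host, ULA, PD_NEW))                      # 2001:db8:abcd:aa03::1
```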

3
General Discussion / Re: Outbound NAT not working
« on: February 24, 2022, 05:39:33 pm »
Did you find a solution to this?  I have just deployed a new opnsense VM using KVM and NAT rules are not automatically being generated.

4
21.7 Legacy Series / Re: OpenVPN 'Client Specific Overrides' 'Common Name' Not Working
« on: October 06, 2021, 03:33:50 pm »
Quote from: mimugmail on October 06, 2021, 03:20:50 pm
In server instance there should be a checkbox called "Username is Common Name" .. this should help there too, but using certificates is always better than User Auth only

I was playing with that, but I am specifically trying to use different certificate Common Names.

5
21.7 Legacy Series / Re: OpenVPN 'Client Specific Overrides' 'Common Name' Not Working
« on: October 06, 2021, 03:31:43 pm »
I'm hitting another issue now regarding certification, 'Remote Access (SSL/TLS + User Auth)' and overrides.

Although Overrides work when the Username and cert CN are the same, it doesn't if a different certificate with a different CN is used.  Additionally, within 'Connection Status' the common name remains the username.

6
21.7 Legacy Series / Re: OpenVPN 'Client Specific Overrides' 'Common Name' Not Working
« on: October 06, 2021, 03:06:24 pm »
Thanks,

It was due to the Server Mode being 'Remote Access (User Auth)' and not including SSL.

7
21.7 Legacy Series / Re: ESXi Shaper 1Gb download performance
« on: October 06, 2021, 12:24:44 pm »
For anyone else looking, it appears to be Spectre and Meltdown mitigation. This is a subtle difference between pfSense and opnsense. I only needed to tweak 'hw.ibrs_disable' to 1, within Tunables.

https://docs.opnsense.org/troubleshooting/hardening.html

8
21.7 Legacy Series / OpenVPN 'Client Specific Overrides' 'Common Name' Not Working
« on: October 06, 2021, 12:19:32 pm »
Hi Guys,

I understand the Common Name within 'Client Specific Overrides' is the certificate CN used for the user, however, it doesn't appear to be working.

Any Ideas?

Thanks,

9
21.7 Legacy Series / Re: ESXi Shaper 1Gb download performance
« on: September 21, 2021, 02:53:54 am »
I've been using it for years without issues; it's just at this speed it's hitting some form of bottleneck. I know there are card-related issues and recommendations for shapers in a virtual machine, such as using e1000 cards over vmxnet3.

I've done a bunch of testing to try and resolve it and found various things regarding Hz and tick rates on ipfw; I think that's a dead end. I've ended up dropping in pfsense to see how that performs as a comparison. That is working very well and although I'm not a fan of pfsense, I'll keep with it until I find the cause.

Edit: Although I have shapers working in pfsense, the other interesting observation is the performance without shapers; I am noticing a marked performance increase over opnsense.

10
21.7 Legacy Series / ESXi Shaper 1Gb download performance
« on: September 17, 2021, 03:00:12 pm »
Hi Guys,

I have a couple of shapers, one for inbound and one for outbound on my WAN interface.  I am running a virtual firewall, the external WAN interface is now passthrough using igb, which has improved things a lot.

When enabling any shapers using vmxnet3 on the LAN interface, my download performance drops from 800-900Mbit to 600Mbit. 

I therefore changed to E1000e for the LAN, and that increased performance without shapers to between 850-950Mbit.  However, I am still getting a performance drop with shapers to around 700Mbit (during testing, I am increasing the shaper to 1800Mbit to eliminate queue size).

Any Suggestions?

Thanks,


11
21.7 Legacy Series / Re: VRF support
« on: July 28, 2021, 12:40:11 pm »
Thanks for your replies guys.  I am currently running FRR but I don't see anything in there for routing instances, VRF, etc.  I could maybe do it manually in FRR's configuration, but I'm unsure if that would be persistent.

I'll check out the kernel requirements such as the mentioned vimage, so thanks for that.  If it's fully enabled on the kernel in 21.7, I'll play around with it.

I have implemented policy-based rules to get this working ATM, but multiple tables would be preferable.

Thanks,

12
21.7 Legacy Series / VRF support
« on: July 27, 2021, 08:15:44 pm »
Hi Guys,

Is there any support for VRFs? I have a use case for a Management/OOB interface.

Thanks,

13
19.7 Legacy Series / Re: DNS records not found; pages won’t load
« on: September 23, 2019, 04:40:08 pm »
If DNS is resolving you might be looking in the wrong place. You might also be hitting locally cached DNS records, so under testing you might want to clear it. Below is my dig of worldclassroom.webster.edu. Additionally, some ISPs block the root DNS servers, so you might need to forward.

You're not using Firefox with DNS over HTTPS, are you?

Code:
dig worldclassroom.webster.edu

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> worldclassroom.webster.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30238
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;worldclassroom.webster.edu.    IN      A

;; ANSWER SECTION:
worldclassroom.webster.edu. 17268 IN    CNAME   webster-vanity.instructure.com.
webster-vanity.instructure.com. 141 IN  CNAME   canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com.
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 34.197.146.108
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 34.236.11.156
canvas-vanity-webster-1260719357.us-east-1.elb.amazonaws.com. 56 IN A 3.222.218.57

;; Query time: 0 msec
;; SERVER: X.X.X.X#53(X.X.X.X)
;; WHEN: Mon Sep 23 15:31:45 BST 2019
;; MSG SIZE  rcvd: 218


14
19.7 Legacy Series / Re: VLANs and Firewalling
« on: September 23, 2019, 01:55:57 pm »
If you think the rules are correct, try resetting the states, under Diagnostics.

15
19.7 Legacy Series / Re: DNS records not found; pages won’t load
« on: September 23, 2019, 01:33:54 pm »
The Global DNS settings are for the firewall itself, unless you don't have a DNS server enabled; in that case those servers are pushed via DHCP to the client. I am sure you get that but just wanted to clarify.

What DNS server are you using on opnsense? I don't recall the default; it's either Unbound DNS or Dnsmasq DNS. I'd suggest checking out the settings.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved