Messages - MickeyRat

#1
General Discussion / Re: Ipv6 not staying blocked
June 23, 2021, 02:25:11 PM
Quote from: Greelan on June 23, 2021, 11:40:51 AM
ICMP is pretty important for IPv6 functionality and the automatic floating ICMP rule is probably letting the pings out (the logs suggest that).

BTW, "LAN address" just means the interface address on OPNsense. I think you really want "LAN net".  And your "no WAN out" rule won't do anything.

Thank you for the reply.  I'd heard of ICMP but, I didn't know much about it.  So, I did a little reading and now I know a little more.  If I'm reading things correctly, ICMP might allow someone on the internet to see that the devices in the NoWAN alias exist and who my ISP is but, that's about all.   

That also explains the ipv6 leak that allowed DNSLeakTest.com to see my ISP for my VPN group until I disabled ipv6 on the nodes.  It may not be possible but, I'll try to come up with a floating rule that will block this.

Thank you for the info on the LAN addresses.  I'll make that change.  I didn't see a problem with communication on the LAN but, that's probably because my switches were routing the traffic and it never went to the router.  Yeah I never saw the out rule triggered.  I'll dump it.

Please educate me a little.  I believe the ICMP hypothesis is correct but, why don't I see this issue until it's connected a while? 
#2
General Discussion / Re: Ipv6 not staying blocked
June 22, 2021, 03:14:54 PM
I have another data point.  Thanks to @lfirewall1243 for pointing out that I should be looking at the log.  So I again put in separate rules for ipv6 and ipv4 to see what's getting triggered.  The result is the same whether the ipv6 rules are first or the ipv4 rules are first.  The log shows that the ipv6 rules never get triggered.
#3
General Discussion / Re: Ipv6 not staying blocked
June 22, 2021, 01:44:54 PM
Quote from: lfirewall1243 on June 22, 2021, 08:25:42 AM
Enable logging for these rules and show us the LiveView. :)
And does ipv4 traffic also doesn't getting blocked?

Thank you for the reply.  I added a description (Deny WAN Access In and Deny WAN Access Out) to both rules and I turned on logging.  I've attached a pic of the liveview log both detail and the view as it's going by when it's blocked.  It was a bit tricky given the traffic but, I managed to get a detail view when ipv6 is getting out.

If I turn ipv6 off on the node, it times out and I do see the block on ipv4 in the liveview. 

I need to note that I saw something similar with nodes I set up to go through NordVPN.  Ipv6 was getting through even though I had blocking rules.  There were a lot of rules for that setup and I thought that I'd done something wrong so I disabled ipv6 at the nodes.  I never was satisfied with that solution.
#4
General Discussion / Ipv6 not staying blocked
June 21, 2021, 07:32:24 PM
I have a few IPs I want to limit to my LAN only.  First I set up an alias called NoWAN to hold the IPs.  I've attached a pic of my rules.  These are the first rules in the list.  They block inbound and outbound ipv4 and ipv6 traffic from anywhere except a LAN address.  Now here's the weird part.  They work fine for both ipv4 and ipv6 when I'm first connected but, after 10 minutes or so ipv6 starts leaking.  Here's what I see on reboot or when I cycle the network connections:

ping www.google.com
ping: www.google.com: Temporary failure in name resolution


After 10 minutes or so I get:

ping www.google.com
PING www.google.com(yx-in-x68.1e100.net (2607:f8b0:4002:c08::68)) 56 data bytes
64 bytes from yx-in-x68.1e100.net (2607:f8b0:4002:c08::68): icmp_seq=1 ttl=106 time=16.2 ms
64 bytes from yx-in-x68.1e100.net (2607:f8b0:4002:c08::68): icmp_seq=2 ttl=106 time=16.5 ms


Note that those are ipv6 addresses.

I've tried making separate rules for ipv4 and ipv6 with the same result.  I'm not a networking expert and I don't know much about ipv6.  So, any help would be appreciated.
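The thread's two findings, that the automatic floating ICMP rule is what lets the IPv6 pings out and that "LAN address" means only the firewall's interface IP while "LAN net" means the whole subnet, can be checked against a toy first-match rule evaluator. The following Python is an added example, not code from the thread or from OPNsense. It assumes that floating rules are evaluated before interface rules and that the first matching rule decides (pf's quick behaviour), and it models the automatic floating rule as passing all ICMPv6. The LAN, NoWAN and internet addresses are constructed from documentation ranges; only the Google address is taken from the ping output above.

```python
"""Toy first-match evaluator for the NoWAN rule set discussed in the thread.

Added example, not OPNsense code.  Assumptions: floating rules run before
interface rules, the first match wins, and the automatic floating rule
passes ICMPv6 (the hypothesis offered in the thread).  Addresses are
constructed from RFC 5737 / RFC 3849 documentation ranges except the
Google address copied from the poster's ping output.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed LAN subnets ("LAN net" in the rule editor).
LAN_NET = [ipaddress.ip_network("192.0.2.0/24"),
           ipaddress.ip_network("2001:db8:1::/64")]
# "LAN address" is only the firewall's own interface IP on each family.
LAN_ADDRESS = {ipaddress.ip_address("192.0.2.1"),
               ipaddress.ip_address("2001:db8:1::1")}
# The NoWAN alias: hosts to be confined to the LAN (constructed).
NOWAN = {ipaddress.ip_address("192.0.2.50"),
         ipaddress.ip_address("2001:db8:1::50")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp", "icmp" (IPv4) or "icmpv6"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "pass" or "block"
    match: Callable[[Packet], bool]


def ip(text: str) -> IPAddr:
    return ipaddress.ip_address(text)


def in_lan_net(addr: IPAddr) -> bool:
    # ipaddress returns False for a mixed-family membership test, so one
    # helper serves both IPv4 and IPv6 packets.
    return any(addr in net for net in LAN_NET)


# Modelled automatic floating rule: ICMPv6 is passed for IPv6 housekeeping,
# and (assumption) that includes the echo requests ping sends.
FLOATING_ICMPV6 = Rule("automatic floating: pass ICMPv6", "pass",
                       lambda p: p.proto == "icmpv6")

# The poster's block rule as first written (destination != "LAN address") ...
DENY_WAN_LAN_ADDRESS = Rule(
    "Deny WAN Access (dst != LAN address)", "block",
    lambda p: ip(p.src) in NOWAN and ip(p.dst) not in LAN_ADDRESS)
# ... and as recommended in the thread (destination != "LAN net").
DENY_WAN_LAN_NET = Rule(
    "Deny WAN Access (dst != LAN net)", "block",
    lambda p: ip(p.src) in NOWAN and not in_lan_net(ip(p.dst)))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides; with no match the LAN default allow applies."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.name
    return "pass", "default allow"


GOOGLE_V6 = "2607:f8b0:4002:c08::68"   # from the poster's ping output
INTERNET_V4 = "198.51.100.10"           # constructed (RFC 5737)
OTHER_LAN_HOST = "192.0.2.20"           # constructed neighbour on the LAN


def run_scenarios() -> dict:
    """Replay the symptoms from the thread against the modelled rule order."""
    ruleset = [FLOATING_ICMPV6, DENY_WAN_LAN_NET]
    return {
        # The observed leak: an IPv6 ping is ICMPv6, so the floating rule
        # matches before the NoWAN block rule is ever reached.
        "ping_v6": evaluate(ruleset, Packet("2001:db8:1::50", GOOGLE_V6, "icmpv6")),
        # A TCP connection to the same address is still blocked.
        "tcp_v6": evaluate(ruleset, Packet("2001:db8:1::50", GOOGLE_V6, "tcp")),
        # IPv4 ping: nothing floating passes ICMPv4 here, so the block hits,
        # matching the block the poster sees for ipv4 in the live view.
        "ping_v4": evaluate(ruleset, Packet("192.0.2.50", INTERNET_V4, "icmp")),
        # "LAN address" vs "LAN net" for traffic to a LAN neighbour that does
        # reach the firewall (a switch forwarding it directly would never ask).
        "lan_peer_lan_address": evaluate([DENY_WAN_LAN_ADDRESS],
                                         Packet("192.0.2.50", OTHER_LAN_HOST, "tcp")),
        "lan_peer_lan_net": evaluate([DENY_WAN_LAN_NET],
                                     Packet("192.0.2.50", OTHER_LAN_HOST, "tcp")),
    }


if __name__ == "__main__":
    for name, (action, rule) in run_scenarios().items():
        print(f"{name:22s} -> {action:5s} ({rule})")
```

The model reproduces the thread's picture: the IPv6 ping passes on the floating ICMPv6 rule while TCP to the same host and the IPv4 ping are blocked, and the "LAN address" form of the rule blocks LAN-to-LAN traffic that the "LAN net" form lets through. It says nothing about why the leak only appears after a few minutes; that depends on when the node obtains a working IPv6 configuration, which the model does not cover.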
#5
Tutorials and FAQs / Re: VPN Client - Gateway issue
November 23, 2018, 04:19:41 AM
I'm a total noob too but, I did get the VPN client working for PIA and I was able to specify which nodes on my network go through it.  This guide is for pfsense but, it's what I used as a go by:

https://www.reddit.com/r/PFSENSE/comments/6edsav/how_to_proper_partial_network_vpn_with_kill_switch/

I suspect that you need to check don't pull routes on your VPN client.  That won't route things through VPN but, it will stop your entire network from going through VPN. 

Things have been busy with Thanksgiving and all but, I intend to post a thorough guide to doing it in the next week or so.
#6
Thanks for the reply!

Quote: Fair enough. We are working on our documentation, but others have a 10 year head start so it takes a while to be able to do the same.

What I was really referring to is sources other than the documentation.  There's not a lot of buzz out there for opnsense.  You can't fix that.  As you said, it'll take time.  OTOH if you're looking to move to something like this, you can't help running across the pfsense attitude I was referring to earlier.  That provides some motivation to give opnsense a look.

For my part, I'll probably post a thorough guide on here for what I did.  I certainly could have done something stupid.  So having a few more eyes on it won't hurt.  I might also ask PIA if they are interested in it.  If they put it up, perhaps other VPN vendors will follow suit.

Quote: Not sure what the question is? It won't use the disk unless you use disk-intensive services like web proxy cache or insight reporting.

It's moot now.  After I posted that, I found that msata drives had come down in price.  I have a 120GB on the way.  I was really asking if with just basic router functions and a VPN client, if I needed more than 30GB and pointers to how to enable that drive if I did.

Quote: ARP is automatic, or I don't understand the question very well. Sorry.

I didn't state the question well.  I was referring to the static ARP entries you can enable for permanent leases in DHCP.  That's what got me looking at ARP at all.  I haven't enabled it. From my reading, it's cheap and it's not going to hurt anything but, it's a very minor help.

Quote: Insight reporting is nice, enable NetFlow with local reporting... and skim the plugins list as there are a few other interesting things, also see:

https://github.com/opnsense/plugins#a-list-of-currently-available-plugins

Thanks!!!  I'll probably wait till I get that 120GB drive in but, I'll check it out.

After 2 days, still very pleased with opnsense!
#7
I'm a noob to much of this but, what you need is a bridge.  The following may help.
https://wiki.opnsense.org/manual/how-tos/lan_bridge.html
#8
General Discussion / Total Noob Comments and Questions
November 18, 2018, 12:54:34 AM
New here and I just got opnsense set up with PIA and kill switch.  I used the pfsense guide here https://www.reddit.com/r/PFSENSE/comments/6edsav/how_to_proper_partial_network_vpn_with_kill_switch/ as a go by.  I'm a soon to be retired DBA so, while I don't know the details of networking, I can get around a little.  I'm pretty experienced with Linux.  I don't know much about BSD.

I actually did it with pfsense first but, those guys' attitude really makes me uninterested in using their software if I have an alternative.  However, doing it in pfsense did give me the confidence to try it in opnsense.

I know it's overkill for a home router but, it's on an i5 with 32GB and a 30GB msata drive.

Comments


  • I couldn't get the USB version to boot or even be recognized by the BIOS.  I had to burn a DVD. Not sure why.  The install took a while.
  • Others have commented on this but, guides for opnsense other than the documentation are pretty hard to come by.  That's why I did it with pfsense first.
  • I don't want it but, I'm a bit surprised that opnsense has no provision for UPnP.  The only reason I know that pfsense has it is because I went looking for it to make damn sure it was turned off.
  • I've only had it running a few hours but, very pleased so far!

Questions


  • Telling me to RTFM isn't unreasonable here but, this system also has a 200GB hard drive.  Opnsense isn't using it.  Any pointers on getting it running?  Any reason I should?
  • Is there a reason to set up ARP on a network with less than 20 nodes?  From what I've read it reduces broadcast messages for mac addresses but, how many of those are there going to be on that small a network?
  • Anything else I should try to set up for a home router?  Obviously, I have some spare cycles.

My other observation is that both pfsense and opnsense perform about the same.  However, they both beat the tar out of my ASUS AC-RT87U performance wise.  That's not much of a surprise.  I also get higher throughput over PIA than I do on a clear connection with both opnsense and pfsense.  I'm pretty sure that's due to compression between my router and PIA.

Thanks for any answers, comments, insults, whatever. :)