Messages

1

21.1 Legacy Series / Re: Improve settings for traffic graphs, want to be able to choose color

« on: March 01, 2021, 05:10:09 am »

Explicitly assigning colours to interfaces is a long overdue feature.

Now chart.js is being used, I'd also like to see some of its options exposed to help make them useful again. A few examples:

• Customise the history span, ~60 seconds in the widget graph is woefully insufficient, 10-15 minutes would be better.
• Set graph style: bar, line, fill, etc.

Also, with the new widget graph, it should update/populate when the window is not in focus, it no longer does so, at least in Safari 14.0.3. It's useful to see it's detail after switching to and from other applications. I'd also like the option for all or a portion of the configured history span of telemetry it relies on to be continually maintained in memory so it is available when loading the dashboard.

2

20.7 Legacy Series / Re: Question about Upgrading to 20.7

« on: September 18, 2020, 03:17:58 am »

My impression of the OPNsense v6 support is it's implemented by someone proficient with v4 but never studied the actual RFCs. Shoving the configuration of multiple addresses and prefixes for an individual interface into the 'Virtual IP' paradigm is the biggest example of this, but the lack of explicit ULA handling and lazy DHCP firewall rules compound this impression.

This seems to be rather uninformed and overgeneralised. We did not implement the architecture for 'Virtual IP' in the first place, it has nothing to do with IPv6 in particular although people try to coerce ULA into their builds with it, and we did a lot of work in IPv6 over the years that is not found in other projects (see our dhcp6c and the latest multi-WAN support).

Most issues with IPv6 revolve around shifting prefixes and PPPoE parent IPv4 connectivity / reconnect hiccups.

Also, there is a kernel bug in radvd in 20.7 (FreeBSD 12.1) that seems to make multicast stuck after a while.

The rest is solved/broken by ISPs, modem, MAC address issues, settings mismatches etc.

This is a much broader subject which likely needs to be captured in its own thread to be productive, but to address the above:

My post was absolutely uninformed and overgeneralised, in so much as it's born from my attempt to comprehend the design and configuration structure as an end user who has a moderate understanding of what v4 and v6 are capable of. The criticisms are not wholly unique to OPNsense, there's a persistent, broad impression v6 should just be treated like v4 with longer addresses, and this bleeds into design decisions which map v4 conventions to function with v6, leads to backporting and legitimising unnecessary hacks (NAT), and manifests as disproportionate friction when implementing core features v6 provides (multiple discreet address/prefix per interface). ULA configuration should be a core feature of any device claiming to function as a v6 firewall.

It was likely the right choice when first trying to make sense of everything, particularly when many of the RFCs and their revisions created more confusion than they resolved, but it's very much a technical debt which needs to be called out today. I'm very much interested in helping to correct this, but I have very limited capacity to do so beyond an assistance role.

3

20.7 Legacy Series / Re: Question about Upgrading to 20.7

« on: September 17, 2020, 09:24:45 am »

I think IPv6 is essential and to few people are using/testing IPv6.

My impression of the OPNsense v6 support is it's implemented by someone proficient with v4 but never studied the actual RFCs. Shoving the configuration of multiple addresses and prefixes for an individual interface into the 'Virtual IP' paradigm is the biggest example of this, but the lack of explicit ULA handling and lazy DHCP firewall rules compound this impression.

I'd like to help correcting this, but I have no idea where to start beyond posting in this forum. IMO, refactoring the entire interpretation of v6 in OPNsense should be a dedicated project itself.

4

20.7 Legacy Series / Re: DHCP/DHCPv6 automatically configured firewall rules

« on: July 30, 2020, 03:21:56 am »

I've tried to find reference in the relevant RFCs which explicitly permit this, but from my reading it is at least implied DHCP is restricted to transport via IPv4 and DHCPv6 via IPv6.

Is there any supporting documentation which specifies otherwise?

Is there an example of this being implemented outside of the formal specifications?

5

20.7 Legacy Series / Re: DHCP/DHCPv6 automatically configured firewall rules

« on: July 05, 2020, 11:47:37 pm »

I understand why IPv4 UDP 67/68 and IPv6 UDP 546/547 need to be permitted, but as far as I'm aware DHCP doesn't use IPv6 and DHCPv6 doesn't use IPv4. The rules should match what the protocols use and require.

6

20.7 Legacy Series / DHCP/DHCPv6 automatically configured firewall rules

« on: July 05, 2020, 02:10:41 pm »

Is there a reason IPv4 UDP ports 546/547 and IPv6 UDP ports 67/68 are added automatically as allow when DHCP/DHCPv6 are used on an interface?

7

20.7 Legacy Series / Multiple IPv6 prefixes per interface

« on: May 22, 2020, 06:02:32 am »

Is there a way to add multiple discreet IPv6 prefixes to a single interface?

Specifically I'd like to configure a DHCPv6-PD derived and a ULA prefix to a LAN interface, but can see a benefit of being able to explicitly configuring additional prefixes to facilitate migration, multihoming and/or testing.

8

19.7 Legacy Series / ULA and multiple IPv6 prefixes per interface

« on: October 08, 2019, 02:23:31 am »

I'm new to OPNsense and may have missed something obvious, but I'm used to being able to configure multiple IPv6 prefixes on interfaces. The specific use case I have is:

* GUA PD obtained from WAN, advertised on LAN
* ULA advertised to LAN

At a minimum I'd expect an option to explicitly configure a ULA for an interface. They're useful for segregating routable traffic you don't want touching 2000::/3 like locally run proxies.

I tried specifying the prefix manually in the Router Advertisements for the LAN interface, but don't see it on the wire.

The only reference to configuring a ULA is in the context of NPT (which no one should ever use but if you wish to administer a broken network, all the best).