Messages - jimpd

#1
I figured it out:

To get this working, the gateway has to be overwritten with a firewall rule. It is possible to configure a custom gateway at the bottom of the inbound rule settings.
#2
21.7 Legacy Series / Re: Routing LAN->WAN doesn't work
October 18, 2021, 06:59:07 PM
Hi, can you enable logging for your firewall rules and check if you can see anything in Firewall -> Log files -> Live View?
If there is nothing, please double check your client IP configuration.
#3
21.7 Legacy Series / Re: IPv6 Notification
October 18, 2021, 06:56:13 PM
You can configure cronjobs in System -> Settings -> Cron

What else are you missing?
#4
> per-host

What do you mean by that?

> Is there either a different template I should be using within Zabbix

If there is no different template available, you can still define custom items on your Zabbix server to get the missing data.
#5
Hello!

I am trying to set different IPv6 gateways for different interfaces. There is an IPv6 connection from my ISP and one from a Tunnelbroker.
Gateways:
Name: ISP, Interface: WAN, Prio: 2 (upstream), Gateway: link-local IPv6 of the next router (with modem)
Name: Tunnelbroker, Interface: TUNNELBROKER, Prio: 3, Gateway: remote IPv6 from broker

Interfaces:
WAN - IPv6: DHCPv6
OPT2 - IPv6: Track interface, IPv6 Interface: WAN, Prefix ID 0x0
OPT3 - IPv6: Static IPv6, IPv6 address: static IP from Tunnelbroker subnet, IPv6 Upstream Gateway: Autodetect

RA:
OPT3 - Unmanaged (SLAAC)

Firewall: not relevant here (if it is, please tell me)

Now I can successfully connect from clients in OPT2 with IPv6 addresses from the ISP to the Internet. IPv6 traffic gets routed via "ISP" Gateway.

From clients in OPT3 with IPv6 addresses from the Tunnelbroker subnet I can reach the static IPv6 from the OPT3 interface but nothing beyond. All traffic gets routed to the "ISP" gateway (and dropped there) and not to the "Tunnelbroker" gateway.

If I change the prio from "Tunnelbroker" gateway to "1" and try again, the connection to the Internet works from clients in OPT3 through "Tunnelbroker" gateway but connections from clients in OPT2 to the Internet don't work anymore because their traffic gets routed through the "Tunnelbroker" gateway instead of the "ISP" gateway.

I already tried to set both gateways as "upstream" and/or with the same prio. I also tried to configure a custom gateway for the OPT3 interface, but it gets rejected because:

> The gateway address does not lie within one of the chosen interface's IPv6 subnets.
> The gateway IP address already exists.

Both are understandable: the gateway address of course does not lie within the subnet, and the gateway IP already exists in the "Tunnelbroker" gateway.

Is it somehow possible to get this working?
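The following is an added illustration of the mechanism behind post #5's symptom and post #1's fix; it is not code from the forum thread or from OPNsense. It models what the poster observed: the kernel holds a single IPv6 default route, chosen by gateway priority, so every interface's Internet traffic follows it unless a firewall rule with a custom gateway (pf `route-to`) forces a different next hop for packets arriving on that interface. The topology, addresses (documentation prefixes) and the `Gateway`/`RouteToRule` helpers are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the two-gateway setup: one routing-table default route
# selected by priority, plus optional per-interface route-to rules that
# override it.  Names and addresses are hypothetical.


@dataclass(frozen=True)
class Gateway:
    name: str
    interface: str  # interface through which the gateway is reachable
    priority: int   # lower value wins the single default route


@dataclass(frozen=True)
class RouteToRule:
    ingress: str    # interface the client packet arrives on
    source: str     # source network the rule matches
    gateway: str    # gateway forced for matching packets (route-to)


def default_gateway(gateways):
    """Only one IPv6 default route exists in the kernel table: the gateway
    with the lowest priority value (ties keep list order)."""
    return min(gateways, key=lambda g: g.priority)


def next_hop(src, dst, ingress, gateways, rules, connected):
    """Return ('direct', iface), ('route-to', gateway) or ('default', gateway)
    for a packet from src to dst that arrived on interface `ingress`."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Directly connected networks never need a gateway.
    for iface, net in connected.items():
        if dst_ip in ipaddress.ip_network(net):
            return ("direct", iface)
    # A firewall rule with a custom gateway wins over the routing table.
    for rule in rules:
        if rule.ingress == ingress and src_ip in ipaddress.ip_network(rule.source):
            return ("route-to", rule.gateway)
    return ("default", default_gateway(gateways).name)


# Hypothetical topology: OPT2 tracks the ISP prefix, OPT3 carries the
# Tunnelbroker subnet; REMOTE stands for any Internet destination.
GATEWAYS = [Gateway("ISP", "WAN", 2), Gateway("Tunnelbroker", "TUNNELBROKER", 3)]
CONNECTED = {"OPT2": "2001:db8:1::/64", "OPT3": "2001:db8:2::/64"}
RULE_OPT3 = RouteToRule("OPT3", "2001:db8:2::/64", "Tunnelbroker")
REMOTE = "2001:db8:ffff::1"


def demo(rules, gateways=GATEWAYS):
    """Where do clients in OPT2 and OPT3 end up for an Internet destination?"""
    return {
        "OPT2": next_hop("2001:db8:1::10", REMOTE, "OPT2", gateways, rules, CONNECTED),
        "OPT3": next_hop("2001:db8:2::10", REMOTE, "OPT3", gateways, rules, CONNECTED),
    }


if __name__ == "__main__":
    swapped = [Gateway("ISP", "WAN", 2), Gateway("Tunnelbroker", "TUNNELBROKER", 1)]
    print("priorities only:   ", demo([]))           # OPT3 wrongly uses ISP
    print("Tunnelbroker prio 1:", demo([], swapped))  # now OPT2 wrongly uses Tunnelbroker
    print("with route-to rule: ", demo([RULE_OPT3]))  # each interface uses its own gateway
```

Juggling priorities only moves the problem from one interface to the other, which is exactly the behaviour described in the post; the per-interface rule is the only configuration in the model where both interfaces get the right next hop.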
#6
This issue is probably fixed with the new Fritz!OS 7.20


- **Fixed** Devices connected to a downstream router via IPv6 prefix delegation did not get an IPv6 Internet connection while parental controls were active
- **Fixed** Devices connected to a downstream router via IPv4 static routes did not get an IPv4 Internet connection while parental controls were active

https://ftp.avm.de/fritzbox/fritzbox-7590/deutschland/fritz.os/info_de.txt

I will report back once my FritzBox has received the 7.20 update too.
#7
IPv6 is working, yes.
And ICMP is, as you said, filtered. But that is exactly what we don't want. We want ICMP.

My ISP (from where I use the IPv4) allows IPv4 and IPv6 ICMP. Does that mean he.net blocks ICMP? I don't think so because it is possible to ping (if allowed) other IPv6 addresses from the he.net subnet I received.
#8
I just tested this and I also do not get ICMP working.
But opening the port just works fine. If you nmap the IPv6 address of your gif interface, then ports 80/443 of the OPNsense are open. Just ICMP does not work, for whatever reason.

If you allow ICMP to a host in, for example, the LAN in the Tunnelbroker firewall rules, then this ICMP works fine. You can even see the firewall's IPv6 address in the mtr. But it is still not pingable.
#9
Thank you for your reply.
If I have multiple virtual IPs on a single LAN interface, I can simply specify the IP on which the port should listen as the destination address in the NAT rule.
Probably you are right and I can **also** do it with outbound rules on the LAN interface, but in my opinion punching a hole into the firewall and **afterwards** closing it again with an outbound rule is not the best way to do it.

Can you think of any other use cases?
#10
Hi all

Can someone please explain when outbound rules on, for example, the LAN interface are required? If I want to expose a port to the Internet I create a new NAT -> Port Forward rule, but I don't need any other special outbound rule on the LAN interface.

So what is its use case with IPv4?
#11
Next approach

Allow incoming port 443 on the OPNsense WAN interface (which is in LAN1) with exposed host configured in the FritzBox -> OPNsense interface is reachable from remote via IPv6

Then I tried a similar setup as before from the Internet (with curl)

device1 in LAN1
device2 in LAN2

device1 webserver port 80
I opened port 80 for device1 in the FritzBox
-> access to webserver on device1 from remote server via IPv6 is possible
tcpdump on port 80

13:43:46.206828 IP6 ipv6-of-device1:198d.54222 > ipv6-of-device2:e03a.http: Flags [S], seq 4161419774, win 28640, options [mss 1432,sackOK,TS val 3100947471 ecr 0,nop,wscale 7], length 0
13:43:46.206879 IP6 ipv6-of-device2:e03a.http > ipv6-of-device1:198d.54222: Flags [S.], seq 2344778224, ack 4161419775, win 64260, options [mss 1440,sackOK,TS val 457004862 ecr 3100947471,nop,wscale 7], length 0
.....
13:43:46.213160 IP6 ipv6-of-device1:198d.54222 > ipv6-of-device2:e03a.http: Flags [P.], seq 1:104, ack 1, win 224, options [nop,nop,TS val 3100947478 ecr 457004862], length 103: HTTP: GET / HTTP/1.1
......


device2 webserver port 80
I opened the firewall for OPNsense (exposed host) and also allowed access to the delegated IPv6 prefixes for this device in the FritzBox
I opened port 80 in OPNsense on the WAN interface for device2
-> access to webserver on device2 from remote server via IPv6 was **not** possible

I saw the request from the remote server in my OPNsense firewall log:
lan   [remote-ipv6::2]:59836 [ipv6-of-device:e03a]:80   tcp   let out anything from firewall host itself

Then I tcpdump'd on device2 port 80.
I saw the requests:

13:55:21.417708 IP6 remote-ipv6::2.42044 > ipv6-of-device2:e03a.80: Flags [S], seq 2674231027, win 28800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0
13:55:21.417754 IP6 ipv6-of-device2:e03a.80 > remote-ipv6::2.42044: Flags [S.], seq 4276351807, ack 2674231028, win 64800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0
13:55:22.442402 IP6 ipv6-of-device2:e03a.80 > remote-ipv6::2.42044: Flags [S.], seq 4276351807, ack 2674231028, win 64800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0


I wireshark'd this via http://fritz.box/html/capture.html - image1 is on eth1, image2 on the WAN interface
(please ignore that image2 is ::1 instead of ::2, it doesn't matter here)

also tcpdump'd on the remote server

14:18:13.265952 IP6 remote-ipv6::2.39468 > ipv6-of-device2:e03a.80: Flags [S], seq 730490927, win 28800, options [mss 1440,sackOK,TS val 2624988435 ecr 0,nop,wscale 7], length 0


verbose:

14:17:36.967342 IP6 (flowlabel 0xc305c, hlim 64, next-header TCP (6) payload length: 40) remote-ipv6::2.39466 > ipv6-of-device2:e03a.80: Flags [S], cksum 0xe30d (incorrect -> 0xeca7), seq 2577571887, win 28800, options [mss 1440,sackOK,TS val 2624952138 ecr 0,nop,wscale 7], length 0
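The captures above show the classic signature of a broken return path: device2 answers the SYN with a SYN-ACK and retransmits it a second later, but the remote server never sends the third packet of the handshake because the SYN-ACK never reached it. As an added example (not code from the thread), the script below runs that check over tcpdump one-liners: it tracks each handshake by its four-tuple and reports flows that are established, half-open (SYN-ACK sent, possibly repeatedly, but never acknowledged) or never answered at all. The sample capture is constructed with documentation addresses and modelled on the lines in the post; the `LINE_RE` pattern and the verdict names are this example's own.

```python
import re
from dataclasses import dataclass

# One-line tcpdump output as in the post: "<ts> IP6 <src>.<sport> > <dst>.<dport>: Flags [..]".
# The address is split from the port at the last '.' before ' > ' / ': Flags',
# so IPv6 literals and hostnames both parse.  Verbose "(flowlabel ...)" lines
# do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Flow:
    syn: int = 0        # client SYNs seen (retransmits included)
    synack: int = 0     # server SYN-ACKs seen; >1 means the client never answered
    acked: bool = False # client's ACK completed the handshake


def track_handshakes(lines):
    """Build {(client, cport, server, sport): Flow} from tcpdump lines."""
    flows = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        fwd = (m["src"], m["sport"], m["dst"], m["dport"])
        rev = (m["dst"], m["dport"], m["src"], m["sport"])
        flags = m["flags"]
        syn, ack = "S" in flags, "." in flags
        if syn and not ack:                      # client -> server SYN opens a flow
            flows.setdefault(fwd, Flow()).syn += 1
        elif syn and ack and rev in flows:       # server -> client SYN-ACK
            flows[rev].synack += 1
        elif ack and fwd in flows and flows[fwd].synack:
            flows[fwd].acked = True              # client's third packet arrived
    return flows


def verdict(flow):
    if flow.acked:
        return "established"
    if flow.synack:
        return "half-open"   # SYN-ACK left the server but the client never ACKed: return path
    return "no-synack"       # SYN never answered: forward path or the server itself


def classify(lines):
    """Map each flow to (verdict, number of SYN-ACKs the server had to send)."""
    return {key: (verdict(f), f.synack) for key, f in track_handshakes(lines).items()}


# Constructed sample capture: flow from 2001:db8:a::1 completes, flow from
# 2001:db8:c::2 only ever sees the server retransmitting its SYN-ACK.
SAMPLE = """\
13:43:46.206828 IP6 2001:db8:a::1.54222 > 2001:db8:b::e03a.80: Flags [S], seq 4161419774, win 28640, options [mss 1432,sackOK], length 0
13:43:46.206879 IP6 2001:db8:b::e03a.80 > 2001:db8:a::1.54222: Flags [S.], seq 2344778224, ack 4161419775, win 64260, options [mss 1440,sackOK], length 0
13:43:46.213100 IP6 2001:db8:a::1.54222 > 2001:db8:b::e03a.80: Flags [.], ack 1, win 224, length 0
13:43:46.213160 IP6 2001:db8:a::1.54222 > 2001:db8:b::e03a.80: Flags [P.], seq 1:104, ack 1, win 224, length 103: HTTP: GET / HTTP/1.1
13:55:21.417708 IP6 2001:db8:c::2.42044 > 2001:db8:b::e03a.80: Flags [S], seq 2674231027, win 28800, options [mss 1440,sackOK], length 0
13:55:21.417754 IP6 2001:db8:b::e03a.80 > 2001:db8:c::2.42044: Flags [S.], seq 4276351807, ack 2674231028, win 64800, options [mss 1440,sackOK], length 0
13:55:22.442402 IP6 2001:db8:b::e03a.80 > 2001:db8:c::2.42044: Flags [S.], seq 4276351807, ack 2674231028, win 64800, options [mss 1440,sackOK], length 0
""".splitlines()


if __name__ == "__main__":
    for key, (state, retries) in classify(SAMPLE).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {state}  (SYN-ACKs: {retries})")
```

Run it against `tcpdump -n -i <iface> port 80` output on the server; a half-open verdict on a flow whose SYN also appears in a capture at the client end narrows the fault to the path the server's replies take back, which is where a stateful device in between (here the FritzBox) would be dropping them.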
#12
Sorry for the late reply

I have tested the following with IPv6:
device1 in LAN1
device2 in LAN2

device1 can ping device2
device2 can ping device1

installed webserver on device2 and allowed port 80 in opnsense on WAN interface for device2
-> device1 can access website running on device2
#13
I played a bit more around and noticed the following:
If I block the device via Filter -> Kindersicherung (parental controls) and then change it again, I get a single packet through via IPv6.
If I block it again and set it back to "Standard", the mtr always succeeds, but only until I stop and restart the mtr on a device in LAN2.
#14
I added my OPNsense as exposed IPv6 host but that did not work either.
The most interesting part is that if the mtr runs long enough, sometimes a single packet goes out.
#15
Hi :)

I tried to configure IPv6 behind my OPNsense but I'm stuck right now.
My setup looks like this:
Internet -> FritzBox -> LAN1
                    -> OPNsense (in LAN1) -> LAN2
What is working?
IPv6 is working fine on devices in LAN1. IPv6 is working fine on the WAN port on my OPNsense.

What is not working?
IPv6 is not working on devices in LAN2

I do get IPv6 addresses on devices in LAN2 and I can ping OPNsense and the FritzBox via IPv6 but I cannot reach anything outside on the Internet.

Configuration:
Enabled IPv6 in FritzBox with "DNS and IA_PD"
Enabled IPv6 in OPNsense

WAN interface:
IPv6 Configuration Type - DHCPv6

Configuration Mode - Basic
Request only an IPv6 prefix - Yes
Prefix delegation size - 62 (also tried 60 here)
Send IPv6 prefix hint - Yes
Prevent release - Yes
Enable debug - No
Use IPv4 connectivity - No
Use VLAN priority - No

LAN interface:
IPv6 Configuration Type - Track Interface

IPv6 Interface - WAN
IPv6 Prefix ID - 0x0
Manual configuration - No

Firewall -> Advanced:
Allow IPv6  - Yes

Firewall -> Rules -> LAN:
Action - Pass
Interface - LAN
Direction - in
TCP/IP Version - IPv6
Protocol - ICMP
ICMP type - any
Source - LAN net

With this config I get IPv6 addresses in LAN2 and can ping other local devices but I cannot reach outside IPv6 addresses via ping.
According to the "Live View" under "Log Files" the ICMP ping is successful, at least it is not blocked.
An mtr shows a successful connection to OPNsense, then the FritzBox, then it stops.

Any idea what is wrong here?

/edit
To test this more I added following rules to LAN:
IPv6 * - Source WAN - any...
IPv6 * - Source LAN - any...

And on WAN the same:
IPv6 * - Source WAN - any...
IPv6 * - Source LAN - any...

But still not working
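The configuration above asks the FritzBox for a /62 (or /60) and lets the LAN interface track it with Prefix ID 0x0. As an added example, not part of the post, the helper below computes which /64 a tracked interface receives for a given delegated prefix and Prefix ID, and refuses IDs that do not fit the delegation size: a /62 only carries four /64s (IDs 0x0 to 0x3), a /60 carries sixteen (0x0 to 0xf). The delegated prefixes used are documentation addresses chosen for the example.

```python
import ipaddress

# Added example: map an OPNsense "Track Interface" Prefix ID onto the /64 it
# selects inside the delegated prefix.  The Prefix ID is the index of the /64
# within the delegation, counted from zero.


def tracked_subnet(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 that Prefix ID `prefix_id` selects inside `delegated`."""
    pd = ipaddress.IPv6Network(delegated)  # strict: host bits must be zero
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is smaller than a /64; nothing to track")
    available = 1 << (64 - pd.prefixlen)    # number of /64s in the delegation
    if not 0 <= prefix_id < available:
        raise ValueError(
            f"prefix ID 0x{prefix_id:x} out of range for /{pd.prefixlen} "
            f"(valid: 0x0..0x{available - 1:x})"
        )
    base = int(pd.network_address) >> 64     # upper 64 bits of the delegation
    return ipaddress.IPv6Network(((base + prefix_id) << 64, 64))


def all_tracked_subnets(delegated: str):
    """Every /64 a delegation of this size can hand to tracking interfaces."""
    pd = ipaddress.IPv6Network(delegated)
    return [tracked_subnet(delegated, i) for i in range(1 << (64 - pd.prefixlen))]


if __name__ == "__main__":
    # Hypothetical delegations, as a /62 and a /60 request would return them.
    for delegated in ("2001:db8:0:4::/62", "2001:db8:0:10::/60"):
        subnets = all_tracked_subnets(delegated)
        print(f"{delegated}: {len(subnets)} tracked /64s, "
              f"0x0 -> {subnets[0]}, 0x{len(subnets) - 1:x} -> {subnets[-1]}")
    try:
        tracked_subnet("2001:db8:0:4::/62", 0x4)
    except ValueError as err:
        print("rejected:", err)
```

With a single LAN behind OPNsense, Prefix ID 0x0 on a /62 is enough; the check matters when a second tracking interface is added with an ID the delegation cannot supply, which leaves that interface without a usable prefix.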