Messages - smccloud

#1
Quote from: viragomann on May 21, 2025, 06:14:08 PM
I see. Thought, it's possible to state a custom port there.

So maybe natting the port can be a workaround.


I have tried to use NAT for pfSense and that doesn't work so well, so I don't think it will work for OPNsense either :(

I suppose I could try one of our alternative IPs and see if it works, I know they don't work for everything though, since Merakis are weird for outbound traffic when they come in on them.
#2
I currently have a pfSense VM at work with the IPSec ports set to 501 and 4501 so as not to overlap with the main Meraki Client VPN we use. I want to replace it with an OPNsense VM, but I need to use the same ports for IPSec.  Is this possible with OPNsense?  I know it is not a normal use case, and I am fine with it.
#3
Quote from: chemlud on August 15, 2024, 06:27:57 PM
Hi!

How about disabling Unbound and entering your preferred DNS IP to the DHCP config page?

Is there a way to specify three DNS IPs in the DHCPv6 config page?
#4
So our firewall at work is a Meraki MX95 (which was decided above my pay grade).  It works, the problem is now that I am getting ready to roll out an IPv4 + IPv6 dual stack it is very limiting.  I can't just say let's rip it out and replace it because we just purchased a costly 3-year licensing & support renewal for it.  So I have to figure out a way to make it work.  I'd like to use OPNsense to tell clients to use our domain controllers for DNS, but not override the Meraki when it comes to the default route.  The problem is so far if I enable DHCPv6 on an OPNsense VM I'm using for testing (with one virtual NIC, the next time I'm in the office it will get a passed-through i350 NIC) it advertises itself as a DNS server as well.  With Advertise Default Gateway unchecked hosts also tend to get the MX95 as a DNS server.  Does anyone have any suggestions on how to make this work without telling my boss we just wasted $7250.00 on the MX95?
#5
23.7 Legacy Series / Re: Speeds not as stable as pfSense
November 09, 2023, 02:31:04 AM
Quote from: meyergru on November 09, 2023, 01:07:54 AM
Do you mean that download speed fluctuates quickly over time?

If so, you may experience bufferbloat, especially because your upstream and downstream speeds differ so much. Try this or this to check.

If this is indeed the problem, you can refer to this page and there is also a step-by-step guide for OpnSense.

Yes.  I have a local speed test app running tests hourly and it is wildly different every hour. I'll check bufferbloat later. Gotta love Internet in most of the US. Hopefully I get High-Split symmetrical cable Internet this winter (so soon).
#6
23.7 Legacy Series / Speeds not as stable as pfSense
November 08, 2023, 11:48:56 PM
I have successfully converted everything from pfSense to OPNsense (but the OpenVPN server I almost never used).  However, I have noticed that my connection speeds are not nearly as stable as they were under pfSense.  In pfSense I'd almost always get close to my provisioned 960 Mbps down and 35 Mbps up (actually 40 Mbps up due to the over-provisioning my ISP does).  But in OPNsense I will get anywhere from 300 Mbps to 950 Mbps down.  Upload is fairly stable.  I just need some ideas on where to look to help resolve this before I start transitioning other people to OPNsense from pfSense as well.
#7
23.7 Legacy Series / Re: WAN not getting IPV6 address
November 06, 2023, 03:07:50 PM
All this advanced troubleshooting and we all forgot the most basic item.  Firewall -> Settings -> Advanced -> Allow IPv6 :(

If you'll excuse me, I'm going to go find some crow to eat.  Works fine now.
#8
23.7 Legacy Series / Re: WAN not getting IPV6 address
November 06, 2023, 03:00:53 PM
Quote from: meyergru on November 06, 2023, 02:05:36 AM
On OpnSense, the resulting dhcp6c configuration is in /var/etc/dhcp6c.conf, you can check if it is like the one on your pfSense.

For LAN interfaces with RA enabled, you can check if /var/etc/radvd.conf contains the correct definitions (you did configure the router advertisements, did you?).

The order is:

1. get a delegated prefix on WAN of the correct size (in your case, /56) - regardless if the WAN itself gets an IPv6,
2. assign a part of it to each of your LAN interfaces via a different prefix ID (at most 8 bits) and
3. have that prefix advertised via RA or DHCPv6.

I haven't tried to configure RA yet since I don't have an IPv6 on the WAN yet.  As for /var/etc/dhcp6c.conf, the only difference is pfSense has
interface igb0 {
  send ia-na 0; # request stateful address
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};
id-assoc na 0 { };
id-assoc pd 0 {
  prefix ::/56 infinity;
  prefix-interface igb1 {
    sla-id 6;
    sla-len 8;
  };
  prefix-interface igb2 {
    sla-id 7;
    sla-len 8;
  };
};

whereas OPNsense has
interface igb0 {
  send ia-na 0; # request stateful address
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};
id-assoc na 0 { };
id-assoc pd 0 {
  prefix-interface igb2 {
    sla-id 7;
    sla-len 8;
  };
  prefix-interface igb1 {
    sla-id 6;
    sla-len 8;
  };
};
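
Added example, not part of the original post or of either project: a Python sketch that parses the two `id-assoc pd` blocks quoted above, compares them independently of `prefix-interface` ordering, and derives the per-LAN prefixes that `sla-id`/`sla-len` select. The delegated prefix `2001:db8:ab00::/56` is a constructed documentation value, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed inputs: the two id-assoc pd blocks as quoted in the post.
PFSENSE = """id-assoc pd 0 {
  prefix ::/56 infinity;
  prefix-interface igb1 { sla-id 6; sla-len 8; };
  prefix-interface igb2 { sla-id 7; sla-len 8; };
};"""
OPNSENSE = """id-assoc pd 0 {
  prefix-interface igb2 { sla-id 7; sla-len 8; };
  prefix-interface igb1 { sla-id 6; sla-len 8; };
};"""

def parse_pd(conf):
    """Return (prefix_hint_or_None, {iface: (sla_id, sla_len)})."""
    text = re.sub(r"#[^\n]*", "", conf)  # strip comments
    # "prefix <addr>/<len> <lifetime>;" is the hint sent with IA_PD
    hint = re.search(r"^\s*prefix\s+(\S+)\s+\S+\s*;", text, re.M)
    ifaces = {}
    for name, body in re.findall(r"prefix-interface\s+(\S+)\s*\{([^}]*)\}", text):
        sla_id = int(re.search(r"sla-id\s+(\d+)", body).group(1))
        sla_len = int(re.search(r"sla-len\s+(\d+)", body).group(1))
        ifaces[name] = (sla_id, sla_len)
    return (hint.group(1) if hint else None), ifaces

def compare(conf_a, conf_b):
    """Order-insensitive comparison of two id-assoc pd blocks."""
    hint_a, if_a = parse_pd(conf_a)
    hint_b, if_b = parse_pd(conf_b)
    return {"hint_differs": hint_a != hint_b, "interfaces_differ": if_a != if_b}

def lan_prefixes(delegated, ifaces):
    """Map each interface to the subnet its sla-id selects from the delegation."""
    net = ipaddress.IPv6Network(delegated)
    out = {}
    for name, (sla_id, sla_len) in ifaces.items():
        if sla_id >= 2 ** sla_len:
            raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
        new_len = net.prefixlen + sla_len
        base = int(net.network_address) + (sla_id << (128 - new_len))
        out[name] = str(ipaddress.IPv6Network((base, new_len)))
    return out

if __name__ == "__main__":
    print(compare(PFSENSE, OPNSENSE))
    print(lan_prefixes("2001:db8:ab00::/56", parse_pd(OPNSENSE)[1]))
```

For the two blocks above, the interface assignments are identical once ordering is ignored, and the only reported difference is the `prefix ::/56 infinity;` hint line.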
#9
23.7 Legacy Series / Re: WAN not getting IPV6 address
November 06, 2023, 02:17:44 AM
The problem is, to get it visible in pfSense I have to reload my router.  Which means everything is down for a while :(
I wonder if I can restore the config file in a VM just so I can look at that file.
#10
23.7 Legacy Series / Re: WAN not getting IPV6 address
November 06, 2023, 01:45:19 AM
Here's the WAN XML from my pfSense config file.  I see nothing that makes it so it shouldn't work.
<wan>
<enable></enable>
<if>igb0</if>
<blockbogons></blockbogons>
<descr><![CDATA[WAN]]></descr>
<spoofmac></spoofmac>
<alias-address></alias-address>
<alias-subnet>32</alias-subnet>
<blockpriv></blockpriv>
<ipaddr>dhcp</ipaddr>
<dhcphostname></dhcphostname>
<dhcprejectfrom></dhcprejectfrom>
<adv_dhcp_pt_timeout></adv_dhcp_pt_timeout>
<adv_dhcp_pt_retry></adv_dhcp_pt_retry>
<adv_dhcp_pt_select_timeout></adv_dhcp_pt_select_timeout>
<adv_dhcp_pt_reboot></adv_dhcp_pt_reboot>
<adv_dhcp_pt_backoff_cutoff></adv_dhcp_pt_backoff_cutoff>
<adv_dhcp_pt_initial_interval></adv_dhcp_pt_initial_interval>
<adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
<adv_dhcp_send_options></adv_dhcp_send_options>
<adv_dhcp_request_options></adv_dhcp_request_options>
<adv_dhcp_required_options></adv_dhcp_required_options>
<adv_dhcp_option_modifiers></adv_dhcp_option_modifiers>
<adv_dhcp_config_advanced></adv_dhcp_config_advanced>
<adv_dhcp_config_file_override></adv_dhcp_config_file_override>
<adv_dhcp_config_file_override_path></adv_dhcp_config_file_override_path>
<ipaddrv6>dhcp6</ipaddrv6>
<dhcp6-duid></dhcp6-duid>
<dhcp6-ia-pd-len>8</dhcp6-ia-pd-len>
<dhcp6-ia-pd-send-hint></dhcp6-ia-pd-send-hint>
<dhcp6usev4iface></dhcp6usev4iface>
<dhcp6withoutra></dhcp6withoutra>
<adv_dhcp6_prefix_selected_interface>wan</adv_dhcp6_prefix_selected_interface>
</wan>


And I just got done chatting with my ISP, their "solution" was to use their router.  Nor would they reprovision my modem when I asked them to.
#11
23.7 Legacy Series / Re: WAN not getting IPV6 address
November 06, 2023, 01:15:49 AM
Just the following over and over with different times.
2023-11-05T18:13:55-06:00 Notice dhcp6c reset a timer on igb0, state=SOLICIT, timeo=30, retrans=109080
2023-11-05T18:13:55-06:00 Notice dhcp6c send solicit to ff02::1:2%igb0
2023-11-05T18:13:55-06:00 Notice dhcp6c set IA_PD
2023-11-05T18:13:55-06:00 Notice dhcp6c set IA_PD prefix
2023-11-05T18:13:55-06:00 Notice dhcp6c set option request (len 4)
2023-11-05T18:13:55-06:00 Notice dhcp6c set elapsed time (len 2)
2023-11-05T18:13:55-06:00 Notice dhcp6c set identity association
2023-11-05T18:13:55-06:00 Notice dhcp6c set client ID (len 14)
#12
23.7 Legacy Series / Re: WAN not getting IPV6 address
November 06, 2023, 12:39:16 AM
I will check with them, but given the settings are the same between pfSense and OPNsense it should just work. DHCPv6, /56 prefix, DUID, all the same.
#13
23.7 Legacy Series / Re: WAN not getting IPV6 address
November 06, 2023, 12:28:11 AM
And removing the 0e:00 from the front of the DUID did not help. Still not working. I can get a prefix fine, but that doesn't propagate to my LAN.
#14
23.7 Legacy Series / Re: WAN not getting IPV6 address
November 05, 2023, 10:38:03 PM
I could just change my WAN NIC from igb0 to igb3 as well, or em0.  I do have multiple NICs to specify.
#15
23.7 Legacy Series / Re: WAN not getting IPV6 address
November 05, 2023, 10:29:55 PM
First four bytes are "0e:00:00:01"