Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - smccloud

Pages: [1] 2

General Discussion / Re: Using OPNsense to override crappy Meraki IPv6 implementation

« on: August 15, 2024, 07:34:08 pm »

Quote from: chemlud on August 15, 2024, 06:27:57 pm

Hi!

How about disabeling Unbound and entering your preferred DNS IP to the DHCP config page?

Is there a way to specify three DNS IPs in the DHCPv6 config page?

General Discussion / Using OPNsense to override crappy Meraki IPv6 implementation

« on: August 15, 2024, 05:48:33 pm »

So our firewall at work is a Meraki MX95 (which was decided above my pay grade). It works, the problem is now that I am getting ready to roll out an IPv4 + IPv6 dual stack it is very limiting. I can't just say let's rip it out and replace it because we just purchased a costly 3-year licensing & support renewal for it. So I have to figure out a way to make it work. I'd like to use OPNsense to tell clients to use our domain controllers for DNS, but not override the Meraki when it comes to the default route. The problem is so far if I enable DHCPv6 on an OPNsense VM I'm using for testing (with one virtual NIC, the next time I'm in the office it will get a passed-through i350 NIC) it advertises itself as a DNS server as well. With Advertise Default Gateway unchecked hosts also tend to get the MX95 as a DNS server. Does anyone have any suggestions on how to make this work without telling my boss we just wasted $7250.00 on the MX95?

23.7 Legacy Series / Re: Speeds not as stable as pfSense

« on: November 09, 2023, 02:31:04 am »

Quote from: meyergru on November 09, 2023, 01:07:54 am

Do you mean that download speed fluctuates quickly over time?

If so, you may experience bufferbloat, especially because your upstream and downstream speeds differ so much. Try this or this to check.

If this is indeed the problem, you can refer to this page and there is also a step-by-step guide for OpnSense.

Yes. I have a local speed test app running tests hourly and it is wildly different every hour. I'll check bufferbloat later. Gotta love Internet in most of the US. Hopefully I get High-Split symmetrical cable Internet this winter (so soon).

23.7 Legacy Series / Speeds not as stable as pfSense

« on: November 08, 2023, 11:48:56 pm »

I have successfully converted everything from pfSense to OPNsense (but the OpenVPN server I almost never used). However, I have noticed that my connection speeds are not nearly as stable as they were under pfSense. In pfSense I'd almost always get close to my provisioned 960 Mbps down and 35 Mbps up (actually 40 Mbps up due to the over-provisioning my ISP does). But in OPNsense I will get anywhere from 300 Mbps to 950 Mbps down. Upload is fairly stable. I just need some ideas on where to look to help resolve this before I start transitioning other people to OPNsense from pfSense as well.

23.7 Legacy Series / Re: WAN not getting IPV6 address

« on: November 06, 2023, 03:07:50 pm »

All this advanced troubleshooting and we all forgot the most basic item. Firewall -> Settings -> Advanced -> Allow IPv6

If you'll excuse me, I'm going to go find some crow to eat. Works fine now.

23.7 Legacy Series / Re: WAN not getting IPV6 address

« on: November 06, 2023, 03:00:53 pm »

Quote from: meyergru on November 06, 2023, 02:05:36 am

On OpnSense, the resulting dhcp6c configuration is in /var/etc/dhcp6c.conf, you can check if it is like the one on your pfSense.

For LAN interfaces with RA enabled, you can check if /var/etc/radvd.conf contains the correct definitions (you did configure the router advertisements, did you?).

The order is:

1. get a delegated prefix on WAN of the correct size (in your case, /56) - regardless if the WAN itself gets an IPv6,
2. assign a part of it to each of your LAN interfaces via a different prefix ID (at most 8 bits) and
3. have that prefix advertised via RA or DHCPv6.

I haven't tried to configure RA yet since I don't have an IPv6 on the WAN yet. As for /var/etc/dhcp6c.conf, the only difference is pfSense has

Code: [Select]

interface igb0 {
  send ia-na 0; # request stateful address
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};
id-assoc na 0 { };
id-assoc pd 0 {
  prefix ::/56 infinity;
  prefix-interface igb1 {
    sla-id 6;
    sla-len 8;
  };
  prefix-interface igb2 {
    sla-id 7;
    sla-len 8;
  };
};

whereas OPNsense has

Code: [Select]

interface igb0 {
  send ia-na 0; # request stateful address
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};
id-assoc na 0 { };
id-assoc pd 0 {
  prefix-interface igb2 {
    sla-id 7;
    sla-len 8;
  };
  prefix-interface igb1 {
    sla-id 6;
    sla-len 8;
  };
};

23.7 Legacy Series / Re: WAN not getting IPV6 address

« on: November 06, 2023, 02:17:44 am »

The problem is, to get it visible in pfSense I have to reload my router. Which means everything is down for a while

I wonder if I can restore the config file in a VM just so I can look at that file.

23.7 Legacy Series / Re: WAN not getting IPV6 address

« on: November 06, 2023, 01:45:19 am »

Here's the WAN XML from my pfSense config file. I see nothing that makes it so it shouldn't work.

Code: [Select]

<wan>
	<enable></enable>
	<if>igb0</if>
	<blockbogons></blockbogons>
	<descr><![CDATA[WAN]]></descr>
	<spoofmac></spoofmac>
	<alias-address></alias-address>
	<alias-subnet>32</alias-subnet>
	<blockpriv></blockpriv>
	<ipaddr>dhcp</ipaddr>
	<dhcphostname></dhcphostname>
	<dhcprejectfrom></dhcprejectfrom>
	<adv_dhcp_pt_timeout></adv_dhcp_pt_timeout>
	<adv_dhcp_pt_retry></adv_dhcp_pt_retry>
	<adv_dhcp_pt_select_timeout></adv_dhcp_pt_select_timeout>
	<adv_dhcp_pt_reboot></adv_dhcp_pt_reboot>
	<adv_dhcp_pt_backoff_cutoff></adv_dhcp_pt_backoff_cutoff>
	<adv_dhcp_pt_initial_interval></adv_dhcp_pt_initial_interval>
	<adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
	<adv_dhcp_send_options></adv_dhcp_send_options>
	<adv_dhcp_request_options></adv_dhcp_request_options>
	<adv_dhcp_required_options></adv_dhcp_required_options>
	<adv_dhcp_option_modifiers></adv_dhcp_option_modifiers>
	<adv_dhcp_config_advanced></adv_dhcp_config_advanced>
	<adv_dhcp_config_file_override></adv_dhcp_config_file_override>
	<adv_dhcp_config_file_override_path></adv_dhcp_config_file_override_path>
	<ipaddrv6>dhcp6</ipaddrv6>
	<dhcp6-duid></dhcp6-duid>
	<dhcp6-ia-pd-len>8</dhcp6-ia-pd-len>
	<dhcp6-ia-pd-send-hint></dhcp6-ia-pd-send-hint>
	<dhcp6usev4iface></dhcp6usev4iface>
	<dhcp6withoutra></dhcp6withoutra>
	<adv_dhcp6_prefix_selected_interface>wan</adv_dhcp6_prefix_selected_interface>
/</wan>

And I just got done chatting with my ISP, their "solution" was to use their router. Nor would they reprovision my modem when I asked them to.

23.7 Legacy Series / Re: WAN not getting IPV6 address

« on: November 06, 2023, 01:15:49 am »

Just the following over and over with different times.

Code: [Select]

2023-11-05T18:13:55-06:00	Notice	dhcp6c	reset a timer on igb0, state=SOLICIT, timeo=30, retrans=109080	
2023-11-05T18:13:55-06:00	Notice	dhcp6c	send solicit to ff02::1:2%igb0	
2023-11-05T18:13:55-06:00	Notice	dhcp6c	set IA_PD	
2023-11-05T18:13:55-06:00	Notice	dhcp6c	set IA_PD prefix	
2023-11-05T18:13:55-06:00	Notice	dhcp6c	set option request (len 4)	
2023-11-05T18:13:55-06:00	Notice	dhcp6c	set elapsed time (len 2)	
2023-11-05T18:13:55-06:00	Notice	dhcp6c	set identity association	
2023-11-05T18:13:55-06:00	Notice	dhcp6c	set client ID (len 14)

OPNsense only stores the DUID in the config if you explicitly enter one. Otherwise, dhcp6c uses the DUID it generated itself, which is stored in /var/db/dhcp6c_duid.

Might be the same in pfSense.

Probably is, my config file from pfSense shows <dhcp6-duid></dhcp6-duid> and at this point I can't get the DUID from pfSense.

Pages: [1] 2