Messages - ember1205

#1
Thanks... None of this appears to be in the default Dashboard, but I am able to see more info in the Interfaces->Overview screen. It appears that they offer a /64 by default and I am able to request and obtain a /56. It does appear that, for the subnet that the OpnSense is on, IPv6 tracks through to the clients for auto-config without an issue but does not go beyond the border of my router to other client subnets. In the end, this might not actually be an issue like this.

With regard to my comment about changing ISP's... I wasn't saying my potential need for IPv6 would change, only that the specifics of the address and prefix would change. I didn't want to have to invest any effort at this point into any sort of specific configuration to get my various devices working as I would have to "re-do it" when I moved. My focus would have been on specific configuration efforts post-move.

I'll have to look more into RADVD to see what it will take to get that working to allow clients on other subnets be able to pick up IPv6 addresses.
#2
Quote from: meyergru on April 18, 2023, 03:55:28 PM
I severely doubt that. Usually, ISPs hand out two IPv6 address(es):

1. An IPv6 for the router itself (IA_NA)
2. An IPv6 range for the devices behind the router (IA_PD)

Normally, you would request both and on your LAN, you would use "track interface" in the IPv6 configuration. Also, you would use RADVD with a prefix ID for each local subnet / interface.

That way, your LAN devices would pick up IPv6 addresses with the ISP-assigned prefix (plus prefix ID) and could then use native IPv6.

If you do not get a prefix or if you do not want to have IPv6 in your local networks, you could install a squid proxy on your OpnSense and configure your browsers through it, if only the OpnSense itself was IPv6-capable.

How does an ISP "hand out" the IP range?

It also sounds like I would need to be running DHCP services on the OpnSense box. If that's the case, then I'm going to wait until we move to invest -any- effort into that at all since the ISP is likely to change anyhow.
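An added illustration of the IA_PD / prefix-ID mechanism discussed in the two posts above (this is example code written for this page, not anything from the forum thread or from OPNsense): it carves per-interface /64 subnets out of a delegated prefix by prefix ID, derives a SLAAC-style (modified EUI-64) host address from one of them, and shows why a bare /64 delegation has room for only one LAN, which is the /64-versus-/56 point in post #1. The delegated prefix is the RFC 3849 documentation range and the MAC address is made up.

```python
import ipaddress

# Constructed example values: a documentation prefix (RFC 3849) standing in
# for whatever the ISP delegates, and a made-up MAC address.
DELEGATED_PREFIX = "2001:db8:abcd:ff00::/56"
EXAMPLE_MAC = "00:11:22:33:44:55"


def subnet_for_prefix_id(delegated: str, prefix_id: int,
                         subnet_len: int = 64) -> ipaddress.IPv6Network:
    """Return the /subnet_len carved out of the delegated prefix for a given
    prefix ID, the way "track interface" + prefix ID selects one /64 per LAN."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if subnet_len < net.prefixlen:
        raise ValueError("requested subnet is larger than the delegation")
    available = 2 ** (subnet_len - net.prefixlen)
    if not 0 <= prefix_id < available:
        raise ValueError(
            f"prefix ID {prefix_id:#x} out of range: a /{net.prefixlen} only "
            f"holds {available} /{subnet_len} subnet(s)")
    base = int(net.network_address)
    sub = base + (prefix_id << (128 - subnet_len))
    return ipaddress.IPv6Network((sub, subnet_len))


def eui64_address(subnet: ipaddress.IPv6Network,
                  mac: str) -> ipaddress.IPv6Address:
    """SLAAC-style address from a /64 and a MAC (modified EUI-64, RFC 4291).
    Modern hosts usually prefer random/privacy interface IDs, so this is the
    classic derivation, not necessarily what a given client will pick."""
    if subnet.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert ff:fe
    eui[0] ^= 0x02                                          # flip U/L bit
    iid = int.from_bytes(eui, "big")
    return ipaddress.IPv6Address(int(subnet.network_address) | iid)


def lan_plan(delegated: str, prefix_ids: dict) -> dict:
    """Map interface name -> /64 for a set of prefix IDs (one per LAN)."""
    return {name: subnet_for_prefix_id(delegated, pid)
            for name, pid in prefix_ids.items()}


if __name__ == "__main__":
    plan = lan_plan(DELEGATED_PREFIX, {"LAN": 0x00, "GUEST": 0x01, "IOT": 0x10})
    for name, net in plan.items():
        print(f"{name:6} {net}")
    print("SLAAC address on GUEST:", eui64_address(plan["GUEST"], EXAMPLE_MAC))
    # A bare /64 delegation has room for exactly one subnet, so a second
    # LAN with prefix ID 1 cannot be served from it:
    try:
        subnet_for_prefix_id("2001:db8:abcd:ff00::/64", 1)
    except ValueError as e:
        print("second LAN on a /64 fails:", e)
```

With a /56 the prefix ID is the last byte of the 64-bit network part, so ID 0x01 yields `2001:db8:abcd:ff01::/64`; with only a /64 delegated, any prefix ID other than 0 is rejected, which is exactly the case where a single-subnet deployment works but additional client subnets do not.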
#3
Quote from: bartjsmit on April 18, 2023, 08:07:05 AM
NAT the IPv4 and allow the IPv6. There is no need for IPv6 NAT. Concentrate on routing the IPv6 internally. You'll likely need RADVD.

You could run a reverse proxy if your ISP doesn't give you static IPv6 delegation but that's just dumb and you should complain. Apply the KISS principle.

Bart...

I already have NAT in place for IPv4 from my internal LAN to the WAN (using the WAN IPv4 address) and I'm using private IP Address space on my LAN so NAT is required.

It sounds like you're saying that I need to contact the ISP to find out what they are providing to me for IPv6 use on my LAN, and I fully expect they aren't providing anything at all but are only allocating an IPv6 address to the modem because that's something that all of the cable ISP's seem to be doing.
#4
I recently ran into an issue with trying to access a local company's web site. On my LAN/WiFi, I could not access the site at all with mobile devices (part of my testing) but it worked fine from the same devices on the cellular data network. It turned out that the issue was because they never bound an IPv4 address to the site, only IPv6.

My ISP assigns both an IPv4 and an IPv6 address to my firewall via DHCP. Opening up a site like whatismyip.com shows that only the IPv4 address is being used.

Is it possible to set up NAT rules that will translate my internal IPv4 network to IPv6 when the destination is an IPv6 address? What are my options here to be able to support both address types for translation?
#5
Quote from: pmhausen on April 25, 2022, 03:19:44 PM
rks with standard NAT without any special configuration as long as that is only on one side - which needs to initiate the connection. That's why there's no documentation. Nothing to see here, just works.  ;)

Ok, good to know.

Is there a HOWTO from opnsense somewhere on setting up a remote OpenVPN client w/ PSK?
#6
Quote from: ember1205 on April 25, 2022, 02:53:06 PM
Either the client-side NAT is missing
Don't you want to put the Pi behind the DSL/similar router? That router does NAT and OpenVPN works through NAT devices. So what's to consider here? You can route the entire LAN through the OpenVPN connection site to site - provided the DSL router permits you to add a single static route for the remote site.

An alternative to building your own might be a small Ubiquiti EdgeRouter, either with EdgeOS or OpenWRT. They come reasonably cheap and power efficient and with a great feature set at the price.

Cable Modem (owned not leased) - WiFi Router (owned) - RPi

The router is the default GW and would get a static route for the remote LAN pointing to the RPi.

The RPi gets NAT'ed and there doesn't appear to be any documentation that I can find that spells out whether the router has to explicitly support NAT for VPN devices or not. If so, then this changes everything as I will ultimately end up swapping out the router with one that has OpenVPN support directly in it and this becomes a moot point.

#7
Quote from: pmhausen on April 25, 2022, 02:49:34 PM
It's no different from any other site-to-site OpenVPN setup, so possibly exclude the "raspberry pi" keywords from your searches.

You will need to do an inbound port forwarding for 1194/udp or whatever you prefer on the NAT gateway/router in that network but apart from that the setup should work with any generic "howto" document.

If the RPi is the client and initiates the tunnel, why do I need a port forward on the NAT device it sits behind?

And though the setup isn't specific to the RPi, I'm finding absolutely nothing from the OpenVPN docs that outline this sort of setup. Either the client-side NAT is missing or it's focused on setup using user/pass authentication instead of PSK. This is why I'm considering just putting an opnsense appliance in front of the router and doing it like I did previously.
#8
Quote from: lfirewall1243 on April 25, 2022, 11:27:07 AM
Any small device which can run OpenVPN.
A raspberry Pi for example but depends on the throughput you need

Thanks - I've been trying to figure out how to configure a RPi as an OpenVPN client, Site-to-Site, SSL, pre-shared keys, sitting behind a NAT device. I can't find any sort of HOWTO for this type of setup that even comes close.
#9
Really? No one has any kinds of suggestions for a small device that would be fairly low power?

There has to be SOMETHING that would work...
#10
In the past, I have gotten very good results running a VPN between two opnsense firewalls to connect two homes. The second home is no longer connected, but I am now looking at options to bring a different second home "on line" but I may not have the same level of ability to run a PC w/ opnsense on it. So, I'm wondering if there's another option that would be smaller footprint and lower power consumption (sort of like a RPi type of device) that would let me accomplish this?
#11
I ended up getting this to work via the reflection. I pulled out the handful of rules that I had in place, restarted everything, then re-added the rules and it began working correctly.
#12
Thanks for the replies.

I have tried the reflection component and it does not seem to work. I am able to access everything as expected from outside, but not inside.

I should also mention that I do understand there is no "need" for what I am asking based on basic usage principles, but this is kind of a unique situation where I actually do need it to work this way and this access happens infrequently and for a short period only during the middle of the night by an automated routine.
#13
Quick description of the setup: I have a server running on my internal network that I need to access from outside. I have configured port-forwarding and firewall rules to make this function correctly. The device is positioned on what can be thought of as "inside" (not a DMZ).

I have an additional need to be able to access this same server from other machines on my internal network but I have to access them using the externally-resolvable DNS FQDN for it. If I try to do this now, it fails because it is attempting to resolve to and connect to the WAN Interface Address of the firewall.

I need some help in understanding where there may be a missing rule or setting that will allow these connections to pass through correctly.
#14
21.1 Legacy Series / SSHD Port Forwarding?
June 07, 2021, 02:39:50 PM
Does the SSH Daemon of OpnSense support port forwarding like the standard linux daemon does? I've typically used a linux system to handle port forwarding for me while I am remote, but I need to shut that system down to move it to a new home and will only have the OpnSense machine left.
#15
Left hand side is what existed prior to moving the systems (Subnet A). Right hand side represents the systems that were added in via the Cisco switch (Subnet B).

The OpnSense firewall has a static route for Subnet B that points to the Cisco as the gateway. All devices on Subnet A point to the OpnSense as their default gateway.

If I manually add a route to a device on Subnet A that points to the Cisco for Subnet B, I can stay connected to Subnet B systems indefinitely. Without the manually added route, traffic first flows to the OpnSense and is then forwarded to the Cisco to reach Subnet B. This works initially, but connections are reset after 1-2 minutes and I have to reconnect.

I don't know if this is because of a lack of ICMP redirect or something entirely different.
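An added illustration of the path asymmetry in the post above, written for this page (it is example code, not from the thread or from OPNsense, and all addresses are constructed RFC 1918 / documentation values). It models the four devices with their routing tables and traces a packet in each direction: without the manual route the firewall forwards the outbound packet back out its LAN interface towards the Cisco, but the reply goes Subnet B -> Cisco -> host directly, so a stateful firewall sees only one half of the flow and its connection tracking can never complete. With the manual route on the host, neither direction touches the firewall, which is why that workaround keeps connections up.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology standing in for the post's setup (addresses are
# made up): hosts on Subnet A use the firewall as default gateway; the
# Cisco switch routes between Subnet A and Subnet B; the firewall has a
# static route for Subnet B that points at the Cisco.
SUBNET_B = "192.168.2.0/24"
FIREWALL_A = "192.168.1.1"   # OPNsense LAN address
CISCO_A = "192.168.1.2"      # Cisco leg on Subnet A
CISCO_B = "192.168.2.1"      # Cisco leg on Subnet B
HOST_A = "192.168.1.10"      # a client on Subnet A
HOST_B = "192.168.2.10"      # a server on Subnet B


@dataclass
class Node:
    name: str
    addrs: list                                  # "ip/len" per interface
    routes: list = field(default_factory=list)   # (dest_net, next_hop)

    def next_hop(self, dst: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        """Directly connected networks win; otherwise longest-prefix match."""
        for a in self.addrs:
            if dst in ipaddress.ip_interface(a).network:
                return dst
        best = None
        for net, nh in self.routes:
            n = ipaddress.ip_network(net)
            if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, ipaddress.ip_address(nh))
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best[1]


def build(manual_route_on_host_a: bool):
    host_a = Node("hostA", [f"{HOST_A}/24"], [("0.0.0.0/0", FIREWALL_A)])
    if manual_route_on_host_a:
        host_a.routes.append((SUBNET_B, CISCO_A))   # the workaround in the post
    nodes = [
        host_a,
        Node("opnsense", [f"{FIREWALL_A}/24", "203.0.113.5/24"],
             [(SUBNET_B, CISCO_A), ("0.0.0.0/0", "203.0.113.1")]),
        Node("cisco", [f"{CISCO_A}/24", f"{CISCO_B}/24"]),
        Node("hostB", [f"{HOST_B}/24"], [("0.0.0.0/0", CISCO_B)]),
    ]
    by_name = {n.name: n for n in nodes}
    owner = {ipaddress.ip_interface(a).ip: n.name
             for n in nodes for a in n.addrs}
    return by_name, owner


def trace(by_name, owner, src: str, dst: str, max_hops: int = 8) -> list:
    """Hop-by-hop path of a packet from node `src` to address `dst`."""
    dst_ip = ipaddress.ip_address(dst)
    path, cur = [src], by_name[src]
    for _ in range(max_hops):
        hop = cur.next_hop(dst_ip)
        cur = by_name[owner[hop]]
        path.append(cur.name)
        if hop == dst_ip:
            return path
    raise RuntimeError("routing loop")


def asymmetry_report(manual_route_on_host_a: bool) -> dict:
    """Trace both directions and report whether the firewall sees each."""
    by_name, owner = build(manual_route_on_host_a)
    fwd = trace(by_name, owner, "hostA", HOST_B)
    rev = trace(by_name, owner, "hostB", HOST_A)
    sees_fwd, sees_rev = "opnsense" in fwd, "opnsense" in rev
    return {
        "forward": fwd,
        "reverse": rev,
        "firewall_sees_forward": sees_fwd,
        "firewall_sees_reverse": sees_rev,
        "symmetric": sees_fwd == sees_rev,
    }


if __name__ == "__main__":
    for manual in (False, True):
        r = asymmetry_report(manual)
        print(f"manual route on hostA={manual}: "
              f"{' -> '.join(r['forward'])} | {' -> '.join(r['reverse'])} | "
              f"symmetric={r['symmetric']}")
```

The report makes the path visible, which is the first thing to check when connections through a stateful firewall die after a minute or two: a state entry that only ever sees one direction cannot track the TCP handshake and window, so later packets of the flow are liable to be dropped. Whether the firewall issues ICMP redirects, and whether the hosts honour them, is a separate question the simulation does not answer.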