Messages - symon

#1
Hello Everyone,
in my network I have a custom DNS server that is configured to reply differently based on the host that uses it. My current setup is:


____________________________________________________________________
|                                                                   |
|                             |---------------- Internal Clients    |
|                             |                                     |
|                             |                                     |
------- ISP Router-------- OPNsense Box-------- External Clients    |                                                                 
|                             |                                     |
|                             |                                     |
|                             |----------------- DNS & Server       |
|                                                                   |
|____________________________________________________________________


The clients, external clients and servers do not share interfaces; they are on VLANs attached to different physical NICs.
My setup is pretty easy: The DNS has a fixed IPv4, it is announced to all IPv4 clients via DHCP.

On IPv6 I have to track the WAN-Interface. Now since I do this, the default behavior seems to be that OPNSense will announce itself as the DNS server on DHCPv6. This is not what I want, since I want all clients to directly use the custom DNS server. But it seems like I cannot announce it as its IPv6 Address will change based on the tracked interface and I cannot find a way to set it dynamically.

I thought about assigning ULA to all clients manually but I stumbled upon this discussion: https://forum.opnsense.org/index.php?topic=33902.0 which states that ULA has problems and should not be used.

So I'm curious: What's the correct way to solve this? I thought about using the IPv4 DNS as the upstream DNS server of OPNsense but it will not solve my problem as the DNS Server itself is meant to be filtering based on the requesting host. This won't work if it only sees the gateway doing all the requests.

Thanks in Advance
symon
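The two prefix questions in this thread, the DNS server's address moving with the tracked prefix in the post above and, further down in "IPv6 DHCP Relay", whether a single /64 from the ISP is enough for several subnets, come down to the same arithmetic. Below is an added example (not code from the forum or from OPNsense) that works it through with Python's ipaddress module: how many /64s a delegation yields, what address a host with a fixed interface identifier gets inside a given subnet of the delegation, and whether an address announced earlier (for example a DNS server handed out via DHCPv6) still lies inside the prefix currently held. It assumes the DNS server keeps a stable interface identifier; the 2001:db8::/32 prefixes are the documentation range and are constructed for this example.

```python
"""Added example (not the forum's or OPNsense's code): arithmetic on a
delegated IPv6 prefix. Shows how many /64 subnets a delegation yields
(one /64 cannot be split further for SLAAC subnets), what address a host
with a fixed interface identifier gets in a given subnet, and whether an
address announced earlier (e.g. a DNS server via DHCPv6) is still inside
the prefix currently held. Prefixes use the 2001:db8::/32 documentation
range and are constructed for this example."""
from ipaddress import IPv6Address, IPv6Network


def available_64s(prefix: str) -> int:
    """Number of /64 subnets a delegated prefix can be cut into."""
    net = IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError(f"{prefix} is smaller than a /64; SLAAC needs a full /64")
    return 1 << (64 - net.prefixlen)


def subnets_from_delegation(prefix: str, wanted: int) -> list[IPv6Network]:
    """First `wanted` /64s of the delegation, or raise if there are not enough."""
    have = available_64s(prefix)
    if wanted > have:
        raise ValueError(f"{prefix} yields only {have} /64 subnet(s), {wanted} requested")
    base = int(IPv6Network(prefix).network_address)
    # The subnet id occupies the bits between the delegated length and /64,
    # i.e. the low end of the upper 64 bits of the address.
    return [IPv6Network(f"{IPv6Address(base + (i << 64))}/64") for i in range(wanted)]


def host_in_prefix(prefix: str, subnet_id: int, iid: int) -> IPv6Address:
    """<prefix>:<subnet_id>::<iid>, i.e. the address a host with a stable
    interface identifier ends up with once the delegated prefix is known."""
    net = IPv6Network(prefix)
    if not 0 <= subnet_id < available_64s(prefix):
        raise ValueError(f"subnet id {subnet_id} does not fit in {prefix}")
    if not 0 <= iid < (1 << 64):
        raise ValueError("interface identifier must fit in 64 bits")
    return IPv6Address(int(net.network_address) + (subnet_id << 64) + iid)


def announced_address_stale(announced: str, current_prefix: str) -> bool:
    """True when an address handed out earlier (DNS option, static mapping)
    no longer lies inside the prefix the WAN side currently holds, which is
    what happens after the ISP renumbers."""
    return IPv6Address(announced) not in IPv6Network(current_prefix)


if __name__ == "__main__":
    # Constructed renumbering: the ISP replaces one /60 delegation by another.
    old, new = "2001:db8:aaa0::/60", "2001:db8:bbb0::/60"
    print(f"{old} -> {available_64s(old)} subnets, first 3: "
          f"{[str(s) for s in subnets_from_delegation(old, 3)]}")
    dns_before = host_in_prefix(old, 1, 0x53)   # DNS server: subnet 1, IID ::53
    dns_after = host_in_prefix(new, 1, 0x53)
    print(f"DNS server address: {dns_before} -> {dns_after}")
    print(f"old address still valid: {not announced_address_stale(str(dns_before), new)}")
    try:
        subnets_from_delegation("2001:db8:1::/64", 2)   # what a single /64 allows
    except ValueError as e:
        print("single /64 from the ISP:", e)
```

The point of `announced_address_stale` is the check behind the question above: whatever static DNS address is pushed to clients has to be recomputed from the current delegation every time the tracked prefix changes, otherwise clients keep resolving against an address that no longer exists on the server.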
#2
Virtual private networks / Re: IPv6 inside Wireguard
March 20, 2021, 03:29:13 PM
Sad to hear that. I'm still trying to figure out a way around this. I almost forgot there were limitations but I rebooted the OPNSense Box today and it got a new prefix. So things stopped working and it came back to my attention.
Is there a good reason WireGuard does not allow DHCP?
#3
Virtual private networks / Re: IPv6 inside Wireguard
March 05, 2021, 10:27:13 AM
Nice thanks for the hint! I did not know that.

Unfortunately the ISP router decides to announce its own DNS server via DHCPv6 if I don't provide my own. So it seems like I have to use the IPv6 Address as well if I want DNS control.

Quote from: Greelan on March 04, 2021, 09:35:38 AM
The favouring of the ULA over the GUA has also popped up in other contexts, eg diagnostics tools. Franco is looking at that, although I am not sure whether in the outbound NAT context

Is there maybe a possibility to split the received IP addresses on the WAN-Interface to multiple virtual interfaces? So that I could track an interface? Or maybe another option would be to use a delegated prefix from the ISP box inside the VPN Network so outbound traffic to GUAs will not have to be NATted?
#4
Virtual private networks / Re: IPv6 inside Wireguard
March 04, 2021, 09:49:42 AM
Yep that is correct. It normally would not do this but (that's one of the reasons I thought I made a fundamental mistake here) I switched ULAs on because I have an internal DNS server. It's inside the ISP-Lan and has to be addressed somehow.
#5
Virtual private networks / Re: IPv6 inside Wireguard
March 04, 2021, 08:52:16 AM
Thanks for the suggestions. I changed the rules accordingly. It's still not possible to use "Interface address" within the IPv6 rules since it will pick the first one by default (it's the ULA) and since that is no GUA it cannot leave the local network.
#6
Virtual private networks / Re: IPv6 inside Wireguard
March 03, 2021, 03:32:21 PM
Okay, I think I found at least one of the problems (I still do think there is some X-Y problem here).

As you can see in the alias table attached I created an alias for both IPv6 (GUA and ULA) addresses assigned to the WAN interface. I also changed the outbound-NAT to use the appropriate address whenever possible. This actually does work.

Still the question remains: now IPs are hardcoded. That will probably make the whole construct unstable as the GUA is assigned via DHCPv6 and will change.
Is there any option to use the current address (such as "Track Interface" within Interfaces)? Or is it even better to give GUAs from the assigned prefix to the VPN clients (and how, since the prefix will change as well)?
#7
Virtual private networks / Re: IPv6 inside Wireguard
March 03, 2021, 03:08:50 PM

peer: (hidden)
  endpoint: ip:8886
  allowed ips: 10.0.10.2/32, fd01::10/128
  latest handshake: 1 minute, 55 seconds ago
  transfer: 235.91 KiB received, 2.03 MiB sent

peer: (hidden)
  endpoint: ip:34636
  allowed ips: 10.0.10.3/32, fd01::30/128
  latest handshake: 4 minutes, 51 seconds ago
  transfer: 213.72 KiB received, 1.31 MiB sent


Both of these peers have IPv4 inside allowed IPs, they have "Address = 10.0.10.2/24, fd01::10/64" and "Address = 10.0.10.3/24, fd01::30/64" on the client side and are able to ping each other.

I found the entry shown in the attached picture on the Rules Live View. The outbound NAT rule is set to translate IPv6 to "WAN Address". Anyways: WAN has two addresses. A publicly routable and an ULA. The Logs show that it is using the ULA for NAT (which should AFAIK only be used for internal applications). Is it possible the ISP uplink box is blocking this as an invalid IP to communicate with global addresses?
#8
Virtual private networks / IPv6 inside Wireguard
March 03, 2021, 02:11:30 PM
Hello,
I have an OPNsense appliance inside my local network and since it has limited hardware I am just using it as a VPN endpoint. I opted for WireGuard as VPN software. This is the network layout:


____________________________________________________________________
|                                                                   |
|                             |---------------- Internal Clients    |
|                             |                                     |
|                             |                                     |
------- ISP Router-------------------- OPNsense Box-----VPN Clients |                                                                 
|                             |                                     |
|                             |                                     |
|                             |----------------- DNS & Server       |
|                                                                   |
|____________________________________________________________________


The internal ISP IPv4-Subnet is 192.168.178.0/24  and the OPNsense VPN-net is 10.0.10.0/24.
The ISP-Router also gives out ULA (since I am running a DNS-Resolver for IPv6 and the given prefix from the ISP changes every few days). The IPv6-Net internally is fd00::/64. Also full IPv6 addresses (2001::) are given out to internal clients as well as a /60 prefix is delegated to the OPNSense Box.

The wanted scenario is: Roadwarriors should be able to connect via Wireguard, all traffic should be rerouted through VPN and the internal as well as external services should be reachable via both IPv4 and IPv6. The IPv4 part (OPNSense Box is doing a NAT) is working quite well already.

However I have problems with IPv6. I am really inexperienced with IPv6 so please correct me if I made wrong assumptions.
Since the prefix is rolling I decided it would be the best to give out ULA internally (so the DNS server is always reachable on a fixed address). So I gave the Wireguard-Endpoint the network fd01::/64. I also added an outbound NAT-Rule (see picture below). Also here are my configs for the clients:


interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: (hidden)
  endpoint: ip:55916
  allowed ips: 10.0.10.4/32
  latest handshake: 32 seconds ago
  transfer: 76.46 KiB received, 78.96 KiB sent

peer: (hidden)
  endpoint: ip:8886
  allowed ips: 10.0.10.2/32, fd01::10/128
  latest handshake: 1 minute, 55 seconds ago
  transfer: 235.91 KiB received, 2.03 MiB sent

peer: (hidden)
  endpoint: ip:34636
  allowed ips: 10.0.10.3/32, fd01::30/128
  latest handshake: 4 minutes, 51 seconds ago
  transfer: 213.72 KiB received, 1.31 MiB sent


However no IPv6 Access seems to be possible through the connection. The settings on the test-client (iPhone) are:


[Interface]
Address = 10.0.10.2/24, fd01::10/64
PrivateKey = [mobile.seckey]
DNS = 192.168.178.2, fd00::2

[Peer]
PublicKey = [vpn-server.pubkey]
PresharedKey = [vpn.psk]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = endpoint_domain:51820


Is there anything wrong with the setup? Or did I maybe mess something up with the network interface names or did I miss something? How is IPv4 working like charm, where IPv6 does not?

Maybe this helps debugging: I can see in the live-view, that the firewall lets packets from IPv6 NAT pass. Also (I am currently checking with https://ipv6-test.com ) the test says that "DNS6 + IP4" is working. Is it possible, that my NAT rule should be differentiating between internal and external addresses?
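The thread's IPv6 problem (the original post above and the replies "#5" to "#7") is that the outbound NAT picks the WAN's ULA as source, and a ULA source cannot get an answer from a global destination. The following is an added example, not code from the forum or from OPNsense: it classifies the addresses in this setup by scope, implements the two RFC 6724 source-selection rules that decide between a ULA and a GUA on the same interface (rule 6, matching policy label; rule 8, longest matching prefix), and checks whether a candidate NAT source can reach a given destination at all. The sample addresses are constructed; fd00::/64 and fd01::/64 come from the post, and the 2001:db8::/32 documentation prefix stands in for the real ISP prefix.

```python
"""Added example (not code from the forum thread or OPNsense): scope
classification plus a simplified RFC 6724 source selection, so a
"WAN address" NAT choice can be checked before it is hard-coded into an
alias. Addresses are constructed: fd00::/64 (ISP LAN ULA) and fd01::/64
(tunnel ULA) from the thread, 2001:db8::/32 standing in for the real
global prefix."""
import ipaddress
from ipaddress import IPv6Address, IPv6Network

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
POLICY_TABLE = [
    (IPv6Network("::1/128"), 50, 0),
    (IPv6Network("::/0"), 40, 1),
    (IPv6Network("::ffff:0:0/96"), 35, 4),
    (IPv6Network("2002::/16"), 30, 2),
    (IPv6Network("2001::/32"), 5, 5),
    (IPv6Network("fc00::/7"), 3, 13),
    (IPv6Network("::/96"), 1, 3),
    (IPv6Network("fec0::/10"), 1, 11),
    (IPv6Network("3ffe::/16"), 1, 12),
]


def policy(addr: IPv6Address) -> tuple[int, int]:
    """Longest-prefix lookup in the policy table -> (precedence, label)."""
    matches = [(n.prefixlen, prec, label) for n, prec, label in POLICY_TABLE if addr in n]
    _, prec, label = max(matches)
    return prec, label


def scope(addr: str) -> str:
    """Rough address class: ULA (fc00::/7) vs global unicast (2000::/3)."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return "ipv4"
    if a.is_link_local:
        return "link-local"
    if a in IPv6Network("fc00::/7"):
        return "ula"
    if a in IPv6Network("2000::/3"):
        return "global"
    return "other"


def common_prefix_len(a: IPv6Address, b: IPv6Address) -> int:
    """Number of leading bits the two addresses share."""
    return 128 - (int(a) ^ int(b)).bit_length()


def pick_source(candidates: list[str], destination: str) -> str:
    """Simplified RFC 6724 source address selection: rule 6 (prefer the
    candidate whose policy label matches the destination), then rule 8
    (longest matching prefix). The scope, deprecation and outgoing-
    interface rules are omitted because every candidate here is a usable
    address on the same WAN interface."""
    dst = IPv6Address(destination)
    dst_label = policy(dst)[1]

    def rank(c: str) -> tuple[bool, int]:
        src = IPv6Address(c)
        return (policy(src)[1] == dst_label, common_prefix_len(src, dst))

    return max(candidates, key=rank)


def nat_source_reachable(source: str, destination: str) -> bool:
    """Can traffic translated to `source` get an answer from `destination`?
    A ULA is not routed on the public Internet, so translating to the WAN's
    ULA only works for ULA destinations; a global source works for both."""
    s, d = scope(source), scope(destination)
    return s == "global" or s == d


if __name__ == "__main__":
    wan = ["fd00::abcd", "2001:db8:1::abcd"]          # constructed WAN ULA + GUA
    for dst in ["2001:db8:ffff::1", "fd00::2"]:        # an Internet host, the LAN DNS
        src = pick_source(wan, dst)
        print(f"{dst:18} -> RFC 6724 source {src} ({scope(src)}); "
              f"ULA NAT would work: {nat_source_reachable('fd00::abcd', dst)}")
    for a in ["fd01::10", "fd00::2", "2001:db8:1::abcd", "fe80::1"]:
        print(f"{a:18} {scope(a)}")
```

`pick_source` gives the answer a host stack would reach on its own: GUA for Internet destinations, ULA for the fd00::/64 LAN. The poster's observation is that the "WAN Address" NAT target does not make that per-destination choice, which is why the alias-per-address workaround in reply "#6" was needed; `nat_source_reachable` is the check to run on whichever address ends up in the rule.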
#9
20.1 Legacy Series / IPv6 DHCP Relay
June 28, 2020, 07:37:30 PM
Hello everyone,
I am fairly new to IPv6 so please bear with me as I might just have gotten something wrong. Also these are my first steps with Opnsense as I just got a HW instance (TERRA, Opnsense 20.1.7) and am fiddling around.

My setup is the following: I use the Opnsense appliance behind a consumer grade router (router, switch, wifi... as provided by my ISP) to split the network up into several virtual networks (using VLAN-Tags and some more switches). So basically it just creates some VLANs, adds a DHCP4 to each one and then NATs to the outside. This is working very nicely for IPv4.

Now I would like to add IPv6 to my networks (this time no NAT, of course). Sadly the ISP machine does not support prefix delegation. So the WAN-Interface will receive one IPv6 /64 prefix. This is not enough for multiple subnets.
So my first question is: The correct way to solve this problem without changing the ISP box should be to relay all DHCP6 requests from the subnets to the WAN-net so that the clients will be assigned /64-Prefixes from the upstream router and the Opnsense-Box can track those to provide appropriate firewalling. Is that correct?

If that is the case: how is this accomplished? The WAN-Prefix should be changing every now and then as well as the ISP box's IPv6. So what is the correct IP to put in Services->DHCPv6->relay->Destination Server? Also what are the correct settings for Interfaces->VLANXX->IPv6 Configuration Type?

Or did I miss the whole concept?
Thanks for helping me out.