Messages - hakuna

#1
Quote from: meyergru on Today at 10:14:05 AM
It does not work like that (you already noticed, didn't you?).

Like with IPv4, there are two sides:

- WAN
- LAN

On WAN, you have to use whatever means it takes to get a WAN IP, often DHCPv4 and DHCPv6 as a client.

On LAN, you use DHCPv4 and (probably DHCPv6) as server. Alternatively, you can use SLAAC (RA) instead for IPv6.

You did neither: ISC DHCPv6, DNSmasq, RAdvd, all disabled. So how would clients get what they need? You must have IPv6 supplied to your LAN, otherwise it will not work.

There is a guide on how to do this via DNSmasq only in the official docs, instead, I prefer to do it like this.


There seems to be a misunderstanding, let's try again :)

  • ISC DHCPv6 is disabled, IPv6 tracking doesn't need that
  • LAN IPv6 is tracking WAN so the clients will get IPv6 automatically. No need for DHCPv6 server in here. Clients do receive ISPv6 DNS automatically already
  • Services > Router Advertisement: It is up and running. I don't need DNSmasq for that
  • The above only works if you follow the documentation "Identity Association" instead of "Track Interface (legacy)": https://docs.opnsense.org/manual/radvd.html

That is the main purpose of having LAN IPv6 > Tracks WAN > RA > Clients get out: things happen dynamically.
You should not have to set up a DHCPv6 server/pool manually and all, it must be fully dynamic.

#2
Hi all,

I finally got OPNsense to see my ISP IPv6, I had to change from IPoE back to PPPoE (ISP dramas).
OPNsense can ping IPv6 just fine but the clients cannot:

ping -6 2001:4860:4860::8888
From fe80::7e5a:1cff:fe48:1c50%eno1 icmp_seq=1 Destination unreachable: Beyond scope of source address


https://docs.opnsense.org/manual/radvd.html

Done that: "If 'Track Interface (legacy)' is used, an existing disabled entry will also deactivate advertisements on that interface. Alternatively, switch to 'Identity association' for full manual configuration if needed."

Dnsmasq is disabled and not being used, and RA is not selected either

My PC network does show the 2400: IP under the DNS6 so it is seeing something.

ISC DHCPv6 service is disabled

Services > Router Advertisements:

  • Interface: LAN
  • Mode: Managed
  • Minimum interval: 200 (default)
  • Maximum interval: 600 (default)

Interfaces > LAN

  • IPv6 Configuration Type: Identity association
  • Track IPv6 Interface > Parent interface: WAN

Interfaces > WAN

  • IPv4 type: PPPoE
  • IPv6 type: DHCPv6 (As instructed by the ISP)

OPNsense:
netstat -rn
Internet6:
Destination                       Gateway                       Flags         Netif Expire
default                           fe80::2293:39ff:fef6:75e3%pppoe0 UGS       pppoe0


ping6 -c 3 2001:4860:4860::8888
16 bytes from 2001:4860:4860::8888, icmp_seq=0 hlim=121 time=2.030 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=1 hlim=121 time=1.957 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=2 hlim=121 time=1.952 ms

I am running Unbound Recursive, no major changes other than "Register Mappings"

Thank you
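The client's error in the post above, "Destination unreachable: Beyond scope of source address", is the ICMPv6 "beyond scope of source address" unreachable code: the client has a route for the global destination, but its only candidate source address is the link-local fe80:: one, which cannot be used off-link. The firewall pings fine because pppoe0 carries a global address. Whether a LAN client gets a routable address at all depends on what the router advertisement announces: in RFC 4861 terms the M flag (the "Managed" mode selected above) tells clients to obtain addresses through DHCPv6, so with every DHCPv6 server disabled the client is left with only its link-local address unless the prefix is also advertised for autoconfiguration. The script below is an added example, not code from the thread or from OPNsense: it parses `ip -6 addr show` output (both samples are constructed; 2001:db8::/32 is the documentation prefix standing in for the poster's 2400: delegation), applies a simplified RFC 6724 source selection, and reports whether the client holds any address that can reach the destination.

```python
import ipaddress
import re

# Constructed sample (not from the thread): `ip -6 addr show` on a LAN client
# that only holds a link-local address (no SLAAC prefix, no DHCPv6 lease).
SAMPLE_LINK_LOCAL_ONLY = """\
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::7e5a:1cff:fe48:1c50/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed sample: the same client after it also autoconfigured a global
# address (2001:db8::/32 is the documentation prefix, not a real delegation).
SAMPLE_WITH_GLOBAL = """\
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:7e5a:1cff:fe48:1c50/64 scope global dynamic mngtmpaddr
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::7e5a:1cff:fe48:1c50/64 scope link
       valid_lft forever preferred_lft forever
"""

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# A source may only reach destinations of equal or smaller scope.
SCOPE_RANK = {"link": 1, "global": 2}


def parse_ip6_addrs(text):
    """Extract every 'inet6 <addr>/<len>' entry from `ip -6 addr` output."""
    return [ipaddress.IPv6Interface(m.group(1))
            for m in re.finditer(r"^\s*inet6\s+(\S+)", text, re.MULTILINE)]


def scope_of(addr):
    """RFC 4291/4193 scope: link-local, or global (ULA has global scope too)."""
    return "link" if addr in LINK_LOCAL else "global"


def kind_of(addr):
    """Coarse address class used to prefer a like-for-like source."""
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global-unicast"
    return "other"


def pick_source(addrs, dest):
    """Simplified RFC 6724 source selection: drop sources whose scope is
    smaller than the destination's, then prefer a source of the same kind.
    None means no source qualifies, the case the kernel reports as
    'Destination unreachable: Beyond scope of source address'."""
    dest = ipaddress.IPv6Address(dest)
    candidates = [a.ip for a in addrs
                  if SCOPE_RANK[scope_of(a.ip)] >= SCOPE_RANK[scope_of(dest)]]
    if not candidates:
        return None
    same_kind = [a for a in candidates if kind_of(a) == kind_of(dest)]
    return (same_kind or candidates)[0]


def diagnose(ip6_addr_output, dest):
    """Human-readable verdict for one destination."""
    addrs = parse_ip6_addrs(ip6_addr_output)
    src = pick_source(addrs, dest)
    if src is None:
        kinds = ", ".join(kind_of(a.ip) for a in addrs) or "no"
        return (f"no usable source for {dest}: client has only {kinds} "
                "addresses; the LAN is not receiving a routable prefix "
                "(RA prefix with the A flag, or a DHCPv6 lease)")
    return f"{dest} reachable from source {src} ({kind_of(src)})"


if __name__ == "__main__":
    for label, sample in (("link-local only", SAMPLE_LINK_LOCAL_ONLY),
                          ("with global", SAMPLE_WITH_GLOBAL)):
        print(f"{label}: {diagnose(sample, '2001:4860:4860::8888')}")
```

Run it against the real `ip -6 addr show <iface>` output of the failing client: if the verdict is "no usable source", the problem is upstream of the client, in what the firewall advertises on the LAN, not in the client's routing.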

#3
26.1 Series / Re: 26.1.1 MTU Issues on PPPoE
February 11, 2026, 01:16:39 PM
Oh wow, so this could be the reason for my problems.

I am trying to set up dual-stack at home and right now I have WAN > DHCP
To cut it short, my ISP wants me back to PPPoE for the WAN > DHCPv6 to receive the reservation.

I spent ages today trying to get PPPoE to work but nothing happens, in previous releases it was type username, password, save, and connected.
I checked old backup configs, the PPPoE section is exactly the same but nope.

I am stuck with WAN > DHCP now and without IPv6 which only works via PPPoE for my ISP.
#4
For future reference, this is an intended behaviour and the ticket was closed in 2021: https://github.com/opnsense/core/commit/4a1bc9f8b5e65651e85385ce0fc6969cd30b2c13

Unbound by design flushes the cache and reloads the config on reload, there is an option to avoid that but.
#6
EDIT: If anybody knows please let me know how to report bugs: Unbound does not respect: Flush DNS Cache during reload
Reloading the service is purging the cache every time.
#7
Quote from: Patrick M. Hausen on February 11, 2026, 11:34:49 AM
But since I absolutely dislike DNSmasq and never register dynamic leases, anyway, I am happy with Kea and Unbound.

YMMV

Got everything working dynamically:

  • ISC DHCPv4 does its thing
  • Unbound does its thing: Recursive and "Register ISC DHCP4 Leases" and "Register DHCP Static Mappings"
  • PiHole was the missing bit: Condition Forward: true,192.168.1.0/24,192.168.1.1,home.arpa

My tablet got a dynamic 192.168.1.82, I can now "dig s6.home.arpa" and get the response back.
I can also go to the browser and hit https://firewall01.home.arpa, that goes to OPNsense as it should.

I will leave it as it is until Kea supports dynamic mapping or until OPNsense completely removes ISC.

Finally, I have been fighting this since 5PM, it is 10PM now lmao

Thank you so much :)
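The Pi-hole conditional forwarding entry in the post above, true,192.168.1.0/24,192.168.1.1,home.arpa, says: send queries for the home.arpa domain and reverse (PTR) lookups for 192.168.1.0/24 to 192.168.1.1, where OPNsense's Unbound answers them from the registered DHCP leases, and resolve everything else by normal recursion. The script below is an added example, not Pi-hole's or OPNsense's code; it models that decision with the field order assumed from the post (enabled, network, forward-to, domain), converts PTR names back to addresses so only the local network's reverse lookups are diverted, and matches the domain on a label boundary, so a query for evilhome.arpa or home.arpa.example.com is not sent to the firewall.

```python
import ipaddress

# Copied from the post: <enabled>,<local network>,<forward to>,<local domain>
RULE = "true,192.168.1.0/24,192.168.1.1,home.arpa"


def parse_rule(rule):
    """Split a conditional-forwarding entry into typed fields (field order
    assumed from the post, not taken from Pi-hole's own parser)."""
    enabled, cidr, target, domain = (f.strip() for f in rule.split(","))
    return {
        "enabled": enabled.lower() == "true",
        "network": ipaddress.ip_network(cidr, strict=False),
        "target": ipaddress.ip_address(target),
        "domain": domain.rstrip(".").lower(),
    }


def ptr_to_address(name):
    """'82.1.168.192.in-addr.arpa' -> IPv4Address('192.168.1.82');
    None for anything that is not a well-formed IPv4 reverse name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ipaddress.AddressValueError:
        return None


def in_domain(name, domain):
    """Label-boundary suffix match: 's6.home.arpa' matches 'home.arpa',
    'evilhome.arpa' and 'home.arpa.example.com' do not."""
    return name == domain or name.endswith("." + domain)


def forward_target(qname, rule):
    """Upstream the query is diverted to, or None when the resolver should
    answer it by normal recursion."""
    if not rule["enabled"]:
        return None
    name = qname.rstrip(".").lower()
    if in_domain(name, rule["domain"]):
        return rule["target"]
    addr = ptr_to_address(name)
    if addr is not None and addr in rule["network"]:
        return rule["target"]
    return None


def route_queries(qnames, rule_text=RULE):
    """Map each query name to 'forward <target>' or 'recurse'."""
    rule = parse_rule(rule_text)
    out = {}
    for q in qnames:
        target = forward_target(q, rule)
        out[q] = f"forward {target}" if target is not None else "recurse"
    return out


if __name__ == "__main__":
    # Constructed query names, including the two boundary cases.
    for q, action in route_queries([
        "s6.home.arpa", "firewall01.home.arpa", "82.1.168.192.in-addr.arpa",
        "1.1.1.10.in-addr.arpa", "evilhome.arpa", "home.arpa.example.com",
        "forum.opnsense.org",
    ]).items():
        print(f"{q:32} {action}")
```

The label-boundary check is the part worth keeping in mind when writing such rules by hand: a plain substring match would hand queries for attacker-chosen names to the internal resolver, while a boundary match keeps the forwarding strictly to the local zone and its reverse zone.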

#8
Quote from: Patrick M. Hausen on February 11, 2026, 11:20:28 AM
To get ISC back install the plugin. Kea does support registration of static mappings in Unbound. Or go DNSmasq for DHCP and DNS.

I had to:

  • Disable Dnsmasq
  • Enable Kea
  • ISC options are back
  • Disable Kea
  • Enable ISC back

This cannot be right at all.

OPNsense documentation mentions that Kea does not support registration mapping, it does not even have the option.
Dnsmasq for DHCP + DNS does not give me Recursive DNS.
#9
Before: Client > OPNSense ISC > PiHole (mDNS) + Unbound Recursive DNS > out
Goal: Client > OPNSense (DHCP, Unbound Recursive DNS, mDNS ) > PiHole > out

How is it going:

DHCP

  • Kea is being named as the replacement for ISC but it does not support Register DHCP mapping
  • Dnsmasq does support Register DHCP mappings but it is under the ISC/Kea DHCP section for when it is set as DNS, not DHCP server (????)
  • Online sources and the documentation point to ISC only supporting dynamic hostname mapping: https://docs.opnsense.org/manual/unbound.html
  • Since I disabled ISC to try Kea and dnsmasq, I cannot enable it back, ISC DHCPv4 is literally empty
  • I am stuck with Kea which doesn't work for what I need and neither does dnsmasq

DNS

  • Surfing the internet is insanely faster thanks to OPNsense running it instead of PiHoles (tiny VM)
  • "Flush DNS Cache during reload" is disabled, but reloading Unbound cleans the cache and we are back to dial-up speed every single time (????)
  • ping "s6.home.arpa" no longer works, I must move Unbound back to PiHole and manually set the local DNS there
  • Official documentation does not mention Unbound runs as recursive DNS by default

I am in the process of setting up dual-stack so it makes more sense to move things to OPNsense.
But dynamic hostname mapping does not work, let alone a manual one
ISC is gone, the only one that supports dynamic hostname mapping (I guess) can no longer be enabled on 26.1.1, it is gone.

I am stuck with IP only unless I move things back to Pi-Hole.
#10
Quote from: miketubby on February 08, 2026, 02:49:57 PM
... so if 'vv' is 20 then it's on VLAN20 - just makes it easy to remember.... Keeps everything memorable.


I am so keeping things easy.
On a high level, this is my humble home network but remember, as you might have noticed, I am a newbie when it comes to networking haha:

  • Sophos SG210v3: OPNsense latest, WireGuard for my GrapheneOS phone when out, all the traffic goes via the VPN
  • Lenovo miniPC01: Proxmox: Pi-Hole + Unbound recursive DNS01
  • Lenovo miniPC02: Proxmox: Pi-Hole + Unbound recursive DNS02
  • Netgear SG110: Dumb 16-port switch: Working on its replacement
  • ASUS RT-AX53U: Dumb OpenWRT AccessPoint, it provides radio only, OPNsense does everything, enforces everything with firewall

I haven't looked into IPv6 yet, for what I am running, IPv4 + mDNS is working fine.
Will look into it once I have a proper network in place, mine as it stands is a mess (1 subnet with everything)

Thanks a lot :)
#11
Quote from: miketubby on February 08, 2026, 12:08:18 PM
It would be a much better idea to use VLANs

then everything will fit together nicely ;-)

Quote from: Patrick M. Hausen on February 08, 2026, 12:16:55 PM
Keep in mind that you need a managed switch to configure VLANs.

Thank you Mike/Patrick :)

I won't try to reinvent the wheel and follow the VLAN gang as you suggested.

I was already planning to replace my unmanaged Netgear with a SFP+ one ( I am building a NAS, I don't need 10G network but with everything going so sideways in price and HDD already showing signs, I better do it now before network gear gets bitten by the AI bug also :-) )


Cheers guys
#12
TL;DR: Multiple Subnets with one LAN interface

My current homelab/home network is all under 192.168.1.0/24, I know, a mess :)

I did update OPNsense, the new firewall rule is in place as is Kea over ISC.
I created a few subnets to organise things like: 10.19.4.0/24 for IoTs

OpenWrt is just a dumb WiFi6 wireless router, no DHCP, no DNS, nothing, only radio.
OPNsense does everything.

I reserved my tablet under 10.19.4.0/24 but it is still getting a 192.168.1.0/24 IP
I expected it to receive 10.19.4.0/24 and have no internet access because there are no firewall rules yet.

I don't need the complexity of VLANs.

Some reading suggests that I need to create Virtual Interfaces.
I remember creating virtual interfaces via CLI years ago when I tried VLAN for the first time.

I found some old posts that mention CLI to get multiple subnet but that breaks my backup.
I have the config backup and hardware backup, if the current box dies, plug the other one, import backup and voila.

So it looks like the only way to have multiple subnets with a single LAN interface is via ........ VLAN.
Other readings make me believe that the subnet should just work.

Thank you
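Why the reserved tablet in the post above still gets a 192.168.1.x address: a DHCP server chooses the subnet it serves from the link (or relay address) a request came in on, that is, a subnet in which the server itself holds an address, and only then looks for a reservation inside that subnet. A reservation in 10.19.4.0/24 is never consulted while the LAN interface carries only 192.168.1.1/24. The model below is an added example, simplified and not Kea's or ISC's code; it assumes that every subnet matching an address on the link is eligible, which real servers only do when those subnets are declared as a shared network on that link, and the MAC address and pool ranges are made up. Note also that two subnets on one unsegmented link still share a broadcast domain, so this gives addressing structure, not isolation; the VLAN suggestion in the replies is what actually separates the IoT devices.

```python
import ipaddress


class DhcpServer:
    """Simplified model of DHCPv4 subnet selection (added example, not Kea's
    or ISC's code).  A subnet is served on a link only if the server itself
    holds an address inside it on that link; reservations are consulted only
    within the selected subnets."""

    def __init__(self):
        # network -> {"pool": [addresses], "reservations": {mac: address}, "leased": set()}
        self.subnets = {}

    def add_subnet(self, cidr, pool_start, pool_end):
        net = ipaddress.ip_network(cidr)
        first, last = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        pool = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
        self.subnets[net] = {"pool": pool, "reservations": {}, "leased": set()}

    def reserve(self, cidr, mac, addr):
        net = ipaddress.ip_network(cidr)
        self.subnets[net]["reservations"][mac.lower()] = ipaddress.ip_address(addr)

    def select_subnets(self, link_addrs):
        """Subnets servable on a link: those containing one of the server's own
        addresses on that link.  Assumption: every matching subnet is eligible,
        which real servers require a shared-network declaration for."""
        own = [ipaddress.ip_address(a) for a in link_addrs]
        return [net for net in self.subnets if any(a in net for a in own)]

    def offer(self, link_addrs, mac):
        """Address offered to `mac` for a request received on a link where the
        server holds `link_addrs`; None when no subnet matches the link."""
        mac = mac.lower()
        candidates = self.select_subnets(link_addrs)
        # 1. A reservation counts only if it lies in a subnet servable on this link.
        for net in candidates:
            reserved = self.subnets[net]["reservations"].get(mac)
            if reserved is not None and reserved in net:
                return reserved
        # 2. Otherwise the first free dynamic address from a servable subnet.
        for net in candidates:
            entry = self.subnets[net]
            for addr in entry["pool"]:
                if addr not in entry["leased"]:
                    entry["leased"].add(addr)
                    return addr
        return None


def build_demo():
    """Constructed configuration mirroring the post: the existing LAN subnet
    with a dynamic pool, plus the IoT subnet holding a reservation for the
    tablet (MAC address and pool ranges are made up)."""
    srv = DhcpServer()
    srv.add_subnet("192.168.1.0/24", "192.168.1.100", "192.168.1.199")
    srv.add_subnet("10.19.4.0/24", "10.19.4.100", "10.19.4.199")
    srv.reserve("10.19.4.0/24", "aa:bb:cc:dd:ee:ff", "10.19.4.50")
    return srv


if __name__ == "__main__":
    srv = build_demo()
    # LAN link carries only 192.168.1.1: the 10.19.4.0/24 reservation is never seen.
    print("LAN 192.168.1.1 only ->", srv.offer(["192.168.1.1"], "aa:bb:cc:dd:ee:ff"))
    # Once the link also holds 10.19.4.1, the IoT subnet is selectable and the
    # reservation applies.
    print("LAN + 10.19.4.1      ->", srv.offer(["192.168.1.1", "10.19.4.1"], "aa:bb:cc:dd:ee:ff"))
```

The second call is the situation the "Virtual Interfaces" reading hints at: the subnet only becomes offerable once the server has an address in it on that link. Whether the firewall rules between the two subnets then mean anything is a separate question, since both sets of hosts still sit on one broadcast domain.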

#13
Quote from: sandy on January 29, 2026, 01:33:45 PM
After getting it to work with a lot of effort only to have it break again after not even a day when updating I consider the wlan support so broken that I am ready to give up and look for a more stable solution and use an external access point.

This is a common bad decision, using one device for everything ( many with me included have been there ), if it dies or issues, there goes the entire network.

Like Seimus recommended, I have an Asus RT-AX53U running OpenWrt for years now.
You set it and forget it, the latest release is 24.10.5 but if you feel up to some adventure, you can get snapshot or RC images.
#14
26.1 Series / Support to fwknop port knocking
February 02, 2026, 09:08:42 AM
I did the upgrade last night to OPNsense 26.1_4 and everything went smoothly.
Tonight I did the firewall rules upgrade and like many posts I was like "where are the rules??" after importing it over and over with no progress or anything really \o/


THE GOAL:
The above was necessary to do things right, once!
I do have WireGuard VPN, scanning access from my phone returns nothing and the firewall live log does show Default deny / state violation rule.

I wanna spice the relationship a bit and set up port knocking but....
I cannot find any os-fwknop plugin (or fwknop like openwrt), online forums didn't help much, the official documentation has zero mention of "port knocking" - https://docs.opnsense.org/index.html

Doesn't OPNsense support fwknop instead of the legacy way of opening two more ports (assuming that works)???
I don't wanna do the weaker legacy way.

Thank you
#15
Last update!

Everything is working, I have enabled the firewall rules back instead of using public DNS.

OPNsense Announcements is showing a hotfix 25.10.1_2 but it is not available yet, but I was reading 25.7 update and that seems to be the root cause of my problems indeed: https://forum.opnsense.org/index.php?topic=50052.msg255254#msg255254

That package manager update is the only thing that could have opened hell's door, until I ran the update again to install another 85 packages which failed with a Danger msg.

So anyway, this update is not great, I have never experienced such a major issue during an OPNsense update process before.
If you run this in prod, get ready for a wild ride.

Please be aware that during the update check the new package manager will be
installed, but will fail to report the update status like it always had before
and so you will end up with an error that will require checking for updates
again.  The fix is in this update, but impossible to install without upgrading
the package manager first.  We hope this will only be a minor inconvenience
during the process.