Messages

First, @nero355 is right, see point 8 here.

That being said, this sounds like a router-behind-router scenario where you forgot to have outbound NAT on your OpnSense such that the returning packets do not get back because the front router does not know about your LAN subnet, see point 4 here.

The problem is that you cannot use "This Firewall" as redirection target IP, regardless of IPv4 or IPv6. "This Firewall" is not a SINGLE address.

Imagine you say "192.168.10.1, 192.168.20.1" there. What does that mean? Use ONE single IP there.

Look at your WAN IPv4. Does it start with 100? Also, start this command from a CLI from your OpnSense box:

Code Select Expand

curl -4 ifconfig.me
If either your WAN IPv4 starts with 100 or the WAN IPv4 differs from what the command shows you (or both), you probably have a CG/NAT aka DS-Lite connection. With that, your ISP does not give you a routeable IPv4, but translates your WAN IPv4 via NAT to a routeable IPv4 that is used outside of the provider network.

Therefore, you share your "outside" IPv4 with many other customers. This is a case of double-NAT, where your ISP would have to create a port-forwarding rule for you, which he doesn't. So, if you find yourself in that situation, you cannot port-forward IPv4 and must find other means for outside-in access, like IPv6-only or create a tunnel connection (e.g. via Cloudflare or a VPN to a cloud instance that provides IPv4). Some ISPs also offer "real" IPv4 for a fee.

This is now also covered here, point 31.


Forget that, it does not apply to you. You cannot port-forward IPv4 and IPv6 at once, because the redirect destinations must be either IPv4 for IPv4 and IPv6 for IPv6. You cannot port-forward IPv6 to an IPv4 address, much less to a set of IP adresses for your firewall via "This Firewall". You must specify one (and just one) specific IP and you normally need two separate rules. That being said, maybe the combined rule would work with "LAN address" as the redirection target.

For IPv4, you can use 127.0.0.1 or any (V)LAN interface IP, for which there are specific aliases as well (like "LAN address"). For IPv6, you cannot use ::1, and you also cannot use the link-local IPv6s. I always use an ULA virtual IP for that or also "LAN address". Matter-of-fact, I never use IPv6 port-forwarding on OpnSense itself , but only open the ports directly with firewall rules.

For HTTPS, I use a reverse proxy, because then you can also use name-based redirection. There are guides on how to do that via Caddy or HAproxy in the tutorial section.

The only thing you cannot do is to "clone" an ONT because the ISP-provided ones are often locked. Cloning provides the benefit of having a cold standby in case the original ONT dies.

The equipment the providers usually have can do both XGS-PON and GPON or they give you a port that is suitable for you depending on what the ISP knows (or thinks) you have. Technically, they can also optically mix XGS-PON and GPON OLTs on the same customer fibres, just because of the different wavelengths.

You would be hard pressed to find an ISP that starts with XGS-PON and has only that. Although that might be true of Telekom when they now start a new "Ausbaugebiet".

XGS-PON ONT prices are a lot higher than GPON ONTs. They often draw a lot more power, as well. As long as you do not have a rate > 1 Gbps, you can use a GPON ONT, because XGS-PON is mostly downwards-compatible. In Germany, there are only a few ISPs who already offer XGS-PON - we sometimes use to call it "digital diashora".

In theory, one could have up to 2.5 Gbps downstream over plain GPON, BTW.

https://www.amazon.de/Telekom-Glasfaser-Schwarz-Ethernet-Anschluss/dp/B0FJ8CCY1L

https://www.playox.de/telekom-glasfaser-modem-2b-lan-port-lc-anschluss-2-gbit/s-bandbreite-schwarz-40824527-n2008265932

[set of IPs]

We have to discriminate some things here. When you look at my NAT rules here (which of course address NTP, not DNS), you will notice three parts vital parts:

1. The interfaces to which the NAT rule should apply. This determines for which of your networks this rule applies. You are free to choose here and that also works for me when I only specify some interfaces.

2. The range of destination IPs and ports that will match. This will be ! (i.e. NOT) "This Firewall", which means: every OTHER DNS server than the firewall itself (regardless of which subnet IP you are referring to) - so it matches any request that does not directly use your firewall, so any external DNS server. Here, it is O.K. to use the set of IPs "This Firewall" to indicate an exclusion. The port would be 53 (DNS) instead of 123 (NTP).

3. The destination IP and port that the request will be redirected to. This must be a single IP, so the set "This Firewall" is plain wrong. You must give a specific target here and you want these requests handled by your firewall, thus, you use 127.0.0.1 to indicate it. The port for DNS also is 53.

[set]

What does a redirect IP of "This Firewall" even mean? "This firewall" is the set of all adresses the firewall has.

Use an explicit IP like 127.0.0.1 and it will work.

Billiger wird nicht mehr

Doch: https://www.amazon.de/HSIPC-Firewall-Appliance-Router-i226-V/dp/B0CP1VZRG7 - dort kostet es mit RAM und Platte soviel wie bei ipu-system ohne.

 

You should talk to them directly, but I would think they want it covered, because when that breaks outside your house for whatever reason (e.g. vandalism), it is their obligation to fix it.

The ballpark for such things is 30-50€, as I already wrote. The Leox LXT-010H-D should work for Telekom, because they use VLANs (I still was unable to get it to work for DG). It costs ~31€. The Telekom Glasfaser Modem 2b is ~40€ and that should work with Telekom for sure...

Really? Interesting. Both M-Net and Deutsche Glasfaser give you one. Either way, they are dirt cheap (30-50€). I just bought an LXT-010H-D from wisp.pl and that also has 2.5 Gbps.

I would doubt that - unless you mix tagged and untagged traffic on the same physical interface and the rule somehow applies to you camera VLAN as well. You can look at /tmp/rules.debug to convince yourself of what gets thrown at pf.

P.S.: If you did the same as here, namely to redirect to "This Firewall": try 127.0.0.1 instead. Details matter.

[want]

No. Not at all.

1. The ONT is normally provided at no cost from the provider. Unlike with DSL modems, ISPs actually want you to use their equipment, because they say that it makes their infrastructure more stable. Know that you still share an OLT port with other customers.

2. The fibre cabling ends at the ONT. So it is your choice on where you locate it (provided that you actually get FTTH, not FTTB, where this is a whole different story). From there, you need ethernet cabling to the WAN port of your router. The provider does not care about the in-house cabling with FTTH, that is your problem. Usually, the fibre ends somewhere in your basement with the ONT directly connected via a short fiber stretch near it. Thus, it is your choice: If you have existing ethernet cabling that leads to the ONT, then you use it. If not, you can either install ethernet abling or install a longer fibre cable (which is really cheap) from the box to your ONT (which you place with your router).

There are multiple options available, for GPON and XGS-PON, this will always be single-mode fibre, usually with SC/APC or LC/APC ends, depending on sockets. Huawei has an interesting option for single-mode cables that you can glue to the wall and that are pratically invisible (you can actually put paint on those):

https://www.youtube.com/watch?v=ls26PPutDMc

Those were developed for FTTR, but can also be used for this purpose.

"Track Interface" is legacy now - what you probably want is now called "Identity Association". See: https://docs.opnsense.org/manual/interfaces.html

AFAIR the IPv6 changes were referenced in the 26.1 release notes, also.

In that case, you should create a bug report on github for the plugin: https://github.com/opnsense/plugins/issues