Messages - DeeGee

#1
For future reference, I've solved it, but not exactly in the fashion I had in mind. But it works.

Each IP on Hetzner is on its own MAC. I've added these as NICs in a bridge in Proxmox to OPNsense.
I've assigned these two NICs as WAN1 and WAN2 (technically wan and opt1). This is the same as previously written.
The difference is I've changed them both to DHCP instead of static IP. I read somewhere on this forum that this allows the same gateway IP to be added via DHCP, but not manually.

In outbound NAT, I've added LAN-out-via-WAN1 and LAN-out-via-WAN2.
In Firewall / LAN, I've added rules[1] that force gateway WAN1 or WAN2 depending on which machine makes the request. Et voila, it works!


[1] FW Rules:
Proto: IPv4
Source: wan1_machines (this is an alias containing the source IP's)
Dest: any
Gateway: WAN1_DHCP

Proto: IPv4
Source: NOT wan1_machines (inverted rule)
Dest: any
Gateway: WAN2_DHCP


The only thing not working properly right now is hairpinning port forwards. Will need to dig into this more, but also solvable with DNS overrides.


Hope this helps someone in the future.
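The following is an added illustration (editor's example, not OPNsense or pf code, and not something the poster provided) of how the two LAN rules above decide a packet's gateway, and of why hairpinned port forwards fall through them. The alias contents, the LAN subnet 10.0.0.0/24 and the extra "LAN-local" rule are constructed assumptions; the gateway names WAN1_DHCP and WAN2_DHCP and the wan/opt1 interface names come from the post. Relevant background for the hairpin case: in pf, port-forward (rdr) translation is applied before the filter rules, so a reflected connection reaches the LAN rules with the internal host as its destination, and a rule with "Dest: any" plus a gateway then pushes it to the upstream gateway instead of back onto the LAN. A rule for local destinations without a gateway, placed above the policy-routing rules, is the usual remedy and is modelled here as FIXED_RULES.

```python
"""Model of the LAN policy-routing rules described in the post above.

Added illustration, not OPNsense/pf code. Alias contents, the LAN subnet
(10.0.0.0/24) and the "LAN-local" rule are constructed assumptions; the
gateway names WAN1_DHCP / WAN2_DHCP and interfaces wan / opt1 are from the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed alias contents; the post only says wan1_machines holds source IPs.
ALIASES = {
    "wan1_machines": ["10.0.0.10", "10.0.0.11"],
    "lan_net": ["10.0.0.0/24"],
}

# Interface behind each gateway (post: WAN1 = wan, WAN2 = opt1). The two
# outbound NAT entries rewrite the source to that interface's address.
OUTBOUND_NAT = {"WAN1_DHCP": "wan", "WAN2_DHCP": "opt1"}


def in_alias(addr: str, alias: str) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(net, strict=False) for net in ALIASES[alias])


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str] = None      # alias name; None means "any"
    src_not: bool = False          # True models the inverted "NOT wan1_machines"
    dst: Optional[str] = None      # alias name; None means "any"
    gateway: Optional[str] = None  # None means normal routing-table lookup

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        # Source check: membership must equal "not inverted" for a match.
        if self.src is not None and in_alias(src_ip, self.src) == self.src_not:
            return False
        if self.dst is not None and not in_alias(dst_ip, self.dst):
            return False
        return True


def route_for(rules, src_ip: str, dst_ip: str) -> str:
    """First matching rule wins (OPNsense rules are 'quick' by default).

    Returns the gateway name, 'ROUTING_TABLE' if the matching rule sets no
    gateway, or 'DEFAULT_DENY' if nothing matches.
    """
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.gateway or "ROUTING_TABLE"
    return "DEFAULT_DENY"


def nat_interface(gateway: str) -> Optional[str]:
    """Interface whose address the outbound NAT entry will use, if any."""
    return OUTBOUND_NAT.get(gateway)


# The two rules exactly as listed in the post.
POSTED_RULES = [
    Rule("LAN-via-WAN1", src="wan1_machines", gateway="WAN1_DHCP"),
    Rule("LAN-via-WAN2", src="wan1_machines", src_not=True, gateway="WAN2_DHCP"),
]

# Constructed variant: a rule for local destinations *without* a gateway placed
# first, so a reflected port forward (dst already rewritten by rdr to a LAN host)
# is delivered locally instead of being policy-routed to an upstream gateway.
FIXED_RULES = [Rule("LAN-local", dst="lan_net")] + POSTED_RULES

if __name__ == "__main__":
    cases = [
        ("10.0.0.10", "1.1.1.1"),    # WAN1 machine to the internet
        ("10.0.0.20", "1.1.1.1"),    # every other LAN host to the internet
        ("10.0.0.20", "10.0.0.10"),  # hairpin: forward on the WAN1 IP -> 10.0.0.10
    ]
    for src, dst in cases:
        for label, rules in (("posted", POSTED_RULES), ("with LAN-local", FIXED_RULES)):
            gw = route_for(rules, src, dst)
            print(f"{label:15} {src} -> {dst}: {gw} (NAT via {nat_interface(gw)})")
```

Running it shows the posted rule set sending the hairpin connection from 10.0.0.20 to WAN2_DHCP, while the variant with the gateway-less local rule first returns it to the routing table, which is what makes the reflected forward work; on a real box the equivalent check is to look at which LAN rule the reflected connection matched in the live log.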
#2
I've got one machine on Hetzner running Proxmox and a VM with OPNsense 25.1. The host has Hetzner's default single IP, and I want to keep it like that (in case the router VM fails to start).

Then I have two extra IPs, which are on separate MACs, added as two separate NICs in the OPNsense VM. I run into OPNsense's (or FreeBSD's?) limit of having the same gateway defined only once.

So from what I gather, and here's where I want some input:

- If I choose to reset the MAC in Hetzner Robot on extra-ip-1, can I then assign it to the same MAC as extra-ip-2?
- If that works, and I have both IPs on the same MAC, do I then have one as primary on the interface, and add the second as a Virtual IP?
- If those two work, is it then the outbound NAT settings which determine which public IP is shown for what service, and can I choose which one with "Translation/Target"?
- For inbound/forwards, I suppose I should select the incoming IP within the rule, not just the interface.

I'll probably pull the trigger and experiment on this, when I've got a bit of time on my hands. But would like the extra input if possible.
#3
24.7, 24.10 Series / Re: No IPv6 after update to 24.7.10
December 06, 2024, 03:03:50 PM
Thanks, tested that now, but there still seems to be an issue with dhcp6c retrieving a prefix.

I see this looping:

# dhcp6c -c /var/etc/dhcp6c.conf -p /var/run/dhcp6c.pid -fD vtnet1
Dec/06/2024 15:01:27: Sending Solicit
Dec/06/2024 15:01:27: set client ID (len 14)
Dec/06/2024 15:01:27: set identity association
Dec/06/2024 15:01:27: set elapsed time (len 2)
Dec/06/2024 15:01:27: set option request (len 4)
Dec/06/2024 15:01:27: set IA_PD
Dec/06/2024 15:01:27: send solicit to ff02::1:2%vtnet1
Dec/06/2024 15:01:27: reset a timer on vtnet1, state=SOLICIT, timeo=5, retrans=29635
#4
24.7, 24.10 Series / Re: No IPv6 after update to 24.7.10
December 06, 2024, 02:43:15 PM
Seeing the same problem here. Did you document the steps to fix it?
#5
High availability / Re: Failover with VPN Tunnel
April 23, 2022, 05:16:29 PM
For anyone running into this thread, I ended up using a single tunnel instead of two and turning it off/on using hooks as mentioned by spali and jprenken in https://forum.opnsense.org/index.php?topic=25993.0 and https://gist.github.com/jprenken/18ca7bf14ddae547ae0fdf6f56d72573.
#6
High availability / Failover with VPN Tunnel
March 26, 2022, 01:21:25 PM
I've got some local failover using CARP/VIP with my two OPNsenses. Now I'd like to expand this so that the VPN connectivity also fails over. Right now it depends on LocalOpn1 being up. I'm using WireGuard for VPN.

RemotePf1:
LAN IPv4: 192.168.20.1/24
LAN IPv6: 2000:abc:1111::1/64
This machine is also routing the whole 2000:abc::/56

LocalOpn1 (primary):
LAN IPv4: 192.168.5.254/24
LAN IPv6: 2000:abc:2222::254/64

LocalOpn2 (backup):
LAN IPv4: 192.168.5.253/24
LAN IPv6: 2000:abc:2222::253/64

LocalOpn1 gets a /60-net from RemotePf1's /56-net.
I use CARP/VIP on the two locals to assign them 192.168.5.1 and 2000:abc:2222::1
RemotePf1 is the exit node for all IPv6 traffic.

How can I get this two-to-one VPN setup to work?
#7
Can confirm, this works! Thanks for the update.
#8
General Discussion / Re: Install OPNsense on Oracle
October 03, 2021, 02:52:22 PM
Is there any way to do this when it's no longer on the free period?
#9
I've got OPNsense set up with a Mullvad tunnel over WireGuard, and selected sites and clients going out through that tunnel just fine for IPv4. How can I achieve the same thing with IPv6? As far as I can tell, it's only possible to add one gateway address, which is later used in the System / Gateways screen.

#10
General Discussion / Install OPNsense on Oracle
March 19, 2021, 11:23:18 PM
I'm looking to install OPNsense on an Oracle Always Free Tier virtual machine to use as an endpoint for my WAN (local OPN on LAN and WG to Oracle) because my ISP puts me behind NAT. The VM specs seem to be fine for this limited use case. It's not possible to upload ISOs, but apparently it can be done by loading a preinstalled qcow2 file. There is some form of scripted install but I've not figured that out yet.

So... Has anyone else installed OPN on Oracle Cloud and have insights to share?