Messages

1

General Discussion / Re: High inblock packet count on passive LAN interfaces

« on: Today at 01:35:37 pm »

To be honest, that has also confused me for a while.

Since the unit is packets/second, wouldn't it be nicer to see for example "0.2" instead of "200m" and just add k or M for the bigger values (>1/s)?

2

General Discussion / Forum itself: More english subforums - eg. networking

« on: Today at 01:24:05 pm »

Hey all,

Wouldn't it be great to have a couple (not a ton) more specific english (sub) forums? So much stuff goes into "general discussion" (like this post - which could go into a forum forum ;-) )

I came across the issue while writing some posts on IPv6 related stuff. Very similar (if not basically the same) problems exist in the current release forum, general discussion, tutorials etc. Of course, search is available - but that's not the point.

It's just an idea. As mentioned in the topic for example, it would be nice to have a separate "Networking" forum to discuss topics like IPv4, IPv6, DHCP, vlan, routing - stuff like this.

What do you think?
 

3

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« on: Today at 10:29:29 am »

Indeed I think OPNsense is not the root problem in your case. Dig deeper into the ONU and see if it can get a bigger prefix delegated down to OPNsense. I don't think (anyone?) proper IPv6 setup with only a /64 dynamic prefix received is possible.

From what I read there is a chance the ONU does not even support delegating networks down.

After you did your next setup and research, it would be great if you could post your findings here, maybe including our ONU model. It's always interesting to know.

Good luck

4

24.7 Production Series / Re: Double NAT, IPV6 Issue

« on: Today at 09:25:15 am »

The Asus router must delegate a prefix to OPNsense. You need to check with the vendor documentation if it can do that and how to configure.

Long story short ... while I was writing ;-)

5

24.7 Production Series / Re: Double NAT, IPV6 Issue

« on: Today at 09:23:56 am »

It sounds like the ASUS router is your first problem. But that is just a guess without knowing this piece of hardware.

1. ISP prefix length

I have a WAN prefix length of 56.

good thing. Where can you see this? in the ASUS router? Let's assume YES.

2. ASUS DHCPv6 / Router advertisment setup

The uplink router has a lan prefix of 64 ... The ASUS Router LAN is set to 64 and can't be changed.

The most important prerequisite for a IPv6 router chain is prefix delegation. Your ASUS router must be able to delegate a part of its available /56 network down to the next router in the chain (OPNsense).

Assigning addresses to clients is not the same as delegating a subnet (prefix) to another router. As I understand from what you write, the ASUS router is assigning addresses to its connected clients on its LAN ports.

3. "second prefix" does not exist

Thus I won't be able to do a second prefix length of 64 with opnsense.

There is no such thing as a "second /64" prefix. The client router (OPNsense) can only request 1 prefix. That's why, it must be bigger than /64, at the minimum /63

4. summary

You must find a setting in your ASUS box to delegate a prefix down to OPNsense. In your current configuration, your OPNsense only gets an address. Please try to find some documentation on the ASUS router or post a link here.

Thank of it this way: Let's assume you can convince the ASUS router to delegate a /58 block down. The OPNsense box then simply asks "Hey Asus, give me a /58 subnet which I can handle. Not you, me". That's prefix delegation.

The OPNsense box then grabs the prefix and divides it into smaller chunks to assign it to its own clients. That's the /64 address assignment as you see it on the ASUS router too.

The bad news: If your ASUS router can not delegate subnets (=prefixes) to downstream routers, IPv6 will not work the right way. But honestly, I doubt it.

6

24.7 Production Series / Re: Double NAT, IPV6 Issue

« on: November 20, 2024, 09:25:16 pm »

In opensense Dynamic IPV6 prefix is not showing up.

If you don't see a prefix delegated to OPNsense, it won't work.

Play with your uplink router settings (eg PD, length etc), mode (dhcpc, slaac etc) and OPNsense WAN interface settings (mode, prefix length, prefix hint, prefix ID)

7

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« on: November 20, 2024, 06:19:46 pm »

Additional hint from memory (not on a box right now):

You can increase dhcp6c logging level on interfaces->settings->IPv6 DHCP log level

These can later be viewed on system->logfiles->general reported as dhcp6c events

8

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« on: November 20, 2024, 06:06:37 pm »

I tried to change the "Child Prefix Mask" to ::/63 and ::/60 but I got "Invalid prefix mask" from the ONU, not sure what the mask should be to get a larger different prefix.

Did you also change the „request prefix size“ on the WAN interface settings in OPNsense?

You should get at least a /57 prefix out of your uplink router. Some documentation available?

9

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« on: November 20, 2024, 05:50:56 pm »

You get a /56 prefix from your ISP - perfect.

Try DCHPv6 for delegation as dseven said and also try to get a bigger network delegated into OPNsense, maybe /62 or even bigger.

I remember having an issue long time ago when a /64 was not enough, even with request prefix only checked.

@dseven on routing: I meant the uplink router, not the OPNsense box. If the uplink router delegates the network downwards, it MUST route it.

10

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« on: November 20, 2024, 05:38:20 pm »

It seems like you have the prefix, but maybe the "ISP ONU" is not routing it to your OPNsense WAN interface....

Sorry overlooked the working traceroute to opnsense ;-)

But is it even possible that the uplink router would delegate a prefix and NOT route it?

Should check what OPNsense->Interfaces->Overview->WAN->Detail popup says at „dynamic IPv6 prefix received“

11

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« on: November 20, 2024, 05:22:21 pm »

Without a bit more information itˋs just guessing, but first things to look at:

1) is IPv4 working correctly? (Ping, WAN access)

2) at first look, your IPv6 stack looks good - your LAN client gets an IPv6 via RA from OPNsense

3) Do you have at least 1 Firewall rule defined on the LAN interface? (No rule = block everything)

12

24.7 Production Series / Re: No NAT states in FW->LiveView anymore

« on: November 20, 2024, 11:49:45 am »

  I was looking only in opnsense/core for the issue

thank you

13

24.7 Production Series / Re: Double NAT, IPV6 Issue

« on: November 20, 2024, 11:43:42 am »

Patrick answered the question perfectly.

A bit more Detail from my personal experience:

I do "double NAT" (wrong term for IPv6!) on all my sets since years now. It works (almost) perfectly with Opnsense. And since IPv6 needs no NAT by design, there is no performance regression either - except for the added ethernet latency due to one more hop.

The biggest culprit is getting a large (small) enough prefix from your provider and having it delegated from your uplink router to OPNsense.

The OPNsense (WAN) interface settings vary depending on your uplink router model and settings.

While working on it, your best chance to debug is to see if OPNsense actually got a prefix delegated on your (WAN) interface. During the last releases, the location of this information has changed a bit (now Interfaces->Overview->Detail Popup).

Once you get it running like on the picture below, you are on the road.

14

24.7 Production Series / Re: No NAT states in FW->LiveView anymore

« on: November 20, 2024, 10:51:45 am »

I guess I found some starting point to the issue:

It seems that in FW->Diagnostics->States->Rules the NAT rules are present (and logged?). At least that's my understanding of this table.

In the FW->Logging->LiveView table, the NAT entry is present but 1) has no rule label displayed 2) is labeled pass(green) instead of NAT (blue)

Log sequence with hybrid NAT rules enabled:






With manual NAT rule:





both cases actual do the correct NAT. But for debugging purposes, it would really be nice to see the them in the FW live log.

Am I completely wrong here, did something change, is this behavior expected or indeed a bug/issue?

@Franco would you mind taking a quick look?

thank you 

15

24.7 Production Series / Re: 24.7.8 System: Firmware failure

« on: November 20, 2024, 08:26:29 am »

Had the same error yesterday early in the morning. Changing the mirror from dns-root.de (HTTPS, Cloudflare CDN) to LeaseWeb (HTTPS, Frankfurt, DE) fixed it immediately.