Messages - HolgerKuehn

#1
25.7 Series / Re: OPNsense not responding on ULA
August 13, 2025, 10:11:35 PM
Quote from: meyergru on August 13, 2025, 12:17:17 PM
??? - you literally configured fd11:f0d8:a7bb:135d::/64 and not fd11:f0d8:a7bb:135d:215:5dff:fe16:104/64 for your virtual IP:

Thanks for the hint, I must have misunderstood this point in my initial setup back then. I thought it was supposed to define the prefix only, as the column says "network". I checked some newer guides out there and all of them show the interface part as well. A great one is here: https://www.raydak.de/blog/2025-05-25_opnsense_ipv6/

I must have missed this, as I was using a DNS service on a client on the LAN and not the router itself. It only showed up now as I switched to Unbound on the box.
#2
25.7 Series / Re: OPNsense not responding on ULA
August 13, 2025, 12:01:53 PM
Quote from: meyergru on August 12, 2025, 09:33:12 PM
When you specify a virtual fixed IPv6, you have to provide the EUI-64 part, you only gave ::, which is zero. Your OPNsense would probably respond to fd11:f0d8:a7bb:135d::0, but not to fd11:f0d8:a7bb:135d:215:5dff:fe16:104, simply because you did not configure that.

Ok, makes sense. Any pointers where I can configure this?
#3
25.7 Series / [SOLVED] OPNsense not responding on ULA
August 12, 2025, 08:51:55 PM
Hi guys,

I've updated to 25.7 recently and switched to dnsmasq and Unbound. Yesterday I noticed that IPv6 was not working; it might have been so for a few days, and I have dual stack set up.

I have done some digging through older posts and noticed that the interface did not generate a full IPv6 address, it only gets the prefix. I'd be grateful for any hints on what might cause this and how to fix it.

The setup and troubleshooting I've done so far is as follows:

Interfaces:
  WAN - changing prefixes with dual stack
  LAN - static IPv4 and TrackInterface for IPv6

DNSmasq on LAN interface
  as DHCP
      Ranges are 192.168.22.10 to 192.168.22.200 for IPv4
                :: for IPv6
      options set DNS server, NTP server and NIS domain for both IPv4 and IPv6

  not for DNS

DNS via unbound


To get the ULA on LAN the virtual IP defined on Interfaces / Virtual IPs as
fd11:f0d8:a7bb:135d::/64 - LAN - IP Alias

The clients on the LAN receive the prefix just fine and get their IPv6 address via SLAAC.

I've checked the router advertisement via Wireshark. As far as I understand it, it looks as expected:

Frame 2294: 166 bytes on wire (1328 bits), 166 bytes captured (1328 bits) on interface \Device\NPF_{5B7E23CD-8508-42FD-9E61-D2ED511AAD4D}, id 0
Ethernet II, Src: Microsoft_16:01:04 (00:15:5d:16:01:04), Dst: IPv6mcast_01 (33:33:00:00:00:01)
Internet Protocol Version 6, Src: fe80::215:5dff:fe16:104, Dst: ff02::1
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0x78c9 [correct]
    [Checksum Status: Good]
    Cur hop limit: 255
    Flags: 0x48, Other configuration, Prf (Default Router Preference): High
    Router lifetime (s): 1200
    Reachable time (ms): 0
    Retrans timer (ms): 0
    ICMPv6 Option (Prefix information : fd11:f0d8:a7bb:135d::/64)
        Type: Prefix information (3)
        Length: 4 (32 bytes)
        Prefix Length: 64
        Flag: 0xc0, On-link flag(L), Autonomous address-configuration flag(A)
        Valid Lifetime: 86400 (1 day)
        Preferred Lifetime: 86400 (1 day)
        Reserved
        Prefix: fd11:f0d8:a7bb:135d::
    ICMPv6 Option (Prefix information : 2003:****:****:****::/64)
    ICMPv6 Option (Source link-layer address : 00:15:5d:16:01:04)
    ICMPv6 Option (Recursive DNS Server fe80::215:5dff:fe16:104)

Got IPv6 to work again by setting the link-local address as DNS, as you can see in the RA.
When I try to set the ULA fd11:f0d8:a7bb:135d:215:5dff:fe16:104 as DNS, IPv6 breaks as no DNS requests are answered, whereas fe80::215:5dff:fe16:104 seems to work.


So I logged in via SSH and checked the following in the OPNsense shell:

Ping from OPNsense to a client on LAN is working ...

root@JIGOKUMON:~ # ping fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c
PING(56=40+8+8 bytes) fd11:f0d8:a7bb:135d:: --> fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c
16 bytes from fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c, icmp_seq=0 hlim=255 time=0.356 ms
16 bytes from fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c, icmp_seq=1 hlim=255 time=2.206 ms
16 bytes from fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c, icmp_seq=2 hlim=255 time=1.305 ms

Ping to OPNsense is not working

ping fd11:f0d8:a7bb:135d:215:5dff:fe16:104 -t

Pinging fd11:f0d8:a7bb:135d:215:5dff:fe16:104 with 32 bytes of data:
Destination host unreachable.
Destination host unreachable.

Ping statistics for fd11:f0d8:a7bb:135d:215:5dff:fe16:104:
    Packets: Sent = 2, Received = 0, Lost = 2
    (100% loss),

... but I noticed the second line where the interface part (::215:5dff:fe16:104) is missing.

The Interface looks like this:

hn1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN (lan)
        options=80018<VLAN_MTU,VLAN_HWTAGGING,LINKSTATE>
        ether 00:15:5d:16:01:04
        inet 192.168.22.254 netmask 0xffffff00 broadcast 192.168.22.255
        inet6 fe80::215:5dff:fe16:104%hn1 prefixlen 64 scopeid 0x6
        inet6 fd11:f0d8:a7bb:135d:: prefixlen 64
        inet6 2003:****:****:****:215:5dff:fe16:104 prefixlen 64
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Looks like the virtual IP is only shown as the prefix, but no full IPv6 address is generated.

If I change the LAN IPv6 setting from "Track Interface" to "SLAAC", the expected IPv6 address is generated and the ping TO OPNsense is working, but public access is gone as the GUA/2003:: prefix is no longer known.


I could test the config with 25.1.12 if useful/needed. Any hint appreciated.

Cheers,
Holger Kühn
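The resolution of this thread (meyergru's hint in #1 and #2) is that a Virtual IP of fd11:f0d8:a7bb:135d::/64 assigns the bare prefix to the interface, while a client pinging the EUI-64 address fd11:f0d8:a7bb:135d:215:5dff:fe16:104 expects the interface identifier derived from the MAC 00:15:5d:16:01:04. The following is an added example, not code from the thread or from OPNsense: it derives the modified EUI-64 identifier from that MAC, assembles the full ULA, and reports whether a given Virtual IP entry actually carries an interface identifier. The MAC, prefix and addresses are the ones quoted in the post; the function names are this example's own.

```python
"""
Added example (not from the forum thread or from OPNsense): derive the
modified EUI-64 interface identifier from a MAC address, assemble the ULA
the LAN interface should carry, and check what a Virtual IP entry assigns.
MAC 00:15:5d:16:01:04 and prefix fd11:f0d8:a7bb:135d::/64 are from the post.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """64-bit modified EUI-64 identifier (RFC 4291, Appendix A) for a 48-bit
    MAC: flip the universal/local bit of the first octet and insert ff:fe
    between the OUI and the device-specific part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    first = octets[0] ^ 0x02                      # invert the U/L bit
    eui = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier derived from `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def is_ula(addr) -> bool:
    """True for RFC 4193 unique local addresses (fc00::/7)."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("fc00::/7")


def diagnose_vip(configured: str, mac: str):
    """What a Virtual IP entry really assigns. Returns
    (assigned address, expected EUI-64 address, True if they match)."""
    iface = ipaddress.IPv6Interface(configured)
    expected = address_from_prefix(str(iface.network), mac)
    has_iid = int(iface.ip) & ((1 << 64) - 1) != 0  # low 64 bits non-zero?
    return iface.ip, expected, has_iid and iface.ip == expected


if __name__ == "__main__":
    mac = "00:15:5d:16:01:04"
    for vip in ("fd11:f0d8:a7bb:135d::/64",
                "fd11:f0d8:a7bb:135d:215:5dff:fe16:104/64"):
        got, want, ok = diagnose_vip(vip, mac)
        print(f"{vip}\n  assigns  {got} (ULA: {is_ula(got)})\n"
              f"  expected {want}\n  {'OK' if ok else 'prefix only, no interface identifier'}")
```

The first entry is what the original post configured: the interface gets fd11:f0d8:a7bb:135d:: (exactly what the ifconfig and the ping source line show), so nothing answers on the EUI-64 address the clients use. The second entry is the form the fix requires.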
#4
Quote from: meyergru on March 02, 2025, 09:41:51 AM
What you cannot do is refer to any DNS name outside of your OpnSense, i.e. use an external DNS name with a mask applied in a firewall rule.
That would be a typical scenario for a VPN.

What type of rule do you want to create / what is your use-case? The reason I ask is that I do not see any.

To limit the source of a WireGuard peer to one known network, e.g. a /64 mask, by setting it in the endpoint address of the WireGuard peer config.

The same goes for services like Plex or Jellyfin exposed over a reverse proxy to family. There I know the network address (from the DynDNS entry of the router) and want to limit the source of any appropriate rules to those known networks (e.g. all devices behind the known router) and not the entire internet.

#5
Hi,

what I mean is the following.

I have a DynDNS entry for the IP 2001:DB8:1:2:a:b:c:d/128.

I want to use this in a rule, BUT ONLY the network portion 2001:DB8:1:2::/64 of it. This seems to be missing in Aliases, as far as my tests show.

I have one client that updates the DynDNS entry, but want all devices from that network to have access, so I can not use the specific IPv6 address of the updating device.

Or am I missing something obvious here?
#6
I'll check this out. Do they strip the interface part from an address given by DynDNS?
#7
Hi,

I've got a WireGuard connection working just fine. I am trying to limit the source to the whole network. The public IP addresses are provided via DynDNS. IPv4 is fine as it's the gateway anyway, but for IPv6 I get 2001:DB8:1:2:a:b:c:d/128. Is there a way to create an alias to get 2001:DB8:1:2::/64? I know about the alias type IPv6 Host, but that's the interface part and not the network part.

Would be a bit easier for the dyndns update part.
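Posts #5 and #7 ask for the same thing: the DynDNS name resolves to one /128 host, but the rule should cover the whole /64 that host sits in. As an added example (not code from the thread or an OPNsense feature), the following masks resolved host addresses down to network entries for an alias and emulates a source-address match against the result. The resolved addresses are constructed sample data using the documentation ranges; the 64-bit cutoff and the decision to keep IPv4 as /32 (the post says the IPv4 address is the gateway itself) are this example's assumptions.

```python
"""
Added example (not from the thread, not an OPNsense alias type): turn the
/128 host addresses a DynDNS name resolves to into the /64 networks a
firewall alias should carry, and check a packet source against that alias.
Resolved addresses below are constructed sample data (documentation ranges).
"""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def host_to_network(addr: str, v6_prefixlen: int = 64, v4_prefixlen: int = 32) -> Net:
    """Mask a resolved host address down to the network it belongs to.
    Assumption: IPv6 hosts collapse to their /64; IPv4 stays a single host
    because the post says the IPv4 address is the gateway itself."""
    ip = ipaddress.ip_address(addr)
    plen = v6_prefixlen if ip.version == 6 else v4_prefixlen
    # strict=False keeps the host bits from raising; they are masked off.
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def alias_networks(resolved: Iterable[str]) -> List[Net]:
    """Deduplicated, sorted network list for an alias built from all the
    addresses a DynDNS name resolved to (several hosts in one /64 collapse)."""
    nets = {host_to_network(a) for a in resolved}
    return sorted(nets, key=lambda n: (n.version, int(n.network_address)))


def source_allowed(alias: Iterable[Net], src: str) -> bool:
    """Emulate a rule whose source is the alias: does `src` fall into any entry?"""
    ip = ipaddress.ip_address(src)
    return any(ip.version == n.version and ip in n for n in alias)


if __name__ == "__main__":
    resolved = ["2001:db8:1:2:a:b:c:d", "203.0.113.7"]       # constructed
    alias = alias_networks(resolved)
    print("alias entries:", [str(n) for n in alias])
    for src in ("2001:db8:1:2::99", "2001:db8:1:3::1", "203.0.113.7", "203.0.113.8"):
        print(f"{src:20} -> {'allowed' if source_allowed(alias, src) else 'blocked'}")
```

Note that the alias is only as fresh as the last DynDNS update: if the provider rotates the customer's /64 (many do on reconnect), the rule silently starts denying the new prefix until the name is re-resolved, so the refresh interval of whatever updates the alias matters as much as the mask.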
#8
Hi,

yes, I previously tried this. It did not seem to work. I reset the whole configuration to an earlier state, rebooted and tried again, then it worked as expected.

One question there though. I have a working configuration with the manual SPD entry added for the whole network segment used by the clients (e.g. 172.28.0.0/16). During testing before, I was only adding the single addresses I actually configured the BINAT for (e.g. 172.28.200.106). Should this make any difference in the effective configuration?
#9
Virtual private networks / (Source- ?) NAT before IPsec
February 23, 2025, 09:28:52 PM
Hi guys,

I've been using OPNsense at home for quite some time, and recently could replace our old Zyxel firewall at work with OPNsense. I had IPsec tunnels working for quite some time successfully, but had been able to avoid NAT until now.

I need to set up an IPsec tunnel to a partner using the same local network as we are. So obviously some NAT had to be set up. Researching, I found this post (https://forum.opnsense.org/index.php?topic=22605.0), but for the life of me I could not get this to work. So I hope to get some input here.


The setup is the following

-------------------------------------
-- local network - 172.28.0.0/16   --
--   local PC    - 172.28.200.106  --
-------------------------------------
             -
             -
-------------------------------------
--        Firewall                 --
--                                 --
--      NAT to 10.199.2.129        --
--                                 --
--    IPsec to 10.199.2.128/25     --
-------------------------------------
             -
             -
-------------------------------------
--       at partner                --
--       reaching to               --
--       10.199.2.2/32             --
-------------------------------------

The tunnel itself is configured and should work. Originally set up with source net 172.28.0.0/16, it got packets sent.


What do I need to configure to get packets sent through this IPsec tunnel?

 - 172.28.200.106 sends RDP-packet with destination 10.199.2.2
 - 172.28.200.106 is NATed to 10.199.2.129
 - 10.199.2.129 sends RDP-packet through IPsec tunnel
 - is handled at partner site to reach 10.199.2.2 and NATed to 172.28.x.x

As far as I understood the documentation I found, this is Outbound NAT, and I configured it as follows:

 - Firewall NAT Outbound
 - Interface             IPsec
 - TCP/IP                IPv4
 - Protocol              any
 - Source Address        172.28.200.106
 - Source Port           any
 - Destination Address   10.199.2.2/32
 - Destination Port      any
 - Translation / Target  10.199.2.129

The hints state something about configuring Virtual IP addresses on the interface first, but I have no possibility to define them on the IPsec interface, as it is not listed there.

Any hints on what I am missing would be greatly appreciated. If I need to provide more info just let me know.
#10
What settings did this screenshot refer to?
I have the exact same issue, but the solution is unavailable due to deleted screenshot.
#11
Have done some more testing, it's only port 80 that's not working here. I found another thread and changed the GUI ports to only 443 and LAN, but it still persists.

Anything I missed?
#12
Hi folks,

I've been trying to figure out why one of my portforwardings seems not to be working.

I'm using a Plex Media Server on my NAS; it requires port 32400 for remote access. If I configure the same port on WAN, it's stable. But when using port 80 on the WAN for it, it stops working. I used to do this before I switched to OPNsense, as most guest networks only allow traffic on ports 80 and 443.

Is there any (standard) configuration that might use the port 80 already, so that it's not working here?

The attachments show the aliases and NAT rules I've configured. I'll limit the source to specific known networks later, but like to understand why it's not working in this simple setup.

Holger
#13
Quote from: Nnyan on August 12, 2021, 07:41:31 AM
... Plex remote access will not work unless I can figure out how to do this.

As far as I know, for remote access only port 32400 is needed. I've not changed anything for the certificates so far. And remote access is working just fine (at least from native apps, usually not using app.plex.tv)
#14
Hi,

I've started a support request about this. Will keep you informed.

Holger
#15
Hi folks,

I'm trying to set up port forwarding for my Plex Media Server. At the moment a simple unconditional one from port 80 to 32400 or 32400 to 32400. Doing so I noticed two different kinds of rules in "Firewall: NAT: Port Forward":

1. named "Enabled rule"
2. named "Linked rule"

What's the difference between them? Can anyone link me to documentation? Couldn't find any useful posts so far.

Furthermore the one trying to forward 80 to 32400 seems to break after a few seconds, without any hint what might be wrong with it. Testing it with 32400 to 32400, so far this seems to be stable (for 30min at the moment).

Holger