Messages - FormBurden

#1
General Discussion / A few MTU questions
April 10, 2022, 07:41:46 PM
Been reading about MTU lately and trying to get my network to be the most optimal it can be. From a lot of research online, I've gotten confused on a few things.

Knowing the standard default is 1500 for Ethernet on MTU, when it comes to VLANs (which I do use), does keeping the defaults on everything work out? From what I can tell, on my PC, all my routers, and OPNsense, everything says 1500 for MTU. On the defaults, like this, what about VLANs, which add 4 bytes to the message? Do I increase the 1500 somewhere (parent interface?), or are there already automated systems in place (usually) that adjust these kinds of things? Therefore, when I have VLANs going on OPNsense, and going down to my other routers within the network (that are also 1500), I don't need to change anything?
#2
After tons of trial and error, I have finally got Wireguard to work with Mullvad VPN using the Wireguard app in OPNsense. IPv4 works great, but the part in all the config that I'm stuck at for IPv6 is the gateway. In a lot of tutorials for Wireguard in OPNsense for external VPN, you set up the gateway in the Wireguard config to be something similar to one number down from an IPv4 address (e.g. 1.2.3.4 > 1.2.3.3) by using this command:

curl -sSL https://api.mullvad.net/wg/ -d account=123 --data-urlencode pubkey=PUBKEY

But how do I do all of this for an IPv6 address? I get the IPv6 address from the above terminal command, so it's input in the "local" on Wireguard for the Tunnel Address.

IPv6 seems hard to grasp because the one-down method for IPv4 doesn't seem to work if trying to apply the same principle to IPv6, or I just don't know how to "one down" an IPv6 address. I just get those endless errors of "does not lie within one of the chosen interface's IPv6 subnets".

So how would I do this for an IPv6 address?

Also, I would assume the firewall rules for IPv6 are pretty much the same as the ones for IPv4?

All the info I could find for Wireguard on OPNsense is for IPv4, never really going into detail on how to do it for IPv6 (such as how to do the gateway for IPv6).
#3
Update:

Welp, I fixed my own issue. Oddly enough, what was happening was that for the VLAN IP network address on Proxmox I was putting 192.168.30.1/24 without realizing that this was conflicting with the OPNsense VLAN 30 address of 192.168.30.1/24. But when I changed the .1 to something like .5 or whatever, everything worked correctly when restarting a VM. I guess the mistake was accidentally trying to have two VLAN interfaces on the network instead of the one which is on OPNsense.

So for anyone with a similar issue, that's how I solved it.
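The fix above comes down to two devices (OPNsense and the Proxmox host) both claiming the same host address on the same VLAN. The following Python is an added example, not code from the original post or from OPNsense/Proxmox: it takes a small constructed inventory of (device, VLAN, address/prefix) entries, reports any host address claimed by more than one device on a VLAN, reports VLANs whose members disagree on the network prefix, and proposes a free address the way the poster moved Proxmox to .5. Device names and the inventory itself are assumptions for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory modelled on the post: each entry is
# (device, vlan id, address with prefix). The Proxmox entry on VLAN 30
# duplicates the OPNsense gateway address, which is the conflict described.
INTERFACES = [
    ("opnsense", 30, "192.168.30.1/24"),
    ("proxmox",  30, "192.168.30.1/24"),   # duplicate of the OPNsense address
    ("opnsense", 10, "192.168.10.1/24"),
    ("proxmox",  10, "192.168.10.5/24"),
]


def find_address_conflicts(interfaces):
    """Return [(vlan, address, [devices...])] for every host address that two
    or more devices claim on the same VLAN."""
    claims = defaultdict(list)
    for device, vlan, cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)       # validates the address/prefix
        claims[(vlan, iface.ip)].append(device)
    return sorted(
        (vlan, str(ip), sorted(devices))
        for (vlan, ip), devices in claims.items()
        if len(devices) > 1
    )


def find_subnet_mismatches(interfaces):
    """Return {vlan: [networks...]} for VLANs whose members use different
    network prefixes (hosts would not agree on what is 'local')."""
    networks = defaultdict(set)
    for _device, vlan, cidr in interfaces:
        networks[vlan].add(ipaddress.ip_interface(cidr).network)
    return {vlan: sorted(str(n) for n in nets)
            for vlan, nets in networks.items() if len(nets) > 1}


def suggest_free_address(interfaces, vlan):
    """Pick the lowest host address in the VLAN's network that nobody in the
    inventory is using yet (the kind of move the poster made, .1 -> .5)."""
    members = [ipaddress.ip_interface(cidr)
               for _device, v, cidr in interfaces if v == vlan]
    if not members:
        raise ValueError(f"no interfaces recorded for VLAN {vlan}")
    network = members[0].network
    used = {m.ip for m in members}
    for candidate in network.hosts():
        if candidate not in used:
            return str(candidate)
    raise ValueError(f"no free host address left in {network}")


if __name__ == "__main__":
    for vlan, address, devices in find_address_conflicts(INTERFACES):
        print(f"VLAN {vlan}: {address} is claimed by {', '.join(devices)}; "
              f"a free address would be {suggest_free_address(INTERFACES, vlan)}")
    for vlan, nets in find_subnet_mismatches(INTERFACES).items():
        print(f"VLAN {vlan}: members disagree on the network: {nets}")
```

Running the check on the constructed inventory flags 192.168.30.1 on VLAN 30 as claimed by both devices and proposes 192.168.30.2; after moving the Proxmox entry to any other host address in 192.168.30.0/24, the conflict list is empty.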
#4
Been delving into Proxmox and the VM world, which is making a lot of things more simple, for me at least. But what I've been running into is that whenever I restart a VM in Proxmox, even using a static IP address from within the IP settings of the VM (LXC container specifically), which is mostly always a Debian 10 container, and from the console I ping or use a simple command like "apt update" to see if the internet is working, it doesn't. I'm running VLANs for these, and Proxmox itself is on a VLAN too (an admin VLAN, you could say), e.g. admin is on 192.168.10.1/24 and the typical application VLAN is 192.168.30.1/24, if that helps at all.

After trying pretty much every kind of setting I could think of in OPNsense that could possibly conflict with this when I restart a VM, I ended up finding that if I flush the ARP tables, the tables refresh, and then the VM's internet and even local traffic works correctly.

I made it so the VM MAC address doesn't auto-change, since it auto-generates in a VM; I made it static. But even so, even though the ARP table has the same MAC, it still needs to be refreshed.

When the LAN/internet is down on the VM, the only one I 'can' ping is the VLAN 192.168.30.1 (which is the main OPNsense VLAN), for example. Not sure if I could ping others on the subnet as well, but I don't have any other clients on that VLAN yet. But once the ARP is flushed I can ping other subnets on my network (and yes, the firewall rules allow this, for now).

VLANs are set up correctly with the switch and router-bridge that are in between the server and OPNsense.

Here is the topology if it helps:  OPNsense > Mikrotik-Router Fiber Switch in Bridged mode > Mikrotik regular Switch > then VM Proxmox Server.

Anyone know what I could do to solve this?
#5
I ended up fixing it. Had some wrong settings in the upstream DNS server on AdGuard that weren't pointed to my Unbound.
#6
Update: Sorry it's been a good while before getting back.

But I finally switched up the order with AdGuard, so now it's Unbound > AdGuard. And everything works like it's supposed to; since Unbound can start resolving, no startup issues are happening after a reboot, which is great.

Only thing that sucks is that on AdGuard the queries only show 127.0.0.1, ::1, and the fe80 IPv6 addresses instead of the actual client name (hostname). Is there a way around this? Some setting within OPNsense?
#7
I have three switches connected to OPNsense, and I'm getting the hang of how to do the VLANs and am creating VLANs and the like. My question is, is there a point in putting the switches in their own VLAN at all? Would it be helpful? Or not really worth it?

The switches are Layer 3 switches. If that matters.
#8
General Discussion / Re: IPv6 DNS Forwarding
November 20, 2021, 01:54:09 AM
Oh I see. I forgot the colons after ] which screwed me up when testing.

That definitely worked. But if in the end it doesn't really matter, since IPv6 will just auto-do its thing from the IPv4, that's alright.
#9
General Discussion / IPv6 DNS Forwarding
November 20, 2021, 01:09:55 AM
I've been tinkering with my DNS settings, and at least from what I know IPv4 is good to go. The way I have it set up is that port 53 is AdGuard > port 5353 is Unbound. My question is, when editing the settings in AdGuard to have the upstream be 127.0.0.1:5353, how do I do it for IPv6?

I'm able to put ::1 into it, and it states everything is good, but when using ports with the IPv6 localhost, which is ::1, how do you do ports with IPv6 for localhost? Or would ::1 work fine?

Or, as long as the upstream, which is 127.0.0.1:5353, is set, is there no reason to bother with the IPv6 settings since it would auto-do it? Is that how it works? I honestly can't find much info when it comes to ports with IPv6. All info is just IPv4.

I ask this because, when looking at the queries on AdGuard, the IPv6 addresses get pushed forward (or blocked, because of adblock settings and stuff). Maybe because I'm seeing this, I honestly don't need to edit anything?

Thanks!
#10
Oh ok, that makes sense. But what would it be? A WAN rule, or LAN rule? NAT rule? Sorry, I'm still learning all of this, so it's a bit confusing still.
#11
For troubleshooting purposes, is there a way to turn off the firewall without completely shutting down the internet access? Mainly to do this for troubleshooting ports, or why some software isn't working correctly, to tell if the issue is on my end.

Is there a way to do this? Some kind of filters or something? I've seen "Disable Firewall", but obviously that kills all traffic outbound. Is it some kind of NAT setting?

Thanks.
#12
Thanks for the info. I edited a few settings that were not the same as yours. So I'll see if that makes a difference, and update here.
#13
Oh right, I'm sorry, I forgot to mention I am using Unbound. The way I have the paths going is AdGuard on port 53, then in the AdGuard upstream DNS servers I point it to 127.0.0.1:5353, which is what Unbound is on.

Would maybe doing it the other way around or something fix this issue? Like Unbound on 53, and AdGuard on 5353. Though I'm not sure how to forward the traffic of Unbound to AdGuard so it does the job in reverse (from the config I have now).
#14
Hi there,

been using OPNsense for about a month now, incredible stuff. Love it.

But I've been noticing an issue on reboots. I have the plugin AdGuard Home from mimugmail, and from the logs I'm noticing that Dynamic DNS is trying to update, but AdGuard hasn't started yet. So the DNS stuff isn't working, and obviously the Dynamic DNS isn't going to work. Plus about 7 other plugins never start until I manually turn on AdGuard. Then everything goes back to normal and the bootup completes.

Is there some kind of config I can edit or something to change the weight/boot order so AdGuard could be the top first things to load?