Messages - flac_rules

#1
Quote from: meyergru on February 19, 2025, 10:02:17 AM
Quote from: flac_rules on February 19, 2025, 09:45:12 AM
I am sure it is not the right way to say it, but I have several addresses, some are temporary and what the outside world normally uses to communicate with my computer, but there is also the "regular" IPv6 address which no-one needs to know besides me.

I need it because it is more convenient to communicate with my gear if they have a static address. You can get around it with dyndns and the like but a static address is useful.

What you mean is the EUI-64-derived static IPv6 (often called "management address") vs. the dynamic "privacy extensions" IPv6. How to have both is explained in the linked article.


Just to be clear, I have both, it is just that the static address isn't static. (That is, I am not sure what the "main/static" address is derived from, but I have 4 addresses: 2 temporary ones, one link-local and one "regular".)
#2
Quote from: senser on February 18, 2025, 09:32:55 PM
Did you set a "DHCP Unique Identifier" and enable "Prevent release" in Interfaces->Settings?
For the unique identifier you can use the "insert existing DUID" below the input field.

I don't actually know if it will work, but I had the same issue. But since I set the DUID yesterday, I'll get the same prefix after a reboot. Hope it will stay that way...

This explains the DUID: https://datatracker.ietf.org/doc/html/rfc8415

Thanks, I will try that, and see how it works out.
#3
Quote from: meyergru on February 18, 2025, 09:27:08 PM
What is a "secret" address?

The first 48 bits of any routable IPv6 (i.e. GUA) you are using is determined by your ISP. If he hands out dynamic prefixes, you obviously cannot have static GUAs, no matter how the lower 64 bits are determined. Why do you need static IPv6, seriously? If you really do, you can use only static ULAs in that situation.

Maybe it would be beneficial for you to read this.

I am sure it is not the right way to say it, but I have several addresses, some are temporary and what the outside world normally uses to communicate with my computer, but there is also the "regular" IPv6 address which no-one needs to know besides me.

I need it because it is more convenient to communicate with my gear if they have a static address. You can get around it with dyndns and the like but a static address is useful.
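Added example, not part of the forum posts: a Python sketch of why the "regular" address changes when the ISP hands out a new prefix, while a ULA with the same interface identifier stays fixed. It assumes the interface identifier is EUI-64-derived, as named in the quoted reply; the MAC address, the 2001:db8 documentation prefixes, the ULA prefix and the function names are all constructed for illustration.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: insert ff:fe in the middle of the MAC and flip the U/L bit."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02  # universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(iid, "big")

def host_address(prefix: str, subnet_id: int, iid: int) -> ipaddress.IPv6Address:
    """Combine a delegated (or ULA) prefix, a subnet number and a 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("prefix must be /64 or shorter")
    if not 0 <= subnet_id < (1 << (64 - net.prefixlen)):
        raise ValueError("subnet id does not fit into the delegated prefix")
    return ipaddress.IPv6Address(int(net.network_address) | (subnet_id << 64) | iid)

def interface_part(addr: ipaddress.IPv6Address) -> int:
    """Lower 64 bits of an address (the part the host chooses itself)."""
    return int(addr) & ((1 << 64) - 1)

# Constructed sample values
MAC = "00:11:22:33:44:55"
IID = eui64_interface_id(MAC)
GUA_BEFORE = host_address("2001:db8:1000::/48", 1, IID)  # prefix before the ISP changes it
GUA_AFTER = host_address("2001:db8:2000::/48", 1, IID)   # prefix after the ISP changes it
ULA = host_address("fd12:3456:789a::/48", 1, IID)        # locally chosen prefix, never changes

if __name__ == "__main__":
    for label, addr in (("GUA before", GUA_BEFORE), ("GUA after", GUA_AFTER), ("ULA", ULA)):
        print(f"{label:11} {addr}")
```

Firewall rules or DNS entries that reference the full GUA break on a prefix change, even though the lower 64 bits are identical in all three addresses.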
#4
25.1, 25.4 Production Series / My IPv6 ip is not static
February 18, 2025, 08:48:39 PM
I thought (and wanted) my IPv6 IP to be static (not the temporary IPv6 addresses of course, but the "secret" IPv6 address), but it doesn't seem to be. Have I misunderstood something? Is there a setting that decides this?

My setting is IPv6 Configuration Type: DHCPv6 with Prefix delegation size 48
#5
Thanks, but why should I not do port translation? In the info you linked to it says:

"c. You can translate ports, even with IPv6."

"c. can be a security plus, because IPv4 port scanners will find it harder to identify services on non-standard ports."

Wouldn't this apply here?
#6
I don't know that much about IPv6, but I have a setup where I get a /48 network, and I have made a /64 network "internally", and the clients get their IPs "themselves" with SLAAC (if I understand correctly). I can make a firewall rule to let through a port to the IP. But can I make OPNsense change the port? That is, send something from port 2000 on WAN to port 1000 on the LAN for instance? With IPv4 I would just use port forward.

Bonus question, is there a way to see the IPv6 addresses on my clients on the LAN?
#7
I have 4 network ports, one for WAN, one for LAN (which goes to a switch). I want to use a port for my IPTV decoder; to get it to work I need to connect it directly into the router. But what is best practice to set this up? If I set up a DHCP server on the IPTV interface this seems to cause trouble, even if I set it up to use a different range than the LAN interface. I use 192.168.1.x for IPs on the LAN interface.
#8
22.7 Legacy Series / Setting up IPTV(igmp)
January 26, 2023, 09:17:28 PM
I am struggling with the setup for IPTV. I have posted a screenshot from my Asus router; with those IGMP settings, the IPTV from my provider works well. But with the OPNsense setup of IGMP it doesn't work, any tips?
#9
22.7 Legacy Series / Re: Setting up uPNP
January 26, 2023, 07:22:34 AM
Oh sorry, I even checked there, I don't understand how I missed that, thank you.
#10
22.7 Legacy Series / Setting up uPNP
January 25, 2023, 10:19:39 PM
I recently for the first time have gotten an IPTV box to watch TV, it uses some kind of multicast setup, and it apparently needs uPNP to be turned on. I tried installing os-upnp, but do I understand it correctly that this cannot be configured through the web interface?
#11
Thanks, that worked, I had some network problems and was struggling about with finding the config file, so sorry about the very late reply.
#12
Thanks a lot, but I can't find freemyip on the list of supported services in the ddclient plugin?
#13
I am struggling with the ddclient plugin setup. I don't really care about which service it is I think, as long as it is free, and I can just register there. I tried with a couple, but I seem to set it up wrong. Does anyone have a working setup I can copy, with any service?
#14
Quote from: franco on June 24, 2022, 01:33:24 PM
I would tend to disagree, unless you want to imply the concept of "source" and "destination" in all NAT types and firewall rules is ambiguous. I might agree, but I haven't witnessed a single discussion that brought that particular argument.

You may think this qualifies as a strawman, but I'm simply wondering why nobody brought this up before in clarity after decades of this code existing. It's strange.


Cheers,
Franco

I can only speak for myself, I am just a guy answering what I personally found less clear than it could be in the interface. I have never used pfSense.
#15
Quote from: franco on June 24, 2022, 11:16:37 AM
It's rather simple really. Destination is the address of the packet in the destination address field at the time of the rule evaluation. This is basic matching on IP header information. Not magic.

I understand the motivation to make it simple, but without basic networking knowledge port forwarding makes no sense whatsoever.


Cheers,
Franco

I have basic networking knowledge. I know what port forwarding does. That doesn't make "destination" non-ambiguous in a network setting. The machine you are sending to on the LAN is also a destination address with an IP in the header. Understanding the concept of the address in the incoming packet isn't the problem, the problem is that it is not clear enough that "destination" talks about this particular thing. (and that the default isn't the "most normal" choice.)