Messages

1

24.1 Legacy Series / Re: Can you "port forward" ipv6 when clients have IPs from SLAAC?

« on: June 04, 2024, 08:12:17 am »

Thanks, but why should I not do port translation? In the info you linked to it says:

"c. You can translate ports, even with IPv6."

"c. can be a security plus, because IPv4 port scanners will find it harder to identify services on non-standard ports."

Wouldn't this apply here?

2

24.1 Legacy Series / Can you "port forward" ipv6 when clients have IPs from SLAAC?

« on: June 03, 2024, 09:06:13 pm »

I don't know that much about ipv6, but i have setup where i get a /48 network, and i have made a /64 network "internally", and the clients get their IPs "themselves" with SLACC (if i understand correctly). I can make a firewall rule to let through a port to the IP. But can make OPNsense change the port? That is send something from port 2000 on wan to port 1000 on the LAN for instance? With IPv4 i would just use port forward.

Bonus question, is there a way to see the ipv6-adresses on my clients on the LAN?

3

23.1 Legacy Series / How to set up several interfaces.

« on: April 01, 2023, 03:06:46 pm »

I have 4 network ports, one for WAN, one for LAN (which goes to a switch), i want to use a port for my IPTV decoder, to get it to work I need to connect it directly into the router. But what is best practice to set this up? If I set up a dhcp server on the IPTV-interface this seem to cause trouble, even if i set it up to use a different range than the LAN interface. I use 192.168.1.x for IPs on the LAN-interface.

4

22.7 Legacy Series / Setting up IPTV(igmp)

« on: January 26, 2023, 09:17:28 pm »

I am struggling with the setup for IPTV, i have postet a screenshot from my asus-router, with those IGMP-settings, the IPTV from my provider works well. But with the opnSense setup of igmp it doesn't work, any tips?

5

22.7 Legacy Series / Re: Setting up uPNP

« on: January 26, 2023, 07:22:34 am »

Oh sorry, I even checked there, I don't understand how i missed that, thank you,

6

22.7 Legacy Series / Setting up uPNP

« on: January 25, 2023, 10:19:39 pm »

I recently for the first time have gotten an IPTV-box to what TV, it uses some kind of multicast setup, and it apparently needs uPNP to be turned on. I tried installing os-upnp, but do i understand it correctly that this cannot be configured through the web Interface?

7

General Discussion / Re: Does anyone have a DDNS-setup i can copy?

« on: July 17, 2022, 02:43:58 pm »

Thanks, that worked, I had some network problems and was struggling about with finding the config file, so sorry about the very late reply.

8

General Discussion / Re: Does anyone have a DDNS-setup i can copy?

« on: July 09, 2022, 11:40:56 am »

Thanks a lot, but I can't find freemyip on the list of supported services in the ddclient plugin?

9

General Discussion / Does anyone have a DDNS-setup i can copy?

« on: July 06, 2022, 10:10:10 pm »

I am struggling with the ddclient-plugin setup, I don't really care about which service it is I think, as long as it is free, and i can just register there, I tried with a couple, but I seem to set it up wrong. Does anyone have a working setup i can copy, with any service?

10

Tutorials and FAQs / Re: Why is port forwarding not easier?

« on: June 24, 2022, 03:45:50 pm »

I would tend to disagree, unless you want to imply the concept of "source" and "destination" in all NAT types and firewall rules is ambiguous. I might agree, but I haven't witnessed a single discussion that brought that particular argument.

You may think this qualifies as a strawman, but I'm simply wondering why nobody brought this up before in clarity after decades of this code existing. It's strange.


Cheers,
Franco

I can only speak for myself, I am just a guy answering what i personally found less clear than it could be in the interface. I have never used pfsense.

11

Tutorials and FAQs / Re: Why is port forwarding not easier?

« on: June 24, 2022, 01:25:09 pm »

It's rather simple really. Destination is the address of the packet in the destination address field at the time of the rule evaluation. This is basic matching on IP header information. Not magic.

I understand the motivation to make it simple, but without basic networking knowledge port forwarding makes no sense whatsoever.


Cheers,
Franco

I have basic networking knowledge. I know what port forwarding does. That doesn't make "destination" non-ambiguous in a network setting. The machine you are sending to on the LAN is also a destination address with an IP in the header. Understanding the concept of the address in the incoming packet isn't the problem, the problem is that it is not clear enough that "destination" talks about this particular thing. (and that the default isn't the "most normal" choice.)

12

Tutorials and FAQs / Re: Why is port forwarding not easier?

« on: June 24, 2022, 11:06:43 am »

Partly agree to the ordering issue and the help texts csn definitely be improved. Destination ... well ... systems outside can't talk to your internal private address hosts. That's why you need a port forwarding NAT in the first place. So drom the point of view of the systems outside they talk to one WAN address of the firewall. And there might be a couple of them, so the admin needs to pick one.

Every firewall product I used in the last decades worked exactly this way.

Pick from leases ..  well, that's a matter that has the potential to lead to heated debate. Common consumer routers like the ubiquitous (in Germany) Fritzbox do this. I for one don't want any of that. Neither do I want any DHCP lease leading to an automatic DNS entry. I hate it when random devices connected to my network create artefacts in my carefully curated DNS zone or firewall policy.
Worst of all theses products create port forwards to deviced with dynamic leases and are completely intransparent about how they address and track those devices. Device gets new IP address - does the port forward follow? New device gets old IP address - what now?

I really want the thought process

- ok so my son wants to run Minecraft and open it up for his friends
- that means static IP address internally
- that means DNS entry for bookkeeping
- that means firewall object (alias in OPNsense) with that IP address
- and finally port forwarding rule

That's exactly how it should be in my book. Magic automatic things like assigning a firewall rule to a dynamic lease tend to explode and make a mess at some time in the future.

Thanks for the feedback!

Patrick

I know why it is needed, but it is imho not clearly worded. What is the "destination", destination of what? It could just as well be the destination on the LAN.

I don't think a list is complicated, you choose some suggested ips from the list, because (at least me) you don't rember every single IP on your network. The port forwarding goes to the IP. If people don't understand dynamic and static leases they certainly won't understand the rest of the dialogue imho.

I like the other suggestion for the setup as well, it groups related things together in a more understandable manner.

13

General Discussion / Re: How to setup DDNS?

« on: June 22, 2022, 11:05:50 pm »

Try disabeling "Force SSL". Some DDNS providers don't work if you have that enabled, if HTTPS is something you must have, then namecheap works just fine for it.

Thanks this at least gave me som new errors

Like Failed to update Server said: 'KO'
and "WARNING: Wait at least 5 minutes between update attempts"

Despite the update time being 6 minutes, any idea what can be wrong here?

14

Tutorials and FAQs / Re: Why is port forwarding not easier?

« on: June 22, 2022, 11:02:15 pm »

I don't get what's confusing about NAT > Port Forwarding ... can you explain in a bit more detail?

This is what is confusing to me, the most normal port forwarding task I think (at least for me) is to forward a port directly from "the outside" to a machine on you LAN. The 3 most important settings is thus the incoming port(s) the ports they are to be sent to and which ip to send it.

First option - disable the rule why is this first? Why isn't this at the bottom?
Second option - NO RDR - another option that should be at the bottom, the helt even says it is rarely needed and shouldn't be used unless you really know what you are doing.
Interface: Fair enough
TCP-IPverson fair enough
Protocol - fair enough.
Source Advanced - seems to me like this should be moved down, what if you press advanced, and want to go back to "basic"? Impossible?
Destination-invert, should be moved down but up for debate.
Destination: Help says nothing, destination for what? The destination machine on my LAN perhaps? No, but not very clear, and why isn' WAN the default, and why is there no help-text?
Destination port range: This seems to be useful, but what does it say HTTP? Is this some kind of weird protocol-choice? What does HTTP have to do with port-forwarding? Ah, they mean port 80, why isn' the default to input the port number? And why doesn't it at least say HTTP (Port 80) or something so it is actually clear that this is the input of the ports?
- Redirect target ip: Why can't i choose from a pulldown-list of the leases here?

The rest is fine enough, but I really think the interface makes a simple task like "forward port 42101 to port 42101 on machine X" more confusing than it needs to be.

15

General Discussion / Re: How to setup DDNS?

« on: June 22, 2022, 12:15:52 pm »

There are some known issue with newere Dyndns client os-ddclient,  https://forum.opnsense.org/index.php?topic=26446.msg127725#msg127725

Try DuckDNS, it worked for me, I had no luck with Noip

I tried duckDNS first, but i had the same problem there as with dynu.