1
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
24.1 Legacy Series / Re: OpenVPN - Selective Routing to External VPN Endpoint
« on: February 23, 2024, 10:33:01 am »
Some additional troubleshooting, packet capture only shows packet leaving the interface, but nothing from remote
Also, lan clients can ping VPN interface IP on firewall
Btw, I have only route-noexec enabled on the VPN client configuration
Also, lan clients can ping VPN interface IP on firewall
Btw, I have only route-noexec enabled on the VPN client configuration
3
24.1 Legacy Series / OpenVPN - Selective Routing to External VPN Endpoint
« on: February 22, 2024, 09:28:58 pm »
Versions OPNsense 24.1.2_1-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13
I have OpenVPN client connected to a VPN provider, VPN connection is up and Interface/Gateway are also up (VPN -->OpenVPN-->Instances). I can ping and traceroute through the tunnel IP to internet (Gateway --> Diagnostic) from the firewall itself.
I have use case similar to https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html where I need only few LAN client traffic to traverse through the VPN connection/interface.
For some reason, I cannot seems to get it working. I have the Outbound NAT and Rule on LAN interface configured but none these LAN clients cannot seem to be able to reach internet. Traceroute/Ping just timeout. Removing the LAN interface firewall rule cause all traffic to go through WAN interface, which is not what I want.
Any ideas how to troubleshoot or fix this?
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13
I have OpenVPN client connected to a VPN provider, VPN connection is up and Interface/Gateway are also up (VPN -->OpenVPN-->Instances). I can ping and traceroute through the tunnel IP to internet (Gateway --> Diagnostic) from the firewall itself.
I have use case similar to https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html where I need only few LAN client traffic to traverse through the VPN connection/interface.
For some reason, I cannot seems to get it working. I have the Outbound NAT and Rule on LAN interface configured but none these LAN clients cannot seem to be able to reach internet. Traceroute/Ping just timeout. Removing the LAN interface firewall rule cause all traffic to go through WAN interface, which is not what I want.
Any ideas how to troubleshoot or fix this?
4
23.7 Legacy Series / [SOLVED] LAN clients cannot ping internet IPv6 addresses
« on: December 02, 2023, 04:08:20 pm »
Solved this with following config, IPV6 works with Etisalat Dubai, which gives /64 prefix. LAN clients get IPv6 Global Addresses and routing to external IPv6 addresses
[WAN]
[LAN]
Services: Router Advertisements: [LAN]
[WAN]
Code: [Select]
IPv4 Configuration Type: PPPoE
IPv6 Configuration Type: DHCPv6
DHCPv6 client configuration
Use IPv4 connectivity: Checked
[LAN]
Code: [Select]
IPv4 Configuration Type: Static IPv4
IPv4 Configuration Type: Track Interface
Track IPv6 Interface
IPv6 Interface: WAN
Manual configuration: Checked (Allow manual adjustment of DHCPv6 and Router Advertisements)
Services: Router Advertisements: [LAN]
Code: [Select]
Router Advertisements: Unmanaged
5
23.7 Legacy Series / Re: LAN clients cannot ping internet IPv6 addresses
« on: November 16, 2023, 04:29:39 am »
That would required DHCPv6 and Route Advertisement enabled, right?
Quote
That is perfectly ok and intended. Your LAN clients will (if all else goes well) be able to communicate using the GUA from that single /64 and your OPNsense will route the packets using a link-local address.
6
23.7 Legacy Series / Re: LAN clients cannot ping internet IPv6 addresses
« on: November 15, 2023, 10:01:13 pm »
The IPv6 I get on WAN/LAN are identical except last octet with /64 prefix
The reddit post mentioned above is the exact situation I am in.
Can someone translate it to OPNsense setup?
If I change WAN to "Request only an IPv6 prefix", the WAN interface only get a link-local address
Code: [Select]
LAN 2001:XX:XX:XX:XX:XX:XX:2f10/64
WAN 2001:XX:XX:XX:XX:XX:XX:2f13/64The reddit post mentioned above is the exact situation I am in.
Can someone translate it to OPNsense setup?
Quote
I gave up on MikroTik and used cisco ISR router. I was able to configure dialer interface via ppp, request dhcp-pd prefix and create own DHCP with ULA addresses. So now I have both stable internal IPv6 network and ipv6 internet access.
If I change WAN to "Request only an IPv6 prefix", the WAN interface only get a link-local address
Code: [Select]
fe80::7e5a:1cff:fe6d:2f11
7
23.7 Legacy Series / Re: LAN clients cannot ping internet IPv6 addresses
« on: November 15, 2023, 02:49:54 pm »
The WAN and LAN are set to these
I cannot even ping the LAN interface of the OPNsense from any of the LAN clients, which I think is due to incorrect or non-existing default route.
Please refer to the default route from one of the LAN clients
Code: [Select]
WAN
===
IPv4 Configuration Type: PPPoe
IPv6 Configuration Type: SLAAC
LAN
===
IPv4 Configuration Type: Static IPv4
IPv6 Configuration Type: Track Interface
- Tracking interface for LAN seems to be working as I am getting /64 prefix IPv6 on LAN as well
- I cannot enable Router Advertisement, as soon as I enable it, I loose IPv6 on the LAN interface
- WAN/LAN get /64 prefix IPv6 with identical IP's except for last octets
I cannot even ping the LAN interface of the OPNsense from any of the LAN clients, which I think is due to incorrect or non-existing default route.
Please refer to the default route from one of the LAN clients
Code: [Select]
ip -6 route show default
default proto ra metric 1024 expires 1566sec mtu 1492 pref medium
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev eno2 weight 1
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev wlo1 weight 18
23.7 Legacy Series / [SOLVED] LAN clients cannot ping internet IPv6 addresses
« on: November 13, 2023, 05:38:15 pm »
Another IPv6 setup help,
I am running OPNsense 23.7.5, Etisalat UAE ISP and need help with setting up IPv6. I was able to get IPv6 on the WAN and LAN interfaces as well as LAN clients seems to get the IPv6
I can ping IPv6 address on internet from the OPNsense itself, but I cannot ping the LAN clients
LAN clients cannot ping OPNsense IPv6 address or any IPv6 on the internet
Default route on the LAN clients
Any help appreciated
I am running OPNsense 23.7.5, Etisalat UAE ISP and need help with setting up IPv6. I was able to get IPv6 on the WAN and LAN interfaces as well as LAN clients seems to get the IPv6
- OPNsense get /64 prefix on both LAN/WAN interfaces 2001:--redacted--/64
- LAN clients also get /64 address 2001:--redacted--/64
Code: [Select]
WAN
===
IPv4 Configuration Type: PPPoe
IPv6 Configuration Type: SLAAC
LAN
===
IPv4 Configuration Type: Static IPv4
IPv6 Configuration Type: Track InterfaceI can ping IPv6 address on internet from the OPNsense itself, but I cannot ping the LAN clients
LAN clients cannot ping OPNsense IPv6 address or any IPv6 on the internet
Default route on the LAN clients
Code: [Select]
ip -6 route show default
default proto ra metric 1024 expires 1566sec mtu 1492 pref medium
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev eno2 weight 1
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev wlo1 weight 1- Any attempt to enable - Allow manual adjustment of DHCPv6 and Router Advertisements - I lose IPv6 on the LAN interface
- Floating firewall rule to allow IPv6 ICMP for both direction, on any inferface is in place
Any help appreciated
9
22.1 Legacy Series / Re: Wireguard and ZeroTier switched interface on Reporting-Insight
« on: June 23, 2022, 12:30:36 pm »
Sorry don't understand the inner working of Netflow, but can I manally override this index?
Any other suggestion to fix this?
Any other suggestion to fix this?
10
22.1 Legacy Series / Re: Wireguard and ZeroTier switched interface on Reporting-Insight
« on: June 22, 2022, 08:14:22 pm »
Did a packet capture of both WG0 and ZT0, don't see any source/destination mismatch.
Looks like this might be issue with Netflow tagging the interface incorrectly, any idea how to troubleshoot and fix it?
Looks like this might be issue with Netflow tagging the interface incorrectly, any idea how to troubleshoot and fix it?
11
General Discussion / Re: How to setup DDNS?
« on: June 22, 2022, 10:31:19 am »
There are some known issue with newere Dyndns client os-ddclient, https://forum.opnsense.org/index.php?topic=26446.msg127725#msg127725
Try DuckDNS, it worked for me, I had no luck with Noip
Try DuckDNS, it worked for me, I had no luck with Noip
12
22.1 Legacy Series / Wireguard and ZeroTier switched interface on Reporting-Insight
« on: June 22, 2022, 10:22:27 am »
I am running both Wireguard and Zerotier the Opnsense firewall ( OPNsense 22.1.8 ) , with firewall rules & Gateway for each interface. I have enabled Netflow on LAN/WAN interface capturing locally.
For some reason, Reporting --> Insight shows Wireguard traffic on Zerotier interface and Zerotier traffic on Wireguard interface. This is true for Insight Graph and Traffic tab as well.
Strangely enough, realtime traffic under Reporting --> Traffic (Graph and Top Talkers) show correct traffic for each of these interfaces.
This looks like a cosmetic issue with no affect on Firewall rules, Routing or Gateway etc.. What could be causing this?
For some reason, Reporting --> Insight shows Wireguard traffic on Zerotier interface and Zerotier traffic on Wireguard interface. This is true for Insight Graph and Traffic tab as well.
Strangely enough, realtime traffic under Reporting --> Traffic (Graph and Top Talkers) show correct traffic for each of these interfaces.
This looks like a cosmetic issue with no affect on Firewall rules, Routing or Gateway etc.. What could be causing this?
Pages: [1]