Messages - mike8971267

#1
Hey all,

I'm having an issue lately where the DHCPv6 server (for the LAN) doesn't start at boot anymore. I need to manually start the service via the Web GUI. Once started, DHCPv6 seems to work on my network again.

I cannot figure out how to force it to start at boot, nor how to get monit to ensure it is always up. I've made several attempts to get the server to use a PID file for monit, but it never shows up.

Additionally, the service `service isc-dhcpd6` doesn't seem to be connected to the same service that the web GUI starts. When I use `service isc-dhcpd6 start`, it is not reflected in the web GUI. When I use `service isc-dhcpd6 status`, it claims the service isn't running even after being started via the web GUI.

Help please :'(

My dashboard showing DHCPv6 did not start at boot:

Config page where I'm trying to get DHCPv6 to start at boot:

In this final screenshot, I've started DHCPv6 via the web GUI then asked via CLI whether it is running. You can see the command thinks it is not running, and there is no PID file to be found either:

#2
Hey all,

I'm trying to learn how to set up traffic shaping using an alias that I can use to specify a large list of IP addresses. However, in the "edit rule" area of Firewall -> Shaper, I only see "any" as an option in the "source" field.

I would like to use some sort of alias so I can group and reuse many IPs/ranges. Is there a way to do this?

#3
Hey all,

I've noticed that every once in a while - after rebooting opnsense, or rebooting my modem, or sometimes for no reason - opnsense cannot grab a WAN IP for a while. It seems to happen less than once per week, but when it does, I have to repeatedly reboot both the modem and opnsense until it eventually catches on again.

I've tried doing WAN release/renew, WAN reload, full opnsense reboot in rapid succession, rebooting opnsense then waiting 5 minutes, etc. I'm not sure what sort of pattern I'm supposed to be using for the fastest turnaround.

Is there a related setting I can use to help smooth this process out, or perhaps help opnsense be able to recover on its own, without my intervention?

#4
Update: All I had to do was wait for 22.7 to come out. It has extra TLS options right in Logging -> Remote Targets.

#5
Hey all,

Before switching from a plain home router to opnsense, I was able to connect to certain local services through my WAN IP. Now opnsense seems to be blocking that, which I'm sure is a good default. But now I'm wondering a couple of things.

  • What firewall rule(s) would I put in place to get that functionality back? Suppose I'm going to sit at a LAN machine and perform a connection on a dynamic DNS hostname, which will map to the WAN IP.
  • Would this be considered a bad idea? A security faux pas? I admit I don't need to do this. I just sometimes check functionality from inside the LAN, but I could probably just put my laptop on a mobile hotspot and check that way instead.

#6
Thank you again for your help! Everything seems to be working now on my end.

Yeah, agreed about getting the prefix right, according to the ISP. That was definitely my first biggest issue. After that, I may have been messing things up by setting the LAN::DHCP range to my desired ULA range. Once I set it to simply "::" to "::ffff", I believe that helped a lot.

I then gave the router a ULA address using the Virtual IP feature, as I've seen recommended in various places. Setting Router Advertisements to "Assisted" did seem to allow LAN clients to get their own IPs (both public and from my ULA prefix), and after rebooting my modem and staring off into space for a while, routing started to work as well.

At that point I kinda gave up on having the DHCP server set up static private IPs and just added them statically to all my machines as an extra address. So now all machines get internet, can reach each other through their private static ULAs, and use advertised DNS servers (I have a couple here).

Thank you again!

Also, if anyone in the future would like to ask about specific settings, and I'm still using them, I can share.

#7
Hey thank you for your advice. I might be one step closer now.

So first, I noticed I may have had the wrong "Prefix delegation size" selected in the WAN DHCPv6 client config. After looking at my "overview" for WAN, it said /56, and I think matching that in my config suddenly showed more information over in the DHCP server area.

After that I changed the IPv6 type to "Track Interface" per your suggestion. It would not allow me to enter a ULA prefix in the "IPv6 Prefix ID", so I left it at 0 (?).
With this change, my LAN machines now get IPv6 addresses (!). They just don't have connectivity for some reason, so I may still be a step away. Firewall "live view" doesn't show anything being denied on IPv6 during some tests (pings, wgets). I am also using Proxmox but have disabled the firewall there for both interfaces (LAN and WAN), which I feel wouldn't be an issue because the router itself still has both IPv4 and IPv6 connectivity to the internet.

Also, now in the DHCPv6 server area, the "Available range" shows my public IP block rather than the previous ULA block, and none of the LAN clients get private IPs on my ULA range. I think I could give that up to get IPv6 WAN working though, and just statically configure the extra private addresses (sad as that may be).

#8
Hello,

Is there a tutorial or wiki somewhere that can help me set up opnsense to send logs to a remote rsyslog server that requires TLS?

I have this working on several other machines using the following tutorial: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_configuring-a-remote-logging-solution_security-hardening

My typical client config inside /etc/rsyslog.d looks something like:

```
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/usr/local/share/ca-certificates/BLA.crt"
    DefaultNetstreamDriverCertFile="/etc/ssl/mike/bla.chain.pem"
    DefaultNetstreamDriverKeyFile="/etc/ssl/mike/bla.key.pem"
)
```

I've also gotten this to work with syslog-ng as a client, but I don't have access to that config at the moment.
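For reference, here is a complete rsyslog client/collector pair for TLS log forwarding, added as an example and not taken from the post above or from the OPNsense project; the hostnames, port 6514, certificate paths and peer names are assumptions. It extends the global() block from the post with the forwarding action and the server-side input, using x509/name mutual authentication so that a client only ships logs to the named collector and the collector only accepts logs from named clients.

```rsyslog
# --- Client side (e.g. /etc/rsyslog.d/remote-tls.conf) ---
# TLS defaults: CA to trust, and this host's own certificate and key.
# Paths are placeholders for this example.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/ssl/example/ca.crt"
    DefaultNetstreamDriverCertFile="/etc/ssl/example/client.chain.pem"
    DefaultNetstreamDriverKeyFile="/etc/ssl/example/client.key.pem"
)

# Forward everything over TCP+TLS. Mode 1 means TLS only (no plaintext
# fallback); x509/name checks the collector's chain AND its certificate
# name against StreamDriverPermittedPeers. The disk-assisted queue keeps
# events while the collector is unreachable instead of dropping them.
action(
    type="omfwd"
    protocol="tcp"
    target="logserver.example.home"
    port="6514"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="logserver.example.home"
    queue.type="LinkedList"
    queue.filename="remote-tls-fwd"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
)

# --- Collector side (rsyslog server, separate host) ---
# Same global() block as above with the server's own cert/key, then
# require a client certificate whose name matches PermittedPeer, so an
# unauthenticated host on the network cannot inject log lines.
module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.AuthMode="x509/name"
    PermittedPeer=["opnsense.example.home", "*.example.home"]
)
input(type="imtcp" port="6514")
```

A mismatch between a peer's certificate name and the PermittedPeer list shows up in the rsyslog error log on the rejecting side, which is the first place to look when the connection is established but no logs arrive.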
#9
Hello friends!

I'm brand new to opnsense and happy to have my first install up and running (sorta). All IPv4 seems to work (opnsense public WAN address, LAN private addresses via DHCP, DNS options, NAT, etc). I'm having issues getting public IPv6 addresses out to the LAN clients. Opnsense gets an IPv6 WAN address from my ISP, and can itself ping remote servers with IPv4 and IPv6. It is also able to send ULA addresses to LAN clients via DHCPv6 with my private static prefix, allowing all LAN machines to ping/connect each other via IPv6.

However, none of the LAN machines get public IPv6 addresses, or can ping/connect remote servers via IPv6; only opnsense seems to have IPv6 WAN connectivity. I'm sure I'm making some very simple newbie mistake and it feels great+awful to be just one step away.

Potentially relevant settings follow (private prefix stuff altered):

Services: DHCPv6: [LAN]:

  • Range is set to my private ULA range: fd00:0000:0000:0000:0000:0000:0001:0000 to fd00:0000:0000:0000:ffff:ffff:ffff:ffff. I started with the 0001:0000 offset so I could leave the very last 16 bits for static address assignments handed out via DHCPv6. So far those seem to be working.

  • Prefix Delegation Range is left empty, because I'm not sure I understand what to do.

  • DNS Servers is set to two local DNS servers on the LAN.

  • Domain search list is just "home", because that's the domain I've been using the last few years.

  • The rest of the settings are left blank.

Services: Router Advertisements: [LAN]:

  • Router Advertisements: Assisted
  • Router Priority: Normal
  • Source Address: Auto
  • Advertise Default Gateway: Checked
  • All remaining settings left default/blank

According to "Interfaces Overview", my ISP has given me a WAN IP address with a /56 assignment.

In summary, I'm just one requirement away from success:

  • 8) Public WAN IPv6 for opnsense
  • 8) Static private ULA IPv6 for opnsense
  • 8) Static ULA IPv6 leases for all LAN clients
  • :-\ WAN IPv6 for all LAN clients + WAN connectivity

Also potentially relevant: I had all this working last week on OpenWRT, before making the switch to opnsense.

Thank you so much for reading this far. Any help, advice, insight, is appreciated.