Messages

Whatever the mask it is, you are right.
I oughtta get my eyes checked since I totally read those third octets as being different. They are indeed the same. Ouch.  ::)

Firewall -> Aliases -> + (add new) -> Type: Hosts
Then add the external IP addresses that should be allowed and choose a useful name for the alias.

Next, edit the firewall rule that allows incoming traffic from WAN to your local PBX. There you select the alias you just created as allowed source.

We do not know the subnet sizes, do we? ;D

Ich habe mit OPNsense 22.7.10_2 das selbe Problem und wir sind auch nicht allein: https://github.com/opnsense/core/issues/6223#issue-comment-box

Could you do a DNS lookup of the hostname you are using to access the GUI and see if it returns a single address or multiple values, some of which might not be reachable beacuse of firewall rules?

For what it's worth: It's working here again. Not sure if clearing the browser cache helped or if it was some heisenbug.

Edit: Clearing the browser cache fixed this issue with Chrome/Windows 10 as well as Safari/macOS 13.0.

I can reproduce this on OPNsense 22.7.6-amd64 using Unbound as DNS resolver.

I can confirm that the solution described by comet does indeed fix this problem.

Posting to add that you should flush your state table after adding the custom outbound NAT rule - just in case some other host is using any of the required ports.

Firewall > Diagnostics > States > "Actions" tab > "Reset state table" button.

That interface still shows IFDISABLED

Indeed, but why? Does it stay in disabled state until it receives a prefix?

73

It says the interface is disabled.  Also no carrier, doesn't that mean isn't plugged in?

Yes, sorry I unplugged it a few times while testing and didn't notice when taking the screenshots.

Here's the same thing when connected:

Code Select Expand

ifconfig igc1
igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: USERS
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
        ether 60:be:b4:02:38:61
        inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

This is unique to your setup.

That's encouraging!  ;D

Going to Interfaces: Overview will show that an ipv6 link local is applied to each interface.

It does not and neither does ifconfig.

Here is an example of an interface that has Track Interface configured, while the the uplink is down (hasn't acquired a prefix yet):

Code Select Expand

% ifconfig igc1
igc1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: USERS
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
        ether 60:be:b4:02:38:61
        inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

See the attached screenshot for the Web GUI view of that interface.

Test case 3:

• Manually assign an fe80::/64 IP Alias under Interfaces / Virtual IPs
• IPv6 Configuration Type: Static IPv6
• Set IPv6 address to valid non-link-local IPv6 address.

Result: neighbor solicitations for both, the link-local and the statically configured interface address are sent from an all-zeroes address.

On further investigation I noticed that OPNsense not only fails to assign a link-local address but sends its ICMPv6 messages from an all-zeroes address. See attached nighbor discovery message for example. The destination address is generated correctly in this case.

It appears that 22.7 does not automatically assign link-local addresses to an interface once IPv6 is enabled.

Test case 1:

• IPv6 Configuration Type: Track Interface
• Set Track IPv6 Interface to valid Interface and Prefix ID.

Test case 2:

• IPv6 Configuration Type: Static IPv6
• Set IPv6 address to valid non-link-local IPv6 address.

Result in both cases: the interface picks up the configured address but no link-local address is assigned.

What's going on?

IPv6 Configuration Type: Track Interface
Track IPv6 Interface:
IPv6 Interface: WAN
IPv6 Prefix ID: 0x2

Solange kein GUA-Prefix per DHCPv6 von upstream auf das WAN-Interface kam, gibt es auf dem lokalen Interface in OPNsense auch keine LLA.

Muss das so, soll das so, oder übersehe ich was?

edit: Ist eskaliert, siehe hier.