Messages

I think I resolved this.  It appears to be because "Allow manual adjustment of DHCPv6 and Router Advertisements" wasn't selected on the interface and for some reason "Enable DHCPv6 server on LAN interface" was enabled on the DHCPv6 ISC setting for each interface.  

Name resolution is now working, but ping for ipv6 addresses is still erratic.

maybe this will help someone else.

Hi everyone
 
I'm hoping someone else has encountered this and is able to tell me a solution.
 
I have recently upgraded to 26.1.3 and I'm not sure if this issue occurred before or not, but I am getting a Link local address assigned as a IPv6 gw entry on my internal network interfaces and the firewalls eui-64 address for DNS.
 
My config is as follows:

• I use Adguardhome for primary DNS on port 53
• Unbound for reverse lookups on port 53530
• fw rules & NAT force all DNS traffic to us internal DNS servers for name resolution as much as possible.
• I use ISC DHCP & v6 with router advertisements.
• No DNS entry is configured in router advertisements.
• WAN interface is set to DHCP
• internal interfaces are set to track the WAN interface with a prefix added for each unique interface.

 
The  DNS entry is a problem because Windows, if IPv6 is available, defaults to using it so reverse and forward lookups are failing and it eventually reverts to IPv4.  Nslookups fail as do pings to dns names.
 
AI suggests removing IPv6 completely as the solution, thing is, this used to work.
 
Is anyone aware of a fix for this or where I could be going wrong in my config?
 
thanks

Hi Team

I've tested upgrading successfully 3 times on different lab environments, but I'm confused as to why the fw rules continue to remain greyed out and uneditable once migrated and step 5 is complete, am I missing something to complete the migration of fw rules?

Everything appears to function as expected although mine aren't complicated labs, but my main reason for testing was to see what happens with ISC DHCP and IPv6, which is working.

While I do appreciate all the effort that goes into the software and please I'm not disrespecting anyone, I'm not a fan of the new firewall interface to switch between networks, it's a lot of extra clicking to navigate now.  If it was possible to choose a default landing page rather than floating rules, it may help.  Happy to hear the reason for the change though.

unfortunately there is no network between levels, but I suspect that may resolve the issue I'm facing.

Thanks everyone else for your replies, I was hoping that there was some solution that avoided seperate controllers as that's another level of management that needs to remain stable.

Hi everyone

I'm in need of some recommendations, obviously, I'm using Opnsense as my firewall, but as I'm living in a double story home, I need a mesh wifi solution.  Currently I'm using 4 wifi AP's so that I can separate IOT & Guest clients from home client devices.

Can anyone recommend some AP's that I can use that will allow vlans over wifi and still support a mesh system?

I've heard Ruckus can do this but I'd appreciate some feedback from the Opnsense community.

I'd like to replace the current system with 2 AP's but I'd like to have more VLAN's on the wireless network.
Does anyone have any recommendations that they have successfully implemented?

thanks

I'll second this!

I've done quite a bit of testing, moving from Adguardhome to unbound and its BL's. Even using the same BL's with the URL's added to unbound make them identical, I'm still getting AD's coming through when using unbound, that I don't when using Adguardhome.
A restart of Opnsense also doesn't appear to make any difference, local client dns cache and browser cache clears as well as rebooted the client.

I'll give it a second go after the next upgrade

Thanks for the reply and info Franco

Hello Franco

Sorry to direct this to you, I know you're busy.

• Could you please tell me what the plan is for DHCP ISC?  
• I know it will be retired and become a plugin, but when will this happen?  
• Will we need to change any configurations to keep it running or will it continue as already implmented?

I know I should be moving off it, but after spending too many days implementing, configuring and troubleshooting it due to encountering problems with DHCPv6, I've given up.

Unless there are serious security risks, I'm going to keep using ISC, but I would like to know the plan moving forward with it.

thanks 

ok, thanks for all your patience with me Maurice, you've been a big help

sorry I don't mean to appear rude, but wasn't the point of migrating to dnsmasq to remove dependancy on ISC so it can be removed at the next major update?

thanks

Yip, they are configured exactly like that :-)

But then dnsmasq isn't assigning the ipv6 address is it?

that would mean I can't remove isc dhcpv6 or the router advertisement service as it's enabled when tracking is enabled.

So it would seem that dnsmasq is not able to completely replace ISC yet?

Unfortunately I'm not having any success with this.

Router Advertisements in general settings is enabled, although I didn't believe this was required if configured on each interface, when reading the help for the setting.
WAN interface IPv6 is set to DHCPv6
LAN Interface IPv6 configuration is set to none, so no entry available for ISC DHCPv6 or Router Advertisements.

Re the DNSMASQ RA configuration I've tried all the options and no IPv6 address is assigned to the client.

I'm starting to think that dnsmasq is incapable of assigning an ipv6 address to the clients.

Where am I going wrong?

Hi Maurice

Thanks for the help.

I'd like to remove all dependancies on the old ISC, so I've removed DHCP6 from the interface.  I'm now only left with the dnsmasq config.
I've tried the suggestions you've given me, but I don't get an IPv6 address on that interface anymore.

Just to clarify, I specifiy the same interface for the constructor?
And should the WAN interface still be set to DHCPv6 and if it changes what should I set it to SLAAC?  My ISP supports slaac and I currently get a /48 via DHCPv6.
thanks

thanks team the upgrade to OPNsense 25.7.7 went perfectly