Messages - Hypocrisy7186

#1
Hardware and Performance / Re: PPPoE router
February 12, 2024, 10:19:39 AM
Thanks for the metrics. The 1 Gbps symmetrical was to future-proof me as my current connection is only 900 Mbps down and 100 Mbps up.

I'm very happy with the Mikrotik HEX S PPPoE router so far as it works with my HA firewalls and supports IPv6. The speed tests look good but it's interesting that with small packets it may struggle. I'll do more testing on my side.
#2
Hardware and Performance / Re: PPPoE router
February 06, 2024, 12:34:15 PM
I've ended up ordering a "Mikrotik Hex S" router as I couldn't find any "Mikrotik Hex" for sale. Looks like it'll do the job. I'll post back once I've tested it in case anyone is in the same boat as me.
#3
Hardware and Performance / PPPoE router
February 02, 2024, 03:13:28 PM
Hi, I have an HA pair of OPNsense firewalls and a new internet connection accessed over PPPoE. I don't want to do PPPoE on the firewalls as they are an HA pair and that's a pain to manage and can be fragile (or so I believe). Can anyone recommend a simple router that can do PPPoE on a WAN port and has at least 2 LAN side ports? It needs to be all gigabit and either not have NAT/Firewall or it can be fully turned off. It must also support IPv6.
#4
Hi, I'm looking to deploy Shadowsocks as I need an authenticating socks5 proxy. I was just wondering if it is possible to block what targets the proxy clients can connect to. In particular, I'm worried that should someone compromise the socks5 client they could leverage it to connect to other internal VLANs that OPNsense can see.

The question is can I block socks5 clients from connecting to RFC1918 networks?
#5
Sorry to have troubled you but it's now working despite 0 changes on the firewall, switches or the client networking. Now that it's working I've got no way to try and trace why it was not working previously ???
#6
The CARP addresses are as below. The "x" is to hide the start of my IPv6 address.

Ipv6 x:x:x:5::1/64
Ipv6 ll: fe80::5/64
#7
Just to add to the above, the IPv4 CARP address is pingable on the same VLAN. This just affects the IPv6 CARP address.
#8
When attempting to ping a CARP IPv6 address on the same VLAN from a client machine I get "Destination unreachable: Address unreachable". The output of "ip -6 neigh show" shows the following "x:x:x:5::1 dev br0  INCOMPLETE". Packet capture on the OPNsense instance that hosts the CARP IPv6 address shows "ICMP6, neighbor solicitation" but no ICMP6 responses. I've attached my network diagram to this post.

If I add a static entry with "sudo ip -6 neigh add x:x:x:5::1 lladdr 00:e2:69:63:f7:00 nud permanent dev br0", the ping completes until I remove the static entry. Not sure what else to try to resolve this issue?
#9
Well, it turned out that 192.0.2.1 did cause slow DNS for me as I hadn't considered instances that had network connections into this network and then another network that had a default gateway. This then caused the 192.0.2.1 DNS server to be used from the DHCP network but then attempt to route out of the network that had a default gateway. This then led to DNS resolution delays while this timed out.

I tried changing the DNS server to 127.0.0.255, the thinking being that my local resolver listens on 127.0.0.53 so it would fail quicker, but it actually caused the DNS servers not to be applied. I'm not sure if it's the DHCP server not publishing or my systems ignoring the loopback DNS config, but either way it's now working as I wanted.

So to summarise. If you want a DHCPv4 scope that only gives out IP addresses and not a gateway or DNS server(s) then setting the gateway to "none" and DNS to "127.0.0.255" worked for me.
#10
Thanks, I'll give that a try.
#11
Hi, I'm attempting to set up a DHCP scope for a network where I only want to allocate IP addresses. I can see I can set the gateway to "none" but I can't find a way not to allocate DNS servers or DNS search suffix. Is this possible?