Messages - misty soul

#1
Hi all,

In the Reporting → Health page, OPNsense displays some time-dependent graphs with a time range spanning a few days.
The tick labels along the time axis are displayed in US format, i.e. MM/DD/YYYY, which is impossible to read for most of the world.

Is it possible to customize these legends to users' needs, so US citizens can keep this representation as it probably suits them, but allowing European people to use DD/MM/YYYY, or at least use the international standard for date representations (ISO-8601), which reads YYYY-MM-DD and is easy to read for everyone?
#2
For the record, someone helped me find the problem.
I had the same /64 network on several interfaces which created problems in the routing tables.
After splitting my overall /56 network into several different /64 sub-networks and using a different number on the various interfaces, routing became possible between LAN and WAN.
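
The failure described in the post above (one /64 configured on several interfaces) and the fix (a distinct /64 per interface carved from the /56) can be checked mechanically. This is an added example, not part of the original post; the interface names and the documentation prefix `2001:db8:0:100::/56` are constructed assumptions.

```python
import ipaddress


def find_overlaps(iface_addrs):
    """Return sorted pairs of interfaces whose on-link IPv6 prefixes overlap."""
    nets = [(name, ipaddress.ip_interface(cidr).network)
            for name, cidr in sorted(iface_addrs.items())]
    clashes = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            # Two interfaces claiming the same on-link prefix give the
            # routing table two competing connected routes.
            if net_a.overlaps(net_b):
                clashes.append((name_a, name_b))
    return clashes


def split_delegation(delegated, ifaces, new_prefix=64):
    """Give each interface its own subnet carved out of the delegated prefix."""
    subnets = ipaddress.ip_network(delegated).subnets(new_prefix=new_prefix)
    plan = {}
    for name in ifaces:
        try:
            plan[name] = next(subnets)
        except StopIteration:
            raise ValueError(f"{delegated} has no /{new_prefix} left for {name}")
    return plan


# Constructed sample: the same /64 reused on three interfaces.
BROKEN = {
    "lan": "2001:db8:0:100::1/64",
    "dmz": "2001:db8:0:100::2/64",
    "guest": "2001:db8:0:100::3/64",
}
DELEGATED = "2001:db8:0:100::/56"  # constructed documentation prefix


def fixed_addresses():
    """Assign the first host address of a distinct /64 to each interface."""
    plan = split_delegation(DELEGATED, sorted(BROKEN))
    return {name: f"{net[1]}/{net.prefixlen}" for name, net in plan.items()}


if __name__ == "__main__":
    print("overlaps before:", find_overlaps(BROKEN))
    print("new plan:", fixed_addresses())
    print("overlaps after:", find_overlaps(fixed_addresses()))
```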
#3
Could you elaborate on static routes?
Can I set up different static routes depending on source IP?
I have only seen destination IP for setting static routes.
#4
I just tried, it did not work.
I had to add the interface first so it showed up as the parent interface for GIF, and I also added firewall rules for IPV6-ICMP on this interface.

The ping that did not work before the change still didn't work after the change.

The ping that did work before the change (from outside to the WAN and TUNNEL IPV6 addresses) did not work after the change, so I had to revert the change and attach the GIF to the vlan again (the vlan is required by my fiber ISP).
#5
Yes, I read this doc and used it to set up my configuration.
The changes I did were only that
  1) it was not a HE tunnel but something different set up specifically for me by an administrator of a remote server
  2) I use fixed IPV6 addresses and not SLAAC

Rereading this page, I noticed I forgot to tick the "upstream gateway" when I created the single gateway for the tunnel. I fixed this but it did not fix the connection problem. Ping IPV6 still does not traverse from LAN to WAN or TUNNEL in either direction.
The LAN firewall rules are in the attached screenshot. The plagnole_ipv6_fibre alias corresponds to the IPV6 addresses that have the fiber prefix. These are the ones that do not go through the firewall.
#6
Here are the physical layout (which probably does not really matter), and more importantly the logical layout with the various links.

The idea is to have the servers (black boxes on the bottom of the drawing) use either the tunnel IPV6 gateway or the wireless IPV6 gateway depending on which IPV6 address is used. All servers have both types of addresses.

Does it make more sense?
#7
Hello,

I have an IPV6 routing problem.
I have a network with OPNsense on a physical box with 4 physical ports.

One port (igc0) has a fiber connection, with a vlan configuration, so I have in the Interfaces/other types/VLAN a configuration for vlan01 with parent=igc0. This vlan device is for the [WAN] interface, with an IPV4 gateway on the other side of the fiber.
Due to a bug in the ISP network, this connection cannot handle IPV6 directly. So on top of [WAN], I also have a GIF tunnel (with parent interface WAN), this is the [TUNNEL] interface, with a gateway on the other side of the tunnel.

Another port (igc3) has a wireless connection, which supports directly both IPV4 and IPV6, this is my [HERTZIEN] interface, with both an IPV4 and an IPV6 gateway on the other side of the wireless link.

The IPV6 prefixes on fiber and wireless links are different. The hosts on the [LAN] sides do have IPV6 addresses using both prefixes.

My ultimate goal was that when one host uses the wireless IPV6 prefix it is routed through the wireless gateway, and when it uses the fiber IPV6 prefix it is routed through the fiber gateway.

As I understand, this should be achieved not by setting static routes, but rather using firewall rules using the source address (i.e. the prefix) and specifying the gateway. One rule for one prefix and one gateway, another rule for the other prefix and the other gateway. Is this the right approach?

So I set up rules according to this:
  - [LAN] if prefix matches fiber prefix, use gateway at far end of the tunnel
  - [LAN] default gateway is wireless gateway
  - [HERTZIEN] allow IPV6-ICMP to any address with wireless IPV6 prefix
  - [WAN] allow IPV6-ICMP to any address with fiber IPV6 prefix
  - [TUNNEL] allow IPV6-ICMP to any address with fiber IPV6 prefix

With these settings
  - I can ping from outside to any LAN host using its wireless IPV6 address
  - I can ping from any LAN host using its wireless IPV6 address to outside
  - I can ping from any LAN host using wireless IPV6 address to any LAN host using its fiber IPV6 address
  - I can ping from any LAN host using fiber IPV6 address to any LAN host using its wireless IPV6 address
  - I can ping from outside to TUNNEL interface using its fiber IPV6 address
  - I can ping from outside to WAN interface using its fiber IPV6 address
  - I *cannot* ping from outside to LAN hosts using their fiber IPV6 address
  - I *cannot* ping from LAN hosts using fiber IPV6 address to [WAN], [TUNNEL] or outside

So basically, the IPV6 connection fails between either WAN/TUNNEL and LAN.


What do I do wrong?