Messages - huamiao

#1
Define a schedule in the firewall settings, create the firewall rule that needs to be controlled, and select that schedule in the rule.
#2
Hi, your issue has been closed due to the invalid template. I just opened a new issue https://github.com/opnsense/core/issues/7397 based on yours. Just wanted to let you know in case you want to append more details.
#4
I have 2 PPPoE WANs from the same ISP, so they have very similar IPs (like 1.1.1.x) and the same gateway.
I created a failover WAN group:
WAN0 - Tier 1
WAN1 - Tier 2
and pointed the LAN's gateway to this WAN group.

My problem is that the internet sometimes can't be accessed after a reboot even though all gateways (System -> Gateways -> Single, monitoring enabled) are online. WAN Groups shows all gateways online. In this situation, if you:
1. Disconnect a WAN (WAN0 or WAN1) -> Internet OK
2. Disconnect all WANs and connect WAN0 first and then WAN1 -> Internet OK
3. Disconnect all WANs and connect WAN1 first and then WAN0 -> Internet failed
4. Go to the firewall, set policy routing to WAN0 -> Internet failed
5. Go to the firewall, set policy routing to WAN1 -> Internet OK
6. All WAN interfaces work properly if you try to access the internet from the firewall itself (use curl and specify wan0 or wan1)

I have no idea how to solve this issue, can anyone help me with this? Thank you very much.
#5
Hi Maurice,

Thanks again for your reply. I'll keep watching on this.
#6
Copy from WAN interface info:
IPv6 address   2408:xxxx:xx0:1234:567:89ff:fe98:765/64
IPv6 prefix   2408:xxxx:xxb:2345::/60

The x part is identical, the others are totally different. Looks weird, is it using the wrong prefix length?
#7
Thank you for your reply.

1. 2408:xxxx....::/60 is the delegated prefix and the WAN interface got an address 2408:xxxx..../64
2. I tried to ping the WAN address, protocol IPV6-ICMP/any, destination [This Firewall]. As you said, NPT goes first and then pf. Now I can understand why it blocked fd00:10::[wan addr suffix] in pf's log. But that's the WAN's address, and the translated address starting with fd00 doesn't exist anywhere. Is that how NPT works? Does that mean there is no way to connect to the WAN from outside?
3. I also tried to ping a ULA host in vlan10 with address fd00:10::xxxx. I created a rule with the destination set to an alias of a dynamic IPv6 host, still no luck. // Update: using hosts with the whole ULA works.

I know all these troubles are coming with the dynamic prefix, still trying to figure out a way.
#8
Hi guys,

Sorry for my English, since I'm not a native speaker.

I'm going to apply IPv6 to my home network. The ISP provides a dynamic prefix, so I decided to use ULA + NPTv6. Here are the configuration steps:
1. I have 4 VLANs; let's pick one called vlan10 and assign the static address fd00:10::1/64 to the interface.
2. WAN is a PPPoE connection + DHCPv6 through the IPv4 connection. I want to run VPN on the firewall, so I didn't tick "Request only an IPv6 prefix", and the WAN interface got an IPv6 address starting with the prefix 2408:xxxx..../60.
3. Use RA stateless for client addresses, so I get fd00:10::xxxx:xxxx:xxxx:xxxx on the client side.
4. Set up NPTv6 for WAN, external - blank, internal - fd00:10::/64.
5. Tested that the clients got the correct address and can access the internet via IPv6.
6. Now I want to access services in my network from outside. I've configured the firewall rule for ICMP so I could start with ping, but it failed. Since I also have a public IPv4 address, I've tried to ping that address and can confirm it works.
7. I checked the firewall log and found the ICMP packet is blocked and the destination is fd00:10::[wan suffix]. I believe this was done by NPTv6. (But is that right?)
8. The IPsec VPN (road warrior) also won't work. (But it works on IPv4.)

How can I do this with ULA+NPTv6 enabled? Thanks.

PS:
1. It works if I port forward the ICMP to an internal ULA or to the link-local address of the WAN interface.
2. It won't work if I port forward IPsec to the link-local address of the WAN interface. The client just won't connect and the log says "no IKE config found for fe80::[wan suffix]...". That shows IPsec won't work with a link-local address.
3. I also tried to get an IPv6 address through "Track Interface" and it works. But I want ULA+NPTv6 here because "Track Interface" may disconnect clients after a WAN reconnect and it's hard to manage when using multi-WAN.
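As an added illustration of the behaviour discussed in #7 and #8 (this is not the poster's or the OPNsense project's code), the script below models NPTv6 as a plain prefix rewrite in which, with "external" left blank, the WAN interface's own /64 is the external prefix. It assumes that model and uses constructed sample addresses in place of the masked 2408:xxxx values; it shows why a packet sent to the firewall's WAN address is rewritten to a fd00:10:: address that no host holds before the filter rules ever see it.

```python
import ipaddress

# Constructed sample values standing in for the masked prefixes on the page.
INTERNAL_NET = ipaddress.IPv6Network("fd00:10::/64")         # ULA on vlan10 (from the post)
EXTERNAL_NET = ipaddress.IPv6Network("2408:1:10:1234::/64")  # WAN /64 ("external - blank")
WAN_ADDR = ipaddress.IPv6Address("2408:1:10:1234:567:89ff:fe98:765")  # firewall's WAN address


def rewrite_prefix(addr, from_net, to_net):
    """Swap the prefix of addr from from_net to to_net, keeping the host bits.

    Returns None when addr is outside from_net (the translation rule does not match).
    """
    addr = ipaddress.IPv6Address(addr)
    if addr not in from_net:
        return None
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("NPTv6 needs prefixes of equal length")
    host_mask = (1 << (128 - from_net.prefixlen)) - 1
    return ipaddress.IPv6Address(int(to_net.network_address) | (int(addr) & host_mask))


def outbound(src):
    """Packet leaving via WAN: internal ULA source becomes a public source."""
    return rewrite_prefix(src, INTERNAL_NET, EXTERNAL_NET)


def inbound(dst):
    """Packet arriving on WAN: public destination becomes a ULA destination.

    Translation happens before filtering, so pf rules (and the log) see the result.
    """
    return rewrite_prefix(dst, EXTERNAL_NET, INTERNAL_NET)


def destination_after_npt(dst, firewall_addrs=(WAN_ADDR,)):
    """Return (address the filter sees, short explanation) for an inbound packet."""
    translated = inbound(dst)
    if translated is None:
        return str(dst), "outside the external prefix, NPT leaves it untouched"
    if ipaddress.IPv6Address(dst) in firewall_addrs:
        return str(translated), "firewall's own WAN address rewritten to a ULA nobody holds"
    return str(translated), "rewritten to an internal host"


if __name__ == "__main__":
    print(outbound("fd00:10::1a2b:3c4d:5e6f:7a8b"))   # vlan10 client going out
    print(destination_after_npt(WAN_ADDR))            # ping from outside to the WAN address
    print(destination_after_npt("fe80::567:89ff:fe98:765"))  # link-local is not translated
```

Running it shows the inbound ping to the WAN address turning into fd00:10::567:89ff:fe98:765, the same shape as the blocked destination in the firewall log, while the link-local address passes through unchanged.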