Messages

1

General Discussion / Re: Problems with IPv6 subnetting

« on: September 26, 2023, 03:23:38 pm »

OPNsense is running on Proxmox. So /etc/network/interfaces is Debian 12 running Proxmox. I'm trying to route IPv6 prefix /56 I have from Hetzner to OPNsense (I also have original /64 from them, haven't found use for it yet).

IPv4 is working fine, only with IPv6 I can ping f300::1337, which is OPNsense WAN from the internet, but can't ping f301::1 (VLAN DMZ), etc.

I think /etc/network/interfaces is somehow configured wrong.

2

General Discussion / Re: Problems with IPv6 subnetting

« on: September 26, 2023, 02:37:15 pm »

Changed. I'm posting whole IPv6, because it doesn't matter anyway:

When I ping the DMZ IP address now, this shows up:

Code: [Select]

PING 2a01:4f8:13b:f301::1337(2a01:4f8:13b:f301::1337) 56 data bytes
From 2a01:4f8:13b:2b1d:: icmp_seq=1 Destination unreachable: Address unreachable
It's showing completely different IP, not unknown actually, this IP is assigned to enp4s0 interface, but shouldn't have anything to do with OPNsense.

EDIT: If I remove the IP from /etc/network/interfaces on the host, it still shows up this:

ping -6 2a01:4f8:13b:f301::1
PING 2a01:4f8:13b:f301::1(2a01:4f8:13b:f301::1) 56 data bytes
From 2a01:4f8:13b:f300::1336 icmp_seq=1 Destination unreachable: Address unreachable

Could this line in /etc/network/interfaces be a problem?

up ip -6 route add 2a01:4f8:13b:f300::/56 via 2a01:4f8:13b:f300::1337 dev vmbr0

3

General Discussion / Re: Problems with IPv6 subnetting

« on: September 26, 2023, 02:22:11 pm »

That is actually my first rule on the WAN interface:

Code: [Select]

Protocol Source Port Destination Port Gateway Schedule Description
IPv6 ICMP * * * * * * Allow ICMP

4

General Discussion / Problems with IPv6 subnetting

« on: September 26, 2023, 12:42:50 pm »

Hi,

I'm having problems with setting up working IPv6 on my OPNsense installation running on Proxmox. I have a /56 assigned from Hetzner.

This is the /etc/network/interfaces of the host machine:

Code: [Select]

# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp4s0
iface enp4s0 inet static
        address x.x.1x.x/26
        gateway x.x.x.1
        up route add -net 94.130.161.0 netmask 255.255.255.192 gw 94.130.161.1 dev enp4s0
        post-up sysctl -w net.ipv4.ip_forward=1
        post-up sysctl -w net.ipv6.conf.all.forwarding=1
        post-up iptables -t nat -A PREROUTING -i enp4s0 -p tcp -m multiport ! --dport 22535,8006 -j DNAT --to 10.10.10.1
        post-up iptables -t nat -A PREROUTING -i enp4s0 -p udp -j DNAT --to 10.10.10.1
# route x.x.x.0/26 via 94.130.161.1

iface enp4s0 inet6 static
        address 2a01:xxxx:xxxx:f300::1/128
        gateway fe80::1

iface enp4s0 inet6 static
        address 2a01:xxxx:xxxx:2b1d::/64
        gateway fe80::1

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.10.10.0/31
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up iptables -t nat -A POSTROUTING -s '10.10.10.1/31' -o enp4s0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.1/31' -o enp4s0 -j MASQUERADE
#OPNSense WAN - Proxmox LAN

iface vmbr0 inet6 static
        address 2a01:xxxx:xxxx:f300::1336/127
        up ip -6 route add 2a01:xxxx:xxxx:f300::/56 via 2a01:xxxx:xxxx:f300::1337 dev vmbr0

auto vmbr1
iface vmbr1 inet manual
        ovs_type OVSBridge
#VM Net
I can ping both the host machine (f300::1336) and the OPNsense (f300::1337) from the internet.

WAN interface is setup like this:

Code: [Select]

IPv6  address: 2a01:xxxx:xxxx:f300::1337/127
Gateway: 2a01:xxxx:xxxx:f300::1336
Block bogon networks checked
The gateway shows up as online.

I have created a VLAN called DMZ, with the following setup:

Code: [Select]

IP address: 2a01:xxxx:xxxx:f301::1/64
Gatewaay: Auto-detect
Nothing else is checked
The situation is as follows, I can ping the internet from inside of the VM's assigned to this VLAN, IPv6 is working, HOWEVER I cannot access / ping these VM's from the outside, not from the host machine, not from the internet.

So if I ping 2a01:4f8:13b:f301::1234 (which is assigned to my mail server), I will get address unreachable. It is probably some stupid thing I'm not getting (I'm a beginner), so any help or poke in the right direction would be greatly appreciated.

Thanks in advance.

5

23.7 Legacy Series / IPv6 being blocked by Default deny / state violation rule

« on: August 31, 2023, 02:55:27 pm »

Hello everyone.

I am totally at loss. I have a dedicated server at Hetzner with Proxmox, and I have OPNSsense as my firewall, running as one of the virtual machines. Everything is working as expected and as it should, however; I have mailcow instance running in other virtual machine, IPv4 with port forwarding is working without problems, however, with IPv6 it's a different story. The configuration is static, because I couldn't get DHCPv6 to assign me one. I can ping the IP from the internet and it responds, however by doing nmap, the ports for the mailcow are showing as filtered, except for port 587. Everything else is not filtered, but I know that on the mailcow side the ports are open because if I take down the stack (it's running inside docker), the ports suddenly start showing as closed. I have added the rule to allow these ports from the WAN side to the mailcow virtual machine IPv6 address, but no change. I can see when doing the nmap scan in Live View that it's blocking these pings by Default deny / state violation rule.

Any help would be greatly appreciated. Thanks in advance.

Attached you will find the rule in question.