Messages - elyl

#1
General Discussion / Re: IPv6 WAN Failover - NPT Help
January 25, 2025, 08:03:50 PM
Quote from: ciaduck on January 24, 2025, 09:10:07 AM
elyl, your issue of intermittent connection seems more related to location and signal strength, not necessarily OPNsense. I would recommend configuring your WAN interfaces under DHCP client configuration to reject leases from the service IP, for my netgear modem that's 192.168.5.1. This will help avoid picking up a private 192.168.0.0/16 address on the WAN side, instead of a real address. Install the unifi wifiman app on a phone, and start surveying where the best cell signal is. Put your LTE modem in that location. If you can't put it there, run LTE TS9 antennae.


Issue is definitely not signal strength, I can connect into the 5G modem itself and see good signal.  I am only getting a 192.0.0.2 address given to me by the modem, which is CGNAT (i.e. not 192.168 local IP).  Are you saying you are getting an actual public IPv4 address on T-Mobile?  Are you in the US?
#2
General Discussion / Re: IPv6 WAN Failover - NPT Help
January 22, 2025, 03:52:24 PM
It seems you're trying to do something similar to me, but are a bit further along.  I am also trying to have WAN failover to a T-mobile modem, but I get very patchy IPv4/v6 connectivity on the T-mobile side, in fact it rarely works.

What modem are you using to connect (I'm using Quectel RM520 in an ethernet enclosure) and do you have it set up in 'bridge' mode?  How is your WAN2 interface configured (DHCP/DHCPv6)?
I get a 192.0.0.2/27 address for IPv4 from the modem, and sometimes I eventually get an IPv6 address, but my gateway monitoring has 100% loss on the IPv4, and it doesn't even try to ping the IPv6 monitoring address.
#3
I went somewhat back to the drawing board with IPv6 last night.  I think I had made things so complicated trying to get it working in the past.  I now have DHCPv6 turned off, and RA set to Unmanaged.  So far, so good.  Android and non-Android devices passing ipv6-test.com and the usual problem apps on Android working correctly.

I set RA to not send any DNS info, and eventually my clients reverted to having the IPv4 DNS address only.  However, in pihole, all those clients started showing DNS requests coming from my WAN IP address, rather than an fe80???

Well, I have been trying to get WAN failover working correctly with my cable internet, failing over to a cellular modem (T-mobile with CGNAT) but not been having much luck.  I have WAN IPv4 and IPv6 gateways, and WWAN IPv4 and IPv6 gateways, with these set up as failover groups and my firewall default routes set to use the failover groups.  I have not yet been able to make this work, everything goes through WAN, but WWAN generally shows as down and there's never any failover.

Anyway, switching the firewall routes back to 'default' from 'FailoverIPv4'/'FailoverIPv6' gateway groups now gives the correct originating (IPv4) address for each client in Pihole, rather than WAN IP.

I guess it's back to the drawing board on the WAN failover stuff, too.  Thanks for your help in pointing me back towards SLAAC, this has probably solved a number of weird issues I've been having.
#4
Interesting.  I am using DHCPv6, since whenever I turn on SLAAC, I get weird behavior on my Android devices (generally work fine, IPv6 tests pass, but various apps refuse to open and I need to get off wifi to open them).  So I have RA set to Managed so it's DHCPv6 only and Android devices only get IPv4.

My DHCPv6 settings are sending the DNS server (pihole).  I guess if I leave them blank, it uses Unbound instead (which I don't want as no Pihole blocking).  If I get SLAAC working and turn DHCPv6 off, how does it decide which DNS server to use?  Does it just revert to the IPv4 DNS server?  What if IPv4 connectivity is broken somehow (I have a WWAN backup connection that I'm also trying to get working, which is IPv6 only, with some kind of IPv4 over IPv6 nonsense)?
#5
If I do an nslookup with Unbound, using an IPv4 address that I have a DHCP lease for, it returns the local name, e.g:

> nslookup 10.0.0.1
1.0.0.10.in-addr.arpa   name = OPNsense.internal.

If I do the same thing with a link local IPv6 address, it doesn't give me anything:
nslookup fe80::1
** server can't find 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa: NXDOMAIN

If I look up the GUA IPv6, it does give me a result:
nslookup 2603:xxxx:ffbb
b.b.f.f.xxxx.3.0.6.2.ip6.arpa        name = OPNsense.internal.

If I look up the link local address in the NDP Table, it is in there, and maps back to a MAC address that I have a DHCP lease for.  I have "Register ISC DHCP4 Leases" turned on, and "Do not register IPv6 Link-Local addresses" turned off in Unbound settings.

How do I get Unbound to respond with a hostname for fe80 addresses?

My use case is for Pihole, I want to resolve client IP addresses to friendly names.  If a request is made to pihole via IPv4, it seems to resolve the client name, but if it's IPv6 (which most devices on my network seem to be using), it just gives me the fe80 link local address as the client name.
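An added Python example, not from the post or from OPNsense: it computes the in-addr.arpa / ip6.arpa names behind the nslookup queries above, then joins a constructed NDP table to constructed DHCP leases by MAC address to produce Unbound local-data-ptr lines for link-local addresses, which lease registration does not cover. NDP_TABLE and DHCP_LEASES are made-up sample data; local-data-ptr is a standard unbound.conf directive.

```python
import ipaddress

# Constructed sample data (not taken from the forum post).
# NDP table: IPv6 address -> MAC, as the NDP Table view would show it.
NDP_TABLE = [
    ("fe80::1", "aa:bb:cc:dd:ee:01"),
    ("fe80::2a3f:4b1c:9d0e:77ff", "aa:bb:cc:dd:ee:02"),
    ("2001:db8:ffbb::1", "aa:bb:cc:dd:ee:01"),   # GUA for the first host
    ("fe80::dead", "aa:bb:cc:dd:ee:99"),         # MAC with no DHCP lease
]
# DHCPv4 leases: MAC -> registered hostname.
DHCP_LEASES = {
    "aa:bb:cc:dd:ee:01": "OPNsense.internal",
    "aa:bb:cc:dd:ee:02": "phone.internal",
}


def reverse_name(addr: str) -> str:
    """Return the PTR name a resolver queries for an IPv4 or IPv6 address.

    For fe80::1 this is the 32-nibble ...8.e.f.ip6.arpa name seen in the
    NXDOMAIN reply above; for 10.0.0.1 it is 1.0.0.10.in-addr.arpa.
    """
    return ipaddress.ip_address(addr).reverse_pointer


def link_local_ptr_records(ndp, leases):
    """Build Unbound local-data-ptr lines for link-local IPv6 addresses.

    Only fe80::/10 entries are considered; GUAs are skipped because
    Unbound already answers for them.  A link-local address is only
    unique per link, so the mapping is taken from the NDP table rather
    than from the lease itself.  Returns (records, unmatched_addresses).
    """
    records, unmatched = [], []
    for ip, mac in ndp:
        addr = ipaddress.ip_address(ip)
        if addr.version != 6 or not addr.is_link_local:
            continue
        host = leases.get(mac.lower())
        if host is None:
            unmatched.append(ip)       # no lease -> no name to assign
            continue
        records.append(f'local-data-ptr: "{addr.compressed} {host}"')
    return records, unmatched


if __name__ == "__main__":
    print(reverse_name("fe80::1"))
    recs, missing = link_local_ptr_records(NDP_TABLE, DHCP_LEASES)
    print("\n".join(recs))
    print("unmatched:", missing)
```

The generated lines belong in an Unbound custom-options/include file; NDP entries expire, so the join has to be rerun as the table changes.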
#6
24.1, 24.4 Legacy Series / ACME SFTP Upload help
August 21, 2024, 06:44:56 PM
Is there any documentation on how to get this to work?  I can't seem to get the right combination of ssh keys working.

For the examples below, "docker.address" is the name of the destination I'm trying to copy the certificates to.

upload_sftp.php --log --host=docker.address --user=root --identity-type=rsa --certificates=mycert.org test-connection
INFO: Logging to stdout enabled
INFO: No host key specified, using existing known_hosts entry for 'docker.address'
INFO: SFTP: root@docker.address: Permission denied (publickey,password,keyboard-interactive).
INFO: SFTP: Connection closed
ERROR: Failed connecting to 'docker.address' (user: 'root') ; Cause: {"permission_denied":true,"error":"root@docker.address: Permission denied (publickey,password,keyboard-interactive)."}
{
    "actions": [
        "connecting"
    ],
    "success": false,
    "permission_denied": true,
    "error": "root@docker.address: Permission denied (publickey,password,keyboard-interactive).",
    "connect_failed": true
}
ERROR: Command execution failed, exit code 1. Last input was: {"log":false,"host":"docker.address","user":"root","identity-type":"rsa"}


I have copied the contents of  /var/etc/acme-client/sftp-config/is.rsa.pub to the ~/.ssh/authorized_keys and ~/.ssh/known_hosts (I'm not sure which one I should be doing, I've tried neither, either and both) but still get the same error.

I tried ssh-copy-id to copy the id.rsa file to docker.address, which seemed to work, but running the automation script copied the files to ~/ on the opnsense server rather than to docker.address, so I guess I have things seriously mixed up.

The id.rsa.pub file has the username at the end of it as root@opnsense.internal, I tried changing to just root, and also root@docker.address, but to no avail.
#7
I have OPNsense set up as a VM in Proxmox.

I have the WAN and LAN interfaces passed through to OPNsense, and I have OPT1 set up as the vmbr0 bridge from Proxmox, so that I can hopefully manage the router directly if it ever fails on LAN (and set it up without having to have everything live).

I can't seem to access the web gui from this OPT1 interface, unless I SSH in and pfctl -d to disable the firewall, then it lets me log in.

I have tried various combinations of firewall rules on OPT1 to allow all traffic, but I still can't access the GUI without disabling pf from the shell.  Logs say access to port 443 from my systems connected via OPT1 are failing on "Default deny / state violation rule".  WebGUI listen interfaces are set to All.

I feel like I'm missing something obvious, but even with an all * rule on OPT1, it's still blocked.  Any suggestions?