Messages

1

Tutorials and FAQs / How to Redirect all IPv4 and tracked IPv6 DNS requests to OPNsense using Unbound

« on: September 17, 2024, 06:53:23 pm »

I wanted to compile one place for this commonly discussed topic, spread throughout the web. There are many sources and threads here, as well as Reddit and other home networking sites with different information, some of it out of date or incomplete. And, nearly all other information is woefully inadequate in regard to dynamic tracked IPv6.
I invite those more knowledgeable than myself (ostensibly, everyone) to a constructive discussion. I am sure the methodology can be optimized or improved.

Why redirect DNS requests with port forwarding/Firewall rules?
Mainly, as a method to ensure all devices on a given network use the DNS you have chosen through OPNsense.

Here is what I have proved to work.
For IPV4:
Goto Firewall/NAT/Port Forward
Add new (+)

Interface: LAN
TCP/IP Version: IPv4
Protocol: TCP/UDP
Source: any
Source Port Range: from any to any
Destination / Invert: Checked
Destination: LAN address
Destination port range: From DNS to DNS
Redirect target IP:  Single Host or Network
                               127.0.0.1
Redirect target port: DNS
Description: Redirect DNS to local
NAT reflection: Use System Default
Filter rule association: Rule Redirect DNS to local *
* This can also be set to 'Pass', in which case, there will NOT be an associated Firewall rule; Pass and port forward will be handled in one place.

For tracked IPv6:
There seems to be a few ways to do this. Unlike IPv4's 127.0.0.1, IPv6's corresponding ::1 will not work as a redirect target IP address.
This can be solved by creating an alias which points to the dynamic tracked LAN IPv6 address and redirecting to it.**
Copy the last 4 hextets from your tracked LAN interface. This can be found in multiple places, for instance, the table at Interfaces/Overview/LAN/IPv6.
For example, if your tracked LAN IPv6 address is 2000:3000:d000:e000:AAAA:BBBB:CCCC:DDDD/64 copy AAAA:BBBB:CCCC:DDDD

Goto Firewall/Aliases
Add new (+)
Enabled: (checked)
Name: lan_ipv6_alias
Type: Dynamic IPv6 Host
Content:  ::AAAA:BBBB:CCCC:DDDD  (The last 4 hextets of your current LAN IPv6 tracked address. Notice the leading double colons! :: )
Interface: LAN
Description: lan ipv6 alias

Goto Firewall/NAT/Port Forward
Add new (+)

Interface: LAN
TCP/IP Version: IPv6
Protocol: TCP/UDP
Source: any
Source Port Range: from any to any
Destination / Invert: Checked
Destination: LAN address
Destination port range: From DNS to DNS
Redirect target IP: lan_ipv6_alias
Redirect target port: DNS
Description: Redirect IPv6 DNS to local
NAT reflection: Use System Default
Filter rule association: Rule Redirect IPv6 DNS to local *
* This can also be set to 'Pass', in which case, there will NOT be an associated Firewall rule; Pass and port forward will be handled in one place.

If you did NOT use 'Pass' for Filter Rule Association:
You will need the corresponding Firewall rules for IPv4/v6 to be moved above the default 'allow any' rules.

Goto Firewall/Rules/LAN
For IPv4:
Check the 'Redirect DNS to local' rule and move above 'Default allow LAN to any rule'
For IPv6:
Check the 'Redirect IPv6 DNS to local' rule and move above 'Default allow LAN to any rule'

**As an alternative to an alias, it has been suggested that a virtual IP can be used to point to ::1
This can be done by assigning fd00::53 (or any ULA address) to the loopback interface:
Interfaces/Virtual IPs/Settings
Modify the port forwarding rule to redirect to the virtual IP (e.g. fd00::53) rather than the lan_ipv6_alias.
Restart the Unbound service to bind to the new loopback virtual IP address

I have carefully checked my work, but please feel free to point out any errors.

Information gleaned from P.M Hausen, Cypher 100, Z1ng and others. Thank you.

2

23.7 Legacy Series / Re: Is there an official or recommended way to forward all ipv6 DNS requests?

« on: August 25, 2024, 03:44:01 pm »

Thank you as well, Patrick.
I'll keep searching.

3

23.7 Legacy Series / Re: Is there an official or recommended way to forward all ipv6 DNS requests?

« on: August 25, 2024, 02:54:28 pm »

Disabling clients from using their own DoT, DoH, or DoQ is a complicated matter. Against DoT you have Zenarmor. Against DoQ you can block QUIC in Zenarmor. But DoH blocking is a lot more complicated, unless you have an exhaustive list of all DoH servers. The problem is that anyone may start a DoH server, so such list is never foolproof.

Correction: Zenarmor blocks DoH, not DoT. But the problem that anyone may create their own DoH server persists. DoH is indistinguishable from regular HTTPS traffic. Technically, Zenarmor can inspect HTTPS connections, but that breaks much of the internet and smartphone apps.

Thank you for the insight.
I guess my follow up question would be, is there a way to forward ipv6 DNS requests akin to the ipv4 tutorial at https://forum.opnsense.org/index.php?topic=9245.0 ?
There seems to be no guides or consensus on a workable solution that I can find.

4

23.7 Legacy Series / Re: Is there an official or recommended way to forward all ipv6 DNS requests?

« on: August 24, 2024, 10:59:31 pm »

Here are my Firewall LAN rules.
Is this an effective strategy for IPV6?

Edit: No image hosting allowed?
Interface:LAN
TCP/IP ver:IPV6
Protocol: TCP/UDP
Destination Invert: checked
Destination: LAN address
Destination Port Range: DNS, DNS
Redirect Target IP: Single Host or Network: ::1
Redirect Target Port: DNS
NAT Reflection: Default

The IPV6 rule is nearly identical to the ipv4 rule, but is using ::1 instead of 127.0.0.1

5

24.7 Production Series / Re: Failing widgets after upgrade to 24.7

« on: July 27, 2024, 12:22:48 pm »

Another widget issue here, unfortunately.
Unable to add widgets due to the drop down menu disappearing immediately after clicking on the desired widget to add, and therefore unable to apply changes.

6

24.7 Production Series / Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387

« on: July 04, 2024, 09:49:20 pm »

I am very grateful to be using the Community edition, and I deeply appreciate the forums.
Thank you to the devs and all who offer support in whatever form they can afford.

7

24.7 Production Series / Re: New sidebar improved

« on: July 04, 2024, 09:35:16 pm »

I do my best for the community. But I would also be grateful to anyone who would leave me some “karma”. thank you for the kind words.

Karma sent your way. Vicuna has been my theme of choice since I discovered it, thank you for your contribution.
If anyone hasn't tried Vicuna, I highly recommend it.

8

Tutorials and FAQs / Re: IPv6 on OPNsense with Verizon FiOS

« on: July 04, 2024, 02:01:42 pm »

Anybody else on FIOS?

Does your WAN interface have a real IPv6 address (i.e. a globally unique address)? I remember some people speculating that FIOS had started using the RFC6603 PD Exclude option.

I have a 2600 address on the LAN, and I can ping ipv6.google.com. I am not clear on how to establish if I am actually receiving a globally unique address. The example in your link citing the example

Fios users have asked or searched for at one point if anyone has a script or something or ideas on how to automate the WAN geting a GUA assigned that will draw from the /56 so we don't have ONLY a link local ipv6 addresson wan. Verizon's own routers seem to have something hardcoded that makes it so that FF::1 is used for the wan. People thought that it was RFC6603 being used, but when the traffic was analyzed at the packet level verizon did not seem to be responding to the RFC6603 prefix exclusion request.

..is a little above my head. My WAN ipv6 (from the interfaces widget) ends with a %em0, and my gateway ends in FF:xxxx:xxxx.

9

Tutorials and FAQs / IPv6 on OPNsense with Verizon FiOS

« on: June 09, 2024, 12:54:46 am »

I looked for a tutorial on the forums, but could not find one, so I copied this great information from here.

IPv6 on Verizon Fios with OPNsense:

UNDER INTERFACES > WAN:
IPv4 Configuration Type: keep using DHCP
IPv6 Configuration Type: DHCPv6
Request only an IPv6 Prefix: ✓ (enabled)
Prefix delegation size: 56
Send IPv6 prefix hint: ✓ (enabled)
UNDER INTERFACES > LAN:
IPv4 Configuration Type: keep using Static IPv4
IPv6 Configuration Type: Track Interface
IPv6 Interface: WAN (which interface to track)
IPv6 Prefix ID: 0

If you have other local networks, like a guest network VLAN, you can assign those interfaces a different prefix ID to keep them isolated.

Enjoy.

10

23.7 Legacy Series / Re: Is there an official or recommended way to forward all ipv6 DNS requests?

« on: December 03, 2023, 02:08:12 pm »

Yes, that is the exact method I am using and thank you for your time.
However, my question is bit more specific; I am wondering how to forward ALL DNS (port 53) ipv6 requests on the lan and force them to use unbound DoT port 853.
(For instance, some clients may 'go rogue' and try to use 2606:4700:4700::1111 when I want them to use 2001:4860:4860::8888)

11

23.7 Legacy Series / Is there an official or recommended way to forward all ipv6 DNS requests?

« on: December 03, 2023, 01:54:43 pm »

I am sure many of us have found this excellent tutorial: https://forum.opnsense.org/index.php?topic=9245.0
which I am using, and it works great for ipv4.
Further down in the thread some people have inquired as to an equivalent method for ipv6, without any real consensus.
Of course, there are a few more threads around the web asking similar questions, but none seem to have any real traction.
I am currently using DNS over TLS. My ISP is dual-stack ipv4/6 and I am utilizing ipv6 (LAN tracking WAN)
Unfortunately, I can't really find any official documentation addressing this scenario. The official unbound docs state:

Should clients query other nameservers directly themselves, a NAT redirect rule to 127.0.0.1:53 (the local Unbound service) can be used to force these requests over TLS.

(from https://docs.opnsense.org/manual/unbound.html)
So, with this in mind, as well as the fact that, I believe, ipv6 ignores NAT, I am compelled to ask the community for an official or correct, or at least, clean and recommended method to forward ipv6 DNS requests (for an Opnsense beginner).
Thank you!

12

23.7 Legacy Series / Re: Unbound DNS in query forwarding mode on dual stack ipv4/ipv6

« on: November 19, 2023, 07:33:56 pm »

Yes, you can do that. This doesn't affect IPv4-only hosts in the LANs. They can still send queries to Unbound over IPv4 and Unbound forwards these to Google over IPv6.

Perfect explanation, and thank you for the quick reply.

13

23.7 Legacy Series / [SOLVED]Unbound DNS in query forwarding mode on dual stack ipv4/ipv6

« on: November 19, 2023, 01:56:27 pm »

My isp offers dual stack ipv4/ipv6, and so far, so good; https://test-ipv6.com/ gives me 10/10.

I am using Unbound DNS in query forwarding mode, and have my DNS servers as 8.8.8.8 and 8.8.4.4 under System/Settings/General/Networking.

Would it be recommended to switch these to 2001:4860:4860::8888 and 2001:4860:4860::8844, in order to make everything future proof/simple/consistent/"correct" ?
(I do have a couple devices in my network which only show up under ipv4 ARP.)

14

Hardware and Performance / Re: BIOS versions on DEC hardware

« on: October 31, 2023, 12:10:44 pm »

I have also been wondering about BIOS update availability. I have a DEC690, and I am unable to find any information on BIOS whatsoever. I presume the 600 series has no such functionality?

15

Tutorials and FAQs / Re: How to enable automatic microcode updates

« on: October 30, 2023, 01:12:35 pm »

Not quite a necro, I hope..

1. How vulnerable to microcode attacks are those of us using a bare metal install of OPNsense with no remote login?
2. Should those of us on bare metal with no remote login consider enabling automatic microcode updates?

My (limited) understanding is that side channel attacks like Spectre and Meltdown are a threat if you run applications on a system designed for multiple untrusted users, like in a webserver environment. I also fear that configuring automatic updates (IF they are not strictly necessary on an OPNsense machine without remote login) might lead to "entropy" wherein one might be met with unexpected breakage with updates and forget how to address it. It seems that the packages and configuration for this have changed over time and may continue to change and require manual intervention.

Any advice appreciated.