Messages

1

General Discussion / Re: Expanding home Network using VLAN's

« on: August 03, 2024, 10:36:37 pm »

well turns out, my config was correct and the reason for not to work as expected was totally my fault...
I was suspecious that this new chinese switch was not tagging correctly tha packets... to test my theory I decided to mirror the trank port on anther port an capture the traffick with a second ethernet card.. an USB/ethernet adapter... by preparing this setudp I connectecd the adapter on the switch and boom... works fine!!!
So now I got the final evidence that my laptop was the issue...
Turns out when I received the chinese switch I tested its VLAN function before connecting to my network and changed the VLAN tags on the adapter settings... I don't know why but the rollback to default config I thought that the original config was VLAN ID 1... When I deleted the 1 from VLAN ID option, started to work!

I leave this here to help others that might find this post googleing and also to inform and thank those who read this thread and spent some time thinking what could be wrong!!!
Thak you!!!

2

General Discussion / Re: Expanding home Network using VLAN's

« on: August 02, 2024, 09:09:14 pm »

please... Can anyone help me?

3

General Discussion / Expanding home Network using VLAN's

« on: July 27, 2024, 05:43:52 pm »

Hello Friends... I'm having a hard time to setup an expansion on my home network..
It's not an OPNSense issue but I think that here are the best chance to find someone with knowledge
Currently I have 3 vlans on my network: 10(LAN), 30 (guest) and 107 (iot).. they are working fine and the devices are connected to each other this way:

upload photo on web

On Horaco Switch the VLAN ports are configured this way:

- Ports 1 and 2 are configured as LAGG and the are connected with the OPNSense device;
- 802.1Q VLAN:
        - VLAN 10: Member on all ports, Tagged on LAGG (Trunk1), 4 and 6, Untagged on 3 and 6;
        - VLAN 30: Member on all ports, Tagged on all ports
        - VLAN 107: Member on all ports, Tagged on all ports
- 802.1Q PVID: All ports on PVID 10

On TP-Link TL-SG108E ports are this way:

- 802.1Q VLAN:
        - VLAN 10: Member on ports 1 to 7, Untagged on 1 to 7;
        - VLAN 30: Member on all ports, Tagged on all ports
        - VLAN 107: Member on all ports, Tagged on ports 1 to 7, Untagged on port 8
- 802.1Q PVID: Ports 1 to 9 PVID 10 and port 8 PVID 107

Until here, everething works fine... Now I wish to add another managed switch with a similar config of the TP-Link... it's a XikeStore... It's very like the Horaco Switch... I believe both are the same whitebranded... On this switch I need devices on VLAN 10 and other devices on VLAN 107... and possible in the future another AP...
I'm connecting Horaco and XikeStore by a SFP+/Fiber on the 10GB interface... I have configured the Xikestore switch like this:



- 802.1Q VLAN:
        - VLAN 10: Member on ports 2 to 6, Untagged on 2 to 6;
        - VLAN 30: Member on all ports, Tagged on all ports
        - VLAN 107: Member on all ports, Tagged on ports 2 to 6, Untagged on port 1
- 802.1Q PVID: Ports 2 to 6 PVID 10 and port 1 PVID 107

This XykeStore switch is configured with IP manual IP address, with an address of VLAN 10... I can ping its IP and access its web interface but when I plug a device on any port DCHP doesn't work at all... neither on port 1 (PVID 107) nor other ports (PVID 10)... On the TP-Link switch the devices connected works fine on any port...
I can't find what I'm missing here and I hope some good soul could help find what I'm doing wrong....

4

General Discussion / Re: [Solved] IPv6 Not working

« on: April 26, 2024, 05:12:13 pm »

Finnaly I could solve the proble, thankfully to this topic:

https://forum.opnsense.org/index.php?topic=9986.0

Hello,
I did a lot of checks to find out why fe80::1:1 is marked as duplicated on vtnet2. The only device where this address is used is indeed the opnsense installation. Further investigations brought up, that the switch is the reason. Several years ago I created an isolated port group for DMZ on it but probably forgot to save the running configuration into the startup configuration. So after a powerloss the switch no longer had that isolated port group. So the LAN and the DMZ interface could "see" each other via the switch. Oddly enough it never caused any problem until now. I now recreated that isolated port group on the switch and the duplicate mark is gone. THis time I made sure it is saved into the startup configuration.

That quote gave the hint to look for the switch...
Turns out, I had a TP-Link TL-SG108E which is 8x1Gbps Managed switch... A few months ago I got a white label chinese 2.5Gbps Managed Switch to replace  the TP-link and get 2.5Gpbs connections...

On both TL-SG108E and OPNSense I had 2 ports on LAG (link aggregation Group) configured...
On the white label switch, there was no LAG configuration... or at least not by that name... There is a "Trunk Group Setting" which I grouped the resepctive ports and gues what?? No more loop logs and clients are getting I their IPv6's!!!

Thank you guys for tring to help me on this!!!

5

General Discussion / Re: IPv6 Not working

« on: April 26, 2024, 04:11:47 pm »

I can't find the reason of those loops... I tried to rebuid the interfaces... Before that the IP that was apearing on loop was the IP with ISP prefix... now the IP is the internal.. In both cases was the LAN interface IP:

NOW:

Code: [Select]

vlan010: a looped back NS message is detected during DAD for fe80:a::2e2:69ff:fe5b:b6a8. Another DAD probes are being sent.
BEFORE:

Code: [Select]

<3>vlan010: a looped back NS message is detected during DAD for 2804:xxxx:xxxx:1180:2e2:69ff:fe5b:b6a8. Another DAD probes are being sent.

6

General Discussion / Re: IPv6 Not working

« on: April 26, 2024, 02:24:02 pm »

I believe (as opposed to: I know) that the DAD occurs because all of your VLANs try to get the same IPv6, because you only have one /64 prefix. The EUI-64 bits are all the same if they share the same parent interface.

As I wrote: With a /64 prefix, you are limited to one IPv6 VLAN. You could try to convince your ISP to give you a longer prefix. There is no shortage of these, so I think your ISP is just clueless. This has been discussed over and over again here on the forum.

but only 1 VLAN has IPv6 configured... only the VLAN 10, which is the main VLAN (called LAN) is configured to IPv6.... The others are IPv6 config are set to "None".

7

General Discussion / Re: IPv6 Not working

« on: April 26, 2024, 02:00:38 pm »

I tried other length but only /64 seems to work...
But I thinnk I found a possible root cause and unfourtnatly I have no idea why... on logs I found:

On System logs I found this:

Code: [Select]

<3>vlan010: a looped back NS message is detected during DAD for 2804:xxxx:xxxx:1180:2e2:69ff:fe5b:b6a8. Another DAD probes are being sent.

8

General Discussion / Re: IPv6 Not working

« on: April 26, 2024, 01:40:16 pm »

Hi... I have also configured "Router Advertisements"... no mode seems to work... On LAN interface I tried with both checked an unchecked "Manual Configuration"...
I tried to configure Track WAN on other interfaces but only one I can ativate... When I try to activate Track on the second interface I get this error:

Code: [Select]

The following input errors were detected:

You specified an IPv6 prefix ID that is already in use.
If I try to chance prefix ID I get this error:

Code: [Select]

The following input errors were detected:

You specified an IPv6 prefix ID that is out of range.
On LAN Interface, IPv6 Prefix ID is set to "0" and if i try to change it I get this error:

Code: [Select]

The following input errors were detected:

You specified an IPv6 prefix ID that is out of range.

9

General Discussion / [Solved] IPv6 Not working

« on: April 26, 2024, 06:39:11 am »

Hi... I'm trying to get IPv6 to work after migrating from an OpenWRT router.

This is my wan ifconfig:

Code: [Select]

igc0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN (wan)
        options=48420b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO,NOMAP>
        ether 50:64:2b:35:20:e0
        hwaddr 00:e2:69:5b:b6:a7
        inet6 fe80::5264:2bff:fe35:20e0%igc0 prefixlen 64 scopeid 0x1
        inet6 2804:xxxx:xxxx:0:d109:666d:92ee:8f7d prefixlen 128
        inet 179.xxx.xxx.6 netmask 0xfffffc00 broadcast 179.152.55.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

And here is my LAN interface:

Code: [Select]

vlan010: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN (opt2)
        options=4000000<NOMAP>
        ether 00:e2:69:5b:b6:a8
        inet6 fe80::2e2:69ff:fe5b:b6a8%vlan010 prefixlen 64 scopeid 0xa
        inet6 2804:xxxx:xxxx:1180:2e2:69ff:fe5b:b6a8 prefixlen 64 tentative
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        groups: vlan
        vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
        media: Ethernet autoselect
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

I can't finish to setup DHCPv6 on LAN... there is an alert message:

Code: [Select]

No available address range for configured interface subnet size.
On a windows machine connected to this LAN, I get only a private IP:

Code: [Select]

   Sufixo DNS específico de conexão. . . . . . : local
   Endereço IPv6 de link local . . . . . . . . : fe80::d55d:e5f5:c92c:d6d2%6
   Endereço IPv4. . . . . . . .  . . . . . . . : 192.168.1.131
   Máscara de Sub-rede . . . . . . . . . . . . : 255.255.255.0
   Gateway Padrão. . . . . . . . . . . . . . . : fe80::2e2:69ff:fe5b:b6a8%6
                                                 192.168.1.1

But if I move the cables (WAN and LAN) and to the OpenWRT device, the same windows machine get the IPv6:

Code: [Select]

   Sufixo DNS específico de conexão. . . . . . : lan
   Endereço IPv6 . . . . . . . . . . : 2804:xxxx:xxxx:1537::70f
   Endereço IPv6 . . . . . . . . . . : 2804:xxxx:xxxx:1537:3f33:d068:54a1:b5aa
   Endereço IPv6 . . . . . . . . . . : fd7c:acb1:e35e::70f
   Endereço IPv6 . . . . . . . . . . : fd7c:acb1:e35e:0:f226:66be:45db:e0ec
   Endereço IPv6 Temporário. . . . . . . . : 2804:xxxx:xxxx:1537:2842:ef5e:52d8:59a5
   Endereço IPv6 Temporário. . . . . . . . : fd7c:acb1:e35e:0:2842:ef5e:52d8:59a5
   Endereço IPv6 de link local . . . . . . . . : fe80::d55d:e5f5:c92c:d6d2%6
   Endereço IPv4. . . . . . . .  . . . . . . . : 192.168.1.131
   Máscara de Sub-rede . . . . . . . . . . . . : 255.255.255.0
   Gateway Padrão. . . . . . . . . . . . . . . : fe80::5264:2bff:fe35:20e1%6
                                                 192.168.1.1

The OpenWRT config is extremely simple...

I do not know what to check anymore...

Can anybody please point what to do?

My setup is a 4x2.5Gbps ethernet mini PC runing OPNSense (no virtualization)... 1 port is connected to the ISP Modem... 2 of the remaning ports are connected by LAGG (loadbalance) to a switch which send 3 differents VLAN's (LAN, iot and GUEST) to the Firewall.... I'm trying to config IPv6 only on the LAN VLAN with the Track opation (Tracking WAN).

I thogth that my device was receiveing a /128 IP but latter I realized that this /128 is the WAN interface IP but the /64 prefix is being delegated....

Can anybody please help me?

Thanks!!!

10

General Discussion / Re: LAN ports bridge (why and why)

« on: April 25, 2024, 07:04:03 pm »

You will have problems with that config if you decide to do VLAN's...
When I activated my OPNsense on a 4x2.5Gbps ports mini PC I expeceted to assign 1 port to WAN and 3 ports on bridge with VLAN's.
That's another limitation, which I know that exists but I do not know fore sure why!

11

General Discussion / Re: Getting /128 IPv6 on WAN

« on: April 24, 2024, 11:09:47 pm »

I found on settings some config to change logs for debug... I did that and then reloaded the interface...
A saw this:

Error   dhcp6c   transmit failed: Can't assign requested address

12

General Discussion / Getting /128 IPv6 on WAN

« on: April 24, 2024, 10:51:01 pm »

Hi guys...
Can you help me on what should I config/check the reason of why is my OPNSense is receiving an /128 IPv6?
I thought that could be an ISP issue but when I connect the modem to an OpenWRT device, it gets an /64 address...
Is there a way to find the log the transaction betweem OPNSense and the modem to get this /128 IPv6?

Or is there some way that I can dig this anymore?

Thanks!

13

General Discussion / Re: Traffic blocked by "Default deny / state violation rule"

« on: November 07, 2023, 08:36:58 am »

I have found PA and FA.... Tks!!!

Now I need to research what that means!   

14

General Discussion / Re: Struggling to get VLANs working

« on: November 07, 2023, 08:28:14 am »

you could also  try to migrate your OPNSense to a VM on proxmox and follow this guide:

https://www.youtube.com/watch?v=t7qt1wlS9uA

15

General Discussion / Traffic blocked by "Default deny / state violation rule"

« on: November 07, 2023, 04:35:44 am »

Hi guys...

I found some traffic been blocked on my OPNSense Firewall but I'm not sure why...
On the attached picture there is an example...
There is a LAN IP trying to reach an IP on the Internet and also there is traffic between IP's on the same subnet..
There is no rule on LAN or WAN to reject this traffic so I think by the label its due to some "state violation rule".
Can you help me to find out why these traffic is been blocked?


Thanks!