Messages - mw88

#1
Quote from: Saarbremer on February 01, 2024, 03:32:17 PM
the dpinger status is the status of the gateway. System -> Gateways
Can also be a widget on the dashboard. The status of the service dpinger corresponds to the gateway status. If your internet access works fine, the dpinger will show green.
Although I have no service called "dpinger", I was able to find it under System -> Gateways and on the Gateways dashboard box.

Quote from: Saarbremer on February 01, 2024, 03:32:17 PM
Regarding your issues with FritzBox <-> FritzFon App I cannot really help as I have no idea how it works behind the curtain.
Thank you anyway for your continued patience. I will try out more things, in particular I will try out switching to a different phone system.
#2
Quote from: Saarbremer on January 31, 2024, 09:10:06 PM
going for IPv6 is the only reasonable thing here.
Good. I like to do things the right way.

Quote from: Saarbremer on January 31, 2024, 09:10:06 PM
* No outbound NAT present for IPv6
* Gateway configured, up and running (pinger is "green")
* Allow outgoing traffic (for the network setup or the box). If your fritzbox just acts as VoIP client it might be a good idea to allow traffic towards the IPv6 of your provider.
I had this almost set up correctly, but I have questions:
* Where do I find this "green" pinger? I mean, it works, I can ping my FritzBox from online services, but I'd just like to know.
* Outgoing traffic is already allowed, FritzBox is in DMZ for me.
* I have one NAT rule for IPv4 in place, which is needed to allow the mobile clients with the FritzFon App to access the phonebook (FritzBox requires the clients to be on the same network as the box). At first, no incoming calls/telephony was possible, until I disabled the IPv4 NAT rule. After I ensured calls were working, I reenabled the NAT rule and the calls still work (so far).

Quote from: Saarbremer on January 31, 2024, 09:10:06 PM
* Allow incoming traffic on the respective UDP ports for fritzbox and please enable IPv6 Protocol IPV6-ICMP for it, too. ICMP (e.g. Ping) is quite essential for IPv6 to work (properly). Without ICMP on WAN, no ping from the outside.
So, a single rule to allow UDP traffic and IPV6-ICMP to ::20:2 is the most secure way, I guess? I do not have documentation about the exact ports; if I had, I could restrict access even further.

So far, everything is working, thank you for your help.

Update:
Situation has changed a bit:
* IPv6 connection from FritzBox to SIP provider still works, I can tell by using the DECT clients and making calls.
* FritzApp Softphones are not able to ring, and if starting a call from the softphone, no audio is heard. I give the following additional part of my configuration, in the hope that you possibly have a solution for that:

[ opnsense ]====VLAN Trunk:20,60====[ managed L2 switch ]----UNTAGGED:20----[ SIP client ]
10.0.20.1/24                                 |                           ::20:2(dhcpv6, static)
10.0.60.1/24                                 |                           10.0.20.2(dhcp, static)
                                        UNTAGGED:60
                                             |
                                   [mobile with FritzFon App]
                                    e.g. 10.0.60.100 (dhcp)
                                           ::60:0100 (dhcpv6)


This particular softphone app needs to be in the same IPv4 network as the FritzBox to access the phonebook and other functionality not part of SIP, therefore I have the following NAT Outbound rule:

Interface: VLAN20
TCP/IP version: IPv4
SourceAddress: PrivateNetworks
DestinationAddress: Server_VOIP (alias for 10.0.20.2)
Translation/Target: VLAN20 address
Static Port: yes/no (I am unsure about that, it worked in the previous setting without static port)


The regular firewall rules are as such:
* allow IPV6-ICMP from WAN to Server_VOIP6 (::20:2)
* allow UDP traffic from WAN to Server_VOIP6
* allow all traffic from VLAN60 to Server_VOIP (10.0.20.2)
* allow all traffic from VLAN60 to Server_VOIP6 (::20:2)

I must still be missing something.



#3
Quote from: mimugmail on January 30, 2024, 07:45:10 AM
You need to set manual route because static-port is not default and you need this for VoIP.
Just to be sure, this is the explanation for the existing IPv4 setup, right?

Quote from: mw88 on January 29, 2024, 06:35:46 PM
I'll try things out once my family won't frame me for breaking the phone again.
So I tried to set it up as pure IPv6 the other night, but it didn't work.
If I understand correctly, I would just need to switch my SIP communication to "use IPv6 only" on the FritzBox, statically assign a GUA to the Fritzbox, say e.g. ::20:2, and create two firewall rules like this:

for incoming traffic:

Interface: WAN
TCP/IP Version: IPv6
Protocol: any
Destination: Server_VOIP_v6 (alias for ::30:2)


for outgoing traffic only to the internet:

Interface: VLAN30
TCP/IP Version: IPv4+IPv6
Protocol: any
Source: VLAN30 net
Destination Invert: yes
Destination: PrivateNetworks (custom alias of all my private networks, e.g. __network_vlan10)


However, it does not work:

I am most certainly missing a firewall rule, but I can't figure out which.
#4
That's quite something for me to digest. I'll try that in pieces.

Quote from: Saarbremer on January 29, 2024, 04:24:21 PM
I don't get why you need IPv6 NAT outbound. Do you mean NPT [...]
No. I just added the almost same NAT outbound rule with the only change being the TCP/IP: IPv6 field.

Quote from: Saarbremer on January 29, 2024, 04:24:21 PM
and is it because your ISP just gives you a /64 IPv6 prefix?
No, I get a /59 IPv6 prefix (vodafone, previously unitymedia).

Quote from: Saarbremer on January 29, 2024, 04:24:21 PM
IPv6 should make your fritz.box' IP address routable in public. No NAT needed (and no, this is not less secure, it is vice versa)
I understand. And I rechecked that, indeed, if I temporarily add an "Allow All" FW rule from WAN, I can ping the fritzbox IPv6 GUA from work.

Quote from: Saarbremer on January 29, 2024, 04:24:21 PM
The outbound NAT for IPv4 is needed to preserve the port numbers during NAT (static port = yes). That is known for IPv4 NAT SIP/RTP setups.
Okay, so as I understand, in theory the setup is "best practice for IPv4 networks", right? And the SIP server should use NAT and not port-forwarding.

Quote from: Saarbremer on January 29, 2024, 04:24:21 PM
Does your VoIP provider support IPv6? If yes, why still using IPv4. It just keeps complexity of your setup high.
Good point. How do I find out, though? For my credentials, I only have the server's name (probably some load-balancing from my provider) and nslookup <name> just timed out. How is the FritzBox even talking to the SIP registrar then?
I'm very inclined to switch to IPv6 for VoIP only, if that means I get rid of the NAT outbound rules.

I'll try things out once my family won't frame me for breaking the phone again.
#5
Hi everyone, I have a working existing setup, which I would like to get your feedback on, in terms of security and "best-practice".

In my home network, I am running a FritzBox (German router) in IP-Client mode behind my opnsense in VLAN30.
This way, the FB becomes just a regular network device, with the function of being the SIP gateway of my network.


[ opnsense ]====VLAN Trunk:30====[ managed L2 switch ]----UNTAGGED:30----[ SIP client ]
10.0.30.1/24                                                            10.0.30.2/32 (dhcp, static)


In order for ringing and voice communication to commence, I had (found by trial and error and a lot of snippets here and there) to create two NAT outbound rules:

Interface: VLAN30
TCP/IP Version: IPv4
Source address: Server_VOIP   (alias for 10.0.30.2)
Source port: any
Destination address: any
Destination port: any
Translation/target: Interface address
Static Port: yes

A second rule is in place for IPv6.

So far, this setup is working, but I do not understand it very well.

In particular, my questions are:

  • Is NAT Outbound the right thing to do here?
    I'm asking, because in other places, I do NAT outbound when routing between different VLANs and their subnets, because some stupid service requires the clients to live in the same /24 network, and I require the clients to live in a different network from the service. So why (if at all) is it necessary that my SIP provider perceives all the connections coming from one common client with the interface address?
  • I feel this is not the ideal solution, and instead, port forwarding should be used. Is my feeling correct? And if so, why?
Any other comments and suggestions are also welcome.
#6
Quote from: bvierra on January 10, 2024, 08:37:35 PM
System -> Routes: Add a new static route (the + button) with the following settings
[...]
Gateway: WAN

I'm trying to do exactly this. However, the "Gateway" dropdown only has my ipv4 and ipv6 loopback addresses, and my public ipv4 and ipv6 addresses. Is this right?

Note: it doesn't work, so I wonder if I'm missing something else? My FW is deny all by default, so would I need additional rules?
#7
Update: After I read through this thread, I deleted all my configurations and started from scratch. In particular, I also deleted all disabled instances of wireguard, and made generous use of wireguard service restarts after each step (not that I hadn't restarted numerous times earlier).

In my opinion, everything is as before, with one key difference: it suddenly works.

I have no clue, why it didn't work before. I will keep my eyes open while continuing to configure.
#8
Thank you for your suggestions, I tried that:


# client wg config
++ DNS = 9.9.9.9

-- Address = 10.10.10.3/24
++ Address = 10.10.10.3/32

-- AllowedIPs = 10.10.10.1/32, 10.0.2.1/24
++ AllowedIPs = 0.0.0.0/0


Afterwards, I connected the tunnel and issued

ping 10.0.2.1 -t

ping 10.10.10.1 -t

which again only produced timeouts.

Temporarily, setting the allowed IPs to "all" would be an acceptable solution, however, when doing so I lose the ability to connect via TeamViewer to a machine in my home network and therefore I lose access to the web interface of opnsense while the wg tunnel is up.

I think, I need more advice, in particular I need help to debug whether the WG connection is established at all.

In your setup, are you able to ping interfaces in the same subnet as your wg interface?
Do I perhaps need to tag the incoming traffic from the wg interface with a VLAN tag, and how can I do this?
#9
Hi. I'm quite new to networking with opnsense and I'm trying to set up wireguard to access my home network remotely while working abroad.

As far as I'm concerned, this seems to be the official guide to follow.

However, after going through all the steps in the way detailed below, I cannot ping any of the services in my home network.

Can you help me debug this setup or point me to what is going wrong here?

Setup
Home location
opnsense 23.7.11-amd64 is running in a VM on proxmox with interfaces into different VLANs, e.g.
VLAN2: home, 10.0.2.0/24
VLAN9: WAN (I have to run everything on one physical NIC, so my cable modem is just on a tagged port of the main switch, while the opnsense VM is on a trunk port)
The WAN interface is assigned the public ipv4 a.b.c.d and an ipv6 aa:bb:cc::dd from my /60 subnet.
A Firewall rule is in place (temporarily), such that I can ping my opnsense router from the remote location.

Remote location
Sadly, only ipv4 in remote location: 192.168.10.0/24.
I have little influence over this.

Wireguard
Following the guide, I have the following settings:

Step 1
os-wireguard 2.6

Step 2 - Instance

Name             : HomeWireGuard
Public key       : public-key-server=
Private key      : private-key-server=
Listen port      : 51820
Tunnel address   : 10.10.10.1/24
Peers            : mw88Test

* later I want to work with ipv6 as well, after ipv4 works

Step 3 - peer

Name        : mw88Test
Public key  : public-key-client=
Allowed IPs : 10.10.10.3/32

* no DNS server for now, I want to get it working based on IPs first

Step 4 - restart
done, is self-explanatory

Step 5 - interface
(a) I assigned interface opt4 to device wg2 as [HomeWireGuard], no IP assignment is possible.
(b) I didn't create an outbound NAT rule.

Step 6 - firewall rules
I created the rules as described, as well as temporary floating ICMP rules from any source to any destination for protocol icmp (I verified these rules work).
(a) I created one normalization rule for ipv4+ipv6.

Step 7 - Client
I'm on Windows 11, using the official WG app on version 0.5.3.
My config looks like this:

Name: mw88Test
Public key: public-key-client=

[Interface]
PrivateKey = private-key-client=
Address = 10.10.10.3/24

[Peer]
PublicKey = public-key-server=
AllowedIPs = 10.10.10.1/32, 10.0.2.1/24
Endpoint = a.b.c.d:51820


Problem

  • I can activate the tunnel on the client, and when starting a ping, I see Bytes sent, but do not receive any. How do I verify that the connection was successful?
  • Ping to the VLAN2 interface of opnsense, 10.0.2.1, just times out.

I'd be glad to receive any pointers.
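As an added example that is not part of the original posts, here is a small Python checker for the client configs shown in posts #8 and #9. It flags AllowedIPs entries whose host bits are set (such as 10.0.2.1/24, where 10.0.2.0/24 is presumably meant), checks that the server's tunnel address is covered by AllowedIPs so that replies can be routed back through the tunnel, and notes when 0.0.0.0/0 turns the link into a full tunnel. The key values are the placeholders from the post, and the server's tunnel IP (10.10.10.1) is passed in as an assumption.

```python
import ipaddress

# Constructed sample built from the client config posted in #9 (placeholder keys, not real ones).
ORIGINAL_CONF = """[Interface]
PrivateKey = private-key-client=
Address = 10.10.10.3/24

[Peer]
PublicKey = public-key-server=
AllowedIPs = 10.10.10.1/32, 10.0.2.1/24
Endpoint = a.b.c.d:51820
"""

def parse_wg(text):
    """Minimal parser for WireGuard's INI-like format: (interface_dict, [peer_dict, ...])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":                       # [Peer] may appear several times
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip().lower()] = value.strip()
    return interface, peers

def lint_client(text, server_tunnel_ip):
    """Return a list of findings about the peer's AllowedIPs in a client config."""
    findings, server = [], ipaddress.ip_address(server_tunnel_ip)
    _, peers = parse_wg(text)
    for peer in peers:
        allowed = []
        for item in (s.strip() for s in peer.get("allowedips", "").split(",") if s.strip()):
            net = ipaddress.ip_network(item, strict=False)   # strict=False tolerates host bits
            if str(net) != item:                             # canonical form differs: host bits were set
                findings.append(f"non-canonical AllowedIPs entry {item}: host bits set, did you mean {net}?")
            allowed.append(net)
        if not any(server in net for net in allowed):
            findings.append(f"server tunnel address {server} not in AllowedIPs: replies cannot return through the tunnel")
        if any(net.prefixlen == 0 for net in allowed):
            findings.append("AllowedIPs covers everything (full tunnel): all traffic, not only home networks, goes via the peer")
    return findings
```

Running `lint_client(ORIGINAL_CONF, "10.10.10.1")` reports only the 10.0.2.1/24 entry; with the post #8 change to `AllowedIPs = 0.0.0.0/0` it reports the full-tunnel note instead.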