Messages

1

General Discussion / Re: Public IPv6 address not getting assigned to LAN connected device

« on: Today at 11:14:18 am »

Your WAN IPv4 address is RFC1918, so I assume that OPNsense's WAN interface is connected to the LAN of some upstream ISP router? That upstream router will need to delegate an IPv6 prefix for OPNsense to use on its LAN(s).

2

General Discussion / Re: Forum login timeout very aggressive?

« on: Today at 11:10:26 am »

Maybe something in your browser cleaning up cookies? I don't remember the last time I had to login.......

3

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« on: November 20, 2024, 10:24:15 pm »

Yes, but a client on your LAN can't use a LLA to talk to the LLA of your ONU, because it'd have to route through OPNsense to get there.

4

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« on: November 20, 2024, 09:55:12 pm »

fe80 addresses are link-local. They're not supposed to get routed. It's actually interesting that OPNsense appears to be routing it outbound, if I'm reading what you're doing right.........

5

24.7 Production Series / Re: All IPv6 traffic "Default deny / state violation rule"

« on: November 20, 2024, 09:09:05 pm »

Your clients may be still using the prefix that was advertised before - see if you can reset them somehow - maybe disable/enable the network interface, unplug/replug cable, etc.....

6

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« on: November 20, 2024, 06:33:10 pm »

@dseven on routing: I meant the uplink router, not the OPNsense box. If the uplink router delegates the network downwards, it MUST route it.

So did I. I have two OPNsense instances here - one cascaded behind the other, and ran into this issue when I first tried to delegate a prefix from one to the other. I don't want to distract this thread any further over it - point is that it could happen.

7

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« on: November 20, 2024, 05:44:02 pm »

But is it even possible that the uplink router would delegate a prefix and NOT route it?

OPNsense will do just that if a downstream router gets a prefix only and not an address for its WAN interface - the fix for that is to add a DHCPv6 reservation for it - then a route (to that address) should be created. Not really relevant here, though. Why OPNsense can't route to the link-local address, I'm not sure. A bit of a tangent for this discussion.... but we don't know what the "ISP ONU" does.....

8

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« on: November 20, 2024, 05:39:54 pm »

Maybe try changing "Address/Prefix Assignment Mode" to "DHCPv6"? Just guessing - that interface doesn't look familiar....

9

24.7 Production Series / Re: IPv6 connectivity from LAN side not working

« on: November 20, 2024, 05:17:07 pm »

IPv6 connectivity worked before I implemented OPNsense by connecting the router to the physical switch in the topology.

By "the router", do you mean "ISP ONU"? I see that you have 192.168.1.0/24 for IPv4, so assume that there's layer 3 stuff happening in that box. For IPv6 to work behind OPNsense (without NAT), you'll need that box to delegate a prefix for OPNsense to use, and it will need to route that prefix. Do you have any control over that box?

I can't tell due to your redaction, but it looks like you did get a delegated prefix as all we the /64 network that your WAN interface is using? Are there two different prefixes in the "routes" column?

It seems like you have the prefix, but maybe the "ISP ONU" is not routing it to your OPNsense WAN interface....

10

General Discussion / Re: Home network with OPNsense, UniFi, and Asus AP (FreshTomato) - VLAN help

« on: November 20, 2024, 01:59:50 pm »

Will UniFi let you tag VLAN 1 on a switch port? If so, I think the track you're on should be OK. OPNsense doesn't attach any special meaning to that ID (AFAIK).

11

24.7 Production Series / Re: Requesting help with One-to-One NAT setup

« on: November 20, 2024, 12:25:40 pm »

I was pondering reply-to, but I wasn't able to reproduce what you were seeing. Do you have any inbound firewall rules (aside from your NAT ones) on your WAN interface?

12

24.7 Production Series / Re: All IPv6 traffic "Default deny / state violation rule"

« on: November 20, 2024, 12:03:15 pm »

Being able to ping from the WAN interface doesn't mean that you have a delegated prefix - it just means that your WAN interface has a routable IPv6 address. For LAN hosts to work (without NAT) requires a delegated prefix that your router (OPNsense) can use for your LAN(s). It'd generally be larger than /64, but maybe not always. Take a look at Interfaces -> Overview, click on the magnifier next to your WAN interface, and look for "Dynamic IPv6 prefix received". By having your LAN interface track your WAN interface, it should be able to use the delegated prefix, and it sounds like that's actually working for you (as you appear to have a routable address on your LAN client).

So why is the traffic getting blocked? Something that makes me slightly suspicious is that "lan" is in lower case in the log that you pasted, where I believe that the default is upper-case "LAN". Did you create/assign an additional "lan" interface??

13

General Discussion / Re: ping OK but no internet with static client

« on: November 20, 2024, 11:37:52 am »

I wonder if curl is trying to use IPv6. Try "curl -4v https://ipleak.net/json/" ?

14

General Discussion / Re: Static IP addresses vs DHCP for IoTs

« on: November 20, 2024, 11:27:25 am »

What sort of "congestion" are you talking about? Was the DHCP service somehow unable to keep up with demand? Otherwise I can't imagine how static configuration vs. DHCP would affect network congestion.

Personally I use DHCP with static mappings (reservations) for most of my "things" - so I can "tell what's what", and manage things as needed (mDNS may be an alternative for the latter).

15

General Discussion / Re: WAN DHCPv6 and IPsec

« on: November 19, 2024, 01:14:04 pm »

I don't have experience with IPsec, but in general any interface that has a routable IPv6 address should be reachable from the internet if you have a rule to allow it (destination "This Firewall"), so you probably could use your DMZ interface. Alternatively you might be able to use a VIP with an address within your routable prefix, or a loopback interface. Is your prefix "static"?