Messages - Anchor

#1
I am just trying to get the DNSSEC checks to pass successfully instead of failing.

And in the same context, to understand (which is why I am replying to this post) if I could have wrongly set something, or if it is Suricata over IPv6 that is known to not function properly (as reported in the quoted post).

At the moment I am just using "localdomain" without any dots, because it is not a real website, and it was expected to be reliable just for the internal LAN.

I had a domain correctly set before and I can't remember if DNSSEC over IPv6 was working fine; also, I now use a new DNS resolver.

It shouldn't have anything to do in particular with wildcards, and I have replied to a post at the beginning where it was explained how to get certificates being in conflict with nothing.
#2
Quote from: meyergru on September 23, 2024, 10:22:11 AM
13. I do not believe in IPSs like Zenarmor, Crowdsec or Suricata, but YMMV. At least do not use Suricata on WAN, unless you are willing to sacrifice IPv6 connectivity. This is a fine example for always having a tradeoff between (perceived) security and usability. Also: If you use IPS and experience any problems, please state that in your posting - or better, disable it and test again! The same goes for any kind of blocklists: check if they are the culprit.

(BTW, this post seems to have been edited after the last time I read it.)

#3
Quote from: meyergru on May 31, 2025, 05:58:44 PM
You should be able to determine the difference between a rejected certificate vs. DNS or IP blocking caused by Suricata vs. IPv6 misconfigurations.

The symptoms of each of those are clearly discernible.

Patrick just pointed out that certificates for wildcard domains will not work if they contain just one dot, so if you want to use those, you will have to use a domain with at least two dots in them.

Your problem is not clearly stated, but does not seem to correlate to the cited post.


Hi, thanks for your quick reply,

Can I ask, discernible how? Since the IPv6 connection is working well in OPNsense?

That's what I get for the DNS checks:

https://ibb.co/35gp0dr6

I can add a domain again, but I would like to know beforehand if it is something I can avoid and if I should follow this advice as reported in this topic: "https://forum.opnsense.org/index.php?topic=42985.0":

13. I do not believe in IPSs like Zenarmor, Crowdsec or Suricata, but YMMV. At least do not use Suricata on WAN, unless you are willing to sacrifice IPv6 connectivity. This is a fine example for always having a tradeoff between (perceived) security and usability. Also: If you use IPS and experience any problems, please state that in your posting - or better, disable it and test again! The same goes for any kind of blocklists: check if they are the culprit.

Thank you.
#4
Quote from: Patrick M. Hausen on May 21, 2025, 09:57:22 PM
Quote from: gspannu on May 21, 2025, 03:57:28 PM
Quote
Ok, I find myself confused about this, again.
If I have no VLANs and I am simply using the OPNsense default ".localdomain" for my LAN, would you recommend I be using .localdomain or lan.internal?


You can use either of the two... both will work.

Mind you that there can be a minor downside to using "localdomain". If you want to run your own local CA - on OPNsense or anywhere else - and you also want to use a wildcard certificate for a variety of devices that for some reason cannot use a real FQDN and Letsencrypt, then ...

- *.home.arpa will work while
- *.localdomain will not work

with current browsers. There have to be at least two dots in there.

I prefer - at work just like at home - to use a subdomain of a real domain I own.

So if I own e.g. company.com, then for the internal network I use internal.company.com. I know this will never conflict with anybody else, I do not publish this domain anywhere outside on the Internet, therefore I will not have leaks of any kind ... perfect solution but for the slightly longer FQDNs.

Also *.internal.company.com works with certificates as well as with MS Active Directory. Using your official Internet domain company.com with AD leads to all sorts of unexpected constraints.

HTH,
Patrick

Hello, so that's why: because I use "localdomain", and if I leave IPv6 on the Macintosh as "automatic" I get DNS on IPv6 losing their signatures?

I thought it was a related problem of using Suricata on a working IPv6 connection (in this case with Starlink), but since I read this and am also trying to use a correct configuration, that could be the problem; also because I was thinking it was a Suricata issue like the one reported in one of this forum's FAQs, and when I tried using the IPv6 option on the Mac as "only local" the signatures were getting checked correctly.

I don't know if I should continue to try using a different "localdomain", or if it is just a problem of Suricata as described, and I should start to expect IPv6 to only work before OPNsense until a new update resolves this?

Thank you.
#5
Hi,

Which device would more likely be considered to buy? Raspberry Pi 5? Orange Pi Plus?

Something else? Thanks.
#6
I was trying to set delegations to 64 as is shown on the Overview, and since no delegation was shown for my selected one, and NTP is dead, also after a reboot, is there no package to try to reinstall?

daemon child died with signal 11    unable to create socket on igc1 [xxxx:xxxx:;; bind(28) AF_INET6
lags 0x11 failed: Address already in use


***UPDATE***

Despite the socket bind in use and my other issues with time synchronization, there is obviously something on my connection, or between me and Starlink services, or more likely between me and my country, before Starlink, or better to say "between" me and Starlink: after a while IPv6 is disappearing... even using their modem...

NOICE.
#7
I am only getting an fe80 private address, even if addresses are shown in Overview. I don't know if this is a behavior that can be dictated by new updates and the radious that needs to be updated, or if there is something wrong with my Starlink modem and I should try to set it as not bypassed.
#8
Never 56 so I used a bigger number.

BTW, after resetting it I was even able to set the Starlink not in bypass mode and have it working, how it should be.

Now the problem is that after the last update, it seems, I can't get IPv6 addresses working anymore; I think I tried everything.
#9
Quote from: Patrick M. Hausen on March 14, 2025, 02:37:45 PM
Quote from: Anchor on March 14, 2025, 02:10:06 PM
Seems like I have been told; anyway I will say it again, the Starlink hardware gives /56.

That means Starlink delegates a /56 to your OPNsense. Still every single interface of your OPNsense with IPv6 active must have a /64 prefix length. You get a /56 so you can configure up to 256 interfaces.

Thanks for the reply,

So that means I should not care about my 64 delegation?

Because the only way to see that Starlink gives /56 is in the Overview, but the interface is getting /64 like any other interface.

Also, has someone else got it working without putting it in bypass mode, and do I need to enable some outbound NAT rules to make it work, since it would be in double NAT if not set as bypassed?
#10
Quote from: Anchor on March 12, 2025, 11:57:59 AM
Quote from: dseven on March 12, 2025, 11:39:20 AM
What do you mean by "gave /56 address"? What exactly do you expect to see? What exactly do you actually see?

I mean the WAN was replying with 56 address allocations,

If I set the WAN interface for 56, and the Starlink is giving 56 as shown in Overview, why should I expect to see/have 64?

Seems like I have been told; anyway I will say it again, the Starlink hardware gives /56.

Maybe I should follow this post?

https://forum.opnsense.org/index.php?topic=46201.0

Also, if I want to leave their router without bypassing it, why shouldn't it work by itself? Do I need to accept ICMP also on IPv4 to make it work?

Thanks again
#11
Quote from: dseven on March 12, 2025, 11:39:20 AM
What do you mean by "gave /56 address"? What exactly do you expect to see? What exactly do you actually see?

I mean the WAN was replying with 56 address allocations,

If I set the WAN interface for 56, and the Starlink is giving 56 as shown in Overview, why should I expect to see/have 64?
#12
Quote from: dseven on March 12, 2025, 10:29:41 AM
What does "everything goes on 64" mean? /64 is the standard prefix length for a LAN subnet. If you create multiple (V)LAN's, each should get its own /64, allocated from your /56 delegation.

Hi there,

I'm sorry, but I don't think I fully understand what you mean.

When I previously set up my NIC with OPNsense the first time with Starlink, giving /56 of allocation, it also gave /56 addresses, as it works on every router... or am I missing something?
#13
Hello,

So I did read around a little on different posts here, but the one that seems most like my issue I found on the pfSense forum today, and I don't think I can even post here.

After another clean reset I have set up, without any issues at all, my Chinese firewall appliance (N100 SBC with four Intel RJ45), using Starlink in bypass mode; I don't know if it is because of the updates or if my NIC had been drunk.

The strange part is I wasn't even able to access it from LAN when I had set Starlink to operate as NOT bypassed. I didn't make any rule to accept Starlink IP ranges this time since everything was working, only the recommendations of RFC 4890, which also, strangely, are not all present, or maybe with different names, but I was able to access the OPNsense from my phone, which relies on another network behind an OpenWrt access point in that configuration. So I gave up, even if I am still interested in leaving their modem before the firewall to use old IoT devices that can't be connected using WPA3.

This was a little of my issues encountered over time, but now the issue that I need to resolve, as the title says, is that Starlink correctly gives a /56 delegation, but when it goes on OPNsense everything goes on 64. I don't know if it could just be something related to the equations for the amount of all the other delegations, because I am not good at making calculations, or if it is some misconfiguration; as I said, RFC 4890 is compiled correctly as mentioned. I recently needed to set DHCP6 manually because it is a little tricky to let DNS6 work without setting it, but other than this I don't know what else I could try.

Also, I forgot to mention that after trying to leave the Starlink router without bypass, the IP range on LAN became like the delegations of their router (192.168.1.100 instead of 192.168.1.10~), but about this I can't be 100% sure because of the reboots; anyway, after installing the latest update I'm still on this segment, even if I should end up using a Mac to do those things because I can never be really sure about things like that.

Thank you.