Messages - Anchor

#1
Hi,

To simplify joining several interfaces, and to manage their interactions easily, there is an area called "Aliases".

Anyway, I don't think I have understood everything; generally, what you describe as a feature that doesn't exist, it already does automatically;

If instead you just want to separate them easily, subjecting them to some check or modification, you can use an Alias and then decide how to set the Firewall rules or anything else.
#2
Hi,
I didn't understand, are you copying the MAC address of your modem?
#3
Hello,
Which version could I try to install on my Radxa E52C?
It has an RK3582 chip, ty.
#4
Hello,

I did create something like 6k rules by flagging all those active ones from alert to block, but in the wrong way, creating a lot of user rules.

Now when the alert brings me to the list I need 10 minutes to delete just 100 of them.

How can I delete them all in one command, maybe? Since the system UI gets stuck when trying to load everything, and it looks like it will need to disable each rule first.

Thanks
#5
I am just trying to get DNSSEC checks to pass successfully instead of failing in the checks.

And in the same context, to understand (which is why I am replying to this post) if I could have wrongly set something, or if it is Suricata over IPv6, which is known not to function properly (as reported in the quoted post).

At the moment I am just using "localdomain" without any dots, because it is not a real website, and it was expected to be reliable just for the internal LAN.

I had a domain correctly set before and I can't remember if DNSSEC over IPv6 was working fine; also, now I use a new DNS resolver.

It shouldn't have anything to do in particular with wildcards, and I have replied to a post at the beginning where it was explained how to get certificates without conflicting with anything.
#6
Quote from: meyergru on September 23, 2024, 10:22:11 AM
13. I do not believe in IPSs like Zenarmor, Crowdsec or Suricata, but YMMV. At least do not use Suricata on WAN, unless you are willing to sacrifice IPv6 connectivity. This is a fine example for always having a tradeoff between (perceived) security and useability. Also: If you use IPS and experience any problems, please state that in your posting - or better, disable it and test again! The same goes for any kind of blocklists: check if they are the culprit.

(BTW, this post seems to have been edited after the last time I read it.)

#7
Quote from: meyergru on May 31, 2025, 05:58:44 PM
You should be able to determine the difference between a rejected certificate vs. DNS or IP blocking caused by Suricata vs. IPv6 misconfigurations.

The symptoms of each of those are clearly discernible.

Patrick just pointed out that certificates for wildcard domains will not work if they contain just one dot, so if you want to use those, you will have to use a domain with at least two dots in them.

Your problem is not clearly stated, but does not seem to correlate to the cited post.


Hi, thanks for your quick reply,

Can I ask, discernible how? Since the IPv6 connection is working well in OPNsense?

That's what I get for the DNS checks:

https://ibb.co/35gp0dr6

I can add a domain again, but I would like to know beforehand if it is something I can avoid, and if I should follow this advice as reported in this topic: "https://forum.opnsense.org/index.php?topic=42985.0":

13. I do not believe in IPSs like Zenarmor, Crowdsec or Suricata, but YMMV. At least do not use Suricata on WAN, unless you are willing to sacrifice IPv6 connectivity. This is a fine example for always having a tradeoff between (perceived) security and useability. Also: If you use IPS and experience any problems, please state that in your posting - or better, disable it and test again! The same goes for any kind of blocklists: check if they are the culprit.

Thank you.
#8
Quote from: Patrick M. Hausen on May 21, 2025, 09:57:22 PM
Quote from: gspannu on May 21, 2025, 03:57:28 PM
Quote
Ok, I find myself confused about this, again.
If I have no VLANs and I am simply using the OPNsense default ".localdomain" for my LAN, would you recommend I be using .localdomain or lan.internal?


You can use either of the two... both will work.

Mind you that there can be a minor downside to using "localdomain". If you want to run your own local CA - on OPNsense or anywhere else - and you also want to use a wildcard certificate for a variety of devices that for some reason cannot use a real FQDN and Letsencrypt, then ...

- *.home.arpa will work while
- *.localdomain will not work

with current browsers. There have to be at least two dots in there.

I prefer - at work just like at home - to use a subdomain of a real domain I own.

So if I own e.g. company.com, then for the internal network I use internal.company.com. I know this will never conflict with anybody else, I do not publish this domain anywhere outside on the Internet, therefore I will not have leaks of any kind ... perfect solution but for the slightly longer FQDNs.

Also *.internal.company.com works with certificates as well as with MS Active Directory. Using your official Internet domain company.com with AD leads to all sorts of unexpected constraints.

HTH,
Patrick

Hello, so that's why: because I use "localdomain", and if I leave IPv6 on the Macintosh as "automatic", I get DNS over IPv6 losing its signatures?

I was thinking it was a related problem of using Suricata on a working IPv6 connection (in this case with Starlink), but since I read this, and am also trying to use a correct configuration, that could be the problem; also because I was thinking of a Suricata issue like the one reported in one of this forum's FAQs, and when I tried using the IPv6 option on the Mac as "only local" the signatures were getting checked correctly.

I don't know if I should continue to try using a different "localdomain", or if it is just a problem as described, of Suricata, and I should start to expect IPv6 only working before OPNsense until a new update resolves this?

Thank you.
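As an added example (not code from this thread, from Patrick, or from OPNsense), the wildcard rule quoted above can be written down as a browser-style name check: a wildcard must be followed by at least two labels, so `*.home.arpa` and `*.internal.company.com` are usable while `*.localdomain` is not, and per RFC 6125 the `*` covers exactly one label. The two-label minimum is taken from the post; the label-syntax check is an assumption of this example.

```python
"""Browser-style wildcard certificate name matching (added example).

Encodes the rule from the thread: a wildcard SAN needs at least two
dots after '*', and '*' matches exactly one DNS label.
"""
import re

# Hostname label syntax (assumption: LDH labels, case-insensitive).
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def wildcard_usable(pattern: str) -> bool:
    """True if a browser would accept this wildcard SAN at all.

    '*' must be the whole left-most label and at least two labels must
    follow it: '*.home.arpa' passes, '*.localdomain' does not.
    """
    labels = pattern.lower().rstrip(".").split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False
    return all(_LABEL.match(label) for label in labels[1:])


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' covers exactly one label.

    'nas.home.arpa' matches '*.home.arpa'; 'a.b.home.arpa' and the bare
    'home.arpa' do not. Non-wildcard names must match exactly.
    """
    pat = pattern.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not pat.startswith("*."):
        return pat == host
    if not wildcard_usable(pat):
        return False
    pat_labels = pat.split(".")
    host_labels = host.split(".")
    if len(host_labels) != len(pat_labels):
        return False
    return (host_labels[1:] == pat_labels[1:]
            and _LABEL.match(host_labels[0]) is not None)


if __name__ == "__main__":
    for pat, host in [("*.localdomain", "nas.localdomain"),
                      ("*.home.arpa", "nas.home.arpa"),
                      ("*.internal.company.com", "dc1.internal.company.com")]:
        print(pat, host, wildcard_usable(pat), name_matches(pat, host))
```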
#9
Hi,

Which device would more likely be considered to buy? Raspberry Pi 5? Orange Pi Plus?

Something else? Thanks.
#10
I was trying to set delegations to 64 as is shown on the Overview, and since no delegation was shown for my selected one, and NTP is dead, also after a reboot, is there no package to try to reinstall?

daemon child died with signal 11    unable to create socket on igc1 [xxxx:xxxx:;; bind(28) AF_INET6
lags 0x11 failed: Address already in use


***UPDATE****

Despite the socket bind being in use and my other issues with time synchronization, there is obviously something on my connection, or between me and the Starlink services, or more likely between me and my country, before Starlink, or better said "between" me and Starlink; after a while IPv6 addresses are disappearing... even using their modem...

NOICE.
#11
I am only getting an fe80 private address, even if addresses are shown in Overview. I don't know if this is a behavior that can be dictated by new updates and the radious that need to be updated, or if there is something wrong with my Starlink modem and I should try to set it as not bypassed.
#12
Never 56, so I used a bigger number.

BTW, after resetting it I was even able to set the Starlink not in bypass mode and have it working, how it should be.

Now the problem is that, after the last update, it seems I can't get IPv6 addresses working anymore; I think I tried everything.
#13
Quote from: Patrick M. Hausen on March 14, 2025, 02:37:45 PM
Quote from: Anchor on March 14, 2025, 02:10:06 PM
Seems like I have been told, anyway I will say it again, the Starlink hardware gives /56.

That means Starlink delegates a /56 to your OPNsense. Still every single interface of your OPNsense with IPv6 active must have a /64 prefix length. You get a /56 so you can configure up to 256 interfaces.

Thanks for the reply,

So that means I should not care about my 64 delegation?

Because the only way to see that Starlink gives /56 is in the Overview, but the interface is getting /64 like any other interface.

Also, has someone else got it working without putting it in bypass mode, and do I need to enable some outbound NAT rules to make it work, since it would be in double NAT if not set as bypassed?
#14
Quote from: Anchor on March 12, 2025, 11:57:59 AM
Quote from: dseven on March 12, 2025, 11:39:20 AM
What do you mean by "gave /56 address"? What exactly do you expect to see? What exactly do you actually see?

I mean WAN was replying with 56 address allocations,

If I set the WAN interface for 56, and Starlink is giving 56 as shown in Overview, why should I expect to see/have 64?

Seems like I have been told, anyway I will say it again, the Starlink hardware gives /56.

Maybe I should follow this post?

https://forum.opnsense.org/index.php?topic=46201.0

Also, if I want to leave their router without bypassing it, why shouldn't it work by itself? Do I need to accept ICMP also on IPv4 to make it work?

Thanks again
#15
Quote from: dseven on March 12, 2025, 11:39:20 AM
What do you mean by "gave /56 address"? What exactly do you expect to see? What exactly do you actually see?

I mean WAN was replying with 56 address allocations,

If I set the WAN interface for 56, and Starlink is giving 56 as shown in Overview, why should I expect to see/have 64?