Messages - barneby

#1
So I solved it. The problem is that on one side I had IPsec turned on, which routed to the same LAN subnet.
#2
This I already have set up.
#3
I have wg s2s configured using that wizard https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html#step-3a-setup-wireguard-peer-on-opnsense-site-a. When I try to ping the remote LAN addresses from the router, everything works.

The problem is when I want to ping the addresses of the remote LAN network from some of the hosts in the local LAN network. Such a request will not come. Traceroute shows that it terminates at the local router.

When I set up SNAT, everything works, but I don't want to use SNAT for the s2s network, because I want the networks to see each other's source addresses.

My nat rules are set to Hybrid outbound NAT rule generation and I have no custom rules added.

Are there any other settings I should make so that s2s networks can communicate without nat?
#4
So I now know where the problem is.
My ISP subnet is already routing. This can also be recognized by the fact that the gateway is in the same subnet as it was assigned to me.
So I can no longer route the subnet on my router. It is therefore necessary to set IPv6 in pass-through mode or ask the ISP not to route the subnet.

Thank you for your help.
#5
The gateway is set up like this
https://i.imgur.com/B3XUjLz.png

gateway monitoring is disabled and rebooting doesn't help.

The routes are as follows
https://i.imgur.com/pzhn2hB.png

Also strange is that in DHCPv6 Leases, IPv6 addresses assigned to clients are displayed on the WAN interface. At the same time, I have DHCPv6 configured only for LAN.
https://i.imgur.com/2PDN34J.png
https://i.imgur.com/NVO84qy.png
#6
Ping from the router works fine.
https://i.imgur.com/R2tOFFR.png

But not from the client.
https://i.imgur.com/oKo8A5w.png

I have the rules for the LAN interface set as follows.
https://i.imgur.com/lIN1DsU.png
#7
Hello,
I am trying to set up IPv6 for my OPNsense router. I got a /64 IPv6 block from the provider. I would like to statically set IPv6 on the WAN and LAN interfaces and then assign IPv6 to clients connecting to the LAN using DHCPv6.

I received information from the provider that I should use the block xxxx:xxxx:ffff:1121::/64 and that xxxx:xxxx:ffff:1121::1 is the gateway.

I made the following settings:

Configuring the WAN Interface:
1. Log in to the OPNsense web interface.
2. Navigate to Interfaces > Assignments.
3. Click on the name of the WAN interface.
4. In the Static IPv6 Configuration section, fill in the following:
    IPv6 Address: xxxx:xxxx:ffff:1121::5
    IPv6 Prefix: 64
    IPv6 Upstream Gateway: xxxx:xxxx:ffff:1121::1
5. Click Save and then Apply Changes.


Configuring the LAN Interface:
1. Navigate to Interfaces > Assignments.
2. Click on the name of the LAN interface.
3. In the Static IPv6 Configuration section, fill in the following:
    IPv6 Address: xxxx:xxxx:ffff:1121::7
    IPv6 Prefix: 64
4. Click Save and then Apply Changes.


Setting Up the DHCPv6 Server:
1. Navigate to Services > DHCPv6 > LAN.
2. Check Enable DHCPv6 server on LAN interface.
3. In the Subnet section, fill in:
    Range: xxxx:xxxx:ffff:1121::1000 to xxxx:xxxx:ffff:1121::2000
4. Click Save.


Configuring Router Advertisements (RA) on LAN:
1. Navigate to Services > Router Advertisements > LAN.
2. In the Router Mode section, select Managed.
3. Click Save.


The result is that the client receives the correct IPv6 address from the set range. It also gets a route.
But I can't get to the IPv6 address of the LAN or WAN interface.
At the same time, I cannot reach any IPv6 address on the Internet.

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether bc:24:11:a5:dd:6b brd ff:ff:ff:ff:ff:ff
    altname enp0s18
    inet 172.16.1.39/24 metric 100 brd 172.16.1.255 scope global dynamic ens18
       valid_lft 5461sec preferred_lft 5461sec
    inet6 xxxx:xxxx:ffff:1121::11f3/128 scope global dynamic noprefixroute
       valid_lft 5459sec preferred_lft 2759sec
    inet6 fe80::be24:11ff:fea5:dd6b/64 scope link
       valid_lft forever preferred_lft forever


ip -6 route
::1 dev lo proto kernel metric 256 pref medium
xxxx:xxxx:ffff:1121::/64 dev ens18 proto ra metric 100 expires 86394sec pref medium
fe80::/64 dev ens18 proto kernel metric 256 pref medium
default via fe80::1c43:adff:fefb:d3a8 dev ens18 proto ra metric 100 expires 1794sec mtu 1500 pref medium


I have all traffic from the LAN net allowed on the firewall.

Where can the problem be?
Thank you for your help.
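The misconfiguration behind the two posts above (the same /64 configured on both WAN and LAN, with the ISP gateway sitting inside that /64) can be caught with a small sanity check. This is an added example, not code from the thread or from OPNsense; the interface table, the helper names and the 2001:db8 documentation prefix standing in for the masked "xxxx:xxxx" are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample mirroring the setup in the post: one /64 from the ISP,
# a WAN address, a LAN address and the ISP gateway all carved from it.
SAMPLE_IFACES: Dict[str, str] = {
    "WAN": "2001:db8:ffff:1121::5/64",
    "LAN": "2001:db8:ffff:1121::7/64",
}
SAMPLE_GATEWAY = "2001:db8:ffff:1121::1"


def overlapping_prefixes(ifaces: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (iface_a, iface_b, prefix) for each pair of interfaces whose
    configured prefixes overlap. A router cannot have the same /64 on two
    links: it has only one route for the prefix, so one side is unreachable."""
    nets = {name: ipaddress.ip_interface(addr).network for name, addr in ifaces.items()}
    names = sorted(nets)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                hits.append((a, b, str(nets[a])))
    return hits


def gateway_is_onlink(wan_addr: str, gateway: str) -> bool:
    """True when the upstream gateway lies inside the WAN prefix. That is the
    sign (noted in post #4) that the ISP delivers the /64 on-link to the WAN
    segment rather than routing it to the router, so the prefix belongs to
    the WAN link and cannot be reused behind the router without bridging."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(wan_addr).network


def diagnose(ifaces: Dict[str, str], gateway: str) -> List[str]:
    """Combine both checks into human-readable findings (empty list = clean)."""
    findings = []
    for a, b, net in overlapping_prefixes(ifaces):
        findings.append(f"{a} and {b} share {net}: same prefix on two interfaces")
    if "WAN" in ifaces and gateway_is_onlink(ifaces["WAN"], gateway):
        findings.append("gateway is inside the WAN prefix: the ISP routes the /64 "
                        "to the WAN link, so it is not a routed prefix for LAN use")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_IFACES, SAMPLE_GATEWAY):
        print("finding:", line)
```

With a separately routed prefix on LAN (for example 2001:db8:ffff:2222::/64) the overlap check is clean; the gateway check alone is then only informational.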