Messages

Thanks for your reply. I did some packet captures, and I see my packets coming in from my client and seeing that they are meant for example to reach the ipv6.google.com IPv6 address. I am not as far to see in the Capture itself if that packet was routed properly. Maybe I should try to analyze the pcap files with Wireshark so see more information?

I begin to doubt that the tunnel is doing anything at all, even when I can reach ipv6.google.com from my OPNsense. When pinging ipv6.google.com directly from the OPNsense, I get a roundtrip time of about 0.1 to 0.2 ms. When www.google.com with IPv6, I get a more realistic roundtrip time of around 15-20 ms. I refuse to believe that IPv6 manages to improve roundtrip time that much ;-)

Also, to set up the GIF interface, I get the following information from Hurricane Electric:
- Server IPv4 address (where I need to talk on the IPv4 Network to reach out to the HE Tunnelbroker)
- Server IPv6 address (a /64 which ends with ::1)
- Client IPv6 address (a /64 which ends with ::2 and is in the same network as the Server IPv6 address)

Now my common sense and the tutorial at https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html tells me, that when configuring the GRE Interface, I need to
- Put the Server IPv6 address into the GIF tunnel remote address and
- the Client IPv6 address into the GIF tunnel local address

If I configure it that way, I can not ping a Remote IPv6 address.
When I enter them the other way round, I can (seeminly) ping Remote IPv6 addresses. Now when I reverse the configuration again (as it should be according to the Tutorial), I still seems to work.

All that makes no sense to me. The low ping times and that I have to configure the GIF interface "wrong" to get IPv6 up and running and then can revert it and it still seems to work (on the OPNsense only, though), throws me off the track. I cannot comprehend this.

When I do a Live trace via Firewall --> Logfiles --> Live View and filter for example the ipv6.google.com destination address, it shows me that the firewall rules are allow the traffic to the IPv6 Tunnel interface I created. Because of the low latency, I suppose my packets never leave the OPNsense and no matter what IPv6 address is resolved by DNS, it stays on the OPNsense. Otherwise, pings which are the same as for 127.0.0.1 should not be possible.

Maybe I should sleep another night over this...

There is no CGNAT in my case and yes, both IPs show the same. I am self-hosting all kind of stuff from home and I get a "pretty static" (usually for months) IPv4 address from my ISP.

I did make some progress today, though. I picked another Provider and was able to establish the tunnel and ping from my OPNsense to the other end of the tunnel and to the ipv6.google.com address. I am not able to get this working from my LAN yet, although I have a Firewall Policy on my LAN interface which allows IPv6 and IPv4 (both rules are identical) to *.

Advertisement seems to work, as my systems in the LAN get an IPv6 address assigned from the block that the Tunnelbroker assigned me. Also I can ping the IPv6 addresses of the OPNsense, but traffic does either not seem to get routed through the tunnel or it does not find its way back.

How would I debug that? Is tcpdump the way to go or is this not sufficient to check routing issues, but rather for packet inspection? I am not very proficient in the BSD area. Pointing me in the right direction / the right tools to debug this should be enough, as I am willing to learn and get better in managing OPNsense and using BSD. So any tips are very welcome how you would start debugging the current situation that OPNsense can now utilize the Tunnel, but Systems in LAN not, despite getting their IPv6 address and default route to the OPNsense assigned.

Thank you very much in advance :-)

Hello everyone,
I searched the forum and some other bits of the internet and it seems like this setup usually is a no-brainer. But for some odd reason, I cannot get it up and running and I am a bit lost on how to debug this.
I got myself a /64 prefix from tunnelbroker.net and try to configure it on my OPNsense. Although on my end all lights show up green / up, I cannot even ping the remote end of the tunnel.
What I did is what is in the documentation here: https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html.
I ended up having a gif Interface in the interface overview which shows up and the correct IPv6 addresses.
Also in the gateways, I made sure the tunnel is the default IPv6 gateway.

ifconfig shows me that the interface is there with the correct prefix length:
```
gif0: flags=1008051<UP,POINTOPOINT,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1280
        description: IPv6Tunnel (opt7)
        options=80000<LINKSTATE>
        tunnel inet 1xx.x.x.9 --> 216.66.80.30
        inet6 fe80::aab8:e0ff:fe03:fec5%gif0 prefixlen 64 scopeid 0xf
        inet6 2001:470:xxxx:xxx::2 prefixlen 64
        groups: gif
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```
netstat -rn6 shows me that the IPv6 tunnel is indeed the default gateway:
```
Routing tables

Internet6:
Destination                       Gateway                       Flags         Netif Expire
default                           2001:470:xxxx:xxx::1          UGS            gif0
```

But I cannot ping the other end of the tunnel. All "local" IPv6 addresses work. Even when configuring SLAAC, my clients get valid IPv6 addresses and up until the LAN interface on the OPNsense I can ping all hosts. It just seems like nothing wants to go through the tunnel.
But if I look at the live view and filter the destination IP I am trying to ping, it shows no blocked traffic... quite contrary, it shows that the packet was sent through the tunnel interface.

And this is where I am lost now... I have the impression that all interfaces are configured correctly and that the route for IPv6 traffic into the tunnel is honored. Tunnelbrocker.net is a free service and I want to make sure I have checked everything on my side before trying to open a ticket and ask them for help. Is there anything else I can do to debug if I have a problem on my end?

Ooooh, now it dawns on me! So static mappings are not used to reserve specific IPs within the range for systems, but they are put on top (and outside) of the range. That's it. As I hoped... total User error on my side. Thank you very much for helping me! :-)

Hi everyone,

I am pretty sure there is something I am doing wrong and you can point me in the right direction.
I run OPNsense 24.7.5_3-amd64 and utilizing ISC DHCPv4 to handle my LAN IP Pool.
It is set to hand out IPs in the range of 10.0.0.100 to 10.0.0.150. Within that range, I configured a static mapping to one of my devices MAC address, so it always will get the 10.0.0.149 address.

For whatever reason, every new system or VM I join to the network gets the 10.0.0.149 address. It feels like instead of picking one of the other 49 free addresses, it gives out the Static one on purpose and not by accident. But I can not wrap my head around why this is.

Attached is a Screenshot of the current situation. The Host "BOEXLE" is the one with the correct MAC and the static reservation. I spun up a Container on another system and it gets the .149. Yesterday I spun up a KVM VM on one of my other hosts and it got the .149 too. I do not understand why this is. I thought reserving a IP within the pool for a specific MAC should prevent from handing out this IP to another system.

Can you go up in power and find a used HP T740? Then you can install the card of your choice.

That sounds very tempting, but I only can find those new over here and to be honest: I do not want anything with a fan that runs 24/7. That stuff will sit right on my desk where I also work everyday. I already regret that I bought a (really very silent, but still there´s a fan) Lenovo Ideacentre Mini 5 as my Server and not paid a little bit extra for something fanless. It is not an issue when I use my regular PC for gaming, watching Videos etc, but when I am at work on my Surface (which is dead silent) and concentrating on some difficult tasks, I really appreciate when it is dead quiet here. That barely noticable fan of the Ideacentre is sometimes already too annoying, now that I know what silence is :-)

@newsense
@Seimus
@meyerguru
Thank you to all of you. This is very reassuring and makes it much easier for me to find the right hardware.
I am looking at the new Odroid H4+ by the way, if just the cases were not that ugly ;-) They announced another case for May/June, so I might take a look at that or pick one of the N100 multi-NIC boxes that I see everywhere.

Regarding the ASPM related issues, that was one of the reasons I get so nervous. Looking at the specs and power usage measurements over at Odroid for their H4 (https://www.hardkernel.com/shop/odroid-h4-plus/) pretty far at the bottom there, I have seen that ASPM on / off makes quite a difference in total power usage. With off they claim it uses twice the power than with ASPM on. Sure, in total that is not that much power since the whole unit is very low on power usage anyway, but why give away money you can save ;-) But I am yet to find out if the ASPM + i226-V issue is a general one or only for certain manufacturers / BIOS / UEFI implementations.

When you 3 say you do not have issues with your i226-V NICs, do you know if ASPM is on or off for you?

I am doing my research now for a few days to get the right hardware for a new OPNsense system that should replace my DD-WRT system. I am especially looking for devices capable of 2.5GbE with 2-4 NICs. In that process I have read a log about Realtek NICs and Intel NICs and the issues people have with the i225/i226 NICs.

The problem is, that no matter what devices I search for in that segment (small, fanless, 2-4 NICs, 2.5GbE), there does not seem to be a way around the i226-V NICs. Even on devices that are meant to be used with OPNsense like the Thomas Krenn LESv4, they all use the i226-V NICs.

I also read that some people can get rid of the issues by tweaking the APM features (turning them off), but that defeats the purpose of a low power, low noise Firewall for me (which sits right here on my desk).

Even when reading all the recent posts about which hardware to chose, in the end it seems always to be a device with an i226-V. Like no other thing exists... and I can not find something else with current technology and low energy consumption either.

I was even on the fence to get a Odroid H4+, because of its  super low power consumption but still good performance... well, i226-V again :-) Current CWWK systems? i226-V. Most of the Aliexpress no-name stuff? i226-V or i225 if they are a bit older.