Messages - niclas

#1
Quote from: niclas on November 14, 2024, 10:42:46 PM
Thanks for your help!!!

Now I understood the problem and also have 2 solutions for it.

I also wrote to the Hetzner support about it, let's see what they think about it.

I will use NAT for now and then try the nd-proxy. After implementing it in production I will write a guide on Hetzner for it.

Thanks and I'll keep you updated on nd-proxy :)

The answer from Hetzner is: "On vSwitch it's not possible to set a MAC for your subnet, but you can add up to 32 MAC addresses (servers) to a vSwitch, so NAT is not needed."

But if you want to use the features from OPNsense like geoblocking or the FireHOL lists etc., you need it.
#2
German - Deutsch / Re: Proxmox on a server with OPNsense
November 14, 2024, 10:53:33 PM
If the VIP already works, the NAT rules are missing.

Simply select "Single Host / Network" as the destination and enter the VIP with a /32 subnet mask.
Then enter the desired ports and the forwarding address. -> Done
If you want to do it properly, also set up an outbound NAT so that the VMs' outgoing traffic also goes out via the respective VIP.

ATTENTION: FW rules / NAT rules with the destination "WAN address" also include the VIPs! So please check that, otherwise the new rule may be overridden...
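The port forward, outbound NAT and "WAN address" caveat from the post above, written out in pf.conf syntax as an added illustration (not the post's own text and not the ruleset OPNsense generates); the interface name igc0, the VIP 2001:db8:1::10 and the VM address fd00:1::10 are assumed placeholders.

```pf
# Added example, not from the post. Assumed placeholders: WAN interface igc0,
# VIP 2001:db8:1::10 configured as an alias on igc0, VM behind the firewall fd00:1::10.
ext_if = "igc0"
vip    = "2001:db8:1::10"
vm     = "fd00:1::10"

# Port forward: the destination is the VIP as a single host (the GUI's
# "Single Host / Network" with a host mask), so only traffic to this VIP matches.
rdr on $ext_if inet6 proto tcp from any to $vip port 443 -> $vm port 443

# Outbound NAT so the VM's own outgoing traffic leaves via its VIP,
# not via the primary WAN address.
nat on $ext_if inet6 from $vm to any -> $vip

# Caveat from the post: an interface name used as an address expands to every
# address on that interface, aliases (VIPs) included. pf applies the first matching
# translation rule, so a generic rule like the following, if listed before the
# VIP-specific one, would catch the VIP's traffic as well:
#   rdr on $ext_if inet6 proto tcp from any to $ext_if port 443 -> fd00:1::20 port 443
# Appending ":0" excludes the aliases and keeps the generic rule to the primary address:
rdr on $ext_if inet6 proto tcp from any to $ext_if:0 port 443 -> fd00:1::20 port 443
```

Check the effective expansion with `pfctl -sn` after loading, since that is where a shadowed VIP rule becomes visible.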
#3
Thanks for your help!!!

Now I understood the problem and also have 2 solutions for it.

I also wrote to the Hetzner support about it, let's see what they think about it.

I will use NAT for now and then try the nd-proxy. After implementing it in production I will write a guide on Hetzner for it.

Thanks and I'll keep you updated on nd-proxy :)
#4
The gateway for IPv6 on a vSwitch is pingable. :)

The Virtual IP of type "Alias IP" also works now (no idea why not last time), but it takes some time to become active...
#5
Quote from: Patrick M. Hausen on November 14, 2024, 09:09:39 PM
Quote from: niclas on November 14, 2024, 08:58:38 PM
Where do I set the aliases? I tried the Virtual IP as I use it on IPv4, but that doesn't work.

Surprises me although I admit I never tried it. Yes, I implied Virtual IP. Should work with IPv4 and IPv6 just the same.

I never used it because that's not how IPv6 is supposed to work. NAT deserves to die.

😂 That's what I wanted, but then the GW thing stopped me. :(

I will try it. The VIP should be pingable if the FW rule for it is set right? (IPv4 is.)
#6
Quote from: Monviech (Cedrik) on November 14, 2024, 09:02:27 PM
Probably in the next minor version.  :)

So 24.7.9

There are 4 settings, check out the man page. It's only 4 settings but it feels rather complicated (at least to me) even though it should be simple. Guess it depends highly on the exact use case.

Ah, found it. Can I do multiple LAN networks? Because I have to put the MAC and IP in the config.
#7
Quote from: Monviech (Cedrik) on November 14, 2024, 08:58:29 PM
Check the previous page, it will come as a normal plugin in the next version. Any tests are highly valuable for documentation purposes. Thanks in advance.

That sounds great! Sounds like it solves my problem without NAT. I will test the plugin when it's out.
When will it come? In v25 or v24.8?

Are there any settings to do or does it work out of the box?
#8
Quote from: Patrick M. Hausen on November 14, 2024, 04:08:22 PM
As an alias address on WAN.

If you want an address on LAN or OPT1, then routing must take place and you must use an entire /64.

I don't know if Hetzner supports routing an additional /64 with a vSwitch. They sure do if you do not use a vSwitch, though.

Where do I set the aliases? I tried the Virtual IP as I use it on IPv4, but that doesn't work.
The plan is to set multiple WAN IPv6 addresses and then do port forwarding and outbound NAT for the servers.
#9
Quote from: Monviech (Cedrik) on November 14, 2024, 04:45:55 PM
I really do not know, the ways it works are all in the man pages. I did a lot of testing and I have read of people who use it here:

https://gist.github.com/MCterra10/7e3930e54db0be10f42dd999e3263560?permalink_comment_id=5178523#gistcomment-5178523

I could not recreate the above mentioned setup yet.

https://man.freebsd.org/cgi/man.cgi?query=ndproxy&apropos=0&sektion=4&manpath=FreeBSD+11-current&format=html

I guess you have to test the potential of it yourself in your environment, but the module seems to have been around for a long while and there are no reports of people who have issues with it. Any (good or bad) reports are scarce...

I will give it a try; if I see it correctly it's experimental at the moment. Will it be implemented as a plugin later? I can try it in a test environment, but not in production at the moment.
#10
Yes, we use a Proxmox cluster and if you want to migrate your VMs / your OPNsense you need to change the IPs if you don't get the IP via vSwitch.

Hetzner only offers public IPs bound to a dedicated server or a vSwitch.
#11
Quote from: Patrick M. Hausen on November 14, 2024, 04:41:18 PM
Will it work the other way round? That would be our setup at Hetzner for hosting - not OPNsense but FreeBSD.

WAN: dead:beef:dead:beef::1/128
WAN GW: fe80::1%igc0 (for example)
LAN: dead:beef:dead:beef::2/64 (bridge for our hosting jails and their default GW)

Kind regards,
Patrick

Yes, I had it like this before, but that only works if Hetzner gives you a MAC that you have to use. As mentioned earlier, because of that they know where to route your subnet.
vSwitches are different. You claim an IP without giving your IP to Hetzner, so the GW doesn't know where to route the rest of the /64 subnet if your WAN only claims a /128. (If I understood it right)
#12
Ah, now I understood the key difference. The subnet I used before was bound to a MAC address, but the new one is not. On a vSwitch you claim your IPv4 and v6, but there is no need for a specific MAC.

How can I bind a second IPv6 from the subnet to the OPNsense?
#13
But if OPNsense doesn't claim the additional subnet, how does the Hetzner GW know that it has to route it to the OPNsense?

If I want to use NAT and give my clients local IPv6 addresses, how can I claim for example ...::4:10 as WAN destination for my client?
#14
So I have to use NAT now if I have a LAN and DMZ that I want to give an IPv6?
Can I use a VIP for IPv6 to give a separate IPv6 on WAN for routing?

Previously the gateway was a link-local on WAN given by Hetzner. So my WAN looked like this: 235:248:241::1 and the LAN and DMZ had something like this: 235:248:241::1:1/123. It worked out of the box.

I'm new to IPv6 so it's a bit complicated for me to understand 😅
#15
I can't influence the upstream GW, because it's managed by Hetzner. Does this mean the OPNsense needs a /64 subnet on WAN?

In my previous subnet the upstream was a link-local address, why didn't this need a route?