Messages - zteng

#1
I set up a transparent bridge and found that the outgoing traffic from LAN would have two duplicate firewall logs, out and in, as this GitHub issue says.

Is this normal? The transparent bridge configuration document does not mention this at all. Is this common sense in FreeBSD? How do I set up firewall rules? 

Setting firewall rules in the bridge cannot distinguish the two repeated traffic flows, as there is overlap between the two. 

#2
I installed OPNsense on a PVE virtual machine, set up a transparent bridge, and everything else worked fine.
But there is no log of local IPv6 addresses in the firewall log. I set up the local IPv6 prefix fd00::/48.
Windows on the LAN port gets the address and Wireshark captures local IPv6 traffic, but OPNsense does not.
#3
I found the cause of the problem. Because I installed it in a Proxmox VE virtual machine, I needed to turn on Router Advertisement in the virtual machine settings.
#4
In the firewall log, OpenWrt communicates with port 546 of the IPv6 link-local address of OPNsense through the DHCPv6 protocol, but the LAN firewall log of OPNsense does not have such communication at all.
#5
The problem is that the devices under OpenWrt can update the prefix in time, and OPNsense itself is also updated in time.
Is it because OPNsense did not pass the updated RA notification to its own LAN?
#6
My IPv6 environment is that the upstream OpenWrt obtains the public /60 IPv6 address through the ISP. DHCPv6-PD + SLAAC is configured in OpenWrt.
OPNsense gets a /64 prefix under the OpenWrt LAN. Both OPNsense and OPNsense LAN devices can obtain DHCPv6-PD + SLAAC addresses and can communicate.
 
But when my ISP updated the IPv6 prefix, OpenWrt, OPNsense and other OpenWrt LAN devices can get updates. The OPNsense LAN device still keeps the original prefix, but I see that the prefix displayed by OPNsense LAN has changed.

Restarting the OPNsense LAN device still keeps the old prefix. The firewall has a log showing that the packet the device sent to [ff02::1:2]:547 passed.
Only when you restart the DHCPv6 Server service on OPNsense will the IPv6 DHCPv6 address of the OPNsense LAN device be updated.
After restarting the Router Advertisement Daemon service, the SLAAC address of the OPNsense LAN device is displayed as deprecated. Then restart the device to update the SLAAC address.

I don't know if it's my IPv6 configuration problem or a software problem. Is there any way to troubleshoot it?