Hello everyone,
I am a new user of OPNsense as I'd like to replace my ISP-provided router with something a little better.
To outline a few details of the install: I am running Proxmox on a standard x86 PC with OPNsense running as a VM. I passed through two PCIe cards (ConnectX-4 and Intel X520) to have 4 physical ports to use. For now, only 1 port of the 2 physical cards is currently used by the ONU (device used to "translate" Ethernet to GPON). Other than that, I added a virtual interface to the Proxmox bridge assigned as LAN, which I'd like to provide internet access to.
Now, my ISP is a little unique, as it is native IPv6. To get access to IPv4, packets are encapsulated over IPv6 and sent to a server owned by the ISP. This corresponds to GIF encapsulation.
The whole chain looks like: [ONU (Physical device)] -> [ConnectX-4 Port] -> [Vlan 836 (assigned as WAN, provides IPv6 connectivity)] -> [GIF (assigned as WAN4, provides IPv4 connectivity)].
After changing the gateway configs to make sure that both WAN and WAN4 are set up as default routes, everything seems to work locally.
When testing directly on the OPNsense GUI (Interfaces > Diagnostics > Ping/DNS Lookup), I can ping and make DNS queries to the internet over both IPv4 and IPv6. I even managed to successfully update my instance of OPNsense.
The problem is, I cannot seem to get NAT working properly. When sending ping requests or DNS queries from a device connected to the Proxmox bridge (and of course with their gateway set to the OPNsense LAN address), I can see the request being translated on the way out to the internet (through packet capture of the physical port) and can even see the request coming back all the way down to the GIF interface, de-encapsulating the response (packet capturing the GIF interface).
And then, nothing. The response from the distant IPv4 server is de-encapsulated by the GIF correctly, but never sent back to the local network. The packet just disappears.
I tried adding firewall rules to all interfaces to allow all possible traffic in all directions, tried to mess with Outbound NAT settings... Nothing did the trick.
While looking at the Firewall Live view, I can't see the responses getting passed or dropped at all, while the original requests are correctly shown as NAT. Also, looking at States and Sessions shows the communication from the local client to the distant server.
Am I doing something wrong?
I can provide more detailed explanations if necessary.
Thank you.
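The troubleshooting approach described in the post (capturing on each hop of the chain and watching where the reply stops) can be done systematically by correlating the captures. The script below is an added example, not code from the post or from OPNsense: it parses tcpdump-style ICMP echo lines captured on each interface, walks the expected path in both directions, and reports the first hop where a packet was not seen. The capture lines, the interface names `vtnet0` (the virtio LAN port on Proxmox) and `gif0`, and the addresses are all constructed assumptions; only the chain LAN -> GIF and the symptom (reply decapsulated on the GIF interface but never reaching the LAN) come from the post. Correlation is keyed on the remote host and the ICMP sequence number rather than the ICMP id, because pf rewrites the id when it NATs echo requests, so the id differs between the LAN and tunnel sides.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style capture lines (assumption: not real captures from
# the post), one list per capture point. "vtnet0 (LAN)" is the virtio port on
# the Proxmox bridge, "gif0 (WAN4)" is the decapsulated IPv4 side of the tunnel.
# Addresses use documentation/private ranges. The LAN capture deliberately has
# no echo replies, reproducing the symptom described in the post.
CAPTURES = {
    "vtnet0 (LAN)": [
        "10:00:00.000100 IP 192.168.1.10 > 1.1.1.1: ICMP echo request, id 4242, seq 1, length 64",
        "10:00:01.000100 IP 192.168.1.10 > 1.1.1.1: ICMP echo request, id 4242, seq 2, length 64",
    ],
    "gif0 (WAN4)": [
        # Source already translated by outbound NAT; pf also rewrote the ICMP id.
        "10:00:00.000300 IP 203.0.113.5 > 1.1.1.1: ICMP echo request, id 51001, seq 1, length 64",
        "10:00:00.020300 IP 1.1.1.1 > 203.0.113.5: ICMP echo reply, id 51001, seq 1, length 64",
        "10:00:01.000300 IP 203.0.113.5 > 1.1.1.1: ICMP echo request, id 51001, seq 2, length 64",
        "10:00:01.020300 IP 1.1.1.1 > 203.0.113.5: ICMP echo reply, id 51001, seq 2, length 64",
    ],
}

# Expected order of capture points for outbound traffic; replies are expected
# to traverse the same points in reverse.
OUTBOUND_PATH = ["vtnet0 (LAN)", "gif0 (WAN4)"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)


def parse_line(line):
    """Parse one tcpdump ICMP echo line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "src": d["src"], "dst": d["dst"],
            "kind": d["kind"], "id": int(d["id"]), "seq": int(d["seq"])}


def index_captures(captures):
    """Map (remote_host, seq, kind) -> set of interfaces that saw that packet.
    The remote host is the only address unchanged by NAT on both sides."""
    seen = defaultdict(set)
    for iface, lines in captures.items():
        for line in lines:
            pkt = parse_line(line)
            if pkt is None:
                continue
            remote = pkt["dst"] if pkt["kind"] == "request" else pkt["src"]
            seen[(remote, pkt["seq"], pkt["kind"])].add(iface)
    return seen


def _walk(path, hops, kind):
    """Return a verdict naming the first hop on `path` that did not see the
    packet, or None if every hop saw it."""
    last = None
    for iface in path:
        if iface not in hops:
            if last is None:
                return f"{kind} never seen on {iface}"
            return f"{kind} seen on {last} but not on {iface}"
        last = iface
    return None


def locate_loss(captures, outbound_path=OUTBOUND_PATH):
    """For each (remote, seq) pair, report where the exchange broke down.
    The request is checked along the outbound path first; only if it made it
    all the way out is the reply checked along the reverse path."""
    inbound_path = list(reversed(outbound_path))
    seen = index_captures(captures)
    report = {}
    for remote, seq in sorted({(r, s) for (r, s, _) in seen}):
        verdict = _walk(outbound_path, seen.get((remote, seq, "request"), set()), "request")
        if verdict is None:
            verdict = _walk(inbound_path, seen.get((remote, seq, "reply"), set()), "reply")
        report[(remote, seq)] = verdict or "ok"
    return report


if __name__ == "__main__":
    for (remote, seq), verdict in locate_loss(CAPTURES).items():
        print(f"{remote} seq {seq}: {verdict}")
```

Run against the constructed captures, every sequence number reports "reply seen on gif0 (WAN4) but not on vtnet0 (LAN)", which pins the loss to the forwarding step after decapsulation rather than to the tunnel or the remote host. Adding a capture point per hop (the VLAN parent interface with `-i` and a filter for the encapsulated IPv6 traffic, for instance) just means appending another entry to `OUTBOUND_PATH` and the matching capture list.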