Messages

1

German - Deutsch / Re: gleiches Netz direkt auf NIC und tagged über 2. NIC möglich?

« on: May 29, 2020, 01:59:14 am »

Man muss die VLANs wie gesagt nicht nur anlegen, sondern auch assignen und enablen. Erst dann stehen sie auch bei der Bridge-Erstellung zur Auswahl. Das gilt für physikalische Interfaces übrigens genauso.

2

20.1 Production Series / Re: haproxy for ipv4 and ipv6 to ipv4; ipv6 doesnt work?

« on: May 27, 2020, 03:07:40 pm »

Another user reported similar issues with a Deutsche Telekom DSL line on the German forum:
IPv6 auf WAN nicht erreichbar
Maybe you can work on this together. I don't have a PPPoE line so I can only guess.

3

20.1 Production Series / Re: Unable to get dpinger to work on WAN ipv6 link local address

« on: May 26, 2020, 11:56:46 pm »

To really know for sure I would need to put a wireshark on the interface but I don't have that as an option here, lacking a switch to allow it.

Interfaces / Diagnostics / Packet Capture is your friend.
Generated .cap files can be analysed with Wireshark.

4

20.1 Production Series / Re: Is there a way to Edit DHCPv6 configuration

« on: May 26, 2020, 11:09:34 pm »

As suspected: Was broken for track interfaces. Fix:

opnsense-patch e20c705

Cheers

Maurice

5

20.1 Production Series / Re: Is there a way to Edit DHCPv6 configuration

« on: May 26, 2020, 10:34:06 pm »

I would like to test if it is possible to get the DHCPv6 server to only provide "other" information such as DNS without assigning addresses.

That should be possible. Support for this use case was added some time ago.

the line with the "range6" weirdness is not liked by the DHCP.

Indeed, that's phony.

From reading Linux documentation, the correct configuration for Stateless is to completely delete the range6 line and it should work.

That's 100% correct and this is how it should be here, too.

When I edit the file manually it puts it back in and dies.

Yeah, manual edits won't stick.

Is this a tracking interface? Franco added the option to leave the DHCPv6 range empty some time ago and I tested this back then. But it might be possible that it was only ever tested with static interfaces. I'll check.

Cheers

Maurice

6

20.1 Production Series / Re: haproxy for ipv4 and ipv6 to ipv4; ipv6 doesnt work?

« on: May 26, 2020, 07:12:54 pm »

To approach this from a different angle: Can you access any IPv6 service running on OPNsense from the Internet? VPN, SSH, ...?
If you're not sure, you could e. g. allow SSH access from the Internet for testing.

7

German - Deutsch / Re: IPv6 auf WAN nicht erreichbar

« on: May 26, 2020, 07:02:52 pm »

Du könntest mal schauen, ob die angezeigte Gateway-Adresse hier überall die gleiche ist:

- System / Gateways / Single
- System / Routes / Status (IPv6-Default-Route)
- Interfaces / Overview (WAN)

Grüße

Maurice

8

20.1 Production Series / Re: No ping from WAN to OPT1 (outbound NAT is disabled)

« on: May 26, 2020, 03:23:49 pm »

Most likely yet another case of the fantastic default reply-to behaviour. Disable reply-to in Firewall / Settings / Advanced and you should be good.

For some fun reading, you might want to search the forum and / or GitHub for "reply-to"...

Cheers

Maurice

9

General Discussion / Re: DHCP registration with subzones for multi subnets.

« on: May 26, 2020, 12:04:07 pm »

Is it even possible to setup this in that way?

Unfortunately not. Per host domains are possible by using DHCP static mappings, but per subnet domains for dynamic leases are currently not supported.

Cheers

Maurice

10

20.1 Production Series / Re: Force Internal IP over specific gateway

« on: May 25, 2020, 05:10:36 pm »

Is there any solution ...

Yes. (*)

... or is it time to put my Cisco 1900 back in service ?

Your choice.

Cheers

Maurice


(*) Add the PBR rule to the interface the server is connected to and make it an in-rule.

11

German - Deutsch / Re: IPv6 Routing

« on: May 25, 2020, 04:41:53 pm »

Schon richtig, dass die meisten ISPs für das CPE-WAN ein Subnetz verwenden, dass außerhalb des delegierten Präfixes liegt.
Das CPE-LAN-Subnetz ist aber immer ein /64 aus dem delegierten Präfix. Daher kann das CPE nicht das komplette Präfix (hier: /60) an einen anderen Router (hier: OPNsense) weiterdelegieren, sondern maximal die Hälfte (hier: ein /61 des /60).

Jetzt sind wir aber ziemlich off Topic. Der OP hat ja schlicht das Problem, dass das Zwangs-CPE bei der Prefix Delegation Mist baut. Und um eine Fritzbox handelt es sich dabei nicht.

12

20.1 Production Series / Re: opening WebIF and ssh does not work, hidden pf rules ?!?

« on: May 25, 2020, 12:39:01 pm »

Is the WAN a DHCP interface? Is the host you're trying to connect from in the WAN subnet? If yes and yes, try 'disable reply-to' in the firewall rules.

13

20.1 Production Series / Re: Track interface different subnet

« on: May 25, 2020, 02:06:10 am »

Downstream PD works with track interfaces. If you get a /56 from your ISP, the downstream PD size is /62 in automatic mode. If this works, but a /60 PD size in manual mode doesn't, then you probably miscalculated the PD range from / to values. You might want to post the output of:

cat /var/dhcpd/etc/dhcpdv6.conf

14

20.1 Production Series / Re: Track interface different subnet

« on: May 24, 2020, 01:03:48 pm »

Advertising a /60 prefix in Router Advertisements would indeed be highly unusual. In OPNsense this could only be done by configuring an interface statically or by using virtual IPs. This prefix would then also be routed correctly.

But you also mention prefix delegation which is a DHCPv6 feature and completely unrelated to prefixes advertised in RAs. As franco mentioned, adjusting the downstream PD size is possible by switching to manual RA & DHCPv6 mode in the interface's tracking settings.

Cheers

Maurice

15

20.1 Production Series / Re: os-acme-client error in 20.1.7

« on: May 23, 2020, 07:50:25 pm »

Already fixed: https://github.com/opnsense/plugins/commit/ee799d8c75f7aaffaee97439c95fd98263eb1b38