"
OPNsense 25.1.10 aarch64 packages and sets released.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#2
Tutorials and FAQs / Re: OPNsense aarch64 firmware repository
June 21, 2025, 12:17:03 PM
OPNsense 25.1.9 aarch64 packages and sets released. Includes hotfix 25.1.9_2.
#3
Tutorials and FAQs / Re: OPNsense aarch64 firmware repository
June 13, 2025, 03:21:24 PM
OPNsense 25.1.8 aarch64 packages and sets released. Includes hotfix 25.1.8_1.
#4
Virtual private networks / Re: Unsolicited UDP backscatter towards Wireguard client fills firewall logs
May 29, 2025, 12:10:33 AM
After a successful handshake, the remote peer remembers the IP address and port of your local peer. It keeps sending packets to this address / port until you connect from a different address / port.
#5
Tutorials and FAQs / Re: OPNsense aarch64 firmware repository
May 21, 2025, 05:55:52 PM
OPNsense 25.1.7 aarch64 packages and sets released. Includes hotfix 25.1.7_2.
[Update 2025-05-26]
Hotfix 25.1.7_4 released.
[Update 2025-05-26]
Hotfix 25.1.7_4 released.
#6
General Discussion / Re: IPv4 outbound NAT: usecase for a non /32 translation target
May 18, 2025, 04:32:58 PM
If you have a public IPv4 subnet (like a /28) and not just a single address, you can balance outbound NAT connections across multiple addresses. That's especially useful if you have many clients.
The 'Pool Options' setting specifies how connections are balanced.
Cheers
Maurice
The 'Pool Options' setting specifies how connections are balanced.
Cheers
Maurice
#7
25.1, 25.4 Production Series / Re: KPN FttH DHCPv6 - not working
May 09, 2025, 05:24:05 PM
IPv6 over PPPoE uses Router Advertisements and / or DHCPv6 for addresses, prefixes, DNS and other information. PPP itself (IPV6CP to be specific) is only used for setting up the link (which seems to work according to your log).
So you should take a look at the DHCPv6 logs and the WAN interface information.
If your ISP uses neither SLAAC nor DHCPv6 for assigning a WAN address, you can use the "Optional prefix ID" setting to generate a WAN address from the delegated prefix.
Cheers
Maurice
So you should take a look at the DHCPv6 logs and the WAN interface information.
If your ISP uses neither SLAAC nor DHCPv6 for assigning a WAN address, you can use the "Optional prefix ID" setting to generate a WAN address from the delegated prefix.
Cheers
Maurice
#8
25.1, 25.4 Production Series / Re: Kea DHCPv6 PD range syntax with dynamic prefix
May 09, 2025, 11:37:23 AM
Got it. So currently, dnsmasq can't do downstream PD at all (correct?) and Kea can't handle dynamic prefixes?
ISC it is. ¯\_(ツ)_/¯
Cheers
Maurice
ISC it is. ¯\_(ツ)_/¯
Cheers
Maurice
#9
25.1, 25.4 Production Series / Kea DHCPv6 PD range syntax with dynamic prefix
May 09, 2025, 02:16:38 AM
I gave Kea a try by replicating my ISC DHCPv6 configuration.
ISC (works): PD range from ::80:0:0:0:0 to ::f0:0:0:0:0, PD size 60.
Kea (new): Prefix ::80:0:0:0:0, prefix length 57, delegated length 60.
But Kea doesn't merge the range and instead literally leases 0:0:0:80::/60 to 0:0:0:f0::/60.
Any hints appreciated.
Cheers
Maurice
ISC (works): PD range from ::80:0:0:0:0 to ::f0:0:0:0:0, PD size 60.
Kea (new): Prefix ::80:0:0:0:0, prefix length 57, delegated length 60.
But Kea doesn't merge the range and instead literally leases 0:0:0:80::/60 to 0:0:0:f0::/60.
Any hints appreciated.
Cheers
Maurice
#10
Tutorials and FAQs / Re: OPNsense aarch64 firmware repository
May 09, 2025, 01:44:06 AM
OPNsense 25.1.6 aarch64 packages and sets released. Includes hotfix 25.1.6_2.
[Update 2025-05-10]
Hotfix 25.1.6_4 released.
[Update 2025-05-10]
Hotfix 25.1.6_4 released.
#11
General Discussion / Re: OPNsense - Multi-WAN - established VPN connection still using Tier 2 Gateway
May 08, 2025, 09:31:55 PM
Other states do indeed get killed on failback. I tested this with an SSH session which gets reset when the primary WAN goes up again.
The default route successfully fails back to the primary WAN. WireGuard doesn't seem to be bothered though.
There is no firewall rule which allows incoming connections to the affected wg instance. Also, the secondary WAN is an LTE connection and the ISP blocks all inbound connections anyways.
The default route successfully fails back to the primary WAN. WireGuard doesn't seem to be bothered though.
There is no firewall rule which allows incoming connections to the affected wg instance. Also, the secondary WAN is an LTE connection and the ISP blocks all inbound connections anyways.
#12
General Discussion / Re: OPNsense - Multi-WAN - established VPN connection still using Tier 2 Gateway
May 08, 2025, 08:47:06 PM
Unfortunately, doesn't work for me for WireGuard. It still sticks to the secondary WAN despite the primary WAN going up again. Only restarting WireGuard forces it to fail back to the primary.
Probably not a firewall issue, but a WireGuard issue?
Not using gateway groups, but default gateway switching.
Probably not a firewall issue, but a WireGuard issue?
Not using gateway groups, but default gateway switching.
#13
Tutorials and FAQs / Re: Use os-ndproxy to proxy ISP provided /64 Prefix from WAN to LAN
May 08, 2025, 06:43:08 PM
Just to make sure it's actually a WAN issue (not a LAN issue), I'd try a ping test from OPNsense itself. Source address: LAN interface address, destination address: something on the Internet. This won't work without ndproxy, but doesn't depend on a client in the LAN.
I made sure the interfaces are not in promiscuous mode when testing (no packet capture running).
Are you only testing with physical Intel NICs? So far, I've done all my testing with VMs. Maybe the driver plays a role in this... ND offloading? Just a guess.
I made sure the interfaces are not in promiscuous mode when testing (no packet capture running).
Are you only testing with physical Intel NICs? So far, I've done all my testing with VMs. Maybe the driver plays a role in this... ND offloading? Just a guess.
#14
Tutorials and FAQs / Re: Use os-ndproxy to proxy ISP provided /64 Prefix from WAN to LAN
May 07, 2025, 09:57:13 PM
I did build ndproxy 3.2.1402000_2 and os-ndproxy 1.1 and can't reproduce the behaviour. It just works, without enabling promiscuous mode, joining a multicast group or enabling promiscuous mode for multicast packets (allmulti).
Did you try a ping from OPNsense itself, setting the source address to the LAN interface address (2003:a:1704:XXXX:XXXX:eaff:fe01:3db4)?
Cheers
Maurice
Did you try a ping from OPNsense itself, setting the source address to the LAN interface address (2003:a:1704:XXXX:XXXX:eaff:fe01:3db4)?
Cheers
Maurice
Code Select
hn0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: LAN (lan)
options=80018<VLAN_MTU,VLAN_HWTAGGING,LINKSTATE>
ether 00:15:5d:d2:76:3c
inet6 fe80::215:5dff:fed2:763c%hn0 prefixlen 64 scopeid 0x5
inet6 fd01:2345:6789:abcd::a prefixlen 64
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=121<PERFORMNUD,AUTO_LINKLOCAL,NO_DAD>
hn1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN (wan)
options=80018<VLAN_MTU,VLAN_HWTAGGING,LINKSTATE>
ether 00:15:5d:d2:76:87
inet6 fe80::215:5dff:fed2:7687%hn1 prefixlen 64 scopeid 0x6
inet6 fd01:2345:6789:abcd:215:5dff:fed2:7687 prefixlen 64 autoconf pltime 14400 vltime 86400
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
#15
Virtual private networks / Re: Unsolicited UDP backscatter towards Wireguard client fills firewall logs
May 07, 2025, 02:42:41 PM
WireGuard is essentially stateless and there are no "clients" and "servers", just peers. As long as you don't explicitly disable the WG instances at the remote sites, they're always up. Any traffic directed towards the allowed IPs configured at the remote WG instances will be sent through the tunnels. It doesn't matter whether a WG client on your local site is running or not.
Cheers
Maurice
Cheers
Maurice
