Topics - QuentinC

1
18.7 Legacy Series / IPv6 routing via OpenVPN won't work
« on: June 24, 2018, 06:28:19 pm »
Hello,

I am working on the configuration of a router using OPNsense.
Here is the desired behavior:
- Two internal VLANs: one "direct" and the other "secure".
- Two "WANs": the main one is on the internet (IPv4 & IPv6) and the other is an OpenVPN client (to AirVPN).

I want to redirect the "direct" LAN to the main WAN, and the "secure" LAN to the VPN client.

Here is the issue:
I cannot make this work in IPv6.

Let me explain:
- IPv6 works perfectly for the "direct" LAN, the clients are on a /64 public subnet and the routing is working fine.
- IPv4 works perfectly on both LANs, using NAT with a /24 subnet for the "direct" LAN, and redirect gateway to OpenVPN for the "secure" LAN.

But:
- IPv6 never gets out when coming from the "secure" LAN to the VPN.

Here is what I have found while digging into the issue:
- The VPN client works correctly both in IPv4 and IPv6.
- I can make this configuration work by manually setting IPv6 addresses on the VPN interface (using xxxx:xxxx::1 for the gateway, and the VPN assigned IP for the interface IP).
- It seems that, on VPN connect, the IPv6 settings are not assigned to the interface (like it's done for IPv4).

Am I right?

Thanks a lot,

Quentin

2
18.1 Legacy Series / 1.8.6 / 1.8.7 - LAN IPv6 not working (wrong gateway / mac address ?)
« on: May 11, 2018, 12:12:01 am »
Hello,

I'm using an OPNsense box at home, to provide me two VLANs from my LAN (guests and sandbox VLANs).
I only use one Ethernet interface, where untagged traffic is LAN and two VLANs are defined. Traffic is managed by a Netgear switch. The LAN router is NOT the OPNsense box, but the main home router, on the LAN network.

Everything works correctly in IPv4. LAN computers can reach the OPNsense box correctly. Guest users and Sandbox users access the internet using OPNsense (with the LAN IP as the output IP - NAT on the LAN interface).

I currently have a very strange behavior in IPv6.
I have made a /64 delegation for sandboxed clients. It's working fine. No IPv6 for guest clients.
But I'm not able to reach the OPNsense from the LAN... I can reach it from the WAN, but it seems that the ICMP response for the LAN client is sent to the WAN gateway...

Here is a simple tcpdump capture:
Code:
01:15:51.616287 xx:xx:xx:xx:xx:89 (oui Unknown) > xx:xx:xx:xx:xx:cb (oui Unknown), ethertype IPv6 (0x86dd), length 94: xx::xx:ad47 > opnsense.xx: ICMP6, echo request, seq 460, length 40
01:15:51.616340 xx:xx:xx:xx:xx:cb (oui Unknown) > xx:xx:xx:xx:xx:3c (oui Unknown), ethertype IPv6 (0x86dd), length 94: opnsense.xx > xx::xx:ad47 ICMP6, echo reply, seq 460, length 40
01:15:51.616547 xx:xx:xx:xx:xx:3c (oui Unknown) > xx:xx:xx:xx:xx:cb (oui Unknown), ethertype IPv6 (0x86dd), length 190: fe80::xx:c3c > opnsense.xx: ICMP6, redirect, xx::xx:ad47 to xx::xx:ad47, length 136

Here is how I understand it:
- The LAN client sends the ping request
- The OPNsense box sends the reply to the wrong MAC address (the LAN gateway one), but the correct IP address.
- The LAN router sends an IPv6 redirect to the OPNsense

--> Nothing comes back to the LAN client...

I'm thinking about something wrong in the routing table, but a ping from the OPNsense to the LAN client works...

I'm looking for some ideas about how to diagnose the issue...

Thanks,

Quentin
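
Added example, not part of the original post: one way to check a `tcpdump -e` capture for the symptom described above, an ICMPv6 echo reply whose destination MAC is not the MAC the matching request came from. The sample capture is constructed (documentation prefix 2001:db8::/32, locally administered MACs), and the function and variable names are this example's own.

```python
import re

# Layout of `tcpdump -e` ICMPv6 echo lines, matching the capture format in the post.
LINE_RE = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-f:]{17}) \(oui [^)]*\) > "
    r"(?P<dmac>[0-9a-f:]{17}) \(oui [^)]*\), ethertype IPv6 \(0x86dd\), "
    r"length \d+: (?P<src>\S+) > (?P<dst>\S+?):? ICMP6, "
    r"echo (?P<kind>request|reply), (?:id \d+, )?seq (?P<seq>\d+)"
)

# Constructed sample: seq 460 reproduces the asymmetric reply, seq 461 is a normal exchange.
CAPTURE = """\
01:15:51.616287 02:00:00:00:00:89 (oui Unknown) > 02:00:00:00:00:cb (oui Unknown), ethertype IPv6 (0x86dd), length 94: 2001:db8:1::ad47 > 2001:db8:1::1: ICMP6, echo request, seq 460, length 40
01:15:51.616340 02:00:00:00:00:cb (oui Unknown) > 02:00:00:00:00:3c (oui Unknown), ethertype IPv6 (0x86dd), length 94: 2001:db8:1::1 > 2001:db8:1::ad47: ICMP6, echo reply, seq 460, length 40
01:15:51.616547 02:00:00:00:00:3c (oui Unknown) > 02:00:00:00:00:cb (oui Unknown), ethertype IPv6 (0x86dd), length 190: fe80::c3c > 2001:db8:1::1: ICMP6, redirect, 2001:db8:1::ad47 to 2001:db8:1::ad47, length 136
01:15:52.616300 02:00:00:00:00:89 (oui Unknown) > 02:00:00:00:00:cb (oui Unknown), ethertype IPv6 (0x86dd), length 94: 2001:db8:1::ad47 > 2001:db8:1::1: ICMP6, echo request, seq 461, length 40
01:15:52.616350 02:00:00:00:00:cb (oui Unknown) > 02:00:00:00:00:89 (oui Unknown), ethertype IPv6 (0x86dd), length 94: 2001:db8:1::1 > 2001:db8:1::ad47: ICMP6, echo reply, seq 461, length 40
"""


def find_asymmetric_replies(lines):
    """Return echo replies whose destination MAC differs from the request's source MAC."""
    requests = {}  # (client IP, target IP, seq) -> client MAC seen on the request
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # redirects, neighbor discovery, anything that is not an echo
        seq = int(m["seq"])
        if m["kind"] == "request":
            requests[(m["src"], m["dst"], seq)] = m["smac"]
            continue
        # A reply swaps source and destination relative to its request.
        client_mac = requests.get((m["dst"], m["src"], seq))
        if client_mac is not None and m["dmac"] != client_mac:
            findings.append({"seq": seq, "client": m["dst"],
                             "expected_mac": client_mac,
                             "reply_sent_to": m["dmac"]})
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_replies(CAPTURE.splitlines()):
        print(f"seq {f['seq']}: reply for {f['client']} went to "
              f"{f['reply_sent_to']}, expected {f['expected_mac']}")
```

A hit means the replying host resolved the client's address through a gateway rather than on-link, so its routing table and neighbor cache for that prefix are the next things to inspect.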

3
17.7 Legacy Series / Huge headache trying to configure NAT and Multi-WAN...
« on: August 16, 2017, 06:01:10 pm »
Hello,

I'm trying to configure some port-forwarding on my router without any success...

Here is my situation:
A simple configuration: 1 WAN, 1 LAN to start with.
On top of this, I have one VPN client and one VLAN (over the LAN port) for VPN users.

What I've succeeded in doing:
- LAN users use the default gateway
- VPN VLAN users use the VPN gateway

What I cannot manage to do:
I'm trying to forward some port from the VPN client to one of the VPN VLAN computers. But I'm not able to establish any connection through this port forwarding.

When analyzing TCP dumps, I can see that incoming packets from the VPN client are well forwarded to the VLAN client, but outgoing packets from the VLAN client are going out from the WAN interface!

I can't figure out why this happens, the only rule for VLAN users is the "use-gateway" rule, and it's not respected...

Do you have any ideas about where I can look?

Thanks a lot,

Quentin

4
16.7 Legacy Series / Captive portal not using mac address correctly
« on: December 23, 2016, 01:17:27 pm »
Hello,

I've just set up my OPNsense box.
I have one bridged connection between my LAN and my WLAN for the local network, one LAN for the internet access and I'm trying to set up a guest WLAN.

The wireless network works, but I'm unable to use the captive portal function.

It seems that the way to get the MAC address has changed; in the logs, I get: "h0_wlan2 expires in 1005 sec" instead of the MAC address.

This causes the clients to be disconnected immediately, and they cannot have internet access...

How can I fix this?

Thanks,

Quentin
