Topics - chris42

#1
Hi there,
I started to streamline my setup and use dynamic IPv6 hosts within alias. Next step would be moving my dyndns to opnsense. However when I try to configure this in the advanced option of the dyndns and try to enter the same content I put into the alias for the dynamic IPv6 hosts in the dyndns config, I get the error:

Entry is not a valid partial ipv6 address definition (e.g. ::1000).

Am I using this wrong or is this a bug?

Using 25.7.3_7

Kind regards
  Christian
#2
I am trying to get a simple setup running: Route all traffic through wireguard for a roadwarrior, ipv4 and ipv6.

I got ipv4 working with no issues whatsoever, however ipv6 seems to be more tricky.
The original guide is not very specific with examples and I feel it is missing routes?
https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I also checked this setup, but it seems more to be about reaching local servers.
https://forum.opnsense.org/index.php?topic=36082.0

What I am looking for, is to connect to wireguard and then have all traffic routed through the tunnel. So far I only get so far, that the client is getting ipv4 and ipv6 out of the VPN network. I am not sure, if this is actually needed for the ipv6 part? I would think, that my prefix would extend ipv6s into the tunnel for the calling client and that one would need to route all traffic into the tunnel?
Added complexity: I have a dynamic prefix on the ipv6 of the server.

Anyone knows where to look, to figure out what is wrong or how to set it up?
#3
So the issue I had in 23.7, persists in 24.1: https://forum.opnsense.org/index.php?topic=38109.0

Randomly I wake up to an unresponsive opnsense and the console only prints:
swap_pager: out of swap space
swp_pager_getswapspace(3): failed


It seems to be connected to log2ram and some logspam. This night's crash came only after reactivating log2ram a few days ago.
As written in the other thread, I observed (log2ram deactivated), that DHCP6 seems to crash after some time and then log gets spammed with:
<13>1 2024-03-01T23:05:33+01:00 opnsense.xxx.xxx kernel - - [meta sequenceId="6806"] <7>cannot forward src fe80:b::xxxx:xxxx:xxxx:xxxx, dst xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, nxt 6, rcvif bridge0, outif pppoe1

I am yet not sure why DHCP6 crashes? I am only running it on my WAN interface. Also I do not see any logging options for DHCP specifically? Is there a way to activate it somewhere?

Kind regards
  Christian
#4
Hi there,
I have a weird phenomenon. OPNsense works fine for about a week, but then it completely becomes unresponsive. No routing, no webUI, nothing.
Have to log in via serial console. On there, I get only the following message repeated:
swp_pager_getswapspace(2): failed
swap_pager: out of swap space


I am not sure, if out of swap is the error causing this or a result of another error (e.g., then filling up the logs).
Not sure on how to analyze this properly. Any ideas?

Kind regards
  Chris
#5
Hi there,
I have a bit of a trouble pinning down an issue.
Configured IPv6 and normally it was working on 2 interfaces. A LAN with physical connection and a WLAN_GUEST, based on a vlan coming from an access point.

I get an IPv6 from my ISP and a /56 prefix. Can easily ping IPv6 addresses from opnsense.
Also I get IPV6 working in the WLAN_GUEST. Devices get an IPv6 and can communicate with websites on that.

But for some reason devices in the LAN are not getting any IPv6. I compared all the configs and they seem to be the same.
Only difference is the different Prefix ID.

I know IPv6 was working in LAN before but I have no clue on how to debug this now. Does anyone have a hint?

Kind regards
  Chris
#6
Hi there,

after some time my connectivity gets lost. I need to then connect via serial console and reload all services. When doing so the box crashes with a panic.
After rebooting, I get a crash reporter offering me to send a report. However the report contains quite a bit of personal information. So where is this sent to? Any open space, like forum or github issue?

Kind regards
  Christian
#7
Hi there,

while trying to get IPv6 working (again), I figured, that after reboot, my WAN and LAN interfaces do not get an IPv6. I need to reload the WAN interface to trigger IPv6 for the WAN and LAN interface.

Working on 20.7.4 with following WAN configuration:
- IPv4: PPPoE
- IPv6: DHCPv6
DHCPv6 client configuration:
- Request only an IPv6 prefix: not set
- Prefix delegation size: 64
- Send an IPv6 prefix hint: set
- Use IPv4 connectivity: set
- Use VLAN priority: Disabled

Any idea what this could be? Let me know if I can provide specific logging.
#8
19.7 Legacy Series / DHCPv6 static IPv6s not dished out
September 28, 2019, 01:51:23 PM
I am setting up a DHCP6 + SLAAC LAN network
- I am receiving a /56 prefix from my provider
- My LAN is configured within IPv6 to track interface with manual adjustments
- I left the RA settings alone
- DHCPv6 is configured to dish out IPv6 in a range from ::2:0:0:10 to ::2:0:0:0:ffff
- DHCPv6 is configured to dish out one static IPv6 (::2:0:0:9) identified by DUID

This setup seems to partially work as IPv6 via DHCP and routing information via RA is sent out to the clients. However the static IPv6 is not correctly sorted. The system with the DUID requesting an IPv6 is getting one out of the dynamic pool. (I tried to manually set the static lease and use the +)

Has anyone got the static lease working or knows how to debug it?

BTW: I am using OPNsense 19.7.4_1 (amd64, LibreSSL)
#9
Hello,

I have several VLANs running on my Opnsense and have set up Unbound as a DNS forwarder.
For my local LAN I have additionally set up an override for the machines running in it. Accordingly, unbound returns local addresses instead of global addresses.

However, unbound now does this in VLANs other than my local LAN as well, e.g. the guest or IoT network. Can I configure somewhere in unbound that the override applies only to a specific VLAN? (Without completely disabling unbound for the other VLANs?)

Thanks
  Chris
#10
Hi there,

is there a possibility to add IPv6 DNS entries to unbound on Opnsense and the firewall configuration? Similar to a dyndns option?

To explain a bit further what I am looking for (might be a completely different solution possible):
I have a docker setup behind Opnsense in which multiple containers will spawn which have outside access. I am able to update my regular DNS via dyndns, hence making them reachable. However within Opnsense the IPv6 of the containers are not known. As I see the configuration, I could delegate a prefix or use DHCP for the docker host, but would never be able to know the IPv6s of the containers.
Therefore I cannot configure the Opnsense firewall per container but only for a delegated subnet. Now out of IPv4 that would not have been a problem, as docker would only expose configured ports for a container via the NAT configuration. With IPv6 this is different, as - no NAT - all ports are exposed.
Hence I need to setup extra IPv6 filtering for each container on the docker host.

tldr;: What I am looking for:
Basically the possibility to have a central firewall in Opnsense
- register IPv6 of each container similar to dyndns in Opnsense, e.g. unbound
- access registered container in firewall to use as targets in rules
- trigger mechanism, as when container IPv6 is updated to reload firewall rules.

Anyone has an idea, if this is remotely possible?
#11
Hi there,

I observed an odd behaviour on my laptop regarding the privacy extensions for IPv6. I correctly get a global dynamic IPv6 with lifetime 14400. However every few seconds the counter on the lifetime is reset to 14400, basically converting the temporary address into a fixed one.
I started a tcpdump and could observe, that the reset happens when a router advertisement for my prefix is received:

12:27:12.631357 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::1:1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
hop limit 64, Flags [other stateful], pref medium, router lifetime 30s, reachable time 0s, retrans time 0s
  prefix info option (3), length 32 (4): a:b:c:d::/64, Flags [onlink, auto, router], valid time 86400s, pref. time 14400s
...


This has the 14400 seconds in there as well. Hence I assume that the router advertisement is resetting the ip configuration.

Question is now what to do, to have privacy extensions working again? Is it some configuration in opnsense or on the laptop?

Thanks
  Chris
#12
Hi there,

I think I managed to setup my IPv6, so that it receives a prefix from my provider and this is distributed into the network.
I am using on my LAN interface the track interface option for IPv6. As I am no IPv6 expert, tracking somewhat would imply for me that Opnsense would know about the IPv6s being used in the network?

Is the prefix distribution handled like an IPv4 DHCP, hence the IPv6 is dished out by the DHCPv6 or is it a mere information service about prefix and DNS and the IP is determined by the client?

If the IPs get dished out, I would expect to see a lease or something similar in Opnsense? If it is not being dished out, is there some sort of monitoring possible? Coming out of an ipv4 world, it feels a bit weird to be blind on the router of what is happening in the LAN.

Regards
  Chris