Topics - chris42

1
22.7 Legacy Series / [SOLVED] IPv6 working only on one interface
« on: January 19, 2023, 08:26:30 pm »
Hi there,
I have a bit of trouble pinning down an issue.
Configured IPv6 and normally it was working on 2 interfaces. A LAN with physical connection and a WLAN_GUEST, based on a vlan coming from an access point.

I get an IPv6 from my ISP and a /56 prefix. Can easily ping IPv6 addresses from opnsense.
Also I get IPV6 working in the WLAN_GUEST. Devices get an IPv6 and can communicate with websites on that.

But for some reason devices in the LAN are not getting any IPv6. I compared all the configs and they seem to be the same.
Only difference is the different Prefix ID.

I know IPv6 was working in LAN before but I have no clue on how to debug this now. Does anyone have a hint?

Kind regards
  Chris

2
22.7 Legacy Series / Having crash/panic, where is report sent?
« on: November 13, 2022, 07:56:01 am »
Hi there,

after some time my connectivity gets lost. I need to then connect via serial console and reload all services. When doing so the box crashes with a panic.
After rebooting, I get a crash reporter offering me to send a report. However the report contains quite a bit of personal information. So where is this sent to? Any open space, like forum or github issue?

Kind regards
  Christian

3
20.7 Legacy Series / WAN behaviour different on reboot compared to reload
« on: November 12, 2020, 01:56:12 pm »
Hi there,

while trying to get IPv6 working (again), I figured that after reboot, my WAN and LAN interfaces do not get an IPv6. I need to reload the WAN interface to trigger IPv6 for the WAN and LAN interface.

Working on 20.7.4 with following WAN configuration:
- IPv4: PPPoE
- IPv6: DHCPv6
DHCPv6 client configuration:
- Request only an IPv6 prefix: not set
- Prefix delegation size: 64
- Send IPv6 prefix hint: set
- Use IPv4 connectivity: set
- Use VLAN priority: Disabled

Any idea what this could be? Let me know if I can provide specific logging.

4
19.7 Legacy Series / DHCPv6 static IPv6s not dished out
« on: September 28, 2019, 01:51:23 pm »
I am setting up a DHCP6 + SLAAC LAN network
- I am receiving a /56 prefix from my provider
- My LAN is configured within IPv6 to track interface with manual adjustments
- I left the RA settings alone
- DHCPv6 is configured to dish out IPv6 in a range from ::2:0:0:10 to ::2:0:0:0:ffff
- DHCPv6 is configured to dish out one static IPv6 (::2:0:0:9) identified by DUID

This setup seems to partially work as IPv6 via DHCP and routing information via RA is sent out to the clients. However the static IPv6 is not correctly sorted. The system with the DUID requesting an IPv6 is getting one out of the dynamic pool. (I tried to manually set the static lease and use the +)

Has anyone got the static lease working or knows how to debug it?

BTW: I am using OPNsense 19.7.4_1 (amd64, LibreSSL)

5
German - Deutsch / Unbound override per VLAN possible?
« on: June 28, 2019, 02:04:49 pm »
Hello,

I have several VLANs running on my Opnsense and Unbound set up as DNS forwarder.
For my local LAN I have additionally set up an override for the machines operated in it. Accordingly, unbound returns local addresses instead of global addresses.

However, unbound now also does this in VLANs other than my local LAN, e.g. the guest or IoT network. Can I configure somewhere in unbound that the override only applies to a specific VLAN? (Without completely disabling unbound for other VLANs?)

Thanks
  Chris

6
General Discussion / Add local IPv6 to DNS and firewall config?
« on: April 05, 2019, 04:13:08 pm »
Hi there,

is there a possibility to add IPv6 DNS entries to unbound on Opnsense and the firewall configuration? Similar to a dyndns option?

To explain a bit further what I am looking for (might be a completely different solution possible):
I have a docker setup behind Opnsense in which multiple containers will spawn which have outside access. I am able to update my regular DNS via dyndns, hence making them reachable. However within Opnsense the IPv6 of the containers are not known. As I see the configuration, I could delegate a prefix or use DHCP for the docker host, but would never be able to know the IPv6s of the containers.
Therefore I cannot configure the Opnsense firewall per container but only for a delegated subnet. Now out of IPv4 that would not have been a problem, as docker would only expose configured ports for a container via the NAT configuration. With IPv6 this is different, as - no NAT - all ports are exposed.
Hence I need to setup extra IPv6 filtering for each container on the docker host.

tl;dr: What I am looking for:
Basically the possibility to have a central firewall in Opnsense
- register IPv6 of each container similar to dyndns in Opnsense, e.g. unbound
- access registered container in firewall to use as targets in rules
- trigger mechanism, as when container IPv6 is updated to reload firewall rules.

Does anyone have an idea if this is remotely possible?

7
18.7 Legacy Series / IPv6 router advertisements reset privacy extension lifetime
« on: September 17, 2018, 12:33:08 pm »
Hi there,

I observed an odd behaviour on my laptop regarding the privacy extensions for IPv6. I correctly get a global dynamic IPv6 with lifetime 14400. However every few seconds the counter on the lifetime is reset to 14400, basically converting the temporary address into a fixed one.
I started a tcpdump and could observe that the reset happens when a router advertisement for my prefix is received:

12:27:12.631357 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::1:1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
hop limit 64, Flags [other stateful], pref medium, router lifetime 30s, reachable time 0s, retrans time 0s
  prefix info option (3), length 32 (4): a:b:c:d::/64, Flags [onlink, auto, router], valid time 86400s, pref. time 14400s
...

This has the 14400 seconds in there as well. Hence I assume that the router advertisement is resetting the ip configuration.

Question is now what to do, to have privacy extensions working again? Is it some configuration in opnsense or on the laptop?

Thanks
  Chris

8
18.7 Legacy Series / Understand tracking on DHCPv6 with prefix delegation
« on: August 15, 2018, 05:15:13 pm »
Hi there,

I think I managed to setup my IPv6, so that it receives a prefix from my provider and this is distributed into the network.
I am using on my LAN interface the track interface option for IPv6. As I am no IPv6 expert, tracking somewhat would imply for me that Opnsense would know about the IPv6s being used in the network?

Is the prefix distribution handled like an IPv4 DHCP, hence the IPv6 is dished out by the DHCPv6 or is it a mere information service about prefix and DNS and the IP is determined by the client?

If the IPs get dished out, I would expect to see a lease or something similar in Opnsense? If it is not being dished out, is there some sort of monitoring possible? Coming out of an ipv4 world, it feels a bit weird to be blind on the router of what is happening in the LAN.

Regards
  Chris
