Topics - symon

#1
Hello everyone,
in my network I have a custom DNS server that is configured to reply differently based on the host that uses it. My current setup is:


____________________________________________________________________
|                                                                   |
|                             |---------------- Internal Clients    |
|                             |                                     |
|                             |                                     |
------- ISP Router-------- OPNsense Box-------- External Clients    |
|                             |                                     |
|                             |                                     |
|                             |----------------- DNS & Server       |
|                                                                   |
|____________________________________________________________________


The clients, external clients and servers do not share interfaces; they are on VLANs attached to different physical NICs.
My setup is pretty easy: the DNS server has a fixed IPv4 address, and it is announced to all IPv4 clients via DHCP.

On IPv6 I have to track the WAN interface. Since I do this, the default behaviour seems to be that OPNsense announces itself as the DNS server via DHCPv6. This is not what I want, since I want all clients to use the custom DNS server directly. But it seems I cannot announce it, as its IPv6 address will change based on the tracked interface, and I cannot find a way to set it dynamically.

I thought about assigning ULA to all clients manually, but I stumbled upon this discussion: https://forum.opnsense.org/index.php?topic=33902.0 which states that ULA has problems and should not be used.

So I'm curious: what's the correct way to solve this? I thought about using the IPv4 DNS server as the upstream DNS server of OPNsense, but that will not solve my problem, as the DNS server itself is meant to filter based on the requesting host. This won't work if it only sees the gateway doing all the requests.

Thanks in advance
symon
#2
Virtual private networks / IPv6 inside Wireguard
March 03, 2021, 02:11:30 PM
Hello,
I have an OPNsense appliance inside my local network, and since it has limited hardware I am just using it as a VPN endpoint. I opted for WireGuard as the VPN software. This is the network layout:


____________________________________________________________________
|                                                                   |
|                             |---------------- Internal Clients    |
|                             |                                     |
|                             |                                     |
------- ISP Router-------------------- OPNsense Box-----VPN Clients |
|                             |                                     |
|                             |                                     |
|                             |----------------- DNS & Server       |
|                                                                   |
|____________________________________________________________________


The internal ISP IPv4 subnet is 192.168.178.0/24 and the OPNsense VPN net is 10.0.10.0/24.
The ISP router also gives out ULA (since I am running a DNS resolver for IPv6 and the prefix given by the ISP changes every few days). The internal IPv6 net is fd00::/64. Full IPv6 addresses (2001::) are also given out to internal clients, and a /60 prefix is delegated to the OPNsense box.

The wanted scenario is: road warriors should be able to connect via WireGuard, all traffic should be rerouted through the VPN, and internal as well as external services should be reachable via both IPv4 and IPv6. The IPv4 part (the OPNsense box is doing NAT) is working quite well already.

However, I have problems with IPv6. I am really inexperienced with IPv6, so please correct me if I made wrong assumptions.
Since the prefix is rolling, I decided it would be best to give out ULA internally (so the DNS server is always reachable on a fixed address). So I gave the WireGuard endpoint the network fd01::/64. I also added an outbound NAT rule (see picture below). Here are also my configs for the clients:


interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: (hidden)
  endpoint: ip:55916
  allowed ips: 10.0.10.4/32
  latest handshake: 32 seconds ago
  transfer: 76.46 KiB received, 78.96 KiB sent

peer: (hidden)
  endpoint: ip:8886
  allowed ips: 10.0.10.2/32, fd01::10/128
  latest handshake: 1 minute, 55 seconds ago
  transfer: 235.91 KiB received, 2.03 MiB sent

peer: (hidden)
  endpoint: ip:34636
  allowed ips: 10.0.10.3/32, fd01::30/128
  latest handshake: 4 minutes, 51 seconds ago
  transfer: 213.72 KiB received, 1.31 MiB sent


However, no IPv6 access seems to be possible through the connection. The settings on the test client (iPhone) are:


[Interface]
Address = 10.0.10.2/24, fd01::10/64
PrivateKey = [mobile.seckey]
DNS = 192.168.178.2, fd00::2

[Peer]
PublicKey = [vpn-server.pubkey]
PresharedKey = [vpn.psk]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = endpoint_domain:51820


Is there anything wrong with the setup? Or did I maybe mess something up with the network interface names, or did I miss something? How is IPv4 working like a charm where IPv6 does not?

Maybe this helps debugging: I can see in the live view that the firewall lets packets from IPv6 NAT pass. Also (I am currently checking with https://ipv6-test.com) the test says that "DNS6 + IP4" is working. Is it possible that my NAT rule should differentiate between internal and external addresses?
#3
20.1 Legacy Series / IPv6 DHCP Relay
June 28, 2020, 07:37:30 PM
Hello everyone,
I am fairly new to IPv6, so please bear with me as I might just have gotten something wrong. Also, these are my first steps with OPNsense, as I just got a HW instance (TERRA, OPNsense 20.1.7) and am fiddling around.

My setup is the following: I use the OPNsense appliance behind a consumer-grade router (router, switch, wifi... as provided by my ISP) to split the network up into several virtual networks (using VLAN tags and some more switches). So basically it just creates some VLANs, adds a DHCP4 server to each one and then NATs to the outside. This is working very nicely for IPv4.

Now I would like to add IPv6 to my networks (this time no NAT, of course). Sadly the ISP machine does not support prefix delegation, so the WAN interface will receive one IPv6 /64 prefix. This is not enough for multiple subnets.
So my first question is: the correct way to solve this problem without changing the ISP box should be to relay all DHCPv6 requests from the subnets to the WAN net, so that the clients will be assigned /64 prefixes from the upstream router and the OPNsense box can track those to provide appropriate firewalling. Is that correct?

If that is the case: how is this accomplished? The WAN prefix should be changing every now and then, as well as the ISP box's IPv6 address. So what is the correct IP to put in Services->DHCPv6->relay->Destination Server? Also, what are the correct settings for Interfaces->VLANXX->IPv6 Configuration Type?

Or did I miss the whole concept?
Thanks for helping me out.