Topics - jonf

#1
I followed this tutorial a while back to access my web services from outside my network and it's worked pretty well via IPv4. Now I'd like to enable IPv6 access but I can't seem to get it working. When I run the Qualys SSL server test it works via IPv4, but it gives the message "Unable to connect to the server" under the IPv6 test. I added the IPv6 address assigned to my router to my DNS hostname (should it be the IPv6 address(es) of the web service(s) instead?).

I've assigned static IPv6 addresses to my services and I checked that they can be pinged. I tried adding just a couple of them under 'HAProxy > Real Servers' with their IPv6 addresses and added them alongside their IPv4 server in the corresponding backends just to test it, but I still get the same error (is this the right way to do it?).

I also have the following in my firewall rules (I added the ICMP rules after reading this article):



Have I missed something?

There's something else I've noticed as I write this - if I run the SSL test on the google.co.uk domain:



I see that their IPv6 address seems to have some sort of 'hostname' attached to it as well as the IPv4. Mine only has a 'hostname' on the IPv4 address. Is this also a factor?
#2
Hi,

Just updated to 23.1.1 and I noticed that I don't seem to get an IPv6 address on my WAN. I didn't change any settings before updating. I currently have the following settings for WAN for IPv6:

IPv6 configuration type: DHCPv6
Configuration mode: Basic
Request only an IPv6 prefix: [ticked]
Prefix delegation size: 56
Use IPv4 connectivity: [ticked]


This is my LAN setup for v6:

IPv6 configuration type: Track interface
IPv6 interface: WAN
IPv6 prefix ID: 1
Manual configuration (Allow manual adjustment of DHCPv6 and Router Advertisements): [ticked]


When I go to Services > DHCPv6 > [LAN], it says 'No available address range for configured interface subnet size'. Again I didn't change anything here before updating and it was working previously.

This worked before updating to 23.1.1 so I'm not sure what's happened. Where could I look to troubleshoot why my router doesn't get a v6 address anymore?
#3
Hi,

I currently have a DDNS hostname which points to my IP address and this is currently set up to redirect to one of my Docker containers on my server in the HAProxy settings. I have a second container which I also want to access remotely and I was wondering if I can do this in such a way that I could type a "folder" name after the hostname that would correspond to the container I want to access.

For instance, if I have Docker containers named 'first' and 'second', I would like to be able to type the following in the web browser to access each one respectively:

https://[hostname]/first
https://[hostname]/second

Is this possible in HAProxy?
#4
Greetings,

I have Nextcloud set up on my home server and I want to be able to access it from both inside and outside my network via my DDNS hostname, which I've managed to get working...sort of.

It loads the login page fine if I use Firefox, Chrome or Brave (Chromium-based). But it turns out not all browsers are created equally after all...well either that or my configuration is wrong somewhere.  If I use Microsoft Edge it takes its time to give the error text "ERR_CONNECTION_TIMED_OUT", which is weird since it's now also Chromium-based. I also tested with a couple of mobile browsers including Samsung Internet Browser, SmartCookieWeb (both of which timed out in similar fashion), and Bromite (Chromium-based, this one works).

What could Firefox and Chrome be doing to load it which apparently Edge cannot do? Is this even an HAProxy issue? Any ideas?
#5
22.7 Legacy Series / Question about config backup/restore
November 16, 2022, 01:54:36 PM
I'm investigating the possibility of upgrading the PC on which my OPNsense installation runs for something newer, and I wanted to ask about configuration backups. At the moment I have a few plugins installed and running on my existing setup and wondered whether the plugins (or the record of them being installed) and/or their data get backed up when you create a config backup. Or would I need to manually reinstall/reconfigure the corresponding plugins on any new installation?

When I look at the Restore section under System > Configuration > Backups and open the drop-down menu to choose what to restore, I couldn't see anything mentioning plugins so I wasn't sure if it gets grouped under something else without explicitly listing it.
#6
21.1 Legacy Series / Suricata vs Sensei
February 24, 2021, 11:36:06 AM
I recently heard about this OPNsense plugin called Sensei, which by the sounds of it basically adds all sorts of network protection tools as well as extra web filtering to your installation.  Is this like Suricata on steroids?  Would Sensei replace all its functionality making Suricata unnecessary, or could the two work side-by-side?
#7
I found the following thread on this forum...

https://forum.opnsense.org/index.php?topic=15349.0

...but it's just over a year old so I thought I'd start a new thread to ask my question about this.  Is it possible to use some of the commands in that script to also set a password for the config before downloading, just like you'd set one in the web GUI when manually downloading the config?
#8
I'd like to get an email alert from OPNsense when my WAN connection has dropped and reconnected. As a bonus it would be nice if it could also show me the new IP addresses (v4 and v6) within the email. How could I do this?
#9
Not sure if this is the right part of the forum to ask but here we go...

I recently signed up to NoIP's dynamic DNS service so I could link it up to my OPNsense box.  I notice that OPNsense currently supports linking your IPv4 address to your NoIP hostname, but not the IPv6 address.  I don't know if NoIP's IPv6 service wasn't available at the time NoIP was initially added to the list of providers, or if it's been tested before but not included because of some issues.

In case it's the former I wanted to ask if it could be added, so I guess this thread is sort of a feature request.  If it helps the developers here's a link I found to the details required for integrating their update service into 3rd party products, including the IPv6 related stuff:

https://www.noip.com/integrate/request

I tested this with my own hostname by resetting my broadband connection to get new IP addresses (I have both v4 and v6 enabled), then I copied/pasted their HTTPS update request link (modified with my account details, hostname, and the IPv6 address to be linked) into my browser to see if it updated my hostname's IP address.  It gave a message that said "good <newipv4address>,<newipv6address>".  I then logged into my NoIP account and both the v4 and v6 addresses got updated (maybe because I have both running on my network).
#10
I'd like to try out the Intrusion Detection feature in OPNsense but I see that there are...rather a lot of choices of different rulesets to choose from.  I won't select all of them as I'd assume this would use more resources and possibly block things I don't want blocked.

Does anyone recommend any particular ruleset(s)?  If it makes any difference I'm playing online games quite a lot at the moment and I have a file server which also runs torrents behind my VPN.
#11
Greetings,

I've recently bought a new pico-ITX PC to use as my home router and I've chosen to use OPNsense for this.  When I boot into the DVD ISO image I notice it starts by default in live mode.  I've read it can also be run permanently in such a mode ("embedded", I think?) if you want.  Just out of curiosity, I have a couple of questions about this:

- Aside from reducing the number of read/write operations for certain types of flash media (depending on the user's chosen hardware), would there be any other benefit(s) in running OPNsense this way vs. a more permanent installation (e.g. security-wise)?

- I see that you can install plugins for extra functionality in OPNsense.  If I run it in live mode, are these plugins 'installed' in RAM with the rest of the system, or can they be saved onto non-volatile storage (i.e. to reduce recovery time from a power outage)?

- Would backing up the config in live mode just restore your core settings, or would it also include whatever plugins (or their respective config) you chose?