Topics

Trying to make this work with my on-prem K8s ingress.

The scenario is
- k8s cluster that peers with opnsense via BGP (and FRR of course)
- service subnet advertisement is done with a ULA subnet (and ingress pinned to a static LB IP)
- All hosted on a separate VLAN

Target setup
- Use NPTv6 to direct all external traffic to that specific ULA ipv6 address

Questions
- what are my settings for nptv6?

I've tried it and I *think* it should listen to the K8s vlan interface since that technically has an ipv6 address (courtesy of track interface), then internal should be...the entire ULA ipv6 address? And then lastly track interface being my K8s vlan interface yes?

When doing that it says "not listening on that interface" but selecting WAN as the interface works (maybe I misunderstand but I feel like that would be wrong but maybe it still is the right choice as providing all the actual external traffic.)

Then lastly I'd set up dynamic DNS to query the IP for traffic on the K8s vlan interface (like the rest I do, just with listening to that interface instead.) Or should that also be on WAN?

Apologies. I've looked but seems there is not a lot of info out there via blogs/videos and the opnsense docs have me confused just a bit (my lack of knowledge, not their lack of detail.)

I could be wrong because I honestly did not know of this before this version but it's not working for me. I'm unsure if it's specific to this version or not.

I made sure I have no errors in the new blocklist features and I've reloaded it since then but have NOT rebooted yet.

I see "Cannot read properties of undefined (reading 'total')" in the dev tools on the page. I have let it go a couple hours since fixing the issues with dnsbl of unbound.

One thing I will note is that I store /var/log in RAM to avoid excessive writes to my NVME. Will that at all affect the operation of the reporting? In Services-Unbound-Logging I see all the logs clearly. In Reporting-Unbound DNS I have nothing on Overview nor anything in the Details tab. I've enabled/disabled it and cleared the stats for it but no change over several hours.

Not a huge deal- just would prefer to have some nicer tools to look at what is going on vs. parsing through logs on Loki.

Edit- along with this, I get weird errors every few weeks it seems that generate crash reports. At first I thought it was something AMD related but maybe not. I debated trying opnsense-bootstrap which, to my understanding, wipes out all the opnsense stuff and reinstalls it from scratch (while somehow not wiping the config?) So I could run that, reboot, and it reinstalls all my plugins and keeps my config? I'm not above doing that or reinstalling if necessary but have never done so and have a lot of config done (multiple VLANs, multiple WG tunnels, policy tagging, etc. etc. that I absolutely do not want to set back up in case of issues.)

It seems to me (based on looking at the key usage specs) that CAs generated by opnsense are not designed to be used with revocation?

I ask this because I've had an old CA and am standing up a new one and see that my CAs are listed under revocation but are unable to export a CRL. Ones I've imported from a vendor or two are able to but clicking on the export button or anything else for mine does nothing.

Also, unsure but the docs say to click the "+" button to add one but I see no button like that on mine. Changed the theme back to the included stock "opnsense-dark" and still didn't see it.

I am planning out my migrations from ISC DHCP to dnsmasq as my install shouldn't need all the bells and whistles of Kea.

The question I am running into is what the 1:1 match is for router advertisement modes from the old ISC implementation (Services-Router Advertisements) to dnsmasq (dnsmasq-DHCP Ranges-RA mode). Hoping this also serves as a clarifying post for people who come after me (I searched and didn't find what I needed.

dnsmasq

```
ra-only tells dnsmasq to offer Router Advertisement only on this subnet, and not DHCP.

slaac tells dnsmasq to offer Router Advertisement on this subnet and to set the A bit in the router advertisement, so that the client will use SLAAC addresses. When used with a DHCP range or static DHCP address this results in the client having both a DHCP-assigned and a SLAAC address.

ra-stateless sends router advertisements with the O and A bits set, and provides a stateless DHCP service. The client will use a SLAAC address, and use DHCP for other configuration information.

ra-names enables a mode which gives DNS names to dual-stack hosts which do SLAAC for IPv6. Dnsmasq uses the host's IPv4 lease to derive the name, network segment and MAC address and assumes that the host will also have an IPv6 address calculated using the SLAAC algorithm, on the same network segment. The address is pinged, and if a reply is received, an AAAA record is added to the DNS for this IPv6 address. Note that this is only happens for directly-connected networks, (not one doing DHCP via a relay) and it will not work if a host is using privacy extensions. ra-names can be combined with ra-stateless and slaac.

ra-advrouter enables a mode where router address(es) rather than prefix(es) are included in the advertisements. This is described in RFC-3775 section 7.2 and is used in mobile IPv6. In this mode the interval option is also included, as described in RFC-3775 section 7.3.

off-link tells dnsmasq to advertise the prefix without the on-link (aka L) bit set.
```

So I am wondering if my translation is right as I am using unmanaged currently on ISC-

(dnsmasq / ISC )
- ra-only = unmanaged (will basically serve DNS servers but clients use SLAAC for addressing)
- slaac = assisted
- ra-stateless = stateless DHCP
- ra-names = NA - seems an additional option you can use with slaac to resolve names for both v4 and v6 addresses on the same network
- ra-advrouter = router only?
- off-link = or this is router only?

I'm mainly interested for my use case in unmanaged. What this did for me in ISC was
- SLAAC addresses
- doled out DNS servers
- doled out a ULA prefix for clients

I didn't need dhcpv6 and it properly allowed clients to use ipv6 DNS which did ad blocking, etc. via unbound. Looking to replicate the same for dnsmasq. Apologies for formatting. I am trying to see about doing it a little cleaner.

I've reasoned about this a bit and can't get it.

I used the road warrior setup for wireguard. The idea being that I could use mainly mobile phones to connect back home and get all the benefits of ad blocking, LAN access, etc.

While at home, I can confirm that adblocking and such works just fine though I will note that I run only IPv4 on my main wifi VLAN. That DHCP server offers up my main LAN IP as the sole DNS provider.

For wireguard, I followed the guide all the way through 5 (so I have a WG interface.) I can see the rule automatically added in NAT outbound.

• 
  Firewall rules for the WG interface
  block ipv6
  (linked NAT port forward ---> IPv4 tcp/udp * * dst ! LAN_ADDRESS on 53 )
  IPv4 tcp/udp * * 127.0.0.3 53

That loopback is a new interface that I created and unbound listens on.

Now...in my wireguard configs I set my main LAN_ADDRESS as the sole dns server. DNS is NOT set on wireguard local (server) portion and disable routes is unchecked.

I can use termux and do nslookup on known domains that are redirected to 0.0.0.0.

nslookup 2no.co 8.8.8.8

Returns 0.0.0.0 and I can see in the unbound logs that it answers that itself. I can't seem to understand just how ads are getting in then.

If I open a game I can see via PCAPdroid that it's looking for certain domains and some are blocked, some aren't. It can be the same domain and one attempt is "error" and one is succeeded. Usually takes 15 seconds for the first ad to get through but then it's constant.

I feel like I'm missing something but can't see what. Anyone else have this going without issue?

Edit- apologies if it's a little scattered. I can provide any more info on request. Just not sure where to look at this moment.

Trying to configure GeoIP and am unsure what I am doing wrong.

I'm trying to make my firewall aliases smaller by selecting the countries I want to allow then just inverting them.
So I've selected maybe 15 countries and made a GeoIPv4 alias (only IPv4 entries).

I then go to make a rule on my LAN with
- reject
- ipv4
- in
- destination ! GeoIPv4

This does not work. It seems to just block any and all traffic on the LAN. I've upped the max firewall entries from 400k to 800k, recreated the alias etc. and nothing seems to work. My only real thought is I either need to make it out direction OR make a newer alias including GeoIPv4 and LAN in one (so I can hit my dns, etc.)