Topics - zbig

#1
25.1, 25.4 Legacy Series / Default pagination setting
February 09, 2025, 02:41:22 PM
I use a huge, high-DPI monitor. OPNsense's defaults of only showing 7 or so entries per page in various places don't work for me. I habitually change these to 20 pretty much every time I click on anything. Is there any way to alter these defaults?
#2
Hello, I'll try to sum up what I'm trying to achieve:

OPNsense box
  • A service running there needs to receive (and respond to) incoming connections arriving via a WireGuard tunnel. Original source (public) addresses of the connecting clients need to be preserved.
  • WireGuard instance (configured using the official plugin) connects to the "gateway server" (see below).
  • Gateway configured in OPNsense and pointing at "gateway server's" WireGuard peer address
  • Floating firewall rule bound to the WG interface applying policy-based routing by means of having its "reply-to" option set to the aforementioned WG gateway

Gateway server
  • An iptables/nftables rule that forwards incoming connections arriving at its public address to OPNsense WireGuard peer address.
    For IPv4: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.11.0.2

Clients on the internet
Hit the gateway server's public IP address and get served the OPNsense-hosted content

It all works great for IPv4: clients are connecting, the service running on OPNsense is seeing connecting clients' original IP addresses despite the connections getting tunnelled over WG. Happy times.

Not much luck with replicating the same functionality over IPv6, though. I basically tried to replicate everything I've done in parallel but using IPv6, just sharing WireGuard instances with IPv4.

What is working:
  • IPv6 pings between OPNsense box's and the gateway server's WG addresses
  • Server process binding on an IPv6 socket, properly responding when being hit from the gateway using OPNsense's WG v6 peer address
  • Clients' SYN packets arriving at OPNsense's IPv6 WG peer address when they try to connect to the gateway server's public IPv6 address

Where it fails:
Although the clients' tunnelled incoming connection requests seem to arrive at OPNsense:

12:43:02.036721 IP6 2600:reda::cted:xxxx:xxxx:4c94.35388 > fd16:eb69:819d::2.8080: Flags [S], seq 2816276090, win 64800, options [mss 1440,sackOK,TS val 4265021634 ecr 0,nop,wscale 7], length 0
0x0000:  6001 241e 0028 0633 2600 3c17 0000 0000  `.$..(.3&.<.....
0x0010:  f03c 95ff feeb 4c94 fd16 eb69 819d 0000  .<....L....i....
0x0020:  0000 0000 0000 0002 8a3c 1f90 a7dc f67a  .........<.....z
0x0030:  0000 0000 a002 fd20 55e1 0000 0204 05a0  ........U.......
0x0040:  0402 080a fe37 10c2 0000 0000 0103 0307  .....7..........

they never get SYN-ACK'ed on any of OPNsense's interfaces, seemingly. As if it wouldn't know what to do with them.

Both WireGuard peers have their AllowedIPs set to 0.0.0.0/0, ::/0. Like I said, I tried to replicate my working IPv4 setup as closely as possible with differences only where needed. As the iptables build I have on the gateway server doesn't seem to support IPv6 DNAT, I used the following nft rule to try to achieve DNAT66 functionality:

table ip6 nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        ip6 daddr 2a01:reda::cted:xxxx:xxxx:e72c tcp dport 443 dnat to fd16:eb69:819d::2
    }
}

Any help greatly appreciated.
Cheers
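For reference, here is an added example (not zbig's own ruleset) of expressing both the IPv4 DNAT from the post's iptables rule and its IPv6 counterpart in a single nftables inet table, with counter rules in the forward hook so one can see whether the DNATed SYNs actually leave towards the tunnel and whether SYN-ACKs come back. It assumes the gateway's public NIC is eth0 (as in the iptables rule) and its WireGuard interface is wg0; the public IPv6 address is a documentation-prefix placeholder, and the OPNsense peer addresses are the ones from the post.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's configuration. Assumed names: public NIC
# eth0 (from the post's iptables rule), WireGuard interface wg0. PUBLIC_V6 is
# a placeholder for the gateway server's real public IPv6 address; OPN_V4 and
# OPN_V6 are the OPNsense WireGuard peer addresses given in the post.
define PUBLIC_V6 = 2001:db8::1        # placeholder (documentation prefix)
define OPN_V4 = 10.11.0.2
define OPN_V6 = fd16:eb69:819d::2

table inet wg_dnat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # IPv4: same effect as "iptables -t nat -A PREROUTING -i eth0 -p tcp
        # --dport 443 -j DNAT --to-destination 10.11.0.2"
        iifname "eth0" meta nfproto ipv4 tcp dport 443 dnat ip to $OPN_V4
        # IPv6 (DNAT66): the inet-table form needs the explicit "ip6" keyword
        iifname "eth0" ip6 daddr $PUBLIC_V6 tcp dport 443 dnat ip6 to $OPN_V6
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Counters only, no drops: "nft list ruleset" then shows whether the
        # DNATed SYNs are forwarded into wg0 and whether replies return.
        iifname "eth0" oifname "wg0" ct status dnat tcp dport 443 counter
        iifname "wg0" oifname "eth0" tcp sport 443 counter
    }
}
```

Load it with `nft -f <file>` and watch the two counters while a client connects. Note that IPv6 forwarding on the gateway is controlled separately from IPv4 (sysctl `net.ipv6.conf.all.forwarding`), so a host that forwards IPv4 fine may still silently drop the DNATed IPv6 SYNs before they reach the tunnel.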
#3
Hello everyone

I know for a fact that this very topic was being discussed in the past but, for the life of me, I wasn't able to find it again.

So, I'm using OPNsense under a hypervisor (moving from vSphere to Proxmox right now) and the quirk that gives me headaches is the fact that when I add or remove virtual network interface(s) on the hypervisor level, FreeBSD's (and thus OPNsense's) IF names (like opt<number>) get reassigned and the whole configuration basically gets FUBAR'd until sorted out manually, with the GF screaming "What's happened to the Internet?" from another room while I do so.

I seem to recall there was some optional tool that allowed one to bind IF name to its MAC address, solving this mess once and for all. Could anyone point me to this, pretty please?

Regards,
Zbig
#4
Hello

I have a case where a couple of clients from my network have to get assigned some non-default DNS servers but I don't want to set up a separate (V)LAN for them. Figured that would be a perfect use case for the DHCP server's "Additional Pools" given how it allows me to carve out a separate pool from the network and configure pretty much everything the "main" pool allows. As there doesn't seem to be a separate "DHCP Static Mappings" section for additional pools, I reckoned I'd just make a regular ("top-level") DHCP mapping, assign an IP from my additional pool there, leave the "DNS servers" fields empty and this way it would fetch the proper DNS IPs from the additional pool's configuration. This turned out not to be the case: the clients in question got assigned the default, system-wide DNS address.

Am I doing something wrong here? If the "main/additional" DHCP pool configurations are not being resolved hierarchically the way I was expecting them to and the additional pools don't offer their own DHCP reservation UI, what is the practical use case for having them in the first place?

Cheers,
Zbig
#5
I use a dual-WAN setup where I have a main cable broadband interface that's backed up by a failover mobile broadband interface and I use default gateway switching for the failover/switch-back. I use several port forward and firewall rules for incoming traffic that are currently assigned to the main WAN interface only. Is there any elegant way of making them apply to both the primary and the secondary WAN that is short of manually duplicating them? Would the use of floating firewall rules and assigning port forwards to both WAN networks do the trick?
#6
22.1 Legacy Series / Console video/text mode
February 02, 2022, 11:18:17 AM
Hello

Is there any way to configure the video mode used in the console on 22.1? Back when using the 21 series, my VMware VM's console output looked like <Exhibit_1>: information-dense, with a nice, small and slim font. But when switched to 22.1 (by means of creating a fresh VM, clean install and XML config import), it is now using 80x25 mode with chunky fonts as per <Exhibit_2>. I can't seem to recall ever manually changing any setting that could be related to that. Also, I was using the os-vmware plugin with 21 as I am with 22.1. Needless to say, it doesn't make me lose any sleep but I'd appreciate any suggestions.

EDITed to add:
Please note the first screenshot (from series 21) got clipped width-wise by the forum software so it doesn't fully convey the difference as seen IRL.

Cheers and thank you for all the great work,
Zbig