Topics - Javier®

#1
25.7, 25.10 Legacy Series / Protocol hopopt
October 24, 2025, 10:16:21 AM
Hello everyone, just one question: why is this protocol not allowed in OPNsense?

RFC2710
MLD message types are a subset of the set of ICMPv6 messages, and MLD messages are identified in IPv6 packets by a preceding Next Header value of 58. All MLD messages described in this document are sent with a link-local IPv6 Source Address, an IPv6 Hop Limit of 1, and an IPv6 Router Alert option [RTR-ALERT] in a Hop-by-Hop Options header.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290407
#2
25.7, 25.10 Legacy Series / Wireguard - Dnsmasq
September 23, 2025, 04:07:51 PM
Hello everyone, I'm trying to configure WireGuard using the IPv6 prefix I received to avoid NAT for IPv6 traffic. I created a WireGuard instance with the assigned prefix and a unique IP address, and automatically, in the Dnsmasq leases, the connected devices switch from LAN to VPN (strange).
VPN is the name of the WireGuard interface.


[Attachment] <--- From LAN to VPN

What am I doing wrong?

Thanks

If it is relevant, I only request the prefix and size,
and I manually configure the prefix ID and interface ID.

#3
25.1, 25.4 Legacy Series / RFC 4890
June 08, 2025, 11:12:53 PM
Hi, would it be a good idea to change the automatically generated rules for RFC 4890?

# RFC 4890, section 4.4
pass quick inet6 proto icmp6 to { (self) ff02::/16 } icmp6-type \
   { 133 134 135 136 141 142 130 131 132 143 148 149 151 152 153 }

This is after martians.

# RFC 4890, section 4.3
pass quick inet6 proto icmp6 icmp6-type { 1 2 3 4 128 129 144 145 146 147 }

Is this a good idea?
#4
Hello, version 2 of Multicast is ICMPv6 type 143. Is it necessary for the proper functioning of IPv6?
FreeBSD doesn't recognize it:

Num  Abbrev.     Description
1    unreach     Destination unreachable
2    toobig      Packet too big
3    timex       Time exceeded
4    paramprob   Invalid IPv6 header
128  echoreq     Echo service request
129  echorep     Echo service reply
130  groupqry    Group membership query
130  listqry     Multicast listener query
131  grouprep    Group membership report
131  listenrep   Multicast listener report
132  groupterm   Group membership termination
132  listendone  Multicast listener done
133  routersol   Router solicitation
134  routeradv   Router advertisement
135  neighbrsol  Neighbor solicitation
136  neighbradv  Neighbor advertisement
137  redir       Shorter route exists
138  routrrenum  Route renumbering
139  fqdnreq     FQDN query
139  niqry       Node information query
139  wrureq      Who-are-you request
140  fqdnrep     FQDN reply
140  nirep       Node information reply
140  wrurep      Who-are-you reply
200  mtraceresp  mtrace response
201  mtrace      mtrace messages
#5
25.1, 25.4 Legacy Series / 25.1.3 released
March 11, 2025, 07:05:16 PM
Hello, I have updated to 25.3.1 and have read the release notes.
fixes the state tracking for ICMPv6 neighbor discovery packets through pf.
I have looked in /tmp/rules.debug

pass in log quick inet6 proto ipv6-icmp from {any} to {any} icmp6-type {1,2,135,136} keep state label "09af71b030142498e74912f2a9231e00" # IPv6 RFC4890 requirements (ICMP)
pass out log quick inet6 proto ipv6-icmp from {(self)} to {fe80::/10} icmp6-type {128,129,133,134,135,136} keep state label "247d6ba2cf9b0caa4e483f8f98f7a480" # IPv6 RFC4890 requirements (ICMP)
pass out log quick inet6 proto ipv6-icmp from {(self)} to {ff02::/16} icmp6-type {128,129,133,134,135,136} keep state label "247d6ba2cf9b0caa4e483f8f98f7a480" # IPv6 RFC4890 requirements (ICMP)
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state label "27d6e2944dd9de7c2bc048c4d1e9ad96" # IPv6 RFC4890 requirements (ICMP)
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {ff02::/16} icmp6-type {128,133,134,135,136} keep state label "27d6e2944dd9de7c2bc048c4d1e9ad96" # IPv6 RFC4890 requirements (ICMP)
pass in log quick inet6 proto ipv6-icmp from {ff02::/16} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state label "9d29c2425a82c03746ea76b6cbdaa92e" # IPv6 RFC4890 requirements (ICMP)
pass in log quick inet6 proto ipv6-icmp from {::} to {ff02::/16} icmp6-type {128,133,134,135,136} keep state label "8f5ab8e9f0470eb9496ed94ec777ecf6" # IPv6 RFC4890 requirements (ICMP)

The rules haven't changed.
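An added example, not part of the original post or of OPNsense: a small audit that parses the generated rules quoted above and lists which ICMPv6 types from the two lists proposed in the "RFC 4890" topic on this page are not passed. The rule lines are abridged from the post (label and comment dropped), the function names are hypothetical, and matching is by direction and destination only, which is a simplification of how pf evaluates rules.

```python
import re

# Rules abridged from the post above (label and trailing comment dropped).
RULES = """\
pass in log quick inet6 proto ipv6-icmp from {any} to {any} icmp6-type {1,2,135,136} keep state
pass out log quick inet6 proto ipv6-icmp from {(self)} to {fe80::/10} icmp6-type {128,129,133,134,135,136} keep state
pass out log quick inet6 proto ipv6-icmp from {(self)} to {ff02::/16} icmp6-type {128,129,133,134,135,136} keep state
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {ff02::/16} icmp6-type {128,133,134,135,136} keep state
pass in log quick inet6 proto ipv6-icmp from {ff02::/16} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state
pass in log quick inet6 proto ipv6-icmp from {::} to {ff02::/16} icmp6-type {128,133,134,135,136} keep state
"""

# Type lists as proposed in the "RFC 4890" topic on this page.
PROPOSED_LOCAL = {133, 134, 135, 136, 141, 142, 130, 131, 132, 143, 148, 149, 151, 152, 153}
PROPOSED_TRANSIT = {1, 2, 3, 4, 128, 129, 144, 145, 146, 147}

RULE_RE = re.compile(
    r"^pass (?P<dir>in|out) .*? from \{(?P<src>[^}]*)\} to \{(?P<dst>[^}]*)\} "
    r"icmp6-type \{(?P<types>[\d,\s]+)\}")

def parse_rules(text):
    """Return (direction, src, dst, set_of_types) for every ICMPv6 pass rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            types = {int(t) for t in re.split(r"[,\s]+", m["types"].strip()) if t}
            rules.append((m["dir"], m["src"], m["dst"], types))
    return rules

def allowed_types(rules, direction, dst=None):
    """Union of types passed in one direction, optionally to one destination."""
    out = set()
    for d, _src, rule_dst, types in rules:
        if d == direction and (dst is None or rule_dst in (dst, "any")):
            out |= types
    return out

def missing(rules, wanted, direction, dst=None):
    """Sorted list of wanted types that no matching pass rule covers."""
    return sorted(wanted - allowed_types(rules, direction, dst))

if __name__ == "__main__":
    rules = parse_rules(RULES)
    print("in, to ff02::/16, not passed:", missing(rules, PROPOSED_LOCAL, "in", "ff02::/16"))
    print("in, any destination, not passed:", missing(rules, PROPOSED_TRANSIT, "in"))
```

The same functions can be pointed at the full text of /tmp/rules.debug, since lines that are not ICMPv6 pass rules are skipped by the regular expression.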
#6
25.1, 25.4 Legacy Series / Policy lo0
February 26, 2025, 06:26:45 PM
Hi, is it possible to return to the policy of lo0 explicitly following?
#7
Hello everyone, with the default firewall rule for ff02::/16 there should be no problem for the firewall to accept ff02::1:ff00:1. I get blocks every two minutes. Would I have to update the network card drivers? Thanks

 block in on igc1: (class 0xe0, hlim 1, next-header Options (0) payload length: 32) fe80::2eb:d5ff:feed:2819 > ff02::1:ff00:1: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:ff00:1

igc0: <Intel(R) Ethernet Controller I226-V> mem 0x80800000-0x808fffff,0x80900000-0x80903fff at device 0.0 on pci2
igc0: EEPROM V2.17-0 eTrack 0x80000303
igc0: Using 1024 TX descriptors and 1024 RX descriptors
igc0: Using 4 RX queues 4 TX queues
igc0: Using MSI-X interrupts with 5 vectors
igc0: Ethernet address: xxxxxxxxxxxxx
igc0: netmap queues/slots: TX 4/1024, RX 4/1024

igc1: <Intel(R) Ethernet Controller I226-V> mem 0x80500000-0x805fffff,0x80600000-0x80603fff at device 0.0 on pci3
igc1: EEPROM V2.17-0 eTrack 0x80000303
igc1: Using 1024 TX descriptors and 1024 RX descriptors
igc1: Using 4 RX queues 4 TX queues
igc1: Using MSI-X interrupts with 5 vectors
igc1: Ethernet address: xxxxxxxxxxxxxx
igc1: netmap queues/slots: TX 4/1024, RX 4/1024

#8
Hello everyone, my ISP sends me an ICMP ff02::1:f00:1, and I have created a firewall rule in WAN to allow it.
If I don't create the rule, my local network soon has no IPv6 internet access.

WAN --- allow --- ipv6-icmp ---- fe80::/10 ---->> ff02::1:ff00:0/104

As RFC 4291 section 2.7.1 states:

Solicited-node multicast address are computed as a function of a node's unicast and anycast addresses. A solicited-node multicast address is formed by taking the low-order 24 bits of an address (unicast or anycast) and appending those bits to the prefix FF02:0:0:0:0:1:FF00::/104.
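
An added example, not part of the original post: the RFC 4291 section 2.7.1 computation quoted above, used to check which prefix covers a destination and which unicast address a solicited-node group belongs to. The function names are hypothetical; HOST_ADDRS mixes the link-local source from the tcpdump line earlier on this page with one constructed documentation address.

```python
import ipaddress

SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")
LINK_LOCAL_MCAST = ipaddress.IPv6Network("ff02::/16")

# First address is the source seen in the tcpdump line on this page;
# the second is a constructed documentation-prefix address.
HOST_ADDRS = ["fe80::2eb:d5ff:feed:2819", "2001:db8::1"]

def solicited_node(addr):
    """Low-order 24 bits of addr appended to the ff02::1:ff00:0/104 prefix."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24)

def classify(dst):
    """Report which of the two multicast prefixes from the posts cover dst."""
    a = ipaddress.IPv6Address(dst)
    return {"ff02::/16": a in LINK_LOCAL_MCAST,
            "ff02::1:ff00:0/104": a in SOLICITED_NODE}

def owners(group, addrs):
    """Addresses from addrs whose solicited-node group equals `group`."""
    g = ipaddress.IPv6Address(group)
    return [a for a in addrs if solicited_node(a) == g]

if __name__ == "__main__":
    for a in HOST_ADDRS:
        print(a, "->", solicited_node(a))
    # The group in the blocked packet maps to an address ending in 00:0001,
    # not to the link-local source address shown in the same log line.
    print(owners("ff02::1:ff00:1", HOST_ADDRS))
    print(classify("ff02::1:ff00:1"))
```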

#9
24.7, 24.10 Legacy Series / [SOLVED] ipv6
December 03, 2024, 06:15:14 PM
Hi everyone, after upgrading to 24.7.10 I get this error.
dhcp6c transmit failed: Permission denied
Before, everything worked fine; now I don't have IPv6.


The problem was that I had rules in NAT that were not good after the update.