Messages

1

16.7 Legacy Series / OPNSense CLI interface on Roadmap?

« on: January 28, 2016, 09:50:54 am »

Hi!

Then MS closed TMG Server development I started searching alternatives, more then 2 years ago
I choesed Vyatta, after some time I falining love into CLI, but after a few months Vyatta was sold to Brocard and Open Source project was closed. I switched to pfSense.

Configuration with CLI is very fast and very easy to edit template config.
After open source project Vyatta was closed, community forked project, now it is VyOS, it based on PERL

If OPNsens has API will it be easy to add CLI?
Or CLI is somewere in roadmap?

2

General Discussion / Re: IPv6 Subnetting and routing from a /48 tunnelbroker network

« on: January 27, 2016, 10:48:43 pm »

Forget to add screenshot with RA config...

3

General Discussion / Re: Switch apinger to dpinger possible?

« on: January 27, 2016, 07:08:00 pm »

Hi!

Problem with apinger only on VMs!
To eliminate this issue only one time provider must be enabled!
On Hyper-V VM


Or ntpd inside VM Guest

If Hyper-V host time wrong even few seconds, guest VM updating time from NTP server, after that VM Integration service adjusting guest VM clock immediately to Hyper-V time value.


And this breaking apinger

4

General Discussion / Re: IPv6 Subnetting and routing from a /48 tunnelbroker network

« on: January 27, 2016, 04:04:25 pm »

So you have the tunnel with the routed /48 at your opnsense and just assign on the different interfaces the appropriate /64 subnets, right? No other routingsetting on opnsense at this point to set? That was the thing I wasn't sure about. Thank you very much.

Hi!
If you not sure, just try


You do all things like in pfSense or other network appliance!
You can do it even with Windows Server!!!

The other thing I won't really understand at the moment is the Prefix delegation range on the DHCPv6 server how this will be used, but that is another question...

You can set RA Subnet on Router Adverstiment tab and turn off DHCPv6, then you must set DNSv6 servers manualy on clients. Or if youre DNSv4 server reply to DNSv6 query - youre done.

Not necessary to set DNSv6 server manualy.

If you want to use IPv6 on Android phone, RA must be turned ON, Android does not recieve IP with DHCPv6 use Router Adverstiment!!!

Or you can set IPv6 manually on all of youre clients like with IPv4

To understand prefix delegation DHCPv6 and RA you must learn IPv6
I have done that long time ago here

5

General Discussion / Re: Switch apinger to dpinger possible?

« on: January 27, 2016, 10:44:20 am »

This is cron job

If at least one gw has ping > 500 service restarted

After yestarday I think that all the problems linked to time issues

Hyper-V is quite fragile when it comes to clocks and NTP, the suggestion from the pfSense forum sounds interesting... have you ever tried to "disarm" NTP by providing an invalid server?

System: Settings: General: NTP server: "no"

I will try this.

Rising Probe Interval to 10 sec of GW also helped

on pfSense same Probe Interval but I have many issues with apinger on different Hyper-V hosts

I will try to rise Probe Interval there...

sorry for my English

6

General Discussion / [SOLVED] Switch apinger to dpinger possible?

« on: January 26, 2016, 06:32:15 pm »

I have same issue in OPNSense like in pfSense
Issue and potiential fix for apinger monitoring of IPv6 GIF interfaces



After apinger restart all ok



Currently I have other issues in pfSense with apinger, I fixed it like this
pfsense 2.1-release - Gateway aPinger broken?

Code: [Select]

<?php
require_once("/etc/inc/service-utils.inc");
require_once("/etc/inc/globals.inc");
require_once("/etc/inc/gwlb.inc");
$log_file = "/var/log/apinger.log";

$log_date = date('d/m/Y H:i:s', time());


$counter = 0;
$a_gateways = return_gateways_array();
$gateways_status = array();
$gateways_status = return_gateways_status(true);

foreach ($a_gateways as $gname => $gateway) {
if ($gateways_status[$gname]) {
$str_data = $gateways_status[$gname]['delay'];
$pos = substr($str_data,0,strpos($str_data, "ms"));
if (floatval($pos) > 500 ) {
$counter++;

}
}
}
if ($counter > 0) {

service_control_restart(apinger,restartservice);
$log_data = 'Counter = '.$counter. ' date: '.$log_date. ' | service restarted!'. PHP_EOL;
file_put_contents($log_file, $log_data, FILE_APPEND);
} 
?>


OPNSense running as guest on Hyper-V host

7

General Discussion / Re: IPv6 Subnetting and routing from a /48 tunnelbroker network

« on: January 26, 2016, 06:09:08 pm »

Hi!

I am not using he.net tunnelbroker any more. My ISP delegated to me native IPv6 /60 subnet

This is my HE Account:


You do it like in pfSense

Building a Tunnel

Enable ICMP
Don't forget to enable ICMP on the WAN interface, if ICMP is blocked the tunnelbroker will not allow a tunnel to be configured. The source IP address on this rule should be the remote endpoint IP of the gif tunnel, or any.


Create GIF Interface
Now navigate to the assign gif interfaces screen on OPNSense where the address information from Hurricane Electric or Sixxs may be entered. Navigate to Interfaces: Other Types: GIF.
The HE or Sixxs Server IPv4 address goes into the gif remote address
The HE or Sixxs Client IPv6 address goes into the gif tunnel local address
The HE or Sixxs Server IPv6 address goes into the gif tunnel remote address

Enter a Description and click Save.


Assign GIF Interface
Go to Interfaces: Assignments and choose the GIF interface to be used for an OPT interface. In this example, the OPT interface is named HE_IPv6. Click Save and Apply Changes if they appear.


Configure OPT Interface

With the OPT interface assigned, the OPT interface may be enabled from the Interfaces menu. Keep IPv6 Configuration Type set to None.


Go to System: Gateways: All
And configure gateway:


If all of the settings were entered correctly and the tunnel broker is working, the gateway will now be listed as online


Set Up LAN for IPv6

Before configuring LAN interfaces split youre /48 subnet to /64 subnets use IPv6 Calculator or etc.
Choose prefered /64 subnet for each LAN interface


Configure interfaces
First LAN




And how much you need
------------


------------



Set Up DHCPv6 and RA

Go to Services: DHCPv6: Server and configure all IPv6 Interfaces
DHCP


RA


Try it out

Check IPv6 addresses



Don't forget to add firewall rules to allow IPv6 on all configured interfaces.