OPNsense
Messages - Maurice

1
Tutorials and FAQs / Re: OPNsense aarch64 firmware repository
« on: November 21, 2024, 03:25:51 pm »
OPNsense 24.7.9 aarch64 packages and sets released. Includes hotfix 24.7.9_1.

2
24.7 Production Series / Re: DHCPv6. DNS servers
« on: November 12, 2024, 12:15:46 pm »
Yes, link-local addresses are static. But they can't be routed, so this only works if the DNS server and the clients are in the same LAN.

3
General Discussion / Re: How to NAT behind a single public IP (DIA) without 2nd router?
« on: November 12, 2024, 11:13:04 am »
You can add the additional addresses to the WAN interface using virtual IPs. Then, adjust your outbound NAT rule(s) to use the desired virtual IP.

Cheers
Maurice

4
24.7 Production Series / Re: DHCPv6. DNS servers
« on: November 09, 2024, 12:13:44 am »
Is OPNsense your DNS server (Unbound / Dnsmasq)? Then you don't have to manually enter DNS server addresses in the ISC DHCPv6 settings. If left empty, the interface address will be used.

If your DNS servers are separate machines in your network, then you'll have to use their link-local addresses or deploy ULAs.

Cheers
Maurice

5
German - Deutsch / Re: IPv6 DHCP
« on: November 08, 2024, 11:57:58 pm »
Did you configure the WAN interface statically with the address 2A00:XXXX:XXXX:5700:227C:14FF:FEF5:2EC9/64?
Do pings and traceroutes directly from OPNsense to the Internet work? Even when you explicitly set the source address to 2A00:XXXX:XXXX:5701::1?

It is normal that 2A00:XXXX:XXXX:5700:227C:14FF:FEF5:2EC9 does not show up in the traceroute. OPNsense is only one hop. In traceroutes from the LAN, the OPNsense LAN address (2A00:XXXX:XXXX:5701::1) should be followed directly by the ISP's gateway address (2A00:XXXX:XXXX:5700::1).

Regards
Maurice

6
Tutorials and FAQs / Re: OPNsense aarch64 firmware repository
« on: November 06, 2024, 05:02:30 pm »
Thanks to your little trick, I was able to start building yesterday once you uploaded the packages. ;)
Just had to double-check the commit hashes today and rebuild opnsense-update.

7
Tutorials and FAQs / Re: OPNsense aarch64 firmware repository
« on: November 06, 2024, 03:49:56 pm »
OPNsense 24.7.8 aarch64 packages and sets released.

8
24.7 Production Series / Re: Tayga NAT64
« on: November 06, 2024, 12:39:08 am »
Quote from: Grashopper on November 05, 2024, 12:55:29 pm
The default interface for me was wireguard

That's... interesting. I'll add a hint to the how-to that the NAT rule must be added to the WAN interface. Thanks for the heads-up!

Quote from: Grashopper on November 05, 2024, 12:55:29 pm
>> traceroute6 2001:db8:64:ff9b::8.8.8.8
traceroute6 to 2001:db8:64:ff9b::8.8.8.8 (2001:db8:64:ff9b::808:808) from MyIP6Subnet:dd0f::6464, 64 hops max, 28 byte packets
 1  MyIP6Subnet-dd0f--4646.dynamic6.isp.ropa.net  0.139 ms  0.107 ms  0.062 ms
 2  2001:db8:64:ff9b::c0a8:efff  0.084 ms  0.099 ms  0.069 ms
 3  2001:db8:64:ff9b::1fdc:4201  46.116 ms  4.677 ms  5.398 ms
 4  2001:db8:64:ff9b::c32a:f445  4.283 ms  4.029 ms  3.945 ms
 5  * * *
 6  2001:db8:64:ff9b::808:808  4.284 ms  4.235 ms  4.240 ms

 works - yipie 8)

Glad it works. And by the way, as long as you use Tayga for Internet access only, there's nothing wrong with using 64:ff9b::/96. You just won't see hops with private IPv4 addresses in traceroutes.

Cheers
Maurice

9
24.7 Production Series / Re: Tayga NAT64
« on: November 05, 2024, 12:04:46 pm »
The outbound NAT rule is incorrect. See the documentation:

Go to Firewall ‣ NAT ‣ Outbound, add a new rule, set Source address to Single host or network, enter your Tayga IPv4 Pool, leave all other settings to their default values and save.

So the interface must be WAN (which should be the default setting when adding a new rule) and the source must be 192.168.240.0/20.

Let me know if you think this should be made more obvious in the how-to.

Cheers
Maurice

10
24.7 Production Series / Re: Web GUI certificate with an external CA
« on: November 05, 2024, 11:52:05 am »
System: Settings: Administration: SSL Certificate

Cheers
Maurice

11
24.7 Production Series / Re: Tayga NAT64
« on: November 05, 2024, 11:46:32 am »
Are you sure the 1st hop is your own public IPv4 address? This should be the gateway address.

Do you use hybrid or manual outbound NAT? And can you provide details about the outbound NAT rule you created?

12
24.7 Production Series / Re: WAN Failover: Gateway group does not activate tier 2 Gateway
« on: November 05, 2024, 01:57:06 am »
Gateway groups require policy-based routing to work; they don't change OPNsense's default gateway.

If you want the default gateway to change in case of a gateway failure, you don't need a gateway group. Just enable default gateway switching instead (System: Settings: General).

Cheers
Maurice

13
24.7 Production Series / Re: Tayga NAT64
« on: November 05, 2024, 01:36:46 am »
Quote from: Grashopper on November 04, 2024, 09:16:20 pm
I added the two host overrides for nat64 prefix discovery:
   ipv4only   arpa   AAAA (IPv6 address)   64:ff9b::192.0.0.170   nat64 prefix discovery
   ipv4only   arpa   AAAA (IPv6 address)   64:ff9b::192.0.0.171   nat64 prefix discovery

That's not required. With DNS64 enabled, Unbound synthesizes these just like every other A to AAAA conversion.

Quote from: Grashopper on November 04, 2024, 09:16:20 pm
My traceroute result (via root shell):
>> traceroute6 64:ff9b::8.8.8.8
traceroute6 to 64:ff9b::8.8.8.8 (64:ff9b::808:808) from OneOfMyStaticIPv6Subnet:dd0f::6464, 64 hops max, 28 byte packets
 1  OneOfMyStaticIPv6Subnet-dd0f--4646.dynamic6.isp.ropa.net  0.175 ms  0.131 ms  0.070 ms
 2  * * *
 3  * *^C

The 2nd hop should be the IPv4 NAT64 Interface Address, translated to IPv6. But in your case, this is an RFC1918 address (192.168.239.255) and you're also using the well-known NAT64 prefix (64:ff9b::/96). Under these circumstances, Tayga will refuse to perform a translation.
Just for verification, you could temporarily use a different NAT64 prefix, like 2001:db8:64:ff9b::/96. You should then see a response from the 2nd hop (2001:db8:64:ff9b::192.168.239.255).

The 3rd hop should be OPNsense's upstream IPv4 gateway. If you run traceroute 8.8.8.8, does this gateway actually respond?

Quote from: Grashopper on November 04, 2024, 09:16:20 pm
Do I actually have to assign and enable the nat64 interface and assign the ip4/ipv6 addresses used in the tayga config?

No, this shouldn't be required.

Cheers
Maurice

14
German - Deutsch / Re: Die beste Konfiguration des WAN Anschlusses
« on: November 02, 2024, 12:54:49 pm »
The prefix length that can be set under Router Advertisements only applies to additional routes. As long as you don't manually enter routes there, the /128 has no meaning.

This has nothing to do with the prefix that radvd advertises; that is always the prefix of the LAN interface itself. For SLAAC to work, this must be a /64. With tracking, it is formed from the prefix assigned by the provider and the prefix ID configured on the LAN interface. If the Prefix delegation size configured on the WAN interface does not match the prefix length actually assigned by the provider, the resulting LAN prefix is not a /64. Hence the warning from radvd: "prefix length should be 64".

15
German - Deutsch / Re: Die beste Konfiguration des WAN Anschlusses
« on: November 02, 2024, 12:59:22 am »
As I said, in the WAN configuration (DHCPv6 client) the Prefix delegation size must be set to the size the provider actually assigns. If that is /48, then it must be configured as /48 (and not /56). Then the radvd warnings about an incorrect prefix length should no longer appear.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved