Messages

1

21.1 Production Series / Re: THANK YOU

« on: January 30, 2021, 12:55:40 pm »

+1
A big thank you!! Great job!

smooth update, no problems for my config yet

br br

2

20.7 Legacy Series / Re: How to use DNS over TLS in 20.7.3

« on: January 08, 2021, 09:45:53 am »

... and this 'new' topic DoT with ipv6 is already there

https://forum.opnsense.org/index.php?topic=20670.0

However, the interest was unfortunately not too high 

Br br

3

20.7 Legacy Series / Re: How to use DNS over TLS in 20.7.3

« on: January 07, 2021, 03:21:22 pm »

Hmmmm 

Yes, I have ipv6 (what sense would it make otherwise to ask for a DoT ipv6 server??). And yes we are in course to transition towards an ipv6 only set up. And yes according to the spec of Unbound,  DoT should also work over ipv6. The used ipv6 DNS server addresses are valid ones from the DoT providers.

If I would follow your logic, then we would much likely still use Telex for text messaging. Opnsense' great ipv6 capabilities is one of the main differentiator against many other firewalls around.

Br br

4

20.7 Legacy Series / Re: How to use DNS over TLS in 20.7.3

« on: January 07, 2021, 02:48:07 pm »

Hi there,

Thank you very much for this information. So far I can get this working now with all kind of DoT servers with ipv4 addresses.

But as soon as I put under [UnBound DNS]->[Misc] an ipv6 address and restart unbound, my log file gets flooded with

Code: [Select]

unbound[99672]: [99672:1] debug:    rtt=2494
unbound[99672]: [99672:1] debug: servselect ip4 1.0.0.1 port 853 (len 16)
unbound[99672]: [99672:1] debug: selrtt 275
unbound[99672]: [99672:1] debug: sending to target: <.> 2606:4700:4700::1001#853
--> unbound[99672]: [99672:1] error: outgoing tcp: bind: Can't assign requested address
unbound[99672]: [99672:1] debug:    ip6 2606:4700:4700::1111 port 853 (len 28)
unbound[99672]: [99672:1] debug:    ip4 1.1.1.1 port 853 (len 16)
unbound[99672]: [99672:1] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)(see marked line -->)

Any idea how to get this working too?

Thanks a lot

BR br

5

20.7 Legacy Series / unbound - DoT Servers with ipv6 address

« on: December 29, 2020, 09:02:17 pm »

High there,

I have a question around unbound and ipv6 based DNS servers:

I am running my sense behind a fritzbox with Telekom as ISP. The fritzbox acts as a gateway and is talking in ipv6 via Link local addresses (fe80: XXX ....) with the WAN interface of the Sense. I have configured DoT with unbound and from the sense itself, I can query directly the ipv6 addresses of the configured DoT servers. Also all ipv4 queries work fine.

Not so from LAN: when running unbound on debug level 4, I get the following error messages:

Code: [Select]

unbound[99672]: [99672:1] debug: iter_handle processing q with state QUERY TARGETS STATE
unbound[99672]: [99672:1] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)
unbound[99672]: [99672:1] debug: servselect ip6 2606:4700:4700::1001 port 853 (len 28)
unbound[99672]: [99672:1] debug: servselect ip6 2620:fe::11 port 853 (len 28)
unbound[99672]: [99672:1] debug: servselect ip4 9.9.9.11 port 853 (len 16)
unbound[99672]: [99672:1] debug: servselect ip4 1.1.1.1 port 853 (len 16)
unbound[99672]: [99672:1] debug:    rtt=2494
unbound[99672]: [99672:1] debug:    rtt=2915
unbound[99672]: [99672:1] info: sending query: apple-dns.net. DS IN
unbound[99672]: [99672:1] debug: dnssec status: not expected
--> unbound[99672]: [99672:1] error: outgoing tcp: bind: Can't assign requested address
unbound[99672]: [99672:1] debug:    ip4 1.0.0.1 port 853 (len 16)
unbound[99672]: [99672:1] debug: attempt to get extra 3 targets
unbound[99672]: [99672:1] debug:    rtt=275
unbound[99672]: [99672:1] debug:    rtt=376
unbound[99672]: [99672:1] debug:    rtt=376
unbound[99672]: [99672:1] debug:    rtt=2494
unbound[99672]: [99672:1] debug: servselect ip4 1.0.0.1 port 853 (len 16)
unbound[99672]: [99672:1] debug: selrtt 275
unbound[99672]: [99672:1] debug: sending to target: <.> 2606:4700:4700::1001#853
--> unbound[99672]: [99672:1] error: outgoing tcp: bind: Can't assign requested address
unbound[99672]: [99672:1] debug:    ip6 2606:4700:4700::1111 port 853 (len 28)
unbound[99672]: [99672:1] debug:    ip4 1.1.1.1 port 853 (len 16)
unbound[99672]: [99672:1] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)
unbound[99672]: [99672:1] debug: servselect ip6 2606:4700:4700::1001 port 853 (len 28)

When I delete all ipv6 addresses from the DoT list, there is no error message. Obviously, unbound can not contact the ipv6 DNS server from LAN via the gateway (see marked line) - but why ? 

I could imagine that this might be a config issue. Does anyone has an advice for me where to look into?

Thank you very much for your advice

BR br

6

German - Deutsch / Re: IPv6 am Client geht nicht nach Aussen

« on: November 26, 2020, 09:33:49 am »

Deine Gateways sehen komisch aus: Dein ipv6 gateway hat zB schon mal keine IP Adresse (Weder LL noch eine andere)

Wie bekommt denn Deine Opnsense von der Deutschen Glasfaser die ganzen ipv6 Parameter? Wie hast du denn Deine WAN Schnittstelle auf der Sense Konfiguriert? Soweit ich weiß sendet auch die Deutsche Glasfaser einen Präfix

Ansonsten gabs da mal den hier:
https://forum.opnsense.org/index.php?topic=13172.0

Br br

7

German - Deutsch / Re: IPv6 am Client geht nicht nach Aussen

« on: November 25, 2020, 08:03:56 pm »

Routen und gateways brauchst Du, um rauszukommen. Die richtet die OPnsense passend zu Deiner Netzkonfiguration ein.

Verstehe noch nicht so ganz, was da alles an Deinem re0 (=WAN ?!) dranhängt: einmal ein 100.75.... (das ist das Carrier grade NAT der DGF) und einmal ein 185.22. ... wofür ist letzteres?

Kannst Du denn von der OPnsense rauspingen per ipv6? 

Br br

8

German - Deutsch / Re: IPv6 am Client geht nicht nach Aussen

« on: November 25, 2020, 05:36:47 pm »

Hmm ...

da wären noch ein paar weitere Infos sehr hilfreich, um Dir helfen zu können:

• Wie sieht denn die Anbindung aus (NT, Fritz!Box dazwischen, ...)?
• Wie bekommst du denn die IPv6 Adressen im LAN: SLACC, DHCPv6; welche informationen werden weitergegeben damit? (Gateway, DNS Server, ...)
• Hast Du ein ipv6 (default) gateway?
• Welche ipv6 Routen wurden denn eingerichtet?

Fragen über Fragen ...

Die Firewall default Regel aus dem LAN nach WAN ist sowohl für ipv4 als auch für ipv6 'alles durchlassen' - es sei denn Du hast da was anderes dazugepackt ...

Br br

9

20.7 Legacy Series / Re: DNS over TLS with ipv6 forward-addresses - can't get it working

« on: November 12, 2020, 04:38:12 pm »

Hi chris42,

Do you see also this?

https://forum.opnsense.org/index.php?topic=19746.0

Br br

10

20.7 Legacy Series / DNS Servers with ipv6 addresses not usable with LL ipv6 gateway addresses

« on: October 24, 2020, 01:28:05 pm »

Hi there,

after successfully upgrade to 20.7.4 I digged again into an issue which I notified in 20.7.3 already. It seems to be that neither for dnsmask nor for unbound, DNS Servers with ipv6 addresses (as eg configured in System->Einstellungen->Allgemein) can be used as the static host routes for those DNS Servers are not configured properly when the resolve.conf is rebuild.

Reason seems to be that IF the ipv6 gateway address is link local, the route command is misconfigured in /usr/local/etc/inc/system.inc: function system_resolvconf_generate($verbose = false).

There is an error message generated in system.log

Code: [Select]

Oct 24 12:15:43 OPNsense.zuhause.xx opnsense[9135]: /usr/local/etc/rc.newwanipv6: The command '/sbin/route add -host -'inet6' '2001:470:20::2' 'fe80::3ea6:2fff:fe15:9055%'' returned exit code '71', the output was
 'route: fe80::3ea6:2fff:fe15:9055%: Name does not resolve'Note the '%' sign in the 'fe80 ....' gateway address which is either obsolete or (perhaps even better) needs a Zone ID like the WAN interface name which would make the address look like 'fe80::3ea6:2fff:fe15:9055%igb1' as an example.

Such an error message is contained for all configured DNS Servers with ipv6 addresses

Adding a proper zone ID or removing the '%' make these error messages disappear and the ipv6 DNS servers are started to be used (however there may be configs where missing zone IDs are not appropriate)

Not sure whether this is appropriate to be fixed in system.inc here:

Code: [Select]

Line 202 ff
            (...)
            $gwname = $syscfg[$dnsgw];
            if (($gwname != '') && ($gwname != 'none')) {
                $gatewayip = $gateways->getAddress($gwname);
                if (is_ipaddrv4($gatewayip)) {
                    /* dns server array starts at 0 */
                    $dnscountermo = $dnscounter - 1;
                    system_host_route($syscfg['dnsserver'][$dnscountermo], $gatewayip);
                }
                if (is_ipaddrv6($gatewayip)) {
                    /* dns server array starts at 0 */
                                       <--- check/add Zone ID if $gatewayip is LL, similar as eg in system_default_route()
                    $dnscountermo = $dnscounter - 1;
                    system_host_route($syscfg['dnsserver'][$dnscountermo], $gatewayip);
                }
Please let me know whether it is appropriate to open a bug for this on GitHub

br br

11

20.7 Legacy Series / DNS over TLS with ipv6 forward-addresses - can't get it working

« on: October 17, 2020, 11:08:15 am »

Good morning,

I am on 20.7.3. and I am trying to get DNS over TLS working with unbound. Everything works fine as long as I use IPv4 forwarder addresses in the Services->Unbound TLS->Misc which I put eg in the form 9.9.9.9@853.

When I am adding an ipv6 address like eg 2a05:fc84::42@853 and I restart unbound, the ipv4 forward-addresses are still used/working properly, but my /var/log/resolver/resolver.log gets flooded with

Code: [Select]

Oct 17 10:54:33 OPNsense.zuhause.xx unbound[37717]: [37717:2] error: outgoing tcp: bind: Can't assign requested addressNo request to the ipv6 server is then sent indeed. Removing the address and restarting unbound make the error message disappear again.

My resulting /var/unbound/etc/dot.conf looks like

Code: [Select]

server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853
  forward-addr: 149.112.112.112@853
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
  forward-addr: 2a05:fc84::42@853
which looks correct to me

There has been an (pretty much) earlier thread on that error message and DoT
https://forum.opnsense.org/index.php?topic=12301.0
after which the DoT (GUI) functionality has been substantially expanded/refactored, however I use recommended forward addresses for my region.

ipv6 Gateway and Wan addresses are both LL. When I run unbound in debug mode, all queries which try to use

Code: [Select]

outgoing-interface: fe80::XXX:YYY:ZZZ:a21dcreate the error message above.

Has someone an idea what could be wrong here or how to debug this further?

Thanks a lot

Br br

12

20.7 Legacy Series / DoT ipv6 unbound - ipv6 static route error - zone ID missing ?!

« on: October 15, 2020, 09:50:31 pm »

High there,

has someone successfully activated DoT with ipv6 addresses? I tested around and whatever DNS Server  ipv6 address I am using in unboundDNS->misc->DNS over TLS servers, I always get my system.log flooded with
 

Code: [Select]

OPNsense.zuhause.xx unbound[88380]: [88380:0] error: outgoing tcp: bind: Can't assign requested address
When I use only ipv4 addresses all is behaving fine.

Could this be related to the other error message from above?

Br br

13

20.7 Legacy Series / unbound - ipv6 static route error - zone ID missing ?!

« on: October 14, 2020, 07:46:48 pm »

Hi all,

I am just trying to get up DoT with unbound and when I restart unbound after a config change I get the following error message

Code: [Select]

Oct 14 18:44:10 OPNsense.zuhause.xx opnsense[99771]: /services_unbound.php: The command '/sbin/route add -host -'inet6' '2001:470:20::2' 'fe80::3ea6:2fff:fe15:9055%''
 returned exit code '71', the output was 'route: fe80::3ea6:2fff:fe15:9055%: Name does not resolve'
2001:470 ....is one of my ipv6 DNS Servers configured in system->general, while the fe80 address is my ipv6 gateway. I have these lines in the system log file for each ipv6 dns server.

It seems that there is the Zone ID of my WAN interface missing/incomplete.

Any idea how to correct ?

Looking forward to your reply

Br br

14

20.7 Legacy Series / syslog-ng: logging reduced/incomplete

« on: September 28, 2020, 02:24:12 pm »

Hi there,

I updated yesterday finally to 20.7.3 from 20.1.9_1, which ran very smooth on my X11-SBA LN4F Supermicro System. All services came up again, there is one thing left which is syslog-ng.

After the restart I had both syslog and syslog-ng running which I solved by deactivating circular logs. Since then, syslog-ng runs stable. However, not all relevant running services are being logged. According to /usr/local/etc/syslog-ng.conf.d/syslog-ng-local.conf, I should see dedicated directories in /var/log/ for

• configd +
• dhcpd +
• dnsmasq
• filter +
• gateways *
• ipsec
• lighttpd +
• ntpd *
• openvpn
• pkg *
• portalauth +
• ppp
• haproxy/relayd
• routing +
• squid
• suricata
• system +
• syslog-ng +

and some more, containing timestamped log files for the individual services. I assume, that indeed loggers are created only if the corresponding service is running.

Service Logs in table above having a '+' are created and contain logs, lines having a '*' have a running service but no logs are created, no tag in the table means that the corresponding service is not active. Saving the config and restart of the service did not help.

Any idea how to get the missing logs for the running services up?

Br br

15

20.1 Legacy Series / Re: Really a BAD realase.

« on: February 07, 2020, 12:29:50 pm »

  Same here - my complete internal headphone lighting blew up!