Messages

346

17.1 Legacy Series / Re: Help with IPv6

« on: March 30, 2017, 04:27:29 pm »

A bit more information, I tested pinging between the 3 interfaces on the firewall, LAN/GLAN/WAN, and my Windows server, SRV which is on the LAN network, and these were the results:


LAN > WAN - OK
GLAN > WAN - OK
WAN > LAN - FAIL
WAN > GLAN - FAIL
SRV > LAN - OK
SRV > GLAN - OK
SRV > WAN - OK
WAN > SRV - FAIL
LAN > SRV - OK
GLAN > SRV OK


So the problem could lie with the WAN interface not being able to ping the other interfaces, so any idea where I look to fix that?

347

17.1 Legacy Series / Re: Help with IPv6

« on: March 30, 2017, 02:38:08 pm »

Ok, well I'm now confused.


I just noticed that the WAN IP has changed, just slightly, though things were still the same and not fully working, but now my ISP has finally come back to me with my prefix and it doesn't match up with the IP their DHCPv6 is giving my WAN interface.


So knowing what the ISP is saying is my prefix, is it possible for it to not match the DHCPv6 address I get assigned?

348

17.1 Legacy Series / Re: Help with IPv6

« on: March 30, 2017, 11:05:06 am »

Just an update, it's still not fully working i.e. none of my internal devices can communicate to the Internet via IPv6, but internally everything is working, and the firewall itself is able to send traffic so I don't think it's my ISP.


I've also added a rule to allow IPv6 ICMP from external and that works fine from a test website I found.


Any ideas? Do I need to enable another option somewhere to allow the traffic to from the LAN to the WAN interfaces? The "Default allow LAN IPv6 to any rule" is present and I don't see the traffic being blocked.

349

17.1 Legacy Series / Re: Help with IPv6

« on: March 29, 2017, 10:38:05 pm »

Yes, it seems to be working - all my devices are getting IPv6 IPs now which is nice :-)

Code: [Select]

C:\WINDOWS\system32>ping -6 ipv6.google.com


Pinging ipv6.l.google.com [2a00:1450:4007:812::200e] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.


Ping statistics for 2a00:1450:4007:812::200e:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


C:\WINDOWS\system32>ping -6 2001:4860:4860::8844


Pinging 2001:4860:4860::8844 with 32 bytes of data:
Request timed out.


Ping statistics for 2001:4860:4860::8844:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\WINDOWS\system32>nslookup ipv6.google.com 192.168.1.10
Server:  homer.windowsserver.local
Address:  192.168.1.10


Non-authoritative answer:
Name:    ipv6.l.google.com
Address:  2a00:1450:4007:812::200e
Aliases:  ipv6.google.com

350

17.1 Legacy Series / Re: Help with IPv6

« on: March 29, 2017, 10:14:33 pm »

Quick update as I am making progress:

WAN - working, I can ping ipv6.google.com

LAN - working, I assigned it a subnet, can ping ipv6.google.com

Internal PC - I enabled "Unmanaged" router advertisements for the LAN DHCPv6 server (nothing else changed), I renewed the IPs on my workstation, it gets what looks like two IPv6 addresses based off the subnet assigned (one is designated temp), I can ping LAN and WAN, but I cannot ping ipv6.google.com

351

17.1 Legacy Series / Re: Help with IPv6

« on: March 29, 2017, 09:32:24 pm »

Great, and sorry for all the questions but I was trying things out and nothing works. I'm hoping this thread will be useful to others should they come looking.


When I set an interface to "Static IPv6" the address setting asks for what I assume the "/" number after it (the advanced help is greyed out for this which isn't helpful), so does that mean I assign it the subnet and choose 64? When I do this all I see assigned to the interface is just the subnet.

352

17.1 Legacy Series / Re: Help with IPv6

« on: March 29, 2017, 08:22:04 pm »

Ok got that, so if my IPv6 address is:

2065:456:1:88fd:325:22aa:eda2:2fc4/64

Then would my prefix be:

2065:456:1:88::0/56

And then if I wanted to I can subnet it for example:

2065:456:1:8801::0/64
2065:456:1:8802::0/64
etc

And avoid the one being used by the WAN link i.e.

2065:456:1:88fd::0/64

353

17.1 Legacy Series / Re: Help with IPv6

« on: March 29, 2017, 07:14:24 pm »

I'm trying to confirm what the /56 prefix is that I've been assigned, but I can't figure out how to get the firewall to tell me. Any ideas?

354

17.1 Legacy Series / Re: Not rebooting properly during console upgrade

« on: March 29, 2017, 05:05:16 pm »

Ok, would that also explain why earlier I tried twice to reboot from the console menu, and only when I went to the shell and typed "reboot" did it actually reboot?

I'm was not able to see the main screen at the time to see if it showed anything, but the SSH session did not show any PIDs it was waiting for.

355

17.1 Legacy Series / Re: Not rebooting properly during console upgrade

« on: March 29, 2017, 03:46:30 pm »

Code: [Select]

root@bart:~ # cat /etc/rc.conf.d/squid/*
squid_enable=NO
Would I be right that the last PID mentioned in the screen shot is the one for the process it's waiting for? If so, I'll try to remember if it happens next update to look up the process from it.

356

17.1 Legacy Series / Re: Help with IPv6

« on: March 29, 2017, 03:24:04 pm »

Thanks Bart. Spookily my ISP just called to tell me that IPv6 should be enabled, but the only extra information I could get out of them was that I was to use DHCPv6 for the WAN connection, and to use /56 for the prefix delegation size and not /64.

But how to now get a static from my public IP I don't know - see, I'm very new at this ;-) The firewall tells me I have a public IPv6 address with a /64 subnet, the IPv6 test ping to ipv6.google.com works (I did sit the WAN "DHCPv6 Prefix Delegation size" to 56).

357

17.1 Legacy Series / Re: Not rebooting properly during console upgrade

« on: March 29, 2017, 03:09:55 pm »

Code: [Select]

acme_http_challenge_enable=YES
acme_http_challenge_conf="/var/etc/lighttpd-acme-challenge.conf"
acme_http_challenge_pidfile="/var/run/lighttpd-acme-challenge.pid"
acme_http_challenge_opnsense_bootup_run="/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh"
captiveportal_enable="NO"
#
# Automatic generated configuration for netflow.
# Do not edit this file manually.
#
flowd_enable="YES"
#
# Automatic generated configuration for netflow.
# Do not edit this file manually.
#
flowd_aggregate_enable="YES"
haproxy_enable=YES
haproxy_opnsense_bootup_run="/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh"
haproxy_pidfile="/var/run/haproxy.pid"
haproxy_config="/usr/local/etc/haproxy.conf"
# haproxy_flags=""
firewall_enable="NO"
firewall_script="/usr/local/etc/rc.ipfw"
dummynet_enable="YES"
#
# Automatic generated configuration for netflow.
# Do not edit this file manually.
#
netflow_enable="YES"


0'
.?1'
..
0'squid¦¦suricata_enable="YES"
suricata_opnsense_bootup_run="/usr/local/opnsense/scripts/suricata/setup.sh"


# IPS mode, switch to netmapsuricata_netmap=YES

358

17.1 Legacy Series / Re: Not rebooting properly during console upgrade

« on: March 29, 2017, 02:59:46 pm »

Code: [Select]

root@bart:~ # ls /etc/rc.conf.d
acme_http_challenge     flowd_aggregate         netflow
captiveportal           haproxy                 squid
flowd                   ipfw                    suricata
root@bart:~ # ls /etc/rc.conf
ls: /etc/rc.conf: No such file or directory

359

17.1 Legacy Series / Help with IPv6

« on: March 29, 2017, 02:36:35 pm »

I finally have an IPv6 address from my ISP so OPNsense is working just fine in this respect (I have a PPPoE connection, with a VLAN, the IPv6 address is set on the WAN interface as DHCPv6, using IPv4 connectivity).


Now that it's working where do I go next? I'd like to get this working internally now as I have a small test project that can use IPv6 and want to use this to further my knowledge of IPv6.


I'm assuming I need to now enable IPv6 on the LAN interface so what IPv6 option do I set? I did look in the wiki, skipping past the tunnel stuff to "Step 3", and it mentions using "Static IPv6", but no information on what address to use.


BTW, is the wiki search function meant to work, because I enter a search term e.g. ipv6, press enter and all I see is "Searching......"

360

17.1 Legacy Series / Not rebooting properly during console upgrade

« on: March 29, 2017, 02:23:43 pm »

Thought I would report this as it's now the 3rd time in a row where upgrading the firewall from the console seems to get stuck during the reboot.


I've waited well over 10 minutes, but always end up having to press Ctrl-C, then choosing "Reboot" from the menu.


Nothing seems to be harmed afterwards, I just never had this with v16.