
Messages - lrosenman

#181
Nope.  ATT went native IPv6 a long while ago, so it's pure IPv6. No 6RD.
#182
Working great with https://github.com/aus/pfatt (with a minor mod to skip some pfSense specifics).

Now I can get all the info I need/want, and it all works.

Thanks for a great product! (running on an old protectli FW1).
#183
Well, I'll be.... If I set up a static address on an interface, I get the ability to set all this up already.

Never mind.
#184
Basically, if we're using ISC DHCPD, where can I add statements to the dhcpd.conf that won't get wiped by the GUI making changes?
#185
I'm coming back to OPNSense after a LONG break and was wondering if the DHCPD in current production can support doing DNS updates to a foreign (to OPNSense) DNS server (my server on a different network, using BIND 9.13.x) via an NSUPDATE type message, but using T-SIG keys?

#186
17.7 Legacy Series / Re: 6RD status?
October 12, 2017, 03:38:47 PM
Yep.  And it may make me rethink what I use for a firewall.  I may move to a Ubiquiti USG (I have Ubiquiti AP's anyway).

I sent a tersely worded PM to Jim.  I'm *NOT* happy.  I also posted to the freebsd-net list about this.
#187
17.7 Legacy Series / Re: 6RD status?
September 23, 2017, 04:04:48 PM
I'm actually on the 2.4-RC, and you are correct that it's mostly working, and I'm in that bug thread.

I'm also (somewhat) friendly with the netgate folk (they & I are in Austin, TX).

I'll poke at them.
#188
17.7 Legacy Series / 6RD status?
September 23, 2017, 03:39:28 AM
I'm currently back to pfSense as they correctly support ATT Fiber's 6rd IPv6.   I really(!) prefer Opnsense, but *NEED* 6RD to work.

What's the current 6rd status in Opnsense 17.7?
#189
17.7 Legacy Series / Re: ATT Fiber/IPv6/DMZ+ mode
August 16, 2017, 05:00:01 AM
Got ATT to swap me to an Arris NVG899 Gateway, and all works with pfSense.  OpnSense has issues with the 6rd setup.

#190
17.7 Legacy Series / Re: ATT Fiber/IPv6/DMZ+ mode
August 11, 2017, 01:27:58 PM
Ok, game over:

notice   Aug 11 06:25:31   
IN=br1 MAC=d4:b2:7a:9e:cf:04 SRC=184.105.253.10 DST=76.250.255.117 LEN=76 TTL=248 PROTO=41 Drop all traffic not from the border relay

I set up an HE.net tunnel, and it doesn't work either in DMZ+.

Above is a smoking gun.
#191
17.7 Legacy Series / Re: ATT Fiber/IPv6/DMZ+ mode
August 11, 2017, 05:36:38 AM
I get addresses delegated to the lan but they do *NOT* work.  My suspicion is that the 5268AC doesn't really pass *EVERYTHING* to the DMZ+ device.

ATT Support has been exactly *USELESS*.

#192
17.7 Legacy Series / Re: ATT Fiber/IPv6/DMZ+ mode
August 10, 2017, 02:19:54 PM
Anyone?
#193
17.7 Legacy Series / Re: ATT Fiber/IPv6/DMZ+ mode
August 09, 2017, 04:40:53 PM
It was a hack that didn't work out.

Now what I have is:

ATTONT-> ONT Port on 5268AC
                 5268AC ETH1 -> WAN port on OpnSense
                              LAN port on OpnSense -> my LAN

The 5268AC is set in DMZ+ mode for the OPNSense MAC

The WAN port on OPNSense is set for SLAAC (for v6) and DHCP (for V4)

ping6 from within the FW works fine.

If I put a static V6 address on the LAN port, and have radvd running, my LAN devices get an IPv6 address, but no IPv6 connectivity.

What am I missing?

(Here's the post I made to freebsd-net with more details):

I just moved into a brand new house, and it has ATT Fiber.  I have their gateway (Pace/Arris 5268AC) in DMZ+ mode with an OPNsense (FreeBSD 11) Firewall Router as the DMZ Host.

I can get IPv6 on the router / FW:
root@home-fw:~ # ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2602:304:cfaf:f750:242:43ff:feac:29c --> 2607:f8b0:4000:812::200e
16 bytes from 2607:f8b0:4000:812::200e, icmp_seq=0 hlim=55 time=10.084 ms
16 bytes from 2607:f8b0:4000:812::200e, icmp_seq=1 hlim=55 time=10.103 ms
^C
--- ipv6.l.google.com ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 10.084/10.093/10.103/0.010 ms
root@home-fw:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=42098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
   ether 00:42:43:ac:02:9c
   inet6 fe80::242:43ff:feac:29c%em0 prefixlen 64 scopeid 0x1
   inet6 2602:304:cfaf:f750:242:43ff:feac:29c prefixlen 64 autoconf
   inet 76.250.255.117 netmask 0xfffffc00 broadcast 76.250.255.255
   nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=42098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
   ether 00:42:43:ac:02:9d
   inet6 fe80::242:43ff:feac:29d%em1 prefixlen 64 scopeid 0x2
   inet6 2602:304:cfaf:f751::1 prefixlen 64
   inet 192.168.200.11 netmask 0xfffffc00 broadcast 192.168.203.255
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
em2: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
   ether 00:42:43:ac:02:9e
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   media: Ethernet autoselect
   status: no carrier
em3: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
   ether 00:42:43:ac:02:9f
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   media: Ethernet autoselect
   status: no carrier
enc0: flags=0<> metric 0 mtu 1536
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: enc
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
   inet 127.0.0.1 netmask 0xff000000
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: lo
pflog0: flags=100<PROMISC> metric 0 mtu 33160
   groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
   groups: pfsync
   syncpeer: 0.0.0.0 maxupd: 128 defer: off
root@home-fw:~ # ndp -a
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::f6f5:d8ff:fedb:e124%em1        f4:f5:d8:db:e1:24    em1 23h58m15s S
fe80::20d:5dff:fe10:b4fb%em1         00:0d:5d:10:b4:fb    em1 23h52m14s S
2602:304:cfaf:f751::1                00:42:43:ac:02:9d    em1 permanent R
fe80::f6f5:d8ff:fead:65f4%em1        f4:f5:d8:ad:65:f4    em1 23h59m58s S
fe80::230:48ff:fecf:2b1c%em1         00:30:48:cf:2b:1c    em1 23h53m48s S
fe80::f6f5:d8ff:feae:4136%em1        f4:f5:d8:ae:41:36    em1 23h58m8s  S
2602:304:cfaf:f751:c412:15dc:8924:30d7 68:5b:35:9f:90:21  em1 23h55m0s  S
fe80::f6f5:d8ff:feac:48d0%em1        f4:f5:d8:ac:48:d0    em1 23h59m35s S
fe80::242:43ff:feac:29d%em1          00:42:43:ac:02:9d    em1 permanent R
fe80::f6f5:d8ff:fec9:776e%em1        f4:f5:d8:c9:77:6e    em1 23s       R
fe80::1842:632e:39ae:76d3%em1        68:5b:35:9f:90:21    em1 23h56m26s S
fe80::5a9c:fcff:fe0b:6e07%em1        58:9c:fc:0b:6e:07    em1 23h59m59s S
fe80::f6f5:d8ff:fedf:11ec%em1        f4:f5:d8:df:11:ec    em1 23h58m8s  S
2602:304:cfaf:f751:d7:b8ff:fe51:f200 02:d7:b8:51:f2:00    em1 12s       R
fe80::d7:b8ff:fe51:f200%em1          02:d7:b8:51:f2:00    em1 7s        R
2602:304:cfaf:f750::1                d4:b2:7a:9e:cf:05    em0 23h56m55s S R
2602:304:cfaf:f750:230:48ff:fecf:2b1c (incomplete)        em0 expired   I  3
fe80::d6b2:7aff:fe9e:cf05%em0        d4:b2:7a:9e:cf:05    em0 9s        R R
2602:304:cfaf:f750:242:43ff:feac:29c 00:42:43:ac:02:9c    em0 permanent R
fe80::242:43ff:feac:29c%em0          00:42:43:ac:02:9c    em0 permanent R
root@home-fw:~ #

ATT uses 6RD:
6rd IPv6 Internet Connection Type    Value
Default Gateway    2602:300:c533:1510::1
6rd BR    12.83.49.81
6rd Prefix    2602:300::/28
6rd Delegated Prefix    2602:304:cfaf:f750::/60
6rd MTU    1472

How can I extend this to the LAN?

I currently have the LAN defined with an address out of subnet 1.

And if I have my Mac or FreeBSD box SLAAC, the IPv6 packets do not traverse to the internet.

If I tcpdump the LAN interface, I see the packets enter, but nothing leaves.

Anyone have an idea on what I'm missing here?

(Or is the Pace/Arris box getting in the way?)
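The 6rd values in the table above fit together arithmetically (RFC 5969): the delegated /60 is the /28 6rd prefix with the 32-bit WAN IPv4 address appended, the BR's own IPv6 address is derived the same way from 12.83.49.81, and the "Drop all traffic not from the border relay" log line in the later post is the IPv4-side check that only the BR may send protocol 41. The following is an added Python example, not code from the post or from OPNsense; it assumes an IPv4MaskLen of 0 (full address embedded), which the reported /28 and /60 lengths imply.

```python
import ipaddress

# Values constructed from the 6rd table the 5268AC reported in the post above.
SIXRD_PREFIX = "2602:300::/28"
SIXRD_BR = "12.83.49.81"          # 6rd border relay (IPv4)
WAN_IPV4 = "76.250.255.117"       # the DMZ+ host's public IPv4 address
IPV4_MASK_LEN = 0                 # assumption: the whole IPv4 address is embedded


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4_addr: str,
                           ipv4_mask_len: int = IPV4_MASK_LEN) -> ipaddress.IPv6Network:
    """RFC 5969: delegated prefix = 6rd prefix || (IPv4 address minus its
    first ipv4_mask_len bits). With a /28 prefix and all 32 bits embedded
    the result is a /60, which is what the gateway shows."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    embedded_bits = 32 - ipv4_mask_len
    embedded = int(ipaddress.IPv4Address(ipv4_addr)) & ((1 << embedded_bits) - 1)
    delegated_len = net.prefixlen + embedded_bits
    # Place the embedded IPv4 bits directly after the 6rd prefix bits.
    value = int(net.network_address) | (embedded << (128 - delegated_len))
    return ipaddress.IPv6Network((value, delegated_len))


def lan_subnet(delegated: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """Pick one /64 out of the delegated /60 (16 to choose from); the post
    puts the LAN in subnet 1."""
    return list(delegated.subnets(new_prefix=64))[index]


def proto41_allowed(src_ipv4: str, border_relay: str = SIXRD_BR) -> bool:
    """The rule behind the logged 'Drop all traffic not from the border
    relay': IPv6-in-IPv4 (protocol 41) is accepted only from the configured
    6rd BR, so a tunnel from any other endpoint is dropped."""
    return ipaddress.IPv4Address(src_ipv4) == ipaddress.IPv4Address(border_relay)


if __name__ == "__main__":
    delegated = sixrd_delegated_prefix(SIXRD_PREFIX, WAN_IPV4)
    print("delegated prefix:", delegated)                   # 2602:304:cfaf:f750::/60
    print("LAN /64 (subnet 1):", lan_subnet(delegated, 1))  # 2602:304:cfaf:f751::/64
    # The BR's derived prefix contains the gateway's default route 2602:300:c533:1510::1
    print("BR's own 6rd prefix:", sixrd_delegated_prefix(SIXRD_PREFIX, SIXRD_BR))
    for src in ("12.83.49.81", "184.105.253.10"):
        print(f"proto 41 from {src}: {'accept' if proto41_allowed(src) else 'drop'}")
```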
#194
17.7 Legacy Series / Re: ATT Fiber/IPv6/DMZ+ mode
August 09, 2017, 03:47:41 PM
No go.  If I set WAN to SLAAC, remove the 2nd interface to the 5268AC, I can ping6 from the FW, but can NOT get IPv6 to work on the LAN.

See my post to freebsd-net@FreeBSD.org.
#195
17.7 Legacy Series / ATT Fiber/IPv6/DMZ+ mode
August 08, 2017, 08:01:33 PM
I've just moved into a nice new house with ATT Fiber.  ATT's RG (Pace 5268AC) doesn't pass IPv6 through to the DMZ+ host (will be the firewall).  It *DOES* however allow IPv6 to other devices connected to its own switch.

Should I be able to route IPv6 from another interface to my LAN and do Firewall stuff?  My suspicion is YES, but I'm not near it right now.

Basically the setup:
                              +---> WAN port on OPNSENSE (IPv4/DMZ+) -----+
ATTONT -> ONT PORT on 5268AC -+                                           +----> LAN port on OPNSENSE
                              +---> OPT1 port on OPNSENSE (IPv6/DHCPv4) --+

Would this allow me to have dual stacked hosts on the LAN ?