Messages - Maurice

106
Tutorials and FAQs / Re: OPNsense aarch64 firmware repository
« on: March 21, 2024, 01:38:45 pm »
OPNsense 24.1.4 aarch64 packages and sets released.

107
German - Deutsch / Re: IPv6 question of understanding
« on: March 20, 2024, 01:16:23 pm »
@trixter It's not about the number of addresses, but the number of subnets and the kind of routing. Each (V)LAN inherently needs its own /64. If you have, for example, a "standard" network, a guest network, a DMZ and a VPN interface for road warriors, you already need 4x /64, i.e. a /62.

108
General Discussion / Re: Static internal IPv6 setup with dynamic PD
« on: March 20, 2024, 12:42:07 pm »
I skimmed through that thread real quick and it seems what they are concerned about is deploying only ULAs and translating them to GUAs (NPT) for Internet access. But that's not what I recommend at all. Instead, use GUAs and ULAs simultaneously. GUAs for Internet access, ULAs for the Intranet only. I don't see an issue there, this is common practice.

109
General Discussion / Re: Static internal IPv6 setup with dynamic PD
« on: March 20, 2024, 01:48:28 am »
You can deploy static ULAs (virtual IPs) in addition to the dynamic GUAs. Then advertise the ULA of your DNS resolver.

Cheers
Maurice

110
24.1 Legacy Series / Re: ICMP-reply from OPNsense fw may have wrong dest MAC-Address.
« on: March 19, 2024, 04:53:58 pm »
No, for a basic setup, you don't have to mess with reply-to, that's why it's an advanced option.

The automatic reply-to is a bit controversial and there have been heated discussions about it, but it is what it is. Once you know about it, it's not a big deal.

111
General Discussion / Re: Beginner with IPv6 and struggle
« on: March 18, 2024, 10:07:00 pm »
When you connect OPNsense directly to the ONU, the /56 gets delegated to OPNsense and you can use it for your LANs. But if you connect the rental router to the ONU and OPNsense to the rental router, the /56 gets delegated to the rental router. It is then up to this router to delegate a subnet (e.g. a /60) to OPNsense. Whether or not it can do this is the question. More often than not, these basic ISP routers are only meant for directly connecting devices and don't support downstream prefix delegation. So if you don't have to, I wouldn't use this rental router at all.

Some ISPs don't assign a WAN address. If you made sure "Request only an IPv6 prefix" is disabled, then that's probably why you only see a link-local address on the WAN interface.

OPNsense doesn't support automatic DS-Lite configuration, but you can manually set up a 4in6 GIF tunnel.

Cheers
Maurice

112
24.1 Legacy Series / Re: ICMP-reply from OPNsense fw may have wrong dest MAC-Address.
« on: March 18, 2024, 09:01:46 pm »
Quote from: salvadordalisdad on March 17, 2024, 01:33:35 pm
Attached is the only rule in the table which shows up for a search on "reply-to"

Yes, that's probably the default allow LAN to any rule. As you can see, it has the option reply-to (vmx5 192.168.4.1), which causes all replies to be sent to the MAC address of your pfSense firewall. You need to edit this rule and disable reply-to (which is absolutely possible).

Quote from: salvadordalisdad on March 17, 2024, 01:33:35 pm
I tried adding an explicit rule in the firewall rules for ICMP from LAN-net to this-firewall
didn't work, can't seem to place it above all the built-in rules.

You don't have to place it above the automatically generated rules, only above the default allow LAN to any rule.

Quote from: salvadordalisdad on March 17, 2024, 01:33:35 pm
Can't think this is what it's supposed to be doing on fresh install, with only 2 interfaces & nothing else configured. What am I missing?

Your LAN interface uses DHCP and dynamically configures a (default) gateway. This is not a standard setup, LAN interfaces typically have a static configuration and no gateway. Your configuration causes OPNsense to consider this a WAN-type interface, which results in the automatically added reply-to.

113
German - Deutsch / Re: IPv6 question of understanding
« on: March 18, 2024, 08:50:35 pm »
The LAN interface should be configured as a /64. Not mandatory, but common, and it makes some things easier.
Floating rules only make sense in exceptional cases; offhand I see no reason for them here. Where does the mail server run, by the way? Also on the Nginx box?

114
24.1 Legacy Series / Re: ICMP-reply from OPNsense fw may have wrong dest MAC-Address.
« on: March 17, 2024, 02:16:33 am »
Look up the firewall rule which allows the pings in Firewall: Diagnostics: Statistics: Rules. Does it have a reply-to (gateway) option? If so, you have to explicitly disable reply-to in the rule's advanced features.

Cheers
Maurice

115
24.1 Legacy Series / Re: DNS Rebind
« on: March 17, 2024, 02:06:35 am »
A certificate for domain.com is not valid for router.domain.com. That's why your browser generates a certificate mismatch error when using router.domain.com.
When using domain.com instead, OPNsense prevents access to the WebGUI because of the hostname mismatch - it knows its FQDN is actually router.domain.com.

If you want to use domain.com:
- Add domain.com to the Alternate Hostnames in System: Settings: Administration.

If you want to use router.domain.com:
- Create a certificate specifically for the OPNsense WebGUI (CN=router.domain.com) or
- add router.domain.com as an alt name to your domain.com certificate or
- create a wildcard certificate for *.domain.com.

Cheers
Maurice
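
The hostname-matching rules behind the reply above, as an added example that is not part of the original post and not OPNsense's own code. The certificate name sets and the WebGUI hostname check are constructed models of the four situations the post describes (domain.com and router.domain.com are the post's placeholders); the `webgui_host_allowed` function is a simplified stand-in for the real Alternate Hostnames check, not its implementation.

```python
from typing import Iterable

def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate name (CN or SAN entry) against a hostname.

    Browser rules in short: case-insensitive exact match, or a wildcard whose
    '*' covers exactly one leftmost label. '*.domain.com' therefore matches
    'router.domain.com' but neither 'domain.com' nor 'a.router.domain.com'.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]            # '.domain.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost

def cert_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any CN/SAN name on the certificate is valid for hostname."""
    return any(name_matches(n, hostname) for n in cert_names)

def webgui_host_allowed(requested: str, fqdn: str, alternates: Iterable[str]) -> bool:
    """Simplified model (assumption, not OPNsense code) of the WebGUI
    hostname check: the Host header must equal the firewall's FQDN or one
    of the configured Alternate Hostnames."""
    allowed = {fqdn.lower()} | {a.lower() for a in alternates}
    return requested.lower() in allowed

# Constructed certificate name lists for the situations in the post.
ORIGINAL_CERT = ["domain.com"]                      # what the poster has now
DEDICATED_CERT = ["router.domain.com"]              # fix 1: CN=router.domain.com
ALTNAME_CERT = ["domain.com", "router.domain.com"]  # fix 2: add a SAN
WILDCARD_CERT = ["*.domain.com"]                    # fix 3: wildcard

def browser_ok(cert_names: Iterable[str], url_host: str, fqdn: str, alternates: Iterable[str]) -> bool:
    """Access works only if the certificate matches the URL host AND the
    firewall accepts that host name."""
    return cert_covers(cert_names, url_host) and webgui_host_allowed(url_host, fqdn, alternates)
```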

116
Virtual private networks / Re: IPV6 over Wireguard
« on: March 17, 2024, 01:34:22 am »
You only have to add ::/0 on the client side. This sets the default IPv6 route via the tunnel (if this is what you want to do).
On the server side, add the /56 which you want to route to the client.

It doesn't matter whether you use a /64 or /127 for the tunnel addresses. The first /64 of the routed /56 might be a good choice (2001:db8:abcd:ef00::/64).
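
The routing plan from the two replies above (::/0 on the client peer, the routed /56 on the server peer, tunnel addresses from the first /64), as an added example that is not part of the original posts. The prefix 2001:db8:abcd:ef00::/56 is documentation space used as a constructed value; `plan_wireguard_ipv6` and `render_conf` are hypothetical helper names, and the rendered fragments omit keys and endpoints.

```python
import ipaddress

def plan_wireguard_ipv6(routed_prefix: str, tunnel_prefixlen: int = 64) -> dict:
    """Derive tunnel addresses and per-peer AllowedIPs from the routed prefix.

    Server peer entry (on the client): AllowedIPs ::/0, so the tunnel becomes
    the client's default IPv6 route. Client peer entry (on the server):
    AllowedIPs = the routed prefix, so the server routes the whole /56 into
    the tunnel. Endpoint addresses come from the first tunnel-sized subnet.
    """
    routed = ipaddress.IPv6Network(routed_prefix)   # strict: host bits must be zero
    if not 64 <= tunnel_prefixlen <= 127 or routed.prefixlen > tunnel_prefixlen:
        raise ValueError("tunnel subnet must be /64../127 and inside the routed prefix")
    tunnel = next(routed.subnets(new_prefix=tunnel_prefixlen))
    # A /127 holds exactly two addresses (::0 and ::1); larger subnets skip ::0.
    first = 0 if tunnel.prefixlen == 127 else 1
    server_ip = tunnel.network_address + first
    client_ip = tunnel.network_address + first + 1
    assert server_ip in tunnel and client_ip in tunnel and client_ip in routed
    return {
        "tunnel": str(tunnel),
        "server": {"Address": f"{server_ip}/{tunnel.prefixlen}",
                   "AllowedIPs": str(routed)},          # route the /56 to the client
        "client": {"Address": f"{client_ip}/{tunnel.prefixlen}",
                   "AllowedIPs": "::/0"},               # default IPv6 route via tunnel
    }

def render_conf(side: str, plan: dict) -> str:
    """Minimal WireGuard config fragment for one side ('server' or 'client');
    PrivateKey, PublicKey and Endpoint are left out on purpose."""
    me = plan[side]
    return f"[Interface]\nAddress = {me['Address']}\n\n[Peer]\nAllowedIPs = {me['AllowedIPs']}\n"

if __name__ == "__main__":
    plan = plan_wireguard_ipv6("2001:db8:abcd:ef00::/56")
    for side in ("server", "client"):
        print(f"# {side}\n{render_conf(side, plan)}")
```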

117
Virtual private networks / Re: IPV6 over Wireguard
« on: March 15, 2024, 02:10:28 pm »
Just add the /56 to the allowed IPs of the peer it should get routed to.

Cheers
Maurice

118
General Discussion / Re: Default Gateway disappearing for DHCPv6
« on: March 14, 2024, 04:05:51 pm »
DHCPv6 does not provide default gateway information, that's what Router Advertisements are for. And these might get blocked by your vSwitch.

Cheers
Maurice

119
German - Deutsch / Re: FTTH from DNS:NET with own GPON (Huawei MA5671A) on OPNsense
« on: March 14, 2024, 11:22:31 am »
Doesn't your provider offer IPv6? With it you could reach your network from outside without any tricks. Public IPv4 addresses are becoming increasingly rare on residential connections.

120
24.1 Legacy Series / Re: Puzzled
« on: March 14, 2024, 10:27:26 am »
One packet is TCP, the other is UDP. Does your rule handle both?

Cheers
Maurice

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved