Messages

1096

20.1 Legacy Series / Re: Firewall/routing - DMZ to LAN - preserve Source IP

« on: February 24, 2020, 09:35:36 pm »

Automatic outbound NAT rule generation is enabled by default. Go to Firewall / NAT / Outbound and have a look at the Automatic rules section. If there are any rules, NAT is active. To disable it, switch to Disable outbound NAT rule generation.

Cheers

Maurice

1097

20.1 Legacy Series / Re: DHCP Leases and DNS registration

« on: February 21, 2020, 02:41:03 pm »

Is there anyway to see directly the DHCP registered names in Unbound?

On the console:

Code: [Select]

cat /var/unbound/dhcpleases.conf
Cheers

Maurice

1098

German - Deutsch / Re: MNet auf OpnSense mit DS-lite

« on: February 21, 2020, 12:15:59 am »

Moin,

DS-Lite wird von OPNsense noch nicht richtig unterstützt, d. h. es lässt sich nicht einfach so einschalten. Da wurde mal dran gearbeitet, ist aber wohl wieder eingeschlafen. Wenn man den IPv4-Tunnel manuell konfiguriert soll es funktionieren. Ist aber eher für Fortgeschrittene.

Alternativ einen beliebigen DS-Lite-tauglichen Router (z. B. die Provider-Box oder was mit OpenWrt) davor hängen, IPv6 via Prefix Delegation und IPv4 eben über Doppel-NAT.

Die Provider-Box benötigst Du nicht zum telefonieren. Die SIP-Zugangsdaten kann man direkt mit jedem IP-Telefon / -Telefonanlage verwenden. Da die Telefonie über IPv6 läuft gibt es da keine Probleme mit NAT.

Grüße

Maurice

1099

20.1 Legacy Series / Re: outband traffic on many IP addresses generated on fresh install

« on: February 19, 2020, 06:23:27 pm »

These are DNS requests to the root servers. Nothing strange at all.

Cheers

Maurice

1100

German - Deutsch / Re: Wemacom Glasfaseranschluss + OPNsense

« on: February 12, 2020, 06:59:36 pm »

Moin,

Das VLAN kannst Du unter Interfaces | Other Types | VLAN anlegen. Tag und Priority von der Fritzbox übernehmen. Dann unter Interfaces | Assignments dieses VLAN dem WAN-Interface zuordnen.

Grüße

Maurice

1101

20.1 Legacy Series / Re: Strange DNS lookups from firewall

« on: February 12, 2020, 02:40:14 pm »

By default, unbound works as a recursive resolver. It will only use the DNS servers from System / Settings / General if you enable forwarding mode.

Cheers

Maurice

1102

20.1 Legacy Series / Re: IPv6RD broken again?

« on: February 11, 2020, 08:45:02 pm »

@Space, I couldn't help but notice that you don't mention 6rd at all. Which this topic is about.

1103

19.7 Legacy Series / Re: IPv6 ULA + track interface

« on: January 30, 2020, 02:30:21 pm »

Ok, it seems the main difference between our setups is that you use Dual Stack in the LANs while mine are mostly IPv6-only. So if the router doesn't advertise an IPv6 prefix, the network is down for good. No fallback to IPv4.
(There is also NAT64 involved and a separate IPv4-only VLAN for legacy devices.)

Not every solution works for everyone. Let's leave it at that. :-)

Cheers

Maurice

1104

19.7 Legacy Series / Re: Strange routing issues

« on: January 29, 2020, 01:15:05 am »

Did you try "Disable force gateway" in Firewall / Settings / Advanced?

Cheers

Maurice

1105

19.7 Legacy Series / Re: IPv6 ULA + track interface

« on: January 29, 2020, 12:52:39 am »

Thank you for the explanation. I'm still not sure I fully understand your solution for the "WAN down -> LAN down" issue, so let me give you an example:

• You have a file server connected to both the GUA VLAN as well as the ULA VLAN.
• You have laptops connected to the GUA VLAN only. They need a GUA for Internet access and can't be on both VLANs (because Wi-Fi).
• Now the WAN goes down, so the laptops lose their GUAs and are stuck with link-local only.
• How are the laptops supposed to reach the file server now? That's my main concern with this solution: I don't want local connectivity to depend on the WAN being up.

You don't have that issue if you advertise both prefixes in the same VLAN. Btw, there is now an (unmerged) patch for the "Virtual IP breaks tracking" issue ready for testing on GitHub (thanks to marjohn56)!

Cheers

Maurice

1106

German - Deutsch / Re: IPSec Mobile Clients - ich schaff es nicht...

« on: January 27, 2020, 08:48:19 pm »

Unter Windows 10 musst Du als VPN-Typ IKEv2 konfigurieren, nicht L2TP/IPsec.

Grüße

Maurice

1107

19.7 Legacy Series / Re: IPv6 ULA + track interface

« on: January 27, 2020, 03:45:37 pm »

I'm using an OPT-Interface/vLAN.

Some boxes are on both networks: Prefix-vLAN and ULA-vLAN.

Interesting. I once considered this but ultimately went for the (semi-working) Virtual IP solution.

The primary reasons were:

• Connecting a device to multiple VLANs only works via Ethernet (not Wi-Fi) and requires VLAN support in the device (or multiple Ethernet ports). So pretty much servers only. No embedded devices like printers etc.
• If the WAN goes down, the (WAN-tracking) GUA VLANs lose their prefix. So if the WAN goes down, you lose almost all local connectivity, too.

Were you able to work around this?

Cheers

Maurice

1108

19.7 Legacy Series / Re: IPv6 ULA + track interface

« on: January 16, 2020, 12:35:52 pm »

ULAs can be added as Virtual IPs, but this doesn't survive a reboot because of a bug in OPNsense:

https://github.com/opnsense/core/issues/3310

If you need this feature, please make noise on GitHub. The bug currently doesn't seem to have a very high priority.

Cheers

Maurice

1109

German - Deutsch / Re: IPv6 statische IPs und VLAN

« on: December 30, 2019, 07:11:28 pm »

Vielleicht ein Skript schreiben, das immer nach dem Startup ausgeführt wird und den Interfaces nach erfolgter Prefix delegation nohe eine IPv6 ULA erzeugt...

Gib Bescheid, falls Du so etwas hinbekommst.
(Mein Workaround ist tatsächlich die manuelle Rekonfiguration nach jedem Reboot und die Hoffnung auf einen Bugfix in 20.1.)

Grüße

Maurice

1110

German - Deutsch / Re: IPv6 statische IPs und VLAN

« on: December 30, 2019, 03:13:19 pm »

ULAs kann man als Virtual IP / IP Alias hinzufügen, läuft aber leider noch nicht hundertprozentig stabil: https://github.com/opnsense/core/issues/3310