Messages - schnipp

#31
Quote from: schnipp on December 22, 2024, 11:09:38 AM
Quote from: mooh on December 05, 2024, 01:22:09 PMI think what you're looking for is IPv6 privacy extensions. See https://forum.opnsense.org/English_Forums/General_Discussion/IPv6_privacy_extensions_for_WAN_interface

Not sure if that's still correct, as the article is quite old by now.

It still works like a charm :-)

I have restructured my network (the Fritzbox acted as the WAN gateway in front of the OPNsense and has now moved behind the OPNsense in a dedicated VLAN). This is the first time the IPv6 privacy extensions no longer work.

  • If only an IPv6 prefix is requested via DHCPv6 and the public WAN address is derived from that prefix, IPv6 privacy will not work. It is not clear to me why the WAN address is generated from the MAC address in this case. The subnet technically allows WAN addresses to be derived via SLAAC.
  • When requesting an IPv6 prefix and an IPv6 address via DHCPv6, IPv6 privacy also does not work because the prefix length of the public IPv6 address is 128 (no available subnet).
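To make the two observations above concrete, here is an added example (my own code, not from the thread or from OPNsense): it derives the modified EUI-64 interface identifier that MAC-based address generation embeds in an address, shows that the MAC can be read straight back out of such a WAN address, and contrasts it with a random RFC 4941 temporary identifier. The MAC and the /64 prefix are constructed sample values.

```python
import ipaddress
import os


def eui64_iid_from_mac(mac):
    """Modified EUI-64 interface identifier (RFC 4291 App. A): flip the U/L bit, insert ff:fe."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    octets = bytes([octets[0] ^ 0x02]) + octets[1:]
    return octets[:3] + b"\xff\xfe" + octets[3:]


def address_from_prefix(prefix, iid):
    """Combine a /64 prefix (as handed out by DHCPv6-PD or an RA) with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC-style addresses need a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def mac_from_address(addr):
    """Return the MAC a modified-EUI-64 address embeds, or None if the IID is not EUI-64 shaped.

    This is the privacy problem: anyone who sees the WAN address learns the hardware address.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = iid[:3] + iid[5:]
    octets = bytes([octets[0] ^ 0x02]) + octets[1:]
    return ":".join(f"{b:02x}" for b in octets)


def temporary_iid():
    """Random interface identifier as used for RFC 4941 temporary addresses (U/L bit cleared = local)."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD
    return bytes(iid)


if __name__ == "__main__":
    # constructed sample values, not addresses from the thread
    mac = "00:11:22:33:44:55"
    prefix = "2001:db8:1:2::/64"
    stable = address_from_prefix(prefix, eui64_iid_from_mac(mac))
    temp = address_from_prefix(prefix, temporary_iid())
    print("EUI-64 address :", stable, "-> embeds MAC", mac_from_address(stable))
    print("temporary addr :", temp, "-> embeds MAC", mac_from_address(temp))
```

Both addresses live in the same /64, so the prefix itself is not what decides whether privacy extensions can apply; it is the choice of identifier for the host part. With a /128 address assigned by DHCPv6 (the second bullet) there is no prefix to generate a second identifier under, which is why temporary addresses cannot be added in that case.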


#32
Quote from: meyergru on December 05, 2024, 06:05:19 PM[...]
On the other hand, the IPv6 privacy settings do not work for me, maybe either because I use the specified settings or maybe because my WAN is pppoe.

In the past (before switching away from DSL) I did not encounter any problems using IPv6 privacy extensions together with PPPoE.
#33
Quote from: mooh on December 05, 2024, 01:22:09 PMI think what you're looking for is IPv6 privacy extensions. See https://forum.opnsense.org/English_Forums/General_Discussion/IPv6_privacy_extensions_for_WAN_interface

Not sure if that's still correct, as the article is quite old by now.

It still works like a charm :-)
#34
In addition (excerpt from unbound documentation)

Quote: outgoing-interface: <IPv4/IPv6 address or IPv6 netblock>

[...]
If an IPv6 netblock is specified instead of an individual IPv6 address, outgoing UDP queries will use a randomised source address taken from the netblock to counter spoofing.

Maybe it's better to configure the whole IPv6 netblock instead of a single GUA ULA. Perhaps this does not work in FreeBSD, so more tests are needed.
#35
While restructuring my network, I noticed that Unbound is not able to communicate with external DNS servers over IPv6.

Debug logging showed the following error message:

2024-12-20T18:24:50    Error    unbound    [5544:1] error: can't bind socket: Can't assign requested address for fe80::ff:fe00:fe port 24152 (len 28)
Further checking showed that in the Unbound configuration (/var/unbound/unbound.conf) for outgoing communication, the link-local address is configured for IPv6. This obviously cannot work because this network is not routable. Manually editing the Unbound configuration to the GUA ULA temporarily solves the problem until OPNsense rewrites the configuration.

Either the persistent GUA ULA of the interface or the assigned network (/64) must be configured as the IPv6 address. In the latter case, Unbound should also take temporary addresses (IPv6 Privacy Extensions) into account. However, I have not tried the latter.

Can anyone reproduce the problem that OPNsense configures the link-local address for Unbound's outgoing IPv6 communication?

My WAN interface configuration:
- DHCPv6
- Only request IPv6 prefix
- Send Prefix Hint
- IPv6 Privacy Extensions enabled

OPNsense 24.7.11_2-amd64
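As an added check that is not part of the posts above (my own script, illustrating both the netblock question in #34 and the link-local problem in #35): it scans the outgoing-interface entries of an unbound.conf and flags the ones that cannot serve as a source address for queries to external resolvers. The config excerpt is constructed sample data in the style of /var/unbound/unbound.conf, not a real OPNsense file.

```python
import ipaddress
import re

ULA = ipaddress.ip_network("fc00::/7")

# Constructed excerpt in the style of /var/unbound/unbound.conf (sample data, not an OPNsense file)
SAMPLE_CONF = """\
server:
  interface: 0.0.0.0
  interface: ::0
  outgoing-interface: 203.0.113.10
  outgoing-interface: fe80::ff:fe00:fe
  outgoing-interface: 2001:db8:abcd:1::/64
  outgoing-interface: fd12:3456:789a::1
"""

OUTGOING_RE = re.compile(r"^\s*outgoing-interface:\s*(\S+)")


def classify(value):
    """Return (value, kind, problem) for one outgoing-interface value; problem is None when it is usable."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return (value, "invalid", "not an IP address or netblock")
    is_block = "/" in value and net.num_addresses > 1
    if net.version == 4:
        if is_block:
            return (value, "ipv4-netblock", "unbound accepts netblocks only for IPv6")
        return (value, "ipv4", None)
    if net.is_link_local:
        # this is the case from the log line above: fe80::/10 has no route to the Internet
        return (value, "ipv6-link-local", "fe80::/10 is link-local and not routable")
    if net.subnet_of(ULA):
        return (value, "ipv6-ula", "fc00::/7 is not globally routable; external resolvers cannot reply without NPTv6/NAT66")
    if is_block:
        return (value, "ipv6-netblock", None)   # unbound picks a random source address per UDP query
    return (value, "ipv6-global", None)


def audit(conf_text):
    """Classify every outgoing-interface line of an unbound.conf."""
    findings = []
    for line in conf_text.splitlines():
        m = OUTGOING_RE.match(line)
        if m:
            findings.append(classify(m.group(1)))
    return findings


def problems(conf_text):
    """Only the entries that will not work as an outgoing source for Internet queries."""
    return [(value, problem) for value, _, problem in audit(conf_text) if problem]


if __name__ == "__main__":
    for value, kind, problem in audit(SAMPLE_CONF):
        print(f"{value:28} {kind:18} {problem or 'ok'}")
```

Run it against the live file with `audit(open("/var/unbound/unbound.conf").read())` after each OPNsense reconfiguration to see whether the link-local entry came back. The netblock form from the Unbound documentation quoted in #34 needs the whole block routed to the host and an unprivileged non-local bind; if memory serves, unbound.conf(5) names Linux as the only platform with that support, which would explain the doubt about FreeBSD.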
#36
I don't quite understand your setup.


  • You have NAT set entirely to "manual". Is the correct IPv4 route for the OPNsense entered in the upstream Fritzbox?
  • Checkpoint Mobile has nothing to do with Squid. What do you want to use Squid for?
#37
Quote from: maze-m on November 29, 2024, 12:20:03 AM
That would of course be very, very cool 😍

For ZScaler Private Access, firewall rules with the following destination ports need to be created:


  • TCP/443
  • UDP/443

BTW, I had a look at your post at https://forum.opnsense.org/index.php?topic=38892.msg190418#msg190418. A few things there don't seem quite right:


  • Please remove the manually added NAT rules (IPsec over NAT-T does not need them)
  • Please reset the gateway in the associated firewall rules to Default

If it still doesn't work with the Checkpoint VPN client after that, you'll find further diagnostic information here
#38
General Discussion / Re: Migration of network structure
November 30, 2024, 10:35:28 AM
Quote from: mooh on November 28, 2024, 02:51:18 PM
[...]

Also, dnsmasq can create artificial SRV records.

All that said, I don't expect SIP servers to change their names or addresses on a regular basis. So, all this flexibility is probably overkill.

Unfortunately, one of my former ISPs did change from time to time. I'll have a look at dnsmasq. If none of that works, I'll use the ASN as a fallback solution. Thanks.
#39
General Discussion / Re: Migration of network structure
November 30, 2024, 10:32:07 AM
Quote from: bimbar on November 28, 2024, 10:35:36 AM
I have had quite a few SIP setups that worked without inbound forwarding, modern SIP is supposed to be able to detect NAT and work through it.

Do you have one for "Deutsche Glasfaser"? Unfortunately, every SIP provider implements it differently, so there is no universal setup. Otherwise, I have to analyse the SIP communication and configure based on those results.
#40
General Discussion / Re: Migration of network structure
November 30, 2024, 10:30:17 AM
Quote from: meyergru on November 27, 2024, 08:13:55 PM
1. That largely depends on if the ONT does EEE, so I would worry only if the problem turns up.
2. IMHO these were mostly configuration errors by newbies who did not follow all instructions to the letter or tried more sophisticated setups (like LAN bridges, again, without following instructions closely).
3. AFAIK, no. But why would you? The SIP IPs are known beforehand, so you can put them into a firewall alias. SIP nowadays does need a port forward, but if you know your ISP, you can also limit inbound connections to their ASN.
I always restrict such devices to my IoT network, where they cannot do much harm, anyway.

Thank you very much.
Regarding the third point, one of my former ISPs sometimes changed SIP entries in DNS, so that I had to reconfigure rules in the Opnsense. ASN is my fallback scenario in case reconfiguration is needed often.
#41
Quote from: maze-m on November 24, 2024, 12:41:49 AM
Thanks for the detailed reply. Unfortunately Wireshark is going to be a problem for me: I do have admin rights on the company notebook and could therefore install Wireshark, but the IT security department would probably not be too thrilled about it :( (I work at a VW Group subsidiary)......

I can well understand the security team's point of view. I'm just as unenthusiastic when people in our company run software downloaded from the Internet.

What speaks against taking the packet capture on the OPNsense (it supports that) and analysing the recording on your private computer?

Quote from: maze-m on November 24, 2024, 12:41:49 AM
I had already contacted the service provider responsible for the Checkpoint Mobile stuff, since we are currently migrating to ZScaler Client VPN, and asked whether there might be fewer problems with that.
Unfortunately they couldn't tell me whether that is likely to fix my problem.

After the migration to ZScaler (Private Access) you no longer need the VPN client. That should resolve your problem.

BTW, strange that I didn't receive an e-mail about the replies in this thread
#42
German - Deutsch / Re: Deutsche Glasfaser IPv6 Ausfälle
November 27, 2024, 06:25:45 PM
Fortunately I have not experienced the described problems in the past (Deutsche Glasfaser has been running for me since 02/2024). However, I want to change my network structure (Link) and I'm afraid that this problem might then catch up with me too :-o.
#43
For historical reasons, I have the following network structure:

  • Fiber ONT (Deutsche Glasfaser) <-> Fritzbox 7490 (router mode) <-> Opnsense <-> ...

The above scenario worked fine for the last year (without interruptions). But the signal reception of my DECT phones connected to the Fritzbox is not good in some parts of my house, so I want to move the Fritzbox to a new location. This is a good time to remove the Fritzbox from the WAN side of the Opnsense and put it as a dedicated device in a separate VOIP VLAN. So far, so good. A few questions arise.

  • The network card in the WAN (Intel X553) had repeated connection losses in the past, which I solved by disabling EEE (Energy Efficient Ethernet) on the Fritzbox. I am not sure if the Opnsense network card (Intel X553) supports configuring EEE itself (setting the system tunable "dev.ix.n.eee_state=0" via SSH results in a hung SSH session. Finally, this parameter is not set). Does anyone have recommendations to avoid such connection loss issues in advance?

  • There were some discussions in the forum in the past about missing IPv6 prefix and address assignments (especially in case of connection loss) with Deutsche Glasfaser. On my Fritzbox, such problems never occurred in the past. Does anyone know the reasons some users have pointed to? I think the DHCP DUID should be persistent at least across boot cycles. Is that correct?

  • Modern SIP clients should derive the IP address for the SIP server by querying the SRV DNS record instead of directly querying the A record. Does the Opnsense firewall support DNS-based firewall rules based on SRV records?

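Regarding the SRV question (the third bullet above, and the alias discussion in posts #38 to #40): an added example, not from the thread and not OPNsense code, that parses the SRV answer a resolver returns for a SIP service and turns it into the host list a firewall alias needs. The DNS message is constructed inside the block with the sample domain example.net; no real provider data is used, and the parser handles the name-compression pointers a real answer contains.

```python
import struct

SRV, IN = 33, 1


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte (no compression)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_srv_response(qname, records, ttl=300):
    """Constructed response with one SRV answer per record; owner names use a
    compression pointer (0xC00C) back to the question name, as real answers do."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", SRV, IN)
    answers = b""
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", SRV, IN, ttl, len(rdata)) + rdata
    return header + question + answers


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                          # stream continues after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_srv_response(msg):
    """Return [(priority, weight, port, target), ...] from the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    out = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            out.append((prio, weight, port, target))
        off += rdlen
    return out


def alias_hosts(records):
    """Every SRV target, deduplicated: a rule must admit all of them, not only the preferred one."""
    return sorted({target for _, _, _, target in records})


def by_preference(records):
    """Client order per RFC 2782: lowest priority first, heavier weight first within a priority."""
    return sorted(records, key=lambda r: (r[0], -r[1]))


# Constructed sample: what a SIP provider's zone might return for _sip._udp
SAMPLE = build_srv_response("_sip._udp.example.net", [
    (10, 60, 5060, "sip1.example.net"),
    (10, 40, 5060, "sip2.example.net"),
    (20, 0, 5061, "backup.example.net"),
])

if __name__ == "__main__":
    recs = parse_srv_response(SAMPLE)
    print("alias hosts:", ", ".join(alias_hosts(recs)))
    print("client order:", [r[3] for r in by_preference(recs)])
```

The point of alias_hosts over by_preference is that the firewall has to admit every target the SRV set can steer the phone to, including the backup, not only the one currently preferred. As I understand OPNsense's alias handling, a host alias accepts hostnames and re-resolves them periodically, so feeding it the target names covers the ISP changing the A records behind them; a new SRV target, however, only shows up when the SRV lookup itself is re-run.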

#44
Quote from: maze-m on September 05, 2024, 11:38:59 PM

My actual problem isn't really the Fritzbox itself. Surfing, streaming from Amazon Prime Video, YouTube etc. works great with the Fritzbox as well.
But I have the problem that I can't connect my work notebook to our VPN (see https://forum.opnsense.org/index.php?topic=38892.msg190418#msg190418)...

This in turn seems to be due to the double NAT (see Reply 1 and Reply 5 in that thread). So I'm currently giving a lot of thought to removing the Fritzbox entirely and running a proper setup with OPNsense.

[...]

For the last (at least 6-7) years I have been dialling into the company VPN via Checkpoint Mobile. That always worked flawlessly in various scenarios (single, double and triple NAT) in combination with the OPNsense. So I suspect that either the VPN client and/or the VPN server is not configured correctly.

Checkpoint Mobile uses IPsec as its protocol. If it really only fails because of NAT, then server and client are probably not configured for NAT-T and are using native IPsec. In that case every NAT instance must itself support "IPsec passthrough". Depending on the implementation, this also only works with one simultaneous connection to the same destination.

The best thing is to capture the IPsec handshake once with Wireshark.
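An added example of the NAT-T detection step the reply above refers to (my own code, not Checkpoint's and not from the thread): how an IKE peer hashes the address it believes it has, how the other side compares that with the address it actually receives from, and what that decides for the ESP traffic that follows. SPIs and addresses are constructed sample values; the hash construction is the one from RFC 7296 section 2.23.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i, spi_r, ip, port):
    """NAT_DETECTION_*_IP payload data (RFC 7296 §2.23): SHA-1(SPIi | SPIr | IP | port),
    everything in network byte order. IKEv1 NAT-D (RFC 3947) uses the same construction
    with the two ISAKMP cookies in place of the SPIs."""
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_in_path(spi_i, spi_r, peer_hash, observed_ip, observed_port):
    """True when the peer's hash (over its own view of its address) does not match
    the outer IP header we actually received the message in."""
    return nat_detection_hash(spi_i, spi_r, observed_ip, observed_port) != peer_hash


def simulate_ike_sa_init(client_ip, client_port, seen_ip, seen_port):
    """Client sends NAT_DETECTION_SOURCE_IP computed over its own address;
    the server recomputes it over the source address it sees on the wire."""
    spi_i = bytes.fromhex("0123456789abcdef")   # constructed initiator SPI
    spi_r = bytes(8)                             # responder SPI is zero in the IKE_SA_INIT request
    sent = nat_detection_hash(spi_i, spi_r, client_ip, client_port)
    return nat_in_path(spi_i, spi_r, sent, seen_ip, seen_port)


def transport_after_nat_check(nat_detected, both_support_nat_t):
    """What the ESP traffic has to traverse once the detection result is known."""
    if not nat_detected:
        return "esp-native"                  # IP protocol 50, nothing in between rewrites addresses
    if both_support_nat_t:
        return "udp-4500"                    # UDP-encapsulated ESP, survives any number of NATs
    return "esp-passthrough-required"        # native ESP through NAT: every NAT hop must pass protocol 50


if __name__ == "__main__":
    # constructed scenario: client behind a Fritzbox (192.168.178.0/24) reaching the VPN server
    # via the public address 203.0.113.5 that the NAT put on the packet
    nat = simulate_ike_sa_init("192.168.178.20", 500, "203.0.113.5", 500)
    print("NAT detected:", nat)
    print("with NAT-T   :", transport_after_nat_check(nat, True))
    print("without NAT-T:", transport_after_nat_check(nat, False))
```

This is the check to read off a Wireshark capture of the handshake: if the NAT_DETECTION payloads are present and the computed hashes differ, both sides know about the NAT and should move to UDP/4500, where a plain NAT keeps state like for any other UDP flow. If the payloads are missing or the session stays on native ESP, the double NAT in the setup above has to carry IP protocol 50 through both boxes, which is exactly the "IPsec passthrough" dependency the reply describes.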
#45
Have a look here: a long time ago I put the OPNsense behind a Fritzbox and let it reach the Internet via PPPoE passthrough while continuing to use some of the Fritzbox's functions. It may still work.

https://www.ip-phone-forum.de/threads/fritzbox-7412-als-modem-an-opnsense-andere-idee.297783/