Messages - gpb

151
20.7 Legacy Series / Re: ipv6 wan stops working after a while
« on: November 20, 2020, 06:37:14 pm »
Quote from: agh1701 on November 20, 2020, 06:33:55 pm
I believe it is superseded by opnsense-patch 9a4a908

see https://github.com/opnsense/core/pull/4461


Thanks!

152
20.7 Legacy Series / Re: ipv6 wan stops working after a while
« on: November 20, 2020, 06:30:52 pm »
Apparently not fixed yet, and if you applied the patch for rtadvd (which is a direct replacement for radvd and native to freebsd) you'll need to reapply it after upgrade.

opnsense-patch 9a4a908 (per link above in this thread)

Edit: modified patch version (per below)


153
20.7 Legacy Series / Re: Add restart CRON Job for RADVD
« on: November 16, 2020, 09:11:29 pm »
If it's radvd crashing or becoming non-responsive, there's a potential fix here, it's working well for me and others (with maybe one exception).

https://github.com/opnsense/core/issues/4338#issuecomment-727215881

154
20.7 Legacy Series / Re: syslog-ng spamming general log once per minute
« on: September 24, 2020, 02:48:29 am »
Thanks @MTR for posting this...working well so far.  :)

155
20.7 Legacy Series / Re: PiHole Best setup?
« on: September 23, 2020, 05:39:32 pm »
Pihole here does all DNS requests.  I route requests from pihole via HTTPS (encrypted) direct to cloudflare (via local cloudflared daemon...previously linked).  I use unbound on OPNsense only for resolving local host names.  So I have forwarding mode unchecked.  In services, dhcpv4 I have my piholes defined as dns, in radvd I have the same pihole ipv6 addresses specified (only for LAN, not VLANs...VLANs don't have ipv6 enabled here).

156
20.7 Legacy Series / Re: PiHole Best setup?
« on: September 23, 2020, 05:31:40 pm »
Here I have pihole configured to use cloudflare via DoH so it's a direct outbound request, not via OPNsense DNS.  Info here:
https://docs.pi-hole.net/guides/dns-over-https/

The solution of routing port 53 requests NOT originating from pihole was discussed a couple weeks ago here (last post summarizes a solution):
https://forum.opnsense.org/index.php?topic=18834.0

Also, cloudflare has 1.1.1.2 and 1.0.0.2 servers that filter known malware sites.  See here, half way down the page if interested:
https://blog.cloudflare.com/introducing-1-1-1-1-for-families/


157
20.7 Legacy Series / Re: PiHole Best setup?
« on: September 23, 2020, 04:14:00 pm »
I would say the "best way" is to make it work like you want it to in your environment.  Lots of variables.  Are you using both ipv4 and ipv6?  Where does the pihole exist and what security do you need/desire for the different hosts and vlans?  Do you want nat rules to reroute dns requests heading outbound bypassing pihole?  There are so many things you can do, I don't think there's a best way.  You might try one of the guides and see what issues you run into, there's plenty out there.

158
20.7 Legacy Series / Re: How to use own IPv6 DNS server with a track LAN interface?
« on: September 17, 2020, 03:25:32 pm »
Quote from: skywalker007 on September 17, 2020, 12:20:48 pm
This (the link local address) only works if pihole is within the same VLAN.

Thanks...useful tip.

159
20.7 Legacy Series / Re: How to use own IPv6 DNS server with a track LAN interface?
« on: September 16, 2020, 03:08:18 pm »
I neglected to mention and maybe this was the crux of your question...which ipv6 address do you use for your rpi.  If that's what you're asking, just use the link local (fe80...) address, that should never change (at least that's my understanding) since it's tied to the MAC address.  Global unicast address will change so I don't think you can use those unless there's some automated way to update.  You can get that address from your rpi using ifconfig.  Cheers.

160
20.7 Legacy Series / Re: How to use own IPv6 DNS server with a track LAN interface?
« on: September 15, 2020, 02:55:24 am »
I put ipv6 dns address in router advertisements and system dns.  To put them in radvd settings you need to enable manual settings in the interface settings page.  Then you’ll see a new page in services where you can add dns addresses.  You can also add a nat rule to capture dns inbound lan interface not from your rpi and route them to the rpi.  I have two rules, one for ipv4 and one for ipv6.  Works great.

161
General Discussion / Re: IPv6 working inconsistently, strange firewall behaviour
« on: September 14, 2020, 06:33:38 pm »
This *might* be related as an acknowledged problem.  It may be causing different issues for different setups.  For me, I get no ipv6 on boot until resaving both my WAN and LAN interfaces.  From there forward I'm ok, except radvd does not seem to reply to solicitations.

https://github.com/opnsense/core/issues/4338

162
20.7 Legacy Series / Re: radvd stops announcing IPv6 prefix after a while (radvd freeze?)
« on: September 08, 2020, 07:37:39 pm »
Yesterday after a cold boot, I didn't notice I had no IPv6 until 90 minutes later and it required me to save/apply an unchanged WAN interface followed by a save/apply of an unchanged LAN interface.  Then routing started.  It looked like I had IPv6 addresses on hosts, but no connectivity (ipv6 monitored by Nagios ping).  There are a few more ipv6 threads that may be related (one solved by moving to 21.1 development version).  In my experience testing, unrelated to the above problem (maybe), it looks like radvd is not responding to host solicitations directly.  It advertises and I increased the frequency of that using manual settings.

https://forum.opnsense.org/index.php?topic=18868.0
https://forum.opnsense.org/index.php?topic=18549.0
https://forum.opnsense.org/index.php?topic=18591.0

Just an FYI.  Oh, and I have not seen the problem you describe where radvd stops altogether.  You might want to try manual router adv settings.  Something definitely seems wrong as compared to 20.1.x series.

Cheers.

163
20.7 Legacy Series / Re: Upgraded to 20.7 now Wife cannot connect to work - I'm in trouble - any ideas
« on: August 30, 2020, 07:29:29 pm »
I had a couple issues with having hardware acceleration enabled (which seemed fine prior to 20.7), disabled that, rebooted and the oddness stopped.  Can't say it's related to connectivity though.  There is also a new issue for some with ipv6 taking some time for hosts to obtain an address (stateless), but no issues with ipv4.

Are you sure it's not on the blackberry service/server itself?  Coincidence maybe?

164
20.7 Legacy Series / Re: Force redirect DNS to pihole
« on: August 26, 2020, 07:08:25 pm »
Quote from: Xelas on August 26, 2020, 09:38:39 am
LAN is: 172.16.1.1/24
pihole is at 172.16.1.5
opnsense unbound is obviously at 172.16.1.1

I'm trying to redirect all DNS traffic to the pihole. pihole should then go to 172.16.1.1 (to allow local dns resolution to work) then the router goes out to 8.8.8.8 or whatever.

Then I added a forward NAT:
Interface: LAN
Protocol: TCP/UDP
Source LAN address
Source port range: DNS
Destination / Invert: Checked
Destination:172.16.1.5/32
Destination Port: DNS
Redirect target IP: 172.16.1.5
Redirect target port: DNS
NAT reflection: Disable

This isn't working, as I can change the DNS setting manually on a PC on the LAN and happily bypass the firewall.

What am I missing?

Source port should be ANY, not DNS (destination is DNS).  You'll also need a second rule for ipv6 if you're using ipv6.  For ipv6, use the link-local address on the pihole as that won't change.  Not sure you need that first rule.

EDIT: did you include pihole's ip address in your DHCP settings so hosts know where to go?
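
An added example (not part of the posts above): a simplified Python model of the port-forward rule from this exchange, showing why a source port of DNS never matches client queries while a source port of any does. The matcher, the packet values and the pihole source exemption (the "not from your rpi" condition from the earlier post on this page) are assumptions for illustration, not OPNsense code.

```python
from dataclasses import dataclass
from typing import Optional

PIHOLE = "172.16.1.5"    # addresses taken from the quoted post
FIREWALL = "172.16.1.1"

@dataclass(frozen=True)
class Packet:             # a packet arriving on the LAN interface
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class PortForward:        # simplified model of one LAN port-forward rule
    src_port: Optional[int]      # None = any source port
    exempt_src: Optional[str]    # source address the rule skips, if any
    not_dst: str = PIHOLE        # "Destination / Invert": everything except this
    dst_port: int = 53
    target: str = PIHOLE

def delivered_to(rule: PortForward, p: Packet) -> str:
    """Address the packet ends up at after the rule is evaluated."""
    if rule.src_port is not None and p.sport != rule.src_port:
        return p.dst                      # source port mismatch: rule skipped
    if rule.exempt_src is not None and p.src == rule.exempt_src:
        return p.dst                      # exempt host keeps its destination
    if p.dport != rule.dst_port or p.dst == rule.not_dst:
        return p.dst                      # not DNS, or already going to pihole
    return rule.target                    # redirected

AS_POSTED = PortForward(src_port=53, exempt_src=None)
ANY_SOURCE_PORT = PortForward(src_port=None, exempt_src=None)
ANY_PORT_EXEMPT_PIHOLE = PortForward(src_port=None, exempt_src=PIHOLE)

# Constructed packets; clients send DNS from ephemeral source ports.
BYPASS = Packet("172.16.1.50", 51514, "8.8.8.8", 53)
TO_PIHOLE = Packet("172.16.1.50", 51515, PIHOLE, 53)
PIHOLE_UPSTREAM = Packet(PIHOLE, 40000, FIREWALL, 53)
HTTPS = Packet("172.16.1.50", 51516, "192.0.2.10", 443)

if __name__ == "__main__":
    for name, rule in [("as posted", AS_POSTED), ("any source port", ANY_SOURCE_PORT),
                       ("any port, pihole exempt", ANY_PORT_EXEMPT_PIHOLE)]:
        for p in (BYPASS, TO_PIHOLE, PIHOLE_UPSTREAM, HTTPS):
            print(f"{name:24} {p.src}:{p.sport} -> {p.dst}:{p.dport}  => {delivered_to(rule, p)}")
```

In this model, the any-source-port rule without an exemption also sends the pihole's own upstream query to 172.16.1.1 back to the pihole, which is what the source exemption avoids.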

165
20.7 Legacy Series / Re: syslog-ng - stopped working after recent upgrade?
« on: August 22, 2020, 06:13:39 pm »
Quote from: dinguz on August 20, 2020, 09:32:59 am
I have tried the new package, and it no longer seems to crash, which is good.
However, after disabling circular logging, it still generates these messages:

Aug 20 09:29:47 haanjdj.ddns.net syslog-ng[6085]: Destination timeout has elapsed, closing connection; fd='27'


Same here.  And thanks @franco.

Code:
2020-08-22T12:11:32 syslog-ng[21334] Destination timeout has elapsed, closing connection; fd='28'
2020-08-22T12:11:03 syslog-ng[21334] Destination timeout has elapsed, closing connection; fd='27'
2020-08-22T12:10:56 syslog-ng[21334] Destination timeout has elapsed, closing connection; fd='7'
2020-08-22T12:09:56 syslog-ng[21334] Destination timeout has elapsed, closing connection; fd='7'
2020-08-22T12:08:56 syslog-ng[21334] Destination timeout has elapsed, closing connection; fd='28'
2020-08-22T12:08:51 syslog-ng[21334] Destination timeout has elapsed, closing connection; fd='7'
2020-08-22T12:07:51 syslog-ng[21334] syslog-ng starting up; version='3.27.1'
