Messages - Greelan

#1021
I was wondering whether it would be possible for the predefined network variables that can be used in firewall rules (eg WAN address, WAN net, LAN address, LAN net etc) to also be made available as options to use for Hosts or Networks when creating an Alias. At the moment, only other Aliases appear as options to select in the dropdown.

Thanks
#1022
20.7 Legacy Series / Implementation of RFC7217
November 25, 2020, 12:13:36 PM
I was wondering if there is an existing way to implement RFC7217 (stable privacy IPv6 addresses) in OPNsense. I couldn't see anything in the web interface. I did find a reference online to it being configurable in a BSD environment through /etc/dhcpcd.conf, although I am not entirely sure how to translate that to the OPNsense scenario.

I am aware of the tunables for temporary addresses (privacy extensions to SLAAC), but that is different (RFC4941).

Thanks
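For anyone who wants to see what RFC 7217 actually asks a host to do, the following is an added worked example and not code from the post above or from OPNsense/FreeBSD. It implements the RFC's RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key) construction with HMAC-SHA256 as the PRF (the RFC leaves the choice of F to the implementation), takes the low 64 bits as the interface identifier, and skips the reserved identifiers from RFC 5453 by bumping DAD_Counter. The secret key, interface name and Network_ID values are constructed for the example.

```python
"""Stable, privacy-preserving IPv6 interface identifiers per RFC 7217 (added example)."""
import hashlib
import hmac
import ipaddress

IID_MASK = (1 << 64) - 1

# Interface identifiers RFC 5453 reserves; an RFC 7217 implementation must not
# hand these out. Ranges are inclusive 64-bit integers. The whole IANA Ethernet
# block is avoided here, which also covers the Proxy Mobile IPv6 value
# 0200:5eff:fe00:5213 that RFC 5453 lists separately.
RESERVED_IIDS = (
    (0x0000000000000000, 0x0000000000000000),  # subnet-router anycast
    (0x02005EFFFE000000, 0x02005EFFFEFFFFFF),  # IANA Ethernet block
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),  # reserved subnet anycast
)


def is_reserved_iid(iid: int) -> bool:
    return any(lo <= iid <= hi for lo, hi in RESERVED_IIDS)


def stable_iid(prefix: str, net_iface: str, network_id: bytes,
               dad_counter: int, secret_key: bytes) -> int:
    """RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key); IID = low 64 bits.

    RFC 7217 leaves the PRF F to the implementation; HMAC-SHA256 is used here.
    Fields are length-delimited so "em0"+"ab" cannot collide with "em0a"+"b".
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("RFC 7217 generates identifiers for /64 prefixes only")
    iface = net_iface.encode("ascii")
    msg = (net.network_address.packed[:8]
           + len(iface).to_bytes(1, "big") + iface
           + len(network_id).to_bytes(2, "big") + network_id
           + dad_counter.to_bytes(4, "big"))
    rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(rid[-8:], "big") & IID_MASK


def stable_address(prefix: str, net_iface: str, network_id: bytes,
                   secret_key: bytes, dad_counter: int = 0,
                   max_attempts: int = 16):
    """Return (address, DAD_Counter used). A reserved IID is skipped by bumping
    DAD_Counter, which is also what RFC 7217 prescribes after a DAD failure."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    for counter in range(dad_counter, dad_counter + max_attempts):
        iid = stable_iid(prefix, net_iface, network_id, counter, secret_key)
        if not is_reserved_iid(iid):
            return ipaddress.IPv6Address(int(net.network_address) | iid), counter
    raise RuntimeError("no usable IID within max_attempts")


if __name__ == "__main__":
    # Constructed secret; a real host generates this once and keeps it across reboots.
    key = bytes.fromhex("3b9d2c6e1f0a4d8b7c5e9f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e")
    for pfx in ("2001:db8:1:2::/64", "2001:db8:1:3::/64"):
        addr, ctr = stable_address(pfx, "em0", b"home-lan", key)
        print(f"{pfx:24} -> {addr}  (DAD_Counter={ctr})")
```

The property the post is after falls out of the construction: the same prefix, interface and key always produce the same address (stable), while a different prefix produces an unrelated identifier, so the host cannot be tracked across networks the way an EUI-64 identifier allows. This is distinct from the RFC 4941 temporary addresses the post mentions, which change over time on the same network.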
#1023
20.7 Legacy Series / Adding an IPv6 GUA to loopback
November 25, 2020, 12:04:08 PM
I've been investigating adding an IPv6 global unicast address to my OPNsense box's loopback.

I've achieved it by creating a new loopback device, assigning a new interface to that device, and then assigning a static IPv6 address to that interface using my prefix and an unused prefix ID. That works fine.

But that results in a new loopback interface being created (lo1, separate to the existing lo0), and also means that if my prefix changes, I need to manually update the static IP. That's not the end of the world, but:


  • is there a way to add the GUA to the existing lo0 instead - I couldn't see a way in the web interface
  • is it possible to generate the address by SLAAC instead of creating a static IP - I tried to use Track Interface and configure the interface to use SLAAC, but that seemed to kill dhcp6c

In the end, it probably doesn't really matter if I can't change my current approach, but I was curious if I could streamline it.

Thanks
#1024
Tutorials and FAQs / Re: Google Drive Backup
November 11, 2020, 06:28:50 AM
One clarification I believe for Page 9. The password that should be entered in the OPNsense backups configuration page should be a strong password for encryption of the backups, not the default "notasecret" password that applies to the p12 key. Given that the p12 key password is a standard password used by Google for all keys generated, I believe OPNsense itself supplies that password when using the key.
#1025
Thanks both for your responses.

This is quite the mystery. Doing a packet capture on OPNsense (the VLAN10 and VLAN49 interfaces) actually shows what appears to be the repeater working - for example, a multicast packet from an Apple TV in VLAN49 to the VLAN49 interface does appear to be repeated in VLAN10 (with the VLAN10 IP of OPNsense being the source). At least that is the case for IPv4 (224.0.0.251); IPv6 (ff02::fb) does not appear to be repeated.

I'm still though seeing all kinds of strange and inconsistent behaviour on devices, which I won't bore you with.

I have tried a permissive rule in the firewall, allowing all traffic from VLAN49 to anywhere, just for testing. It didn't make a difference.

I wonder now whether it's not OPNsense but rather the other elements in the network - particularly APs, but maybe switches - that could be having an effect (if so, damn you Ubiquiti!). It's odd because with the same switches and APs with the USG as the router, I had greater success with mDNS repeating usually working.

I guess I will keep testing different configurations, and hoping the others in the forum may have insights too.
#1026
General Discussion / Re: Can't make IPv6 work
November 09, 2020, 11:55:44 PM
Sounds like what is happening is that the ISP router is taking the prefix, which means OPNsense can't get anything. (The only thing it is getting is an address on its WAN interface from the ISP router, out of the prefix - ie the OPNsense box is treated like any other host on the LAN side of the network from the ISP router.)

I don't have a double router setup like you but I think what you probably need to do is disable IPv6 on the ISP router so that it doesn't get in the way. Not sure whether you then need to bridge it to OPNsense.

Unless your ISP is really stingy I reckon you are getting a larger prefix, like a /60 or even a /56. You are seeing a /64 on your PC when connecting likely because your router is configured to hand that out (either it has a prefix ID set for that interface or is simply handing out the lowest /64 out of the delegated prefix). Check with your ISP to find out what prefix size they give out or just google it.

You should be getting two things from your ISP - a /64 out of which a /128 is assigned to your WAN interface, and then a separate prefix (as I said, likely /60 or even /56) out of which /64s can be allocated on the LAN side (using prefix IDs of 0-F for a /60 prefix and 00-FF for a /56 prefix).

You really should be keeping your LAN side networks as /64. That's the basic assumption for IPv6 (eg SLAAC does not work with smaller networks) and you are likely to encounter other issues with something like /80 networks.
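The prefix arithmetic in the reply above is easy to get wrong by hand, so here is an added example (not code from the post or from OPNsense) that computes the per-VLAN /64 for a given prefix ID, reports the valid prefix ID range for a /60 or /56 delegation, and checks the two things the reply warns about: a LAN network that is not a /64 cannot do SLAAC, and the WAN /128 should not come out of the delegated prefix. The delegated prefixes and WAN address are constructed from the 2001:db8::/32 documentation range.

```python
"""Splitting an ISP-delegated IPv6 prefix into per-VLAN /64s (added example)."""
import ipaddress


def prefix_id_range(delegated: str):
    """(highest prefix ID, hex digits needed) for a delegated prefix.
    /60 -> (0xF, 1), /56 -> (0xFF, 2), /48 -> (0xFFFF, 4)."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"/{pd.prefixlen} is smaller than a /64; nothing to split")
    bits = 64 - pd.prefixlen
    return (1 << bits) - 1, max(1, (bits + 3) // 4)


def valid_prefix_id(delegated: str, prefix_id: int) -> bool:
    max_id, _ = prefix_id_range(delegated)
    return 0 <= prefix_id <= max_id


def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 a LAN-side interface gets for a given prefix ID (ID 0 = lowest /64)."""
    if not valid_prefix_id(delegated, prefix_id):
        max_id, digits = prefix_id_range(delegated)
        raise ValueError(
            f"prefix ID {prefix_id:0{digits}x} exceeds {max_id:0{digits}x} for {delegated}")
    pd = ipaddress.IPv6Network(delegated, strict=True)
    # The prefix ID fills the bits between the delegation boundary and bit 64.
    return ipaddress.IPv6Network((int(pd.network_address) | (prefix_id << 64), 64))


def slaac_capable(network: str) -> bool:
    """SLAAC needs a 64-bit interface identifier, so only /64 links qualify."""
    return ipaddress.IPv6Network(network, strict=False).prefixlen == 64


def wan_in_delegation(wan_address: str, delegated: str) -> bool:
    """The WAN /128 normally comes from a separate /64, not from the delegated prefix."""
    return ipaddress.IPv6Address(wan_address) in ipaddress.IPv6Network(delegated)


if __name__ == "__main__":
    # Constructed delegations standing in for what an ISP hands out.
    for pd in ("2001:db8:abcd:fff0::/60", "2001:db8:abcd:ff00::/56"):
        max_id, digits = prefix_id_range(pd)
        print(f"{pd}: prefix IDs 0..{max_id:0{digits}x}")
        for pid in (0x0, 0xA):
            print(f"  ID {pid:0{digits}x} -> {lan_prefix(pd, pid)}")
    print("WAN 2001:db8:0:1::2 inside the delegation?",
          wan_in_delegation("2001:db8:0:1::2", "2001:db8:abcd:ff00::/56"))
```

If your ISP changes the delegated prefix, every /64 computed here changes with it, which is why tracking the WAN interface (rather than static LAN addresses) is the usual setup.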
#1027
Interesting. So what's the destination for those firewall rules? 224.0.0.251 or firewall IP?
#1028
General Discussion / Re: Can't make IPv6 work
November 08, 2020, 01:18:25 AM
Have you set the correct prefix delegation size on the WAN interface?

I'd also check that you've selected an appropriate Router Advertisement mode under Services>Router Advertisements (eg "Stateless" if you intend to use SLAAC). You may need to enable "Allow manual adjustment of DHCPv6 and Router Advertisements" under the Interfaces menu for the relevant interface for this purpose.
#1029
General Discussion / Re: Can't make IPv6 work
November 07, 2020, 09:56:19 PM
Is IPv6 allowed under Firewall>Settings>Advanced?
#1030
I will be very interested to hear how you go.

TBH, I'm not sure the firewall was causing my issues as I didn't see any IPv4 multicast being blocked by the default deny rule in OPNsense, even without allow rules being included.

Fingers crossed. This is a bit of a killer for me - I really don't want to go back to the USG (it's now abandonware), and I'm not inclined to switch to pfSense (I understand that it has an Avahi plugin which works reliably).
#1031
I did. I included rules on each interface, ie:

VLAN10 - allow UDP into the interface from VLAN10 net to 224.0.0.251 port 5353
VLAN49 - allow UDP into the interface from VLAN49 net to 224.0.0.251 port 5353

I also included similar rules for IPv6, although I understand that mdns-repeater may only work with IPv4? That is:

VLAN10 - allow UDP into the interface from fe80::/10 to ff02::fb port 5353
VLAN49 - allow UDP into the interface from fe80::/10 to ff02::fb port 5353

Do they look right?
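To sanity-check rules like the four above, here is an added example (my own, not from the post or from OPNsense) that models them as first-match-wins rules with a default deny, which is how OPNsense GUI rules behave with the default "quick" setting, and runs a few constructed packets through them. The VLAN10 and VLAN49 networks (10.0.10.0/24 and 10.0.49.0/24) and all host addresses are assumptions, since the post gives none.

```python
"""Evaluate the mDNS firewall rules from the post against constructed packets (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    iface: str   # interface the packet arrives on
    proto: str
    src: str     # CIDR
    dst: str     # CIDR
    dport: int
    action: str = "pass"


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


# Assumed interface networks; the post does not give addresses.
NETS = {"VLAN10": "10.0.10.0/24", "VLAN49": "10.0.49.0/24"}

# The four rules as described in the post, one per VLAN and address family.
MDNS_RULES = [
    Rule("VLAN10", "udp", NETS["VLAN10"], "224.0.0.251/32", 5353),
    Rule("VLAN49", "udp", NETS["VLAN49"], "224.0.0.251/32", 5353),
    Rule("VLAN10", "udp", "fe80::/10", "ff02::fb/128", 5353),
    Rule("VLAN49", "udp", "fe80::/10", "ff02::fb/128", 5353),
]

# Constructed packets, chosen to exercise each rule and the default deny.
SAMPLES = {
    "v4 query from VLAN10 host": Packet("VLAN10", "udp", "10.0.10.20", "224.0.0.251", 5353),
    "v6 link-local query on VLAN49": Packet("VLAN49", "udp", "fe80::1c2b:3d4e:5f60:7182", "ff02::fb", 5353),
    "v6 query from a GUA source": Packet("VLAN49", "udp", "2001:db8:49::10", "ff02::fb", 5353),
    "spoofed VLAN10 source on VLAN49": Packet("VLAN49", "udp", "10.0.10.20", "224.0.0.251", 5353),
    "unicast mDNS reply": Packet("VLAN49", "udp", "10.0.49.5", "10.0.10.20", 5353),
}


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface != pkt.iface or rule.proto != pkt.proto or rule.dport != pkt.dport:
        return False
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    rsrc, rdst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
    # A v4 packet never matches a v6 rule and vice versa.
    if src.version != rsrc.version or dst.version != rdst.version:
        return False
    return src in rsrc and dst in rdst


def evaluate(pkt: Packet, rules=MDNS_RULES) -> str:
    """First matching rule wins; no match falls through to the default deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "block"


def audit(rules=MDNS_RULES, samples=SAMPLES) -> dict:
    """Map each sample description to the action the rule set takes."""
    return {name: evaluate(pkt, rules) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, action in audit().items():
        print(f"{action:5}  {name}")
```

Two of the outcomes are worth noticing when reading your own rule list: the IPv6 rule only admits queries sourced from fe80::/10, so an mDNS packet sent from a global address on the same VLAN falls to the default deny, and a unicast mDNS reply (destination not 224.0.0.251) is not covered by any of the four rules either. Whether your devices ever send either of those is something the packet capture, not the rule list, will tell you.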
#1032
I know this is not a new topic, but I'm really struggling to get mDNS repeated/relayed across VLANs, after spending days searching the forum and the web and trying various setups.

I recently replaced the UniFi Security Gateway in my network with an OPNsense box. I've managed to set up everything to replicate the network topology I had with the USG and have now introduced the box into the network.

My network includes a number of VLANs. Of relevance here are VLAN10 and VLAN49. VLAN10 includes my trusted devices and VLAN49 includes IoT type devices, including an AirPrint printer and AppleTVs.

Generally VLAN49 is prevented from communicating with VLAN10 (but not vice versa). With the USG I had implemented a mDNS repeater that meant VLAN10 could find all the Bonjour devices in VLAN49.

I am trying to replicate that with OPNsense. I have used both the os-mdns-repeater and os-udpbroadcast-relay plugins (separately), but without success. I have tried those plugins with firewall rules accepting traffic on port 5353 in both VLANs, but without success.

I just cannot figure out what I am doing incorrectly. If anyone has a setup similar to mine and has mDNS successfully being repeated/relayed across VLANs - particularly for AirPrint and AirPlay - could they please let me know how they have achieved it?

Thanks
#1033
Thanks both! Great that it is such a simple answer (told you it was a noob question!). Cheers
#1034
Hi, brand new to OPNsense and the forum. I have a bit of a noob question.

I am looking at getting a Lenovo ThinkCentre M720 Tiny to run OPNsense. I realise it is overkill for the purpose, but I can get the box at a really good price, so it is hard to resist. Down the track I might look to run other things on it.

The configuration I am looking at (with an added Intel 4 port NIC) does not have a serial or VGA port. Only USB2, USB3, DisplayPort and HDMI. Can I still install OPNsense on it? This thread (https://forum.opnsense.org/index.php?topic=3972.0) suggests it is possible, but I wanted to make sure.

If it is possible, what version of the installer do I use?

Thanks.