Messages - Saarbremer

256
23.7 Legacy Series / Re: LAN clients cannot ping internet IPv6 addresses
« on: November 13, 2023, 07:49:49 pm »
Hi,

did you already check with IPv6 on WAN as DHCPv6? Tracking interface for LAN works (to my knowledge) with DHCPv6 on WAN only, not SLAAC.

How is the LAN's Router Advertisement configured? Managed, Assisted, None, ...

Furthermore, are the WAN and LAN IPs on different prefixes? It does not become clear to me.

In any case, you should be able to inspect the traffic from LAN to the internet and check if ICMP packets even come in on LAN and, if yes, whether there is any response that might get lost.

257
German - Deutsch / Re: IPv6 Konfiguration
« on: November 02, 2023, 05:24:23 pm »
With non-/64, nobody guarantees you anything. With /64 you would still have to see how you get DNS to the client. SLAAC is not enough for that, i.e. you need RA set to "Stateless" or straight away "Assisted" or "Managed".

And of course the corresponding pass rules in the firewall.

Gateway stays on Auto.

258
German - Deutsch / Re: IPv6 Konfiguration
« on: November 02, 2023, 12:06:48 pm »
Hi,

"Track Interface", as already mentioned, only if WAN is served via DHCPv6. If WAN is set to static, you configure corresponding static addresses for each subnet - and of course have to make sure they do not overlap.

So e.g.: (example /56 network)

xxxx:xxxx:xxxx:xx00::1/64
xxxx:xxxx:xxxx:xx01::1/64
xxxx:xxxx:xxxx:xx02::1/64

Where possible, I for example carry the VLAN ID over into the prefix.

xxxx:xxxx:xxxx:xx<VLAN_ID>::1/64

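As an added illustration of the addressing scheme in the post above (example code written for this page, not from the forum post or the OPNsense project): it derives one /64 per VLAN from a delegated /56, places the router at ::1 of each subnet, and refuses a plan whose subnets overlap or whose VLAN ID does not fit into the subnet field. It assumes, following the post's xx<VLAN_ID> notation, that the VLAN ID's decimal digits are written literally as the hex digits of the subnet field (VLAN 10 lands in ...:xx10::/64); the 2001:db8:... prefix and the VLAN numbers are constructed sample values.

```python
import ipaddress


def vlan_subnet(delegated: ipaddress.IPv6Network, vlan_id: int,
                subnet_len: int = 64) -> ipaddress.IPv6Network:
    """Return the /64 inside `delegated` whose subnet-id field spells the VLAN ID.

    Assumption (mirrors the post's xx<VLAN_ID> notation): the VLAN ID's decimal
    digits are used literally as hex digits, so VLAN 10 lands in ...:xx10::/64.
    """
    if delegated.prefixlen > subnet_len:
        raise ValueError(f"{delegated} is smaller than a /{subnet_len}")
    subnet_bits = subnet_len - delegated.prefixlen      # 8 bits for a /56
    subnet_id = int(str(vlan_id), 16)                   # "10" -> 0x10
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError(f"VLAN {vlan_id} needs more than the {subnet_bits} "
                         f"subnet bits that {delegated} provides")
    host_bits = 128 - subnet_len
    net_int = int(delegated.network_address) | (subnet_id << host_bits)
    return ipaddress.IPv6Network((net_int, subnet_len))


def router_address(subnet: ipaddress.IPv6Network) -> ipaddress.IPv6Interface:
    """First host of the subnet, the conventional router address (::1/64 in the post)."""
    return ipaddress.IPv6Interface(f"{subnet.network_address + 1}/{subnet.prefixlen}")


def plan_subnets(delegated_str: str, vlan_ids, reserved=()) -> dict:
    """Map each VLAN ID to its /64, rejecting overlaps with `reserved` subnets
    (networks already configured elsewhere) and with each other."""
    delegated = ipaddress.IPv6Network(delegated_str, strict=True)
    taken = [ipaddress.IPv6Network(r) for r in reserved]
    plan = {}
    for vid in vlan_ids:
        net = vlan_subnet(delegated, vid)
        clash = next((t for t in taken if t.overlaps(net)), None)
        if clash is not None:
            raise ValueError(f"VLAN {vid} -> {net} overlaps with {clash}")
        taken.append(net)
        plan[vid] = net
    return plan


if __name__ == "__main__":
    # Constructed sample: documentation prefix, VLANs 1, 10 and 42.
    for vid, net in plan_subnets("2001:db8:1234:ff00::/56", [1, 10, 42]).items():
        print(f"VLAN {vid:>3}: {net}  router {router_address(net)}")
    # A three-digit VLAN ID does not fit into the 8 subnet bits of a /56:
    try:
        plan_subnets("2001:db8:1234:ff00::/56", [100])
    except ValueError as err:
        print("rejected:", err)
```

The `reserved` argument is what catches the mistake the post warns about: passing the subnets already assigned on other interfaces makes a colliding VLAN plan fail loudly instead of silently producing two interfaces with the same /64.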

259
23.7 Legacy Series / Re: Unknown gateway in Reporting -> Health -> Quality
« on: November 02, 2023, 10:45:38 am »
Hi,

the health page does not show the configured gateways but the gateways it has information about. So I guess this gateway existed some time before and has since been removed.

You can dump the collected report on the settings page and it should be removed.

260
German - Deutsch / Re: IPv6 Konfiguration
« on: November 02, 2023, 10:30:42 am »
Yes, it can always get worse. One could be a customer of EWE (no matter whether private or business).

https://twitter.com/Moin_EWE/status/1250416373055901696?lang=de

261
German - Deutsch / Re: IPv6 Konfiguration
« on: November 02, 2023, 10:22:00 am »
Hi,

by the way: a /62 prefix is pretty pitiful. Actually /64 subnets are the norm and there is even RFC 7421 on this, which discusses the problems with non-/64 subnets.

https://www.rfc-editor.org/rfc/rfc7421#section-4.2

A few more questions on that:
Did you receive a public IPv6 on the client and does it match the subnet?
Are there corresponding pass rules on the interface?

Otherwise you could use Packet Capture to look at whether the IPv6 traffic leaves via WAN at all, or whether replies come back.


262
German - Deutsch / Re: Problems with port forwarding
« on: November 02, 2023, 10:10:00 am »
Hi,

is your WAN configured via DHCP from the Fritzbox or statically?

I had the case that this setup does not work when, with static configuration, the upstream gateway is set and not on automatic. You find that under Interfaces -> WAN -> IPv4 Upstream Gateway, provided static configuration is selected.

In that case all replies to forwarded packets were sent to the default gateway instead of into the network segment. Perhaps that is the case here too?

263
General Discussion / Re: Routing while NAT port forwarding
« on: October 31, 2023, 05:06:29 pm »
After additional digging I found the reason:

The IPv4 Upstream Gateway setting on the WAN interface page was set to the actual gateway instead of "Auto-Detect". Selecting Auto-Detect covered my use case completely.

Sorry for bothering.

264
General Discussion / Routing while NAT port forwarding [Solved]
« on: October 31, 2023, 05:04:37 pm »
Hi,

I have an issue understanding something, however I must admit that my expectations might be wrong.

Test setup is:
  • OPNSense Box 1 (Router 1) has LAN 10.0.1.1/24, WAN is public ISP provided, static IP
  • OPNSense Box 2 (Router 2) has WAN 10.0.1.99 and LAN 10.0.64.1/24. Router2's WAN is in fact connected to the router 1's LAN network.
  • Router 1 does not know about 10.0.64.0/24, no route to that network configured.
  • Router 2 is configured statically on WAN and LAN, no DHCP Client involved on WAN. Configured 10.0.1.1 as default upstream gateway. Router 2 uses outbound NAT.

My Expectation 1: [passed]
TCP to public internet or services in Router 1's LAN are successful from Router 2's LAN. OPNsense outputs traffic to Router 1's LAN without the gateway via layer 2

My Expectation 2: [failed]
I can enable port forwarding on Router 2 to allow services from behind Router 2 to be exposed to Router 1's LAN.

So, I created a port forwarding and allowed an associated firewall rule. Observation: No access to exposed service via forwarded port from clients in Router 1's LAN 10.0.1.0/24.

Observing the live view in both OPNsenses it turned out that
  • first the client in 10.0.1.0/24 connects to the forwarded port and the traffic is forwarded correctly.
  • answers are sent to the default GW of Router 2, i.e. Router 1, which reports a state rule violation in the live traffic view
  • After disabling the default GW, it works as expected, traffic goes directly back to the client via layer 2

I would have thought that the default GW should not be part of the equation no matter if I just use outbound NAT or port forwarding. The destination IP is in the WAN networks range and should not require a gateway. Did I miss something?

265
German - Deutsch / Re: IPv6 IPSec VPN OPNsense 23.7.7_3
« on: October 31, 2023, 02:16:05 pm »
Did you also change the firewall rule for IPsec to destination Any?

266
General Discussion / Re: Add DHCP Scope for VirtualIP
« on: October 29, 2023, 11:48:33 am »
Hi,

the way you are trying to achieve this is not what you want to do. You cannot distinguish between IP ranges in the DHCP protocol setup phase with a client. Furthermore, you'd have interference with other protocols at a later stage.

What you would have to do is to create another interface, assign the IP and configure DHCP server for it. You typically achieve that using different VLAN.

What exactly is it you want to achieve? Do you have managed switch(es) in use to deploy VLAN?

267
Virtual private networks / Re: OpenVPN to VLAN
« on: October 26, 2023, 08:24:27 am »
Quote from: anonymous4519576 on October 25, 2023, 08:43:38 pm
wouldn't having the LAN be able to access the VLAN nullify the point of segregating the networks? maybe I'm misunderstanding but if the VLAN and LAN can talk to each other, is there any separation?

The reason behind network segmentation is to reduce the attack surface dramatically: You allow only those services that are supposed to happen. Yes, an attacker having credentials for your SSH or being able to exploit a security issue is not held back by the firewall. However: An attempt to access e.g. SMB/CIFS shares is rendered impossible.

That way you only need to make sure SSH services are secure and safe (up-to-date, adequate credentials' strength, matching certificates, allowed users only, ...)

No VPN will help you with that.

Always keep in mind that a

firewall / VPN / (arbitrary security measure with or without intelligence) / correct service configuration /  application layer gateway / ids / ips / dns bl / ....

can only be a puzzle piece of your IT's security and should match your requirements.

268
General Discussion / Re: Does it not route? (can't access webGUI via LAN)
« on: October 24, 2023, 06:07:52 pm »
Hi,

is the old router still in place when you're connected via the switch? That would still hand out IPs via DHCP while nobody does it on a direct link.

Or other issue: Is LAN already mapped to a VLAN or to the plain interface in OPNsense?

269
Virtual private networks / Re: My DNS is leaking! DNS leak check sites know my home IP somehow
« on: October 24, 2023, 06:04:26 pm »
Quote
because it somehow knows my home IP!  What a disaster

It does know your DNS server's IP. At least given you're talking about the leak test.

270
Virtual private networks / Re: My DNS is leaking! DNS leak check sites know my home IP somehow
« on: October 24, 2023, 02:39:32 pm »
Hi,

I don't know if I understand you correctly. But your local unbound DNS resolver really knows what hostnames you looked up. So yeah you're leaking this kind of data to your pi hole.

That's what it says.

However, your pi hole could connect via VPN to hide your original IP. To identify roughly your location an IP address is enough.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved