Topics - mfld-pub

1
21.1 Legacy Series / 21.1.8 os-tor - TOR service, no longer advertises directory port
« on: July 07, 2021, 02:47:48 pm »
Upgrading from 21.1.7 to 21.1.8 updates the tor plugin. After updating and rebooting I notice that the Directory Port is no longer advertised. Has anyone else seen this today?

I can see that metrics.torproject.org shows "0" for my directory port. In the config in OPNsense it is set correctly. Did not touch the config. Only change I initiated was the 21.1.7 to 21.1.8 update.

2
21.1 Legacy Series / Native IPv6, in rules on WAN OK, but nothing connects unless pfctl -d
« on: June 21, 2021, 06:01:52 am »
Hey all,

Super weird. I have installed OPNsense 21.1.7 on bare metal. IPv4 and IPv6 WAN assignments are static /29 and /64. IPv6 gateway is the ::1 of my /64. IPv6 WAN address is the ::2 of my IPv6 prefix.

I.e. WAN address: 2001:DB8:1212:3000::2/64, Gateway address 2001:DB8:1212:3000::1

OPNsense can make outbound connections over IPv6 just fine. But inbound only ICMP works.

For testing, I disabled Block Bogons and Block Private on WAN. Now I made some inbound rules on WAN:

allow ICMP (v4/v6) from any
allow TCP/22, TCP/443 IPv4 from an alias and log it.
allow TCP/22, TCP/443 IPv6 from an alias and log it.

I checked the alias table and it has been populated with the expected IPv6 addresses.

Now when I connect from a whitelisted address to OPNsense over IPv6 on tcp/443 or tcp/22 I can see the firewall logging the allow. But no connectivity can take place.

It just times out.

For testing I took everything out of the equation, no blocking of RFC1918, no blocking of BOGON, and put an allow rule as my very first firewall rule on WAN to allow IPV6 proto any from any.

Not sure how to scale this screenshot for the forum, so have attached the jpg below, too:


Again I can now ping OPNsense but NOT connect ssh or https over IPv6.

As a final measure to see if this is perhaps an upstream issue of sorts I ssh in (via IPv4) and do
Code:
    pfctl -d
At that point IPv6 connections are accepted. I can SSH / https to the box over IPv6! How? Why? Whiskey Tango Foxtrot?

Attached a sanitized packet capture where I try to ssh from 2604:aa10:9211:2:68c2:f15e:579d:af88 to the WAN address. It shows the pass rule on WAN is working but then things break when OPNsense is trying to reply.

Gateway status shows up, OPNsense can initiate IPv6 conversations successfully. I do not get it.


