Messages - dseven

151
General Discussion / Re: Cannot connect to or ping switch IP
« on: October 25, 2024, 09:41:00 am »
It sounds like you have not configured the new switch with a default route (gateway) pointing to the firewall (probably 192.168.1.1).

152
General Discussion / Re: mDNS Relay Issues with OPNsense and FritzBox Exposed Host Setup
« on: October 25, 2024, 09:34:57 am »
I assume you mean that the WAN interface of OPNsense is connected to the FRITZ!Box's LAN?

You say "A printer connected on the LAN side" ... the LAN side of what? The FRITZ!Box or OPNsense?

Where is the mDNS client? How are you testing it?

I don't have a FRITZ!Box, but I wouldn't expect the "exposed host" function to do anything with multicast (don't know, though).

If you're expecting to receive mDNS on the WAN interface of your OPNsense box, you will need a firewall rule to allow it too.

153
General Discussion / Re: User can’t connect because of CGNAT
« on: October 24, 2024, 09:54:19 pm »
Huh? You wouldn't be seeing her CGNAT private address - you'd be seeing whatever public address she gets (dynamically) NAT'ed to. I don't know why it's not working, but I don't think it's because of private IP blocking. A quick Google suggests that SoftEther VPN is supposed to be capable of traversing CGNAT.....

154
24.7 Production Series / Re: DHCP Static Mapping within DHCP range
« on: October 24, 2024, 06:31:16 pm »
Reservations generally should be *outside* the range ("pool") of addresses that are "up for grabs". Kea DHCP supposedly allows for in-pool reservations, but I'm not sure that OPNsense leverages that properly. AFAIK, ISC DHCP doesn't support in-pool reservations at all.

155
General Discussion / Re: Opnsense with RT6600ax ap mode
« on: October 24, 2024, 03:19:31 pm »
Not sure where the hangup is here - you configure the SSID on the AP, because the AP is providing WiFi service. OPNsense has nothing to do with it. I don't know the Synology stuff, but from a YouTube video that a quick Google search found, it appears that you would create or modify a "Local Network" under "Network Center" and specify your SSID there.

156
24.7 Production Series / Re: Static IPv6 for router
« on: October 23, 2024, 10:07:59 pm »
Quote from: kingamajick on October 23, 2024, 05:43:13 pm
Quote from: dseven on October 23, 2024, 05:25:22 pm
I think you could just create a loopback interface and give it a static IPv6 ULA, and point to that in any static DNS client config. From a quick test, it seems to work for me.

Hopefully the follow up is as reasonable, how would I do this?

In case you still want to try it.... Interfaces -> Other Types -> Loopback, click '+', give it a description, then Interfaces -> Assignments, assign it, edit it, set IPv6 Configuration Type to Static, and give it a ULA, which should start with 'fd' - e.g. I used fdd7::1/128 for testing.

157
General Discussion / Re: Opnsense with RT6600ax ap mode
« on: October 23, 2024, 10:04:36 pm »
The SSID would be configured on the AP. OPNsense wouldn't even know it's there.

158
24.7 Production Series / Re: Static IPv6 for router
« on: October 23, 2024, 05:25:22 pm »
It's a reasonable question!

I think you could just create a loopback interface and give it a static IPv6 ULA, and point to that in any static DNS client config. From a quick test, it seems to work for me.

Another possible approach would be to use a ULA prefix for your LAN, and use NPTv6 to map this to a /64 from your delegated /56 dynamically. If you intend to run any services on your LAN and want to be able to give them static v6 addresses, it would work for that too...

159
24.7 Production Series / Re: NUC running OPNsense 24.7 can't see WAN interface from Adtran 422G GFast NTU
« on: October 22, 2024, 05:19:05 pm »
With a PC connected to the LAN, point a browser at 192.168.1.1. The first time you login to the WebUI as root, you should be presented with a wizard. One of the wizard steps is "Configure WAN Interface". That's where you'd select PPPoE and enter your credentials. Alternatively (or if you've already dismissed the wizard) you could navigate as Patrick suggests...

160
24.7 Production Series / Re: NUC running OPNsense 24.7 can't see WAN interface from Adtran 422G GFast NTU
« on: October 22, 2024, 02:42:06 pm »
You need to find out what configuration your ISP requires (unless you already know) - perhaps they do PPPoE (in which case you'll need a username and password), or/and use a tagged VLAN.

It's also possible that you are required to use a registered MAC address - if so, you might be able to get around that by spoofing the one from the ISP router.

Are you able to access the LAN side of your OPNsense NUC? If not, you may have the NICs backwards....

161
24.7 Production Series / Re: Issues with static IPv6 configurations from /56
« on: October 22, 2024, 09:57:59 am »
Nice! That's what I meant by "there would need to be some way to tell OVH to route prefixes to the WAN address of your OPNsense instance" in my original response. Glad you found it!

162
General Discussion / Re: Proxmox / OPNsense
« on: October 21, 2024, 11:15:39 am »
Your description is vague/confusing. Also, you've attached the same screenshot twice - did you have another one that you intended to share?

What do you mean by "it keeps attaching the 10.0.1.1 IP"?

How is the WAN interface configured? (e.g. DHCP client, PPPoE, etc)

How is the LAN interface configured?

How are the interfaces assigned in OPNsense? (e.g. vtnet0 for LAN, vtnet1 for WAN)

How are the VM's virtual NICs configured in Proxmox? (e.g. net0 uses bridge vmbr1, etc)

163
General Discussion / Re: DoT for dns Local/LAN / adguard home and bind
« on: October 20, 2024, 02:30:39 pm »
Quote from: RamSense on October 20, 2024, 01:53:11 pm
Quote
What problem are you actually trying to solve here anyway? It seems like a lot of complexity for a problem that's not really clear (to me)....

The key idea I came up with is that dns traffic on LAN is plain dns, and was wondering if that could be changed to encrypted dns on LAN. This way making it impossible for the utopian case that DNS would be sniffed by something on LAN network

But having Bind do TLS on localhost for AGH doesn't get you there - the clients on your LAN will (presumably) still be talking to AGH over port 53 with no "security".


Quote
p.s. your config works for Bind. It starts and runs.

<...snip...>

Adguard home - DNS Settings - Upstream DNS Servers - tls://127.0.0.1:853 or 127.0.0.1:853 - don't work or connect.

I would expect because the cert is not trusted.

164
General Discussion / Re: DoT for dns Local/LAN / adguard home and bind
« on: October 20, 2024, 01:27:38 pm »
Where did you get that config? It doesn't appear to be correct. Derived from some random stackexchange Google result, the following "works", but it will be clobbered if you make any changes to the Bind config using the OPNsense WebUI...

Add this to the options section:

Code:
listen-on port 853 tls local-tls { 127.0.0.1; };
and add a new section:

Code:
tls local-tls {
        cert-file "/var/etc/cert.pem";
        key-file "/var/etc/key.pem";
};

named should start with that, and be listening on port 853, using the cert normally used for the OPNsense WebUI.

I wouldn't expect AGH to trust that cert, though - both in that it's self-signed, and in that its identity (probably) doesn't line up with what AGH will be looking for (the DNS name or IP address that you use in the DoT URL). I don't see any immediately obvious way to tell AGH to trust a given self-signed cert, so even if you could craft one with the required identity, I'm not sure how you'd get AGH to trust it. It might be possible. I'm not sure.

What problem are you actually trying to solve here anyway? It seems like a lot of complexity for a problem that's not really clear (to me)....
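
The two objections in the post above (a self-signed cert, and an identity that doesn't line up with the name or IP in the DoT URL), modelled as an added example that is not part of the original post and not AdGuard Home or BIND code. The certificate fields, the trust-store sets and the function names are constructed for illustration; that a client verifies this strictly is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

def host_matches(host, san_dns, san_ip):
    """Match an upstream host against SAN entries the way a strict TLS client does."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches iPAddress SANs, never a DNS-name SAN.
        return any(ip == ipaddress.ip_address(s) for s in san_ip)
    host = host.lower().rstrip(".")
    for pattern in (p.lower() for p in san_dns):
        if pattern == host:
            return True
        # A wildcard is honoured only as the whole left-most label.
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False

def dot_trust_problems(upstream, cert, trusted_issuers):
    """Return the reasons a verifying DoT client would reject `cert` for `upstream`."""
    url = urlsplit(upstream if "://" in upstream else "tls://" + upstream)
    problems = []
    if cert["issuer"] not in trusted_issuers:
        kind = "self-signed" if cert["issuer"] == cert["subject"] else "unknown issuer"
        problems.append(f"{kind}: issuer {cert['issuer']!r} not in trust store")
    if not host_matches(url.hostname, cert["san_dns"], cert["san_ip"]):
        problems.append(f"identity mismatch: {url.hostname!r} not in certificate SANs")
    return problems

# Constructed sample: a self-signed cert whose only name is a DNS name.
WEBUI_CERT = {"subject": "CN=firewall.example", "issuer": "CN=firewall.example",
              "san_dns": ["firewall.example"], "san_ip": []}
# Constructed sample: a cert from a hypothetical private CA with a loopback IP SAN.
LOCAL_CERT = {"subject": "CN=dot.example", "issuer": "CN=Example Home CA",
              "san_dns": ["dot.example"], "san_ip": ["127.0.0.1"]}

if __name__ == "__main__":
    for name, cert, roots in (("webui", WEBUI_CERT, set()),
                              ("local-ca", LOCAL_CERT, {"CN=Example Home CA"})):
        print(name, dot_trust_problems("tls://127.0.0.1:853", cert, roots) or "ok")
```
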

165
General Discussion / Re: [solved] wan access from private source ip when wan interface is on private net
« on: October 20, 2024, 11:12:42 am »
Quote from: gguu on October 20, 2024, 09:36:11 am
This configuration doesn't exist in backup-and-restore options

Are you saying that you enabled Firewall -> Settings -> Advanced -> "Disable reply-to" and then made a backup (System -> Configuration -> Backups -> Download), but that setting was not included in the resulting XML file? (it should be opnsense->system->disablereplyto in the XML). It looks OK to me, though I haven't tried to restore this config to see if it gets applied. What release was the backup made on? Was it restored on the same release?
