Topics - mrt12

1
German - Deutsch / Multiple web servers, IPv4 + IPv6
« on: September 16, 2024, 07:29:06 pm »
Hello everyone,
I would like to have several web servers in my LAN,
e.g. Nextcloud and Gitea, for example.

From my ISP I have 1 public IPv4 address as well as a /56 IPv6 network.
I have now set up dynamic DNS with DuckDNS. That works very well; the IPs (both v4 and v6) are updated reliably.

But now I have the following problem:
if I want to access one of the web servers from the internet over IPv4, I need a NAT port forward for that. So far so good.
But if I want to access one of the web servers from the internet via IPv6, then in theory I would have to access the global IPv6 of the web server directly?
How do you configure that correctly? Because the dynamic DNS client in the opnsense doesn't know the hosts' IPv6 addresses, since they are dynamic. What is the right way? Then I would actually have to run another dynamic DNS client on every host, but that is exactly the kind of thing the opnsense is supposed to take off my hands and handle in one central place...

And then there is also the problem of
how to access git.meinedomain.com and nextcloud.meinedomain.com when both resolve to the same IPv4?

2
Virtual private networks / Wireguard NAT rules for multiple ports
« on: September 06, 2024, 01:03:47 pm »
Good day,
I run a Wireguard VPN on the default port 51820. So far it works just perfect, I use it a lot and even have my Android phone connected to the VPN at all times. Perfect.
However, soon I will have holidays and will travel a lot. I know from experience that airport and hotel WiFis and also some countries block certain UDP ports, and for this reason, I would like to have my Wireguard VPN reachable on multiple ports. For instance, I want to have one Wireguard setup that can be contacted via UDP ports 80, 123, 443, 51820.

I have configured the following firewall rules:
a) one rule that allows IPv4+IPv6 for the 51820/UDP port. This allows me to reliably connect from externally to my Wireguard.

b) one NAT rule, that works for IPv4 only. It forwards the ports listed under my alias "wg_alt_ports" to 51820 on the lo0 interface, see picture attached.

c) I have created the alias "wg_alt_ports" as shown in the screenshot, which I use to redirect UDP ports 80, 123, 443 and so on to 51820.

d) the NAT rule redirects the incoming Wireguard packets from 80/UDP, 123/UDP and so on, to 127.0.0.1. See screenshot.

This setup as shown works very well and allows me to use any of the UDP ports in the wg_alt_ports list. However, I am a bit concerned whether this is all correctly set up. Can I safely use this, or is there a more elegant or secure way?

3
General Discussion / Unbound cannot register DHCP leases
« on: July 03, 2024, 11:38:24 am »
Good day,

I am using ISC DHCPv4 and Unbound.
On the Unbound config page, I have configured the following items:

* Enable Unbound
* Network Interfaces: ALL
* Enable DNSSEC Support
* Register ISC DHCP4 Leases
* Register DHCP Static Mappings
* TXT Comment Support
* Local Zone Type: transparent (this was the default, not sure what it actually means).

I notice that generally, Unbound works more or less fine, is a bit slow from time to time, but it works and can resolve hosts on the internet. I also see that the DHCPv4 server works fine, it gives out leases to my computers on the LAN and it works.
However, I want the host names of the individual computers to be registered in DNS so that I can access the hosts by their name. For this very reason, I activated "Register DHCP4 leases". However, I notice under Services - ISC DHCPv4 - Log file a lot of entries like the following:

Unable to add forward map from <some hostname> to 192.168.20.36: REFUSED

The log is literally flooded with such REFUSED entries.
And indeed, it is not possible to resolve host names on the LAN. I wonder why this is and how I can fix it?
I have seen that other people have already seen this issue, but I found no proper solution so far. What is the cause for this problem and where shall I start digging?

thanks a lot!
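The log entries quoted in this post are ISC dhcpd reporting the response code it received from the DNS server for each dynamic-update attempt (REFUSED is the rcode the server returns when it declines the UPDATE). The following is an added triage script, not from the post or the OPNsense project: it scans constructed dhcpd log lines in the same shape, counts the failures per rcode, and lists which hosts never got a record, so you can tell at a glance whether every lease is affected or only some. The sample log lines, hostnames and addresses are made up for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of ISC dhcpd log lines (syslog-style prefix assumed);
# hostnames and addresses are invented for this example.
SAMPLE_LOG = """\
Jul  3 11:30:01 fw dhcpd[1234]: DHCPACK on 192.168.20.36 to aa:bb:cc:dd:ee:01 (laptop) via igb1
Jul  3 11:30:01 fw dhcpd[1234]: Unable to add forward map from laptop.lan. to 192.168.20.36: REFUSED
Jul  3 11:30:01 fw dhcpd[1234]: Unable to add forward map from laptop.lan. to 192.168.20.36: REFUSED
Jul  3 11:31:12 fw dhcpd[1234]: Unable to add forward map from nas.lan. to 192.168.20.40: REFUSED
Jul  3 11:31:12 fw dhcpd[1234]: Unable to add reverse map from 40.20.168.192.in-addr.arpa. to nas.lan.: REFUSED
Jul  3 11:32:00 fw dhcpd[1234]: Added new forward map from printer.lan. to 192.168.20.50
"""

# dhcpd's "Unable to add <forward|reverse> map from X to Y: <rcode>" message.
DDNS_FAIL = re.compile(
    r"Unable to add (?P<kind>forward|reverse) map from (?P<name>\S+) "
    r"to (?P<target>\S+): (?P<rcode>[A-Z]+)$"
)


def summarize_ddns_failures(log_text):
    """Return (failures per rcode, {hostname: set of things that failed to map}).

    For a forward map the hostname is the source and the IP is the target;
    for a reverse map dhcpd logs the in-addr.arpa name first and the
    hostname second, so the fields are swapped to key everything by host.
    """
    by_rcode = Counter()
    by_host = defaultdict(set)
    for line in log_text.splitlines():
        m = DDNS_FAIL.search(line)
        if not m:
            continue
        by_rcode[m["rcode"]] += 1
        if m["kind"] == "forward":
            by_host[m["name"]].add(m["target"])
        else:
            by_host[m["target"]].add(m["name"])
    return by_rcode, dict(by_host)


def report(log_text):
    """Human-readable summary: one line per rcode, then the affected hosts."""
    by_rcode, by_host = summarize_ddns_failures(log_text)
    lines = [f"{rcode}: {n} failed update(s)" for rcode, n in by_rcode.most_common()]
    for host in sorted(by_host):
        lines.append(f"  {host} -> {', '.join(sorted(by_host[host]))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against the file OPNsense shows under Services - ISC DHCPv4 - Log file (or the output of `clog /var/log/dhcpd.log`, if that is where your install keeps it; path assumed). If every host that received a DHCPACK also appears in the REFUSED list, the DNS server is rejecting all updates rather than individual hosts misbehaving.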

4
General Discussion / Correct config with IPv4 and v6
« on: June 06, 2024, 03:59:23 pm »
Good day

so I have my opnsense firewall up and running. It works perfectly.
I have from my ISP an IPv6 /56 prefix delegation, which works perfectly.
Behind the opnsense in my LAN, my PCs get an IPv4 and IPv6 assigned by opnsense, and the IPv6 uses the correct prefix and can successfully access the internet. So all works!

Now I have a couple of questions on how to configure the firewall correctly.

1. I have set up a Wireguard VPN using the built-in opnsense Wireguard function.
IT WORKS JUST PERFECT. However, of course, to access the VPN from the outside world, I must allow access to the firewall IP + port. Please see my attached image with the interfaces. Of course, my WAN interface gets a public IPv4 from the ISP. Further, the WAN interface has a link local IPv6. And then, the LAN, DMZ and so on interfaces get a public IPv6 via the prefix delegation.
I now want my Wireguard to be accessible worldwide by both IPv4 and IPv6. So what destination address do I need to configure in the firewall rules under "destination"?
I tested two configurations, both of which work, and I wonder which one is the "good" one:

a) Allow destination = WAN interface IPv4 or LAN interface IPv6, port 51820 --> works (the WAN interface has no public IPv6 assigned, I am not sure why??!)
b) Allow destination = "this firewall", port 51820 --> works too

2. I operate a little web server in the DMZ net that I also want to access from the internet. Of course the web server has its own IPv6 address, and also its internal private IPv4. I have set up a NAT rule for the IPv4 net, and that works nicely. How shall I set up the IPv6 rules for the web server? E.g. shall I just allow traffic to the IPv6 of the web server, or shall I better use NPTv6? Which is the correct way?


5
General Discussion / opnsense noob, I want to configure IPv6
« on: May 29, 2024, 09:49:02 pm »
Good day,
so I have the following setup. I have glass fibre FTTH. The ISP modem is very crappy, so I wanted to replace it with opnsense. I run the opnsense on my Proxmox server. The ISP modem is set to bridge mode, i.e. it is only sort of a "media converter" from glass fibre to RJ45. This is then connected to opnsense.

So far, it worked more or less out of the box: the WAN interface gets its WAN address, both IPv4 and IPv6.
I also enabled the DHCPv4 server, which also works very well. My LAN clients get their IPv4 configured, and also the DNS server and default gateway. Very good!

But now comes the trouble. On my LAN client, I can use IPv4, but IPv6 does not work at all. I have the following config:

a) under Interfaces -> Overview, I can see:

interface: WAN (wan)
link type: dhcp
ipv4: 80.xx.xx.112/21
ipv6: fe80::be24:11ff:xxxx:xxxx/64
gateway: 80.208.xxx.xxx, fe80::200:5ff:fe02:1

to me, the noob I am with IPv6, this looks good, as obviously opnsense gets its address configured automatically by the ISP. Perfect!

Then, I have configured:
Interfaces -> LAN -> IPv6 connection type -> track interface
Interfaces -> LAN -> track IPv6 interface -> WAN, prefix ID 0, allow manual adjustment
Interfaces -> WAN -> IPv6 config type -> DHCPv6
Interfaces -> WAN -> DHCPv6 client config -> request only prefix, prefix delegation size 57, send IPv6 prefix hint, use IPv4 connectivity.

I have NOT activated the Kea DHCPv6 Server, but I have enabled the router advertisements. I have configured
Router advertisements -> LAN -> managed advertisements, advertise default gateway, use DNS config from the DHCPv6 server.

What irritates me now a lot is the following:

I can, on a client in the LAN, do the following

ping -4 google.com

and it can resolve the IPv4 and ping works fine.
However, if I try the same with IPv6, so

ping -6 google.com

it can still successfully resolve the IPv6 address, and then ping just waits forever. No response, no nothing. How is this possible?
Also, when I visit the webpage https://test-ipv6.com/ in the browser, it can detect my external IPv4 but reports "you have no IPv6 connectivity". Which is weird.

When I disable the bridge mode of the ISP's modem and use it as normal router, it sends router advertisements and configures my LAN hosts with IPv6 and then the full IPv6 connectivity works. But not with opnsense. I wonder where I did the misconfiguration or if just my router is so shitty that it does not work properly?

Can anybody please help?

thanks a lot!
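Two things in this post lend themselves to a quick offline check: the Interfaces overview shows the WAN side holding only an fe80:: address, and the LAN is configured to take prefix ID 0 out of a delegated prefix whose requested size is /57. The script below is an added example, not code from the post or from OPNsense; it uses Python's standard `ipaddress` module to label each address by scope (link-local, ULA, global unicast) and to compute which /64 a given prefix ID selects from a delegation, including the bound on the ID that the delegation length imposes. The addresses and the delegated prefix (a 2001:db8:: documentation prefix) are constructed placeholders; `is_global` is deliberately not used because `ipaddress` reports the documentation range as non-global, so the RFC 4291 2000::/3 range is tested directly instead.

```python
import ipaddress

# RFC 4291 global unicast allocation; tested directly rather than via
# IPv6Address.is_global so that 2001:db8::/32 documentation addresses
# used in this example are classified the way a real prefix would be.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
ULA = ipaddress.ip_network("fc00::/7")


def classify_v6(text):
    """Label an IPv6 address (with or without /len) by scope."""
    addr = ipaddress.ip_interface(text).ip
    if addr.is_link_local:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def has_routable_v6(addresses):
    """True if at least one address is global unicast, i.e. usable on the internet."""
    return any(classify_v6(a) == "global" for a in addresses)


def subnet_for_prefix_id(delegated, prefix_id, subnet_len=64):
    """Return the /subnet_len network that `prefix_id` selects inside `delegated`.

    The ID is placed in the bits between the delegation length and the
    subnet length (e.g. bits 56..63 for a /56 carved into /64s), which is
    the interpretation assumed here for OPNsense's "Prefix ID" field.
    """
    net = ipaddress.ip_network(delegated, strict=True)
    free_bits = subnet_len - net.prefixlen
    if free_bits < 0:
        raise ValueError(f"{delegated} is smaller than a /{subnet_len}")
    if not 0 <= prefix_id < (1 << free_bits):
        raise ValueError(
            f"prefix ID {prefix_id:#x} out of range for a /{net.prefixlen}: "
            f"only {1 << free_bits} /{subnet_len} subnets are available"
        )
    base = int(net.network_address) + (prefix_id << (128 - subnet_len))
    return ipaddress.IPv6Network((base, subnet_len))


if __name__ == "__main__":
    # Constructed stand-in for the WAN overview in the post (masked digits filled in).
    wan_addresses = ["fe80::be24:11ff:fe00:1/64"]
    for a in wan_addresses:
        print(f"WAN {a}: {classify_v6(a)}")
    print("WAN has a routable IPv6:", has_routable_v6(wan_addresses))

    delegated = "2001:db8:1234:ab00::/56"   # constructed ISP delegation
    for pid in (0x0, 0x1, 0xff):
        print(f"prefix ID {pid:#x} of {delegated} -> {subnet_for_prefix_id(delegated, pid)}")
    try:
        subnet_for_prefix_id("2001:db8:1234:ab00::/57", 0x80)
    except ValueError as e:
        print("rejected:", e)
```

The last call shows the interplay between the requested delegation size and the prefix ID: a /57 leaves seven bits for the subnet number, so IDs above 0x7f cannot be mapped to a /64, whereas a /56 accepts 0x00 to 0xff.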

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved