Recent posts

#1
26.1 Series / Re: 26.1.4 - Unexpected Error
Last post by ezhik - Today at 05:40:33 PM
Quote from: franco on Today at 02:45:54 PM
> Okay, fair.
>
> Cheers,
> Franco

Gentle chuckle. Thank you.
#2
Thank you! Glad you like it!
#3
26.1 Series / Re: CALL FOR TESTING: Multi-dh...
Last post by franco - Today at 05:14:43 PM
Here's the isolated change (will apply to a clean 26.1.3/4)

# opnsense-patch https://github.com/opnsense/core/commit/2db56bfee

> Random yes, but wrong? I'm not aware of any RFCs requiring IAIDs to have semantic meaning or structure. Any 32-bit unsigned integer is fine.

Permanently mangled then. Deleting an interface can negatively affect the default ID generation.

> Just keep in mind that changing IAIDs can break existing setups. If DHCPv6 static bindings are configured on the upstream DHCPv6 server, an IAID change can cause a mismatch. I recently had that issue in the real world when OpenWrt changed their IAID calculation logic.

I don't doubt that. In practice the default WAN is always 0 though.

> Which is not that uncommon, e. g. if you have two lines from the same ISP. Also, duplicate IAIDs (in the context of a given DUID and IA type) are a clear violation of the DHCPv6 specifications (RFC 9915), which I think we shouldn't do for no good reason.

We do not / cannot know that so we always mitigate it seems. The reason to change it is a good one, but the repercussions are definitely there too.

> I have no strong opinion about multiple DUIDs. While it doesn't seem intuitive (a DUID literally Uniquely IDentifies a Device, not a DHCPv6 client instance), I see no harm in it. And there might be use cases where it's actually helpful.

It's not often asked for but the use case is there:

https://forum.opnsense.org/index.php?topic=23012.0
https://forum.opnsense.org/index.php?topic=46607.0

Embedding the DUID into the configuration also has some benefits for maintenance regardless of multi-WAN.


Cheers,
Franco
#4
Quote from: falkt on Today at 04:28:34 PM
> Just as a test, I switched off packet filtering entirely.

But then you also have no NAT for IPv4.
#5
26.1 Series / Re: CALL FOR TESTING: Multi-dh...
Last post by Maurice - Today at 04:52:09 PM
Quote from: franco on Today at 03:40:11 PM
> Because they are purely random and wrong.

Random yes, but wrong? I'm not aware of any RFCs requiring IAIDs to have semantic meaning or structure. Any 32-bit unsigned integer is fine.

Quote from: franco on Today at 03:40:11 PM
> I don't mind another look or proposal.

Just keep in mind that changing IAIDs can break existing setups. If DHCPv6 static bindings are configured on the upstream DHCPv6 server, an IAID change can cause a mismatch. I recently had that issue in the real world when OpenWrt changed their IAID calculation logic.

Quote from: franco on Today at 03:40:11 PM
> But that only matters for IAID+DUID pairs when the multi-WAN connections are going to the exact same server.

Which is not that uncommon, e. g. if you have two lines from the same ISP. Also, duplicate IAIDs (in the context of a given DUID and IA type) are a clear violation of the DHCPv6 specifications (RFC 9915), which I think we shouldn't do for no good reason.

Quote from: franco on Today at 03:40:11 PM
> I must admit the IAID changes are not for multi-WAN and we can test without them to go forward in 26.1.x regardless.

I agree, it's a good idea to split these two issues.

Quote from: franco on Today at 03:40:11 PM
> Let me prepare a patch for that.

I'll be happy to test it.

Quote from: franco on Today at 03:40:11 PM
> Sure, I'll try to reword.

Thanks a lot!

Quote from: franco on Today at 03:40:11 PM
> There isn't a strong demand, but with multi-dhcp6 it's a possibility to leverage.

I have no strong opinion about multiple DUIDs. While it doesn't seem intuitive (a DUID literally Uniquely IDentifies a Device, not a DHCPv6 client instance), I see no harm in it. And there might be use cases where it's actually helpful.

Cheers
Maurice


@demyers
Quote from: demyers on Today at 04:04:16 PM
> At the risk of going off topic

Please don't, this is a CFT.
#6
General Discussion / Re: internal DNS issues
Last post by nero355 - Today at 04:50:46 PM
Quote from: donee on Today at 02:34:50 PM
> I feel like an idiot.

That sucks, but if you want help you need to post more information about your setup and settings applied ;)
#7
25.1, 25.4 Legacy Series / Re: default hw.vtnet.csum_disa...
Last post by franco - Today at 04:33:23 PM
I think so.

Some still flow into stable/14 from Timo that seem loosely related, but all the main ones have been cherry-picked some time during 25.7.x.


Cheers,
Franco
#8
German - Deutsch / Re: Telekom Magenta SIP with VM...
Last post by falkt - Today at 04:28:34 PM
News!

Just as a test, I switched off packet filtering entirely.
The log messages that tel.t-online.de is unreachable remain, but now it can apparently send SIP packets in that direction.
And there is a message that NAT: UDP is being blocked.
The outbound rule says otherwise, though.

Anyone have an idea?
#9
26.1 Series / Re: Rule or alias not matching
Last post by clarknova - Today at 04:07:45 PM
I removed the redundant '10.15.4.0/24' from the 'allowed_internet' alias and this fixed the problem.

edit: never mind, this did not fix the problem.
#10
26.1 Series / Re: Upgrade to 26.1.3 hung on ...
Last post by franco - Today at 04:07:30 PM
It's a nice thing to have, but sometimes not as elaborate as it could be, e.g. inside PHP process.


Cheers,
Franco