Recent posts

#1
26.1, 26.4 Series / Re: Unable to get IPv6 Traffic...
Last post by johnshill - Today at 03:33:03 PM
Thank you, I gave it another try by manually carving out another /64 from my /56 and assigning it to the WG interface.

My subnets in Overview > Interfaces followed this pattern: xxxx:xxxx:xxxx:xx00:yyyy:yyyy:yyyy:yyyb/64, xxxx:xxxx:xxxx:xx01:yyyy:yyyy:yyyy:yyyc/64, xxxx:xxxx:xxxx:xx02:yyyy:yyyy:yyyy:yyyd/64.

Thus, I codified xxxx:xxxx:xxxx:xx03:10:10:50:1/64 on the interface, and my config looks as follows:
[Interface]
PrivateKey = <redacted>
Address = 10.10.50.2/32,xxxx:xxxx:xxxx:xx03::1/128
DNS = 10.10.50.1,xxxx:xxxx:xxxx:xx03:10:10:50:1

[Peer]
PublicKey = <redacted>
Endpoint = ddns.mydomain.com:51820
AllowedIPs = 0.0.0.0/0,::/0

Internet is fine, but still no IPv6 sadly...
#2
26.1, 26.4 Series / Re: CALL FOR TESTING: Multi-dh...
Last post by franco - Today at 12:50:28 PM
Just to illustrate: the multi-dhcp6c was reverted on master via https://github.com/opnsense/core/commit/d404edeb9 and lives in a separate branch "multi_dhcp6c" now.

The other half with the IAID has been changed according to Maurice's feedback:

https://github.com/opnsense/core/commit/18b63ebeaf
https://github.com/opnsense/core/commit/a43360d860

We will be able to go ahead with this (and the previous changes for that feature) but there is no rush to do so at the moment. The defaults won't change and this makes room for working on https://github.com/opnsense/core/issues/10286 for Kea dynamic PD support progressing here https://github.com/opnsense/core/pull/10252
Cheers,
Franco
#3
Quote from: newsense on Today at 09:11:58 AM
I'm fed up with the coreboot hoax.

Either you get some old-ish hw from Protectli who comes and dies with the only coreboot that was initially made for it or you get the same HW with AMI, far more configurable and from what I've seen you may get anywhere between 1-3 bios updates throughout the years.

On the Deciso side the last coreboot update was in 2024 and the main takeaway is that it was an update.

For the rest of the Deciso HW they seem to get between 1-2 EFI updates from Oxyde/year.

The options aren't exactly excellent but some are better than others.

Completely wrong way of thinking. Absence of updates means that there is nothing to fix or add. And that's a good thing. Saying that an appliance sucks because it doesn't get its BIOS updated every month is just silly. My Asus AMD board has had its BIOS updated 15 times so far just so they can fix "small" bugs and introduce new ones. Same goes with Intel platforms. Every month you have a BIOS update because ME firmware has been updated. This is borderline crazy.

As for Protectli, I got the coreboot on my Protectli Vault FW6E updated 3 times. So please, do not spread false information. And lack of customization on the coreboot BIOS is a feature. That's how the firmware is designed. This is why you have a choice with Protectli. You can switch between coreboot or AMI very easily. It just so happens that I don't need any "features" that AMI offers.
#4
Quote from: patient0 on Today at 08:43:17 AM
Quote from: passeri on Today at 08:38:27 AM
Coreboot
No coreboot in the DEC740 I got, do you know which models got coreboot?
Yes. Mine. Otherwise, check the product page. :)

It was mentioned above as a positive feature, so I mentioned it is available in a quad-port Deciso router.
#5
First step: log in to the MaxMind or IPinfo portal where you registered to set up your (assumed) free account, then check with their tools where they locate that address.
#6
25.7, 25.10 Legacy Series / Geoblocking, IP not blocked
Last post by gctwnl - Today at 10:28:50 AM
(Not upgraded yet, will soon)

I have some geoblocking in my firewall (mainly to prevent direct attacks/spam from a few countries). One of these countries is China, a rather large source of this. But I just noticed that 101.47.29.67 was not blocked, while it is clearly Chinese. That made me wonder: are there tables I have to update or anything else I should do?
#7
>>>do you know which models got coreboot?

They're listed on the download page, iirc the 600 series.
I'm fed up with the coreboot hoax.

Either you get some old-ish hw from Protectli who comes and dies with the only coreboot that was initially made for it or you get the same HW with AMI, far more configurable and from what I've seen you may get anywhere between 1-3 bios updates throughout the years.

On the Deciso side the last coreboot update was in 2024 and the main takeaway is that it was an update.

For the rest of the Deciso HW they seem to get between 1-2 EFI updates from Oxyde/year.
The options aren't exactly excellent but some are better than others.
#8
Quote from: passeri on Today at 08:38:27 AM
Coreboot
No coreboot in the DEC740 I got, do you know which models got coreboot?
#9
If it is affordable then I recommend Deciso appliances.
  • Coreboot
  • Small and efficient, with good WAF
  • One year of business edition, or consider that a donation
  • Releases work, or at least are a better bet to do so than on a third party box
If your DNS use is internal rather than public-facing then definitely use the router for that and DHCP. All the management tools are there.

eta: I formerly used a mini-pc for OPNsense. If or when I need to replace the 697, it will be with a Deciso appliance for all the above reasons.
#10
General Discussion / NAT redirect - DNS timeout
Last post by jbernardo - Today at 08:35:19 AM
Hello,
I have a working setup with a pi-hole doing DHCP+DNS and using the OPNsense Unbound as upstream DNS server. DNS queries are fast, everything works, ads/malware/telemetry are blocked by the pi-hole.
Next step for me would be to redirect any queries from my LAN to any DNS server other than the pi-hole. For that, I added a "Destination NAT" rule, with protocol TCP/UDP, any destination/port DOMAIN (53), redirect target IP - the IP of the pi-hole, target port DOMAIN (53), inverted source my pi-hole IP.
Now, queries to any DNS server outside the LAN show as "RDR" in the log, and appear in the pi-hole query log. But, the query result never makes it back to dig or nslookup, it always ends with ";; communications error to 1.1.1.1#53: timed out"
What am I missing here? Do I need a firewall rule?
Thank you.