"Recent posts
#1
26.1, 26,4 Series / Re: Help With DHCP, IPv6 and D...
Last post by WiteWulf - Today at 01:39:53 PMThank you, that's gone some way to explaining a previous problem I had.
When I initially set the OPNsense device up I tried setting my 'LAN IPv6 Configuration Type' to 'Identity Association' (as per some docs I found), but my LAN clients didn't receive an IPv6 configuration. Changing that to 'Track Interface (legacy)' "just worked", so I left it at that. It seems that this automatically configures a DHCPv6/RA for the LAN, and I suspect this ignores any changes made in the dnsmasq settings UI.
I assume, then, that I need to manually configure an RA or DHCPv6 range when using 'Identity Association'? I'll have a detailed read of your article you linked to and have a go at that. Thanks again.
When I initially set the OPNsense device up I tried setting my 'LAN IPv6 Configuration Type' to 'Identity Association' (as per some docs I found), but my LAN clients didn't receive an IPv6 configuration. Changing that to 'Track Interface (legacy)' "just worked", so I left it at that. It seems that this automatically configures a DHCPv6/RA for the LAN, and I suspect this ignores any changes made in the dnsmasq settings UI.
I assume, then, that I need to manually configure an RA or DHCPv6 range when using 'Identity Association'? I'll have a detailed read of your article you linked to and have a go at that. Thanks again.
#2
German - Deutsch / Re: pkg repository / freeBSD o...
Last post by Patrick M. Hausen - Today at 01:37:27 PMDann mach das FreeBSD-Repo wieder weg. Du musst es ja hinzugefügt haben, OPNsense tut das nicht.
Wenn du wieder nur das OPNsense-Repo hast, kannst du z.B.
probieren.
HTH,
Patrick
Wenn du wieder nur das OPNsense-Repo hast, kannst du z.B.
Code Select
pkg-static install -f pkg
probieren.
HTH,
Patrick
#3
German - Deutsch / pkg repository / freeBSD oder ...
Last post by Fenchel - Today at 01:30:05 PMHallo zusammen,
bei mir wird bei pkg das repository freeBSD angezeigt, nicht OPNsense.
Beim Update erscheint folgender Fehler:
...
All repositories are up to date.
Child process pid=69797 terminated abnormally: Segmentation fault
Upgrading package manager from version '2.6.2_1' to '2.3.1_1'
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
...
Ich nutze Version 26.1.10
Habt ihr eine Idee?
Gruß Fenchel
bei mir wird bei pkg das repository freeBSD angezeigt, nicht OPNsense.
Beim Update erscheint folgender Fehler:
...
All repositories are up to date.
Child process pid=69797 terminated abnormally: Segmentation fault
Upgrading package manager from version '2.6.2_1' to '2.3.1_1'
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
...
Ich nutze Version 26.1.10
Habt ihr eine Idee?
Gruß Fenchel
#4
26.1, 26,4 Series / Re: Help With DHCP, IPv6 and D...
Last post by meyergru - Today at 12:50:35 PMSome IPv6 clients act in an unexpected way w/r to DHCPv6 and its options. For example, Android devices cannot use DHCPv6 at all but use router advertisements (RA) instead. Some can use the RDNSS option.
That being said, I use RA in "unmanaged" mode for many reasons, but mainly because that is guaranteed to work, but I do not use IPv6 DNS servers - those are not strictly needed if your clients can also do IPv4, because the IPv4 DNS server will also serve IPv6 adresses. This is all described here.
I would rather instruct OpnSense itself to make use of your PiHole as upstream server and not instruct clients to use that directly.
Alas, I cannot give much info about how to do it with DNSmasq, because I use Kea and Unbound. All I know is that DNSmasq has restrictions on its builtin RA mechanism, however, you can disable that and use RADVD instead.
That being said, I use RA in "unmanaged" mode for many reasons, but mainly because that is guaranteed to work, but I do not use IPv6 DNS servers - those are not strictly needed if your clients can also do IPv4, because the IPv4 DNS server will also serve IPv6 adresses. This is all described here.
I would rather instruct OpnSense itself to make use of your PiHole as upstream server and not instruct clients to use that directly.
Alas, I cannot give much info about how to do it with DNSmasq, because I use Kea and Unbound. All I know is that DNSmasq has restrictions on its builtin RA mechanism, however, you can disable that and use RADVD instead.
#5
26.7 Development Series / Re: OPNsense 26.7-BETA images
Last post by newsense - Today at 12:44:31 PMI may be affected by this NAT issue as well, however my experience is a bit different ( or @patient0 didn't test for it)
My tests so far:
- test vm on 26.1 upgraded to 26.7.b, pretty much bare bones in terms of settings ( the only two rules there allow me to https/ssh from wan to manage it ). One Linux vm behind it. Traffic works as expected. Rules not migrated to New. NAT untouched.
- local hardware FW upgraded to 26.7.b. Rules not migrated. Traffic flows through the FW from vlans. NAT on hybrid. WireGuard server operational and allows me to connect to the FW mgmt but I don't have access to internet over WireGuard post upgrade - which sounds like a NAT issue
Interestingly IPsec works fine and I can remote into machines in various vlans.
- another FW and the first one who saw 15.1 couple weeks ago. Worked just fine with the kernel and when I installed base no traffic passed through. Rules not migrated and NAT hybrid.
- last FW, same HW as the first one in this post, upgraded to 26.7.b. Rules not migrated and NAT hybrid although now only the LAN exists. No traffic passing through from lan to wan however I can ZeroTier and manage it remotely and everything works apart from the lan-wan traffic issue.
I kept the one with the WireGuard issue on 26.7.b for now and I'll see what happens in the meantime.
When testing only the 15.1 kernel ( before 26.7.b was ready ) all these firewalls ran fine on it which is a good sign.
My tests so far:
- test vm on 26.1 upgraded to 26.7.b, pretty much bare bones in terms of settings ( the only two rules there allow me to https/ssh from wan to manage it ). One Linux vm behind it. Traffic works as expected. Rules not migrated to New. NAT untouched.
- local hardware FW upgraded to 26.7.b. Rules not migrated. Traffic flows through the FW from vlans. NAT on hybrid. WireGuard server operational and allows me to connect to the FW mgmt but I don't have access to internet over WireGuard post upgrade - which sounds like a NAT issue
Interestingly IPsec works fine and I can remote into machines in various vlans.
- another FW and the first one who saw 15.1 couple weeks ago. Worked just fine with the kernel and when I installed base no traffic passed through. Rules not migrated and NAT hybrid.
- last FW, same HW as the first one in this post, upgraded to 26.7.b. Rules not migrated and NAT hybrid although now only the LAN exists. No traffic passing through from lan to wan however I can ZeroTier and manage it remotely and everything works apart from the lan-wan traffic issue.
I kept the one with the WireGuard issue on 26.7.b for now and I'll see what happens in the meantime.
When testing only the 15.1 kernel ( before 26.7.b was ready ) all these firewalls ran fine on it which is a good sign.
#6
26.7 Development Series / Re: OPNsense 26.7-BETA images
Last post by patient0 - Today at 12:10:28 PMQuote from: Monviech (Cedrik) on Today at 12:09:04 PMCan you open a ticket on github with this issue?Yes, I'll do that later this evening.
#7
26.7 Development Series / Re: OPNsense 26.7-BETA images
Last post by Monviech (Cedrik) - Today at 12:09:04 PMCan you open a ticket on github with this issue? We will look into it. Thanks for testing.
#8
26.1, 26,4 Series / Help With DHCP, IPv6 and DNS P...
Last post by WiteWulf - Today at 12:02:01 PMHi folks, first time poster. I've recently moved to OPNsense (26.1.10, running as a VM on Proxmox) from OpenWrt. The migration went really well for the most part, but there's one thing I can't figure out and would like help with please.
I have a PiHole running on my network (in docker on a different device to OPNsense), and use DHCP Option 6 to tell my clients to use it as their DHCP server, with Unbound on the OPNsense device as the fallback. This was all I had to do on OpenWrt to get all LAN client DNS queries to go via my PiHole and I replicated this in dnsmasq on OPNsense. My IPv6 clients didn't receive an IPv6 DNS server with OpenWrt.
Since moving to OPNsense I noticed that some of my devices had started showing ads again, but saw that PiHole was still serving (some) requests on the LAN.
OPNsense is configuring the IPv6 clients on the LAN to use it's Unbound service for DNS over IPv6, so I added DHCP Option 23 with the Pihole and Unbound servers' IPv6 addresses on dnsmasq hoping that would override whatever default setting was being applied.
My clients are acting on the DHCP Option 6 and configuring the PiHole and OPNsense as their IPv4 DNS servers, but ignoring the DHCP Option 23, and only configuring the OPNsense device for DNS over IPv6. Both DHCP Options are set to 'Force'.
Consequently:
a) IPv6 enabled devices prefer to use DNS over IPv6, and are only using Unbound on OPNsense (thus bypassing the PiHole)
b) IPv4 only devices are correctly using the PiHole as instructed via DHCP Option 6
I've tried both renewing DHCP leases and restarting my clients with no change in behaviour. I've checked that the PiHole is serving queries over IPv6.
How do I correctly tell my IPv6 clients to use the PiHole server?
I have a PiHole running on my network (in docker on a different device to OPNsense), and use DHCP Option 6 to tell my clients to use it as their DHCP server, with Unbound on the OPNsense device as the fallback. This was all I had to do on OpenWrt to get all LAN client DNS queries to go via my PiHole and I replicated this in dnsmasq on OPNsense. My IPv6 clients didn't receive an IPv6 DNS server with OpenWrt.
Since moving to OPNsense I noticed that some of my devices had started showing ads again, but saw that PiHole was still serving (some) requests on the LAN.
OPNsense is configuring the IPv6 clients on the LAN to use it's Unbound service for DNS over IPv6, so I added DHCP Option 23 with the Pihole and Unbound servers' IPv6 addresses on dnsmasq hoping that would override whatever default setting was being applied.
My clients are acting on the DHCP Option 6 and configuring the PiHole and OPNsense as their IPv4 DNS servers, but ignoring the DHCP Option 23, and only configuring the OPNsense device for DNS over IPv6. Both DHCP Options are set to 'Force'.
Consequently:
a) IPv6 enabled devices prefer to use DNS over IPv6, and are only using Unbound on OPNsense (thus bypassing the PiHole)
b) IPv4 only devices are correctly using the PiHole as instructed via DHCP Option 6
I've tried both renewing DHCP leases and restarting my clients with no change in behaviour. I've checked that the PiHole is serving queries over IPv6.
How do I correctly tell my IPv6 clients to use the PiHole server?
#9
26.7 Development Series / Re: OPNsense 26.7-BETA images
Last post by patient0 - Today at 11:49:19 AMQuote from: Monviech (Cedrik) on Today at 11:22:16 AMegardless of automatic or manual being selected after the apply?Yep, the output of `pfctl -s nat` is identical for both Automatic or Hybrid (not using Manual) (the "inet all -> (vtnet1:0)" line):
Code Select
root@OPNsense:~ # pfctl -s nat
no nat proto carp all
nat on vtnet0 inet all -> (vtnet1:0) port 1024:65535
nat on vtnet0 inet from (vtnet1:network) to any port = isakmp -> (vtnet0:0) static-port
nat on vtnet0 inet from (lo0:network) to any port = isakmp -> (vtnet0:0) static-port
nat on vtnet0 inet from 127.0.0.0/8 to any port = isakmp -> (vtnet0:0) static-port
nat on vtnet0 inet from (vtnet1:network) to any -> (vtnet0:0) port 1024:65535
nat on vtnet0 inet from (lo0:network) to any -> (vtnet0:0) port 1024:65535
nat on vtnet0 inet from 127.0.0.0/8 to any -> (vtnet0:0) port 1024:65535
no rdr proto carp all
no rdr on vtnet1 proto tcp from any to (vtnet1) port = ssh
no rdr on vtnet1 proto tcp from any to (vtnet1) port = http
no rdr on vtnet1 proto tcp from any to (vtnet1) port = https #10
26.7 Development Series / Re: OPNsense 26.7-BETA images
Last post by Monviech (Cedrik) - Today at 11:22:16 AMDoes the rule show via
# pfctl -s nat
regardless of automatic or manual being selected after the apply?
# pfctl -s nat
regardless of automatic or manual being selected after the apply?
