Recent posts

#1
Zenarmor (Sensei) / Re: Elasticsearch service fail...
Last post by sy - Today at 10:08:38 PM
Hi,

This might be an issue related to the Elasticsearch installation from the mimugmail repository. In the previous message, I meant to ask why you didn't install it from the Zenarmor repository if you're only using Elasticsearch for Zenarmor. Have you tried reaching out to the mimugmail repository owner for assistance?
#2
General Discussion / Re: Stop Dnsmasq sending ULA p...
Last post by meyergru - Today at 10:01:48 PM
For what purpose do you need the static IPs?

I see two cases:

1. You have static IPv6 prefixes - in that case, you can just use the IPv6 that is derived by the 64 bit VLAN prefix plus the EUI-64 suffix that is associated with the MAC of your server's NIC (i.e. which can be directly calculated from it). This will give you a 128 bit IPv6 with /64 to build your CIDR. The gateway will be either fe80:: plus the EUI-64 of the OpnSense interface or better, create a VIP of fe80::1/64 for any VLAN interface on OpnSense and use that as the gateway address, since it is easier to remember.

Patrick is right about how to allow RA assignments to interfaces in Proxmox and firewall rules, I do it like this in the bridge interface (explanation for bridge-mcsnoop is here):

        bridge-mcsnoop 0
        accept-ra 2
        autoconf 1
        pre-up echo 2 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
        post-up echo 2 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra

$IFACE will be auto-filled with the interface name that you specify this in, you do not have to replace it yourself.

2. You have dynamic IPv6 prefixes - that is unfortunate, because you can only address your servers via DNS names and not assign any fixed IPv6 to them. I handle that by using a reverse proxy that translates the external WAN IPv6 of OpnSense to an IPv4 backend in a DMZ VLAN, preferably via HAproxy for more complex needs. That way, the internal server is always contacted via its RFC1918 IPv4, but externally, via the WAN IPv6, for which OpnSense does the dynamic DNS updates. For many DynDNS services, it is better to have the WAN prefix the same as for the internal VLANs, so I always use "request prefix only" and use a specific prefix for my WAN. That way, OpnSense can handle DynDNS for any local machine.

If it is a non-proxyable protocol or if the TLS / TCP termination has to be on the internal server, you can also do port-forwarding, which works for IPv6 just as it does for IPv4.


Most of that is explained here.


There is a small caveat, however: I found that Windows uses SLAAC in a different fashion: They normally do not use a MAC-derived EUI-64, but a fixed, randomized value. However, that is static, too, and the method can also be changed to MAC-based generation if need be via registry settings.
#3
SLAAC is automatic but deterministic. You just check which address a system got and it will keep that forever - unless the MAC address changes, which is rarely the case. Or keep the lower 64 bits and change the upper ones in case of a dynamic prefix.

In Proxmox edit /etc/network/interfaces and add this to the entry for e.g. vmbr0 or whatever your management interface is:
post-up echo "2" > /proc/sys/net/ipv6/conf/vmbr0/accept_ra

Afterwards you can use a Dynamic IPv6 Host type alias in OPNsense for firewall rules.

HTH,
Patrick
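The two posts above rely on SLAAC being deterministic: the lower 64 bits of the address are the modified EUI-64 derived from the NIC's MAC, so the "static" address can be computed ahead of time, and only the upper 64 bits need to change when the ISP hands out a new prefix. The following is an added example, not code from either poster or from OPNsense/Proxmox, that carries that reasoning out: it derives the interface identifier from a MAC, builds the global and link-local addresses for a given /64, renumbers an existing address onto a new prefix while keeping the interface ID, and checks whether an observed address is actually the EUI-64 one (a Windows host using a randomized stable identifier, as the caveat in the post describes, would fail that check). The MAC and prefixes are constructed sample values.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # lower 64 bits of an IPv6 address


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A) from a 48-bit MAC.

    Steps: split the MAC in the middle, insert ff:fe, flip the
    universal/local bit (bit 0x02 of the first octet).
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a SLAAC host with this MAC will self-assign inside the given /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The host's fe80:: address, which is what you see as the RA source / default gateway."""
    return slaac_address("fe80::/64", mac)


def renumber(addr: str, new_prefix: str) -> ipaddress.IPv6Address:
    """Keep the lower 64 bits (interface ID) and swap in a new /64 prefix.

    This is the 'dynamic prefix' case: the host part is stable, only the
    ISP-delegated upper half changes.
    """
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    net = ipaddress.IPv6Network(new_prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def is_eui64(addr: str, mac: str) -> bool:
    """True if the address's interface ID is the modified EUI-64 of this MAC.

    Returns False for hosts that use RFC 7217 stable-privacy or randomized
    identifiers (the Windows default mentioned in the post above), so you
    know not to hard-code an address derived from the MAC for them.
    """
    return (int(ipaddress.IPv6Address(addr)) & IID_MASK) == eui64_interface_id(mac)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                  # constructed sample MAC
    gua = slaac_address("2001:db8:1:10::/64", mac)
    print("global:    ", gua)
    print("link-local:", link_local_address(mac))
    print("renumbered:", renumber(str(gua), "2001:db8:abcd:10::/64"))
    print("eui64?     ", is_eui64(str(gua), mac))
```

The `is_eui64` check is the one to run against what a host actually reports (`ip -6 addr` on Linux, `ipconfig` on Windows) before writing the computed address into a firewall rule or a Proxmox management-interface field; if it returns False the host is using a stable but non-MAC-derived identifier, and the address must be read off the host rather than predicted from the MAC.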
#4
General Discussion / Re: Stop Dnsmasq sending ULA p...
Last post by OPNenthu - Today at 09:42:49 PM
Alright- was a fun experiment, and there is a working solution if needed.  Let me wind this thread down with a pointed community question:

I'd really rather stick to the simplicity of SLAAC GUAs for my IPv6 needs and not do DHCPv6 at all, but the problem is I don't know how to assign static IPs to servers.  For example when setting up a management interface in Proxmox, how does one fill this out if not using ULAs or static GUAs?


I can't presently enable host-side firewalling in Proxmox because all my IPv6 traffic is getting default dropped since I can't specify networks and clients in rules owing to dynamic ISP prefixes.  What are the options, short of business-class internet plans?

Thanks!
#5
General Discussion / Re: UI - firewall rules
Last post by keeka - Today at 09:21:19 PM
Thanks.
When automation rules eventually supersede firewall rules, will port-forward rules create their corresponding firewall rule under automation rules? Will that functionality remain available?
#6
25.1, 25.4 Series / Re: OPNsense haproxy SSL_TLS_S...
Last post by TECbill - Today at 09:00:51 PM
Hmm...is it possible then to set the according sni req.hdr(host),host_only parameter manually?
If so, where exactly do we have to add it?
Thanks!
#7
25.1, 25.4 Series / Re: OPNsense haproxy SSL_TLS_S...
Last post by meyergru - Today at 08:53:55 PM
Hardly, unless someone actually does a feature request on Github...
#8
25.1, 25.4 Series / Re: OPNsense haproxy SSL_TLS_S...
Last post by TECbill - Today at 08:51:29 PM
Just came here to report I have exactly the same issue.
Glad I'm not the only one as I finally know that I'm not crazy running into this issue as I have not changed anything on the web config within the last half year and suddenly this issue came up.

Is there any fix planned already for this?
Thanks!
#9
Quote from: pfry on September 17, 2025, 09:25:16 AM
I'm not aware of any cable testing or training as part of any Ethernet link establishment - the link is simply negotiated to the highest common advertised speed

Not the case in 802.3bz, as long as the devices are fully 802.3bz compliant. "NBASE-T Downshift" is the coding name for the learning. It's a method to detect if the cable is causing packet issues; the coding can then do a speed downshift in an effort to remedy the packet issue. This helps keep data moving error free but sacrifices some speed.

A good read (https://archive.nbaset.ethernetalliance.org/wp-content/uploads/2017/05/NBASET-Downshift-WP-1217.pdf)
Alien noise in home environments can be an issue just like a bundle of Cat5e/6 in structured wiring in buildings. More rare in the home though.
Quote:
however, the quality of the cable, how cables are bundled together, or "alien noise"

IEEE 802.3bz Auto-Negotiation Detail
The 2.5GBASE-T and 5GBASE-T standards use IEEE 802.3bz
Auto-Negotiation, specified in Clause 28, Clause 126.6, Annex
28B, Annex 28C, and Annex 28D.
As part of the link-training sequence,
#10
25.1, 25.4 Series / Re: [SOLVED]Recent VOIP discon...
Last post by keeka - Today at 08:34:04 PM
After several weeks on and off troubleshooting the problem, it turned out to be nothing to do with opnsense or my pbx. The issues were with the other end's fttp/voip setup! Consider the above a red herring.