[Solved] IPv6, bridging, Sophos port numbers, and packet filtering woes.

Started by HiTekRedNek, June 21, 2025, 04:35:16 AM

June 21, 2025, 04:35:16 AM Last Edit: June 24, 2025, 04:26:50 PM by HiTekRedNek Reason: solved
I'm having some issues that may or may not be related.  I recently moved my OPNsense setup from a VM running in proxmox, with a passed-through WAN port to a used Sophos SG-135v2.

Upon doing so, I've noticed that the two sets of 4 ports seem to be swapped. So, across the back, from 0 to 7, left to right, it actually counts as follows: 4567 0123, but the lights on the front indicate the physical ports. No real issue, just have to take note of that.

So, I have set up igb0 as WAN; it gets a CGNAT'd DHCPv4 address and a /56 DHCPv6 address from my ISP (Starlink).

I have then bridged the remaining igb1-7 into bridge0 and have it assigned to LAN.

All interfaces are enabled.

In LAN, I have my LAN IPv4 address/net set to 172.16.0.1/24, and the IPv6 is set to track my WAN IP. This seems to pull a proper IPv6 address.

So far, so good.

Now, I was randomly losing access between devices on different ports of the Sophos, and noticed that the firewall was actually blocking packets from interfaces that were part of the bridge going to other interfaces that were also part of the bridge, so I created a floating rule that allows all in/out between all interfaces of the bridge. That seems to fix that little issue, but is this the recommended way to do it, and why is that not a default setting? Or do I have something broken?

And finally, none of my clients are getting an IPv6 address. ISC DHCP6 is enabled, shows the LAN IPv6 address, and Router Advertisements are set to Assisted (the only other option is Disabled).

... Help?


You did set the two tunables when creating the bridge and adding the member interfaces, right? https://docs.opnsense.org/manual/how-tos/lan_bridge.html
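The two tunables the linked how-to refers to are the FreeBSD bridge filtering knobs net.link.bridge.pfil_member (filter on each member port) and net.link.bridge.pfil_bridge (filter on the bridge interface itself). The script below is an added example, not code from the original thread or from the OPNsense project: it parses sysctl output and reports whether the pair is set the way the how-to expects. The sample sysctl text is constructed (it mirrors the FreeBSD defaults, which filter on every member and so explain the blocked inter-member traffic in the first post).

```shell
#!/bin/sh
# Added example: check the two bridge filtering tunables from the OPNsense
# LAN-bridge how-to. Expected for a LAN bridge on OPNsense:
#   net.link.bridge.pfil_member=0  (do not run pf on each member port)
#   net.link.bridge.pfil_bridge=1  (run pf once, on bridge0 itself)
# With pfil_member=1 (the FreeBSD default), pf evaluates rules on each
# member interface, so frames going from one member to another are dropped
# unless a rule on those members allows them.

# Print the value of one key from "name: value" / "name=value" lines.
# Usage: get_tunable <key> <sysctl-text>
get_tunable() {
    printf '%s\n' "$2" | awk -v k="$1" '
        $0 ~ ("^" k "[:=]") { sub("^" k "[:=][ \t]*", ""); print; exit }'
}

# Return 0 when the pair matches the how-to, 1 otherwise, with a verdict.
# Usage: check_bridge_filtering <sysctl-text>
check_bridge_filtering() {
    member=$(get_tunable net.link.bridge.pfil_member "$1")
    bridge=$(get_tunable net.link.bridge.pfil_bridge "$1")
    if [ "$member" = "0" ] && [ "$bridge" = "1" ]; then
        echo "ok: filtering on bridge interface only"
        return 0
    fi
    echo "mismatch: pfil_member=${member:-unset} pfil_bridge=${bridge:-unset}"
    echo "set net.link.bridge.pfil_member=0 and net.link.bridge.pfil_bridge=1"
    echo "under System > Settings > Tunables, then reboot"
    return 1
}

# On the firewall itself: read the live values from the FreeBSD kernel.
check_live() {
    check_bridge_filtering "$(sysctl net.link.bridge 2>/dev/null)"
}

# Constructed sample of sysctl output (FreeBSD defaults) for offline use.
SAMPLE_DEFAULT='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1'

# Demonstration on the sample: reports the mismatch and the fix.
check_bridge_filtering "$SAMPLE_DEFAULT" || :
```

Run check_live from a shell on the OPNsense box to test the real values; the tunables are also visible in the GUI under System > Settings > Tunables.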

Quote from: cookiemonster on June 22, 2025, 12:52:14 AM
You did set the two tunables when creating the bridge and adding the member interfaces, right? https://docs.opnsense.org/manual/how-tos/lan_bridge.html

I'm fairly certain I did at some point. I'll try to set up the bridge again, being doubly sure to follow that howto. I was getting really frustrated and gave up on the extra ports/interfaces for now.

Thanks.


So, apparently, I messed up somewhere along the way, because I just finished setting up the bridge again, and now everything seems to be working just fine.

Including pf and DHCPv6.

Only thing left is to see if I can sort out why the two sets of ports seem to be inverted. Probably just a case of driver load order, tbh.

Thanks for your help!

Quote from: cookiemonster on June 22, 2025, 12:52:14 AM
You did set the two tunables when creating the bridge and adding the member interfaces, right? https://docs.opnsense.org/manual/how-tos/lan_bridge.html

So apparently I spoke too soon.

My LAN clients are getting a proper IPv6 address now. But IPv6 connectivity fails. I cannot ping IPv6 addresses. All responses just get lost in the ether. I'm not seeing anything in the firewall logs that jumps out at me either. Any ideas?

You did place the (e.g.) "LAN" assignment and IP address configuration for IPv4 and IPv6 on the bridge interface and not on any member, didn't you?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

June 24, 2025, 12:35:26 AM #6 Last Edit: June 24, 2025, 01:08:08 AM by HiTekRedNek Reason: Added link
Quote from: Patrick M. Hausen on June 23, 2025, 04:59:34 PM
You did place the (e.g.) "LAN" assignment and IP address configuration for IPv4 and IPv6 on the bridge interface and not on any member, didn't you?

Correct, only the [LAN] is set up for IPv4 static, and IPv6 Track Interface (WAN), and none of the bridge members have anything other than "None" for both IPv4 and IPv6.

https://imgur.com/a/ND1prPy

I cannot even ping my opnsense router over IPv6, but the router itself has IPv6 connectivity.

*sigh* IPv6 is so much more complicated, and every single bit of knowledge I have of it is self-taught. Apparently, the devices that aren't getting IPv6 access aren't getting RA announcements, so I'm having to manually set the default gateway for those devices, despite the fact that somehow they WERE working with IPv6 before I created the bridge. *pulls out hair*

Interfaces > Devices > Bridge > edit your bridge > enable link-local.

Quote from: Patrick M. Hausen on June 24, 2025, 08:31:27 AM
Interfaces > Devices > Bridge > edit your bridge > enable link-local.

It was already enabled. Thanks.