Home Network Guy Comment Policy


      • What is OPNsense?

          • OPNsense is open source router/firewall software. It is similar to pfSense since they forked that project over 5 years ago. You can install this software on any PC that has multiple Ethernet ports (you can use a single port, but that is not recommended) and use it in place of your home router, or it can be used only for firewall purposes for your network.

              • Ok, thanks. Is it any good?

                  • Yes, it is very good. It's rock solid and performs well. It gives you a lot of control over your network -- much more than most (or all) consumer grade routers. Since it is more advanced, it does have a learning curve, especially if you are not familiar with more advanced networking concepts. This software allows you to have a really basic network or a fairly sophisticated one depending on how you configure the software.

                      • Nice, I was wondering if turning on IPv6 gives any benefits, because Microsoft says it helps with Xbox online, but there were so many options I didn't know what they are or which were best for my network. Like, can you explain to me if I should choose DHCPv6 or SLAAC? Also, should I allow pings from the WAN port or no? Thanks :)

                          • The benefit of IPv6 for Xbox is that you do not need to have your Xbox behind a NAT router/firewall. Your Xbox can have its own public IPv6 address. It would eliminate the NAT issues that plague many users.

                            Even though I wrote about IPv6 and spent quite a bit of time trying to implement it in my network, I’m not currently using IPv6. My home network was complex enough that I didn’t have enough time to work through all the issues, and I just wanted things to work. For example, my IP security cameras that I am using as baby monitors have to be manually set to use IPv6 instead of IPv4, and the iOS app that I was using was defaulting to IPv6 (it could be the case that all iOS apps default to IPv6 if it’s in use), so my app couldn’t communicate with my cameras. I didn’t want to mess with changing several cameras, especially since most of my free time is when the kids are asleep, and I need to use the cameras! Hehe.

                            As far as using DHCPv6 vs SLAAC on the WAN side, that may depend on what your ISP requires. I imagine DHCPv6 will be used in most cases. On the LAN side you can probably use either one. I can’t recall if you can use the “Track Interface” option with SLAAC. I chose DHCPv6 on the LAN side because I have the option to statically set IPv6 addresses, and in theory it’s a little more secure because MAC addresses aren’t used as the second half of your IPv6 address (unless newer SLAAC implementations have changed).

                            I think many people prefer not to allow ping on the WAN side since it may provide a little extra security, but I think there are many other ways for someone to discover you are online. I allow pings on my local network for troubleshooting, but I block pings to my management VLAN to keep it a little more isolated.

                              • Do you know if IPv6 can make things slower? My internet lately has been weird. I used to get almost 300 Mbps, which is what I'm paying for, but now it's all over the place: sometimes over 200, sometimes between 100-200, sometimes less than 100, sometimes even in the single digits! Do you think I should call a Comcast tech to come out?

                                Also, if my router is using my ISP's DNS servers, but in Windows I set my NIC to use different DNS servers, or vice versa, am I using both? Or which one? I never understood that. Thanks!

                                  • I don't think IPv6 would necessarily slow things down -- at least nothing noticeable. That is assuming that your ISP has IPv6 configured properly. I suppose if IPv6 was implemented poorly in the networks you are connecting to, perhaps that could cause reliability/connectivity issues.

                                    I believe if you have manually specified alternate DNS servers for your device, it should always use those, unless maybe the device's software/OS falls back to other DNS servers if it cannot connect to your specified DNS servers. All of your other devices would use your ISP DNS servers (unless they also have alternate DNS servers built in). Roku devices (at least older models) may be one of those which default to Google's DNS servers if they cannot reach your default DNS servers. When devices are programmed that way, you cannot prevent them from using those servers unless you block them with a firewall rule.

                                    You can modify the firewall rules in OPNsense to force all of your devices to use the same DNS servers. The nice thing about doing that is that if you want all of your DNS traffic encrypted and/or filtered, you can ensure all devices on your network have the same protections applied. It also prevents rogue (potentially hacked) devices from using alternate DNS servers on your network, which can bypass the network level DNS encryption/filtering.

                      • Thank you for a very helpful article on configuring IPv6. One thing I am trying to do is to get all my clients to register their hostname with the DHCPv6 server and then have those hostnames added to Unbound. So far I've only managed to get them to register their MAC address in the hostname field. Any suggestions other than statically assigning IPv6 addresses?

                        I got this far by showing the Dynamic DNS settings on the DHCPv6 LAN tab and then enabling: Enable registration of DHCP client names in DNS. Then I added a domain and the IPv6 address of the name server (router address). I had to manually release and renew the DHCPv6 leases on my Windows clients, but this only populated the MAC address. Thanks again for your help so far!

                          • That is one thing which gave me trouble. I noticed that not all of the devices would show up in the DHCPv6 leases like they would in IPv4, and it seems like only some would show their hostnames. My feeling from looking online is that IPv6 features are not as polished as IPv4, and that is not an issue with just OPNsense, as it seems like IPv6 is not as well supported with other applications/devices. I hope this changes over time. Perhaps there are some tricks that can be done to have IPv6 functioning as well as IPv4, but I am thinking the IPv6 features need more work to perfect (across the industry as a whole too).

                            To work around the issue, there may be no other option but to statically map some of the devices that do not register their names in DNS. The funny thing in my personal network is that I have ended up statically mapping (via DHCP) a majority of the devices on my network so that I can have better hostnames or apply firewall rules to specific devices (in addition to firewall rules for each network/VLAN). Since statically mapping devices via DHCP is all done in OPNsense with the web GUI, it is way more convenient than configuring each device individually, so it is not a lot of work to set up and maintain. Of course for those with tons of devices, it would be more unwieldy, but it is doable. Just be sure to back up your router configuration because it would be a lot of work to start over from scratch if your router crashes (it's also useful in case you hose your configuration and/or you want to experiment).

                            After experimenting with IPv6 to write this how-to, I turned it off on my network for the time being because it was causing issues that I did not have time to resolve. Some devices would default to IPv6 while others were happy to continue using IPv4 (or maybe the software does not support IPv6 addressing). I also wondered how useful it would be to have everything on my internal network using IPv6 other than gaining experience in using IPv6. I know it will be useful at some point to use it to access remote websites/services since the world is out of IPv4 addresses, but in my local network I am not so sure of the utility other than being able to have more than one public facing IP address, which would be nice when hosting various services on your network. The IPv6 address space is so huge and more awkward to use on a small network because of how long the address is and since hexadecimal is used. It's way easier to type and remember 192.168.1.1 than an IPv6 address. Hehe.

                          • Hi, you've said "I decided to use DHCPv6 for assigning addresses to my VLAN interfaces and network devices" which only works with static IP, but then proceeded to explain how to use "track interface" and SLAAC. I really wanted to see how you could do it in a more "IPv4 way" using just static addresses and DHCP because I'm finding a lot of problems. Typically I get connectivity but RA and DHCPv6 don't work.

                              • I set the WAN to DHCPv6 to get an IPv6 address range from my ISP, which is similar to IPv4 except with IPv6 the ISPs will often allow you to request a larger address space so that you can have separate publicly addressable networks (but protected by the firewall) within your home network. On the LAN interface (and other interfaces if you have multiple networks), I am using "Track Interface" along with a prefix ID, which uses the DHCPv6 provided address on the WAN for the first half of the IPv6 address. The remaining portion of the address is dynamically assigned via Router Advertisements. I have configured my RA to be "Managed", which doesn't use SLAAC. The help comment in OPNsense says that "Managed" uses stateful DHCPv6. That may not necessarily work for all devices according to some research I did a while ago, which is why I made the comment that you may need to set it to "Assisted" to allow both stateful DHCPv6 and SLAAC.

                                I just tried to avoid using SLAAC in case it uses the MAC address for the second portion of the address, which can reduce some privacy since your MAC address is now exposed as a publicly addressable IP (I think I've seen where the MAC address is no longer recommended for implementations of SLAAC, so I'm not sure if OPNsense generates a unique identifier or not).

                                To be honest, I don't perfectly have everything set up in my network for IPv6. It was something I was experimenting with. I thought it would be nice to be able to implement IPv6 only at some point since that is supposed to be the future, but it certainly complicates small networks, especially if your IPv6 address from the ISP can change and you wish to have a more complex network (running various services and using firewall rules to restrict specific devices). I wish they assigned static IPv6 address ranges because the address space is so large that it should be possible to do. Having a dynamic address is a pain when you want to run servers that are exposed to the Internet, and there's the issue of internal servers if your IPv6 is being assigned from your ISP and it changes. (There are ways to create static IPv6 addresses, whether it is only the 2nd half of the IPv6 address or by using local IPv6 address ranges, but that adds more configuration.)

                              • Hello! Thank you so much for this post. I can confirm this procedure still works in April 2022 with the latest OPNsense production release (22.1), although a few things tripped me up:

                                1. Some of the firewall rules you added are covered by auto-generated or default rules now. Specifically, the WAN rule to allow DHCPv6 from the ISP is covered by an auto-generated rule so it's not necessary. And on the LAN side, there are default rules that cover "Allow Access to All Other Destinations". This is important because they'll match before your VLAN block rule unless the user changes the order explicitly.
                                2. If your LAN interface is a bridge, you must Enable link-local address in the bridge settings. Otherwise, DHCPv6 and RA won't work.
                                3. Users might want to consider adding a WAN rule that allows ICMPv6 Echo Requests to pass through. I'm not sure what breaks if this isn't allowed, but https://ipv6-test.com complains without it.

                                Thanks again!

                                  • Thanks for the feedback! I'm glad it still works to this day, but you are correct in that I need to update this guide. I feel like I have a little better understanding of IPv6 than when I first wrote the guide.

                                    1. I am pretty certain that the DHCPv6 rule was not an autogenerated rule on the WAN interface several years ago because I could not obtain an IPv6 address without adding the rule, and I found another post which helped me overcome that hurdle. I'm glad it is autogenerated now because that is an essential rule for basic functionality for IPv6 when using DHCPv6. It's one less thing to worry about. As for the LAN rules, I'm assuming you are referring to the default "allow all" rule? I would have to check the guide, but I may (or may not) have mentioned removing or changing the default rule to do the block VLANs/allow all other rules. Nowadays, I prefer to use the "destination invert" and basically create an "allow all" rule which just allows access to anything that's NOT a private network, since I can combine 2 rules into a single, more elegant rule. My newer guides use that single rule instead (I find it easier to explain).
                                    2. That is good to know (I'm assuming by "bridge" you are referring to using OPNsense purely as a firewall as opposed to a router/firewall?). I haven't used bridges in OPNsense, so that may be helpful to those who do use them.
                                    3. I actually do that on my firewall, but I may not have mentioned it when I originally wrote the guide. I will mention it when I do updates! I'm also not quite sure which ICMP types should be or are safe to allow on the WAN because ICMP is more crucial to proper functionality of IPv6 than IPv4.

                                    • Thanks for the hint on bridged interfaces!

                                    • Hello Dustin,
                                      thanks for sharing this tutorial.
                                      I started evaluation of migrating from public static IPv4 to dual stack.

                                      Based on the information I collected, my ISP would provide an IPv6 /56 subnet.
                                      This would allow me to define 256 /64 subnets.
                                      I guess this is more than enough for a homelab.

                                      In my homelab I have defined network segmentation with a DMZ subnet 172.16.10.0/24.
                                      In this subnet I'm running several services that require a public IP.
                                      My understanding is that with IPv6 each service gets its unique public IP.

                                      Question:
                                      Do I need to configure 2 NICs for each server, meaning 1 NIC for public IPv6 and 1 NIC for subnet 172.16.10.0/24?
                                      Or can I assign IPv4 and IPv6 to the same NIC?

                                      Regards
                                      Thomas

                                      • Great tutorials! Your guides have made setting up OPNsense so much easier!

                                        I was wondering, for the final rule(s) to block the separate VLANs/Interfaces from connecting, can you rely on OPNsense's default of blocking everything not defined by a rule? Another option that might work is using the built-in aliases for each interface (i.e. interface name net). Using the built-in aliases would probably require a separate rule per interface, but you wouldn't have to worry about your IPv6 interface changing. Note I haven't tried this yet.

                                        I recently switched from pfSense to OPNsense for the additional features (i.e. ZeroTier, CrowdSec). One thing pfSense has over OPNsense is the documentation. Luckily the two products are very similar, and I recently learned a lot about IPv6 from the pfSense manual. It's spread throughout the manual but very thorough.

                                          • Thanks, I’m glad you found them useful!

                                            Yes, you can use the built-in interface aliases. When you have several networks that is not very scalable, because you have to update every interface’s firewall rules to include new networks that you add. I tend to prefer to block all private IP addresses but then allow DNS (and NTP, etc) before that block rule. The final block rule can be written to block all private IP addresses but allow all other addresses so you can have Internet access.

                                            As for the possibility of dynamically changing IPv6 addresses, OPNsense recently added the ability to create dynamic IPv6 aliases which can be used in firewall rules, but that is only for individual hosts since you have to select an interface. That certainly helps for individual access but doesn’t help with blocking all of the “private” IPv6 addresses, unfortunately. If you have few networks you could use the built-in addresses. However, if you have several networks, using the full IPv6 address range as described in the guide is the best way to go, even though it may mean you have to change it. At least it’s contained to a single alias, so you only need to update it in one place. I have found with Xfinity that my IPv6 addresses don’t seem to change, even after I swapped modems. I even kept my IPv4 address as well.
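The two rule layouts discussed in this reply and in the earlier one about "destination invert" (allow DNS to the firewall, block all private networks, allow everything else; versus a single pass rule whose destination is the inverted private-network alias, with the default deny doing the rest) can be checked against each other offline. The Python below is an added example, not code from Home Network Guy or from OPNsense: the RFC 1918, ULA and link-local ranges are real, while 2001:db8::/56 is a constructed stand-in for the ISP-delegated prefix (the "full IPv6 range" alias), the firewall addresses and sample flows are constructed, and first-match evaluation mirrors OPNsense's default "quick" rule behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Real reserved ranges plus one constructed entry (2001:db8::/56) standing in
# for the prefix the ISP delegated; in OPNsense this is the alias used by the
# "block all private networks" rule.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "fc00::/7",                                         # IPv6 unique local (ULA)
    "fe80::/10",                                        # IPv6 link-local
    "2001:db8::/56",                                    # constructed delegated GUA prefix
)]
# Constructed: the firewall's own addresses on this VLAN, where Unbound listens.
FIREWALL_ADDRS = [ipaddress.ip_network(a) for a in ("192.168.1.1", "2001:db8:0:1::1")]


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    dest: Optional[List] = None      # list of networks; None means "any"
    invert: bool = False             # the "Destination / Invert" checkbox
    proto: Optional[str] = None      # None means any protocol
    port: Optional[int] = None       # None means any destination port
    name: str = ""

    def matches(self, proto: str, dst: str, port: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        if self.dest is None:
            return True
        ip = ipaddress.ip_address(dst)
        in_dest = any(ip in net for net in self.dest)
        return in_dest != self.invert   # invert flips the destination test


ORDERED = [  # three-rule layout, top to bottom
    Rule("pass", FIREWALL_ADDRS, proto="udp", port=53, name="allow DNS to firewall"),
    Rule("block", PRIVATE_NETWORKS, name="block all private networks"),
    Rule("pass", None, name="allow all other destinations"),
]
COMBINED = [  # destination-invert layout: one pass rule, default deny does the rest
    Rule("pass", FIREWALL_ADDRS, proto="udp", port=53, name="allow DNS to firewall"),
    Rule("pass", PRIVATE_NETWORKS, invert=True, name="allow everything NOT private"),
]


def decide(rules: List[Rule], proto: str, dst: str, port: int) -> str:
    """First matching rule wins (OPNsense rules are 'quick' by default);
    a flow that matches nothing falls through to the implicit default block."""
    for rule in rules:
        if rule.matches(proto, dst, port):
            return rule.action
    return "block"


SAMPLE_FLOWS = [  # constructed (proto, destination, port) tuples
    ("udp", "192.168.1.1", 53),        # DNS to the firewall
    ("udp", "2001:db8:0:1::1", 53),    # same, over IPv6
    ("tcp", "192.168.20.5", 443),      # host on another VLAN
    ("tcp", "2001:db8:0:20::5", 443),  # another VLAN's tracked /64
    ("tcp", "203.0.113.10", 443),      # public IPv4 (TEST-NET-3)
    ("tcp", "2001:db8:ff::1", 443),    # outside the delegated /56
]


def verdicts(rules: List[Rule]) -> List[str]:
    return [decide(rules, *flow) for flow in SAMPLE_FLOWS]


def rulesets_agree() -> bool:
    """True when both layouts give identical verdicts for every sample flow."""
    return verdicts(ORDERED) == verdicts(COMBINED)


if __name__ == "__main__":
    for flow, a, b in zip(SAMPLE_FLOWS, verdicts(ORDERED), verdicts(COMBINED)):
        print(f"{flow[1]:>20} {flow[0]}/{flow[2]:<4} ordered={a:<5} combined={b}")
```

Running it shows the two layouts agreeing on every flow, which is the point of the "destination invert" simplification; it also shows why a new VLAN is covered automatically (any subnet carved from the delegated prefix is already inside the alias), and that non-DNS traffic to the firewall's own LAN address is blocked by the private-network rule unless a separate allow rule sits above it.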

                                          • Should we use ICMP or should we use IPv6-ICMP in the firewall rules - WAN?

                                            See here another post about IPv6-ICMP:

                                            https://www.jethrocarr.com/...

                                              • Sorry for the delay. I took a break for the holidays and I'm getting caught up. I took a look at that blog post. The nice thing about selecting "ICMP" in OPNsense in conjunction with selecting the protocol "IPv6" is that OPNsense is smart enough to select ICMPv6, so you shouldn't run into the situation described on that blog post. He was manually writing iptables entries, so it's a lot easier to shoot yourself in the foot.

                                                One thing that I actually do now instead of how I mentioned it in the guide is to allow ALL ICMPv6 traffic instead of just the specific types that I listed. It reduces the number of firewall rules, and it seems to get me a better IPv6 score because it no longer says that ICMPv6 is being filtered. Since IPv6 relies on ICMP more heavily than IPv4, it's probably best to enable all (or most) ICMPv6 on your network. There may be some attack vectors that could be exploited, but I haven't really heard of that being a big issue for IPv6 users; if anyone comes across that information, I'd like to see it!

                                              • Hello. I am running OPNsense 23.1.6 and am having a problem keeping DHCPv6 running.

                                                When I first configured it, all worked as was outlined in your article, but when I rebooted DHCPv6 stopped because it could not get the prefix from the WAN interface.

                                                Is there some way to "kick" this so that it will acquire the prefix and restart DHCPv6?

                                                • Hello! Thank you for the guide. I found two mistakes in it and I have a question. The mistakes are in the following sentences:
                                                  "Keep in mind that a prefix size of “/60” is considered to be a larger prefix size than “/64” because it allows the last 4 bytes of the first 64 bytes of an IPv6 address to be assigned to various subnetworks/VLANs" and "For the “IPv6 Prefix ID”, you may enter anything from 0 to F (hexadecimal) since we have 4 bytes to allocate to our local networks (up to 16 networks)". These bytes should be bits instead.

                                                  And the question is about setting a firewall rule that denies access to other VLANs by prohibiting traffic to any private network addresses. Isn't it a bit too much? Such a rule would disable any traffic not just to other VLANs; it disables traffic inside of the same VLAN subnet too, unless it is handled by a switch somewhere below the router. What if I have two computers in the same VLAN but that are connected to two different ports on the router? This rule should make it impossible to connect between them.

                                                    • IPv6 addresses are 128 bits long. IP addressing typically refers to addressing in bits, so half of the IPv4 address is 64 bits long (https://en.m.wikipedia.org/...), which is used as the network portion of the IPv6 address. The last 64 bits are used for assigning to devices within each network. Prefix delegation allows you to divide up the first half of the IPv6 address into multiple networks.

                                                      As for the block all private IP addresses rule: if devices are on the same network/VLAN, that rule will NOT block them because the network traffic does not need to be routed to other networks. If you have multiple interfaces that are NOT bridged together, they are treated as separate networks and WILL be blocked by that rule. However, you simply add rules above the block all rule to allow access to anything you want on other networks.

                                                      It’s easier to block access to all private networks to isolate each network when you have several separate networks/VLANs because you would have to go to each interface and block all of the other networks individually (using an alias would be beneficial) but if you did that and added a new network/VLAN, now you have to update all your rules again or update all your aliases. Blocking all private networks has the benefit of not accidentally allowing access to a new network (creating a potential security hole) depending on how you constructed your rules.

                                                      I hope this helps answer your questions.

                                                        • Yes, you are right when you write about 64-bit parts of the address in IPv6. In the original article you wrote "64 bytes", which is obviously wrong, and that is why I quoted two sentences with mistakes. I highlighted the wrong use of the word bytes where it should actually be bits.

                                                          After reading around I realized that the setup for VLANs that I plan to implement is not typical for OPNsense. I was going to bridge three local interfaces and use one for wired LAN clients via a managed switch and two for two wireless VLAN-enabled APs, using all except the WAN router ports as a managed switch. It is a typical home setup for a local network to span across all router ports, except that I want to have more than one such local network and use VLANs for that.

                                                          Apparently FreeBSD does not allow using VLANs on a bridge at all but instead allows bridging several VLAN interfaces into one virtual interface. And even for that setup it is recommended to use a switch for switching instead of loading the router with the switch job. Why I want to connect wireless APs directly to the router is that they both support 2.5G Ethernet speed while the managed switch is "only" gigabit (managed switches for 2.5G are very expensive yet). With this setup I could not only utilize all router ports with useful functions but also get 2.5G connectivity between wireless clients.

                                                            • Ahh, I thought you meant I needed to change bits to bytes! Sorry about that. Thanks for pointing that out! I will correct that. I think I've accidentally made that mistake elsewhere since I recall making that fix on some (probably other) guide a while ago.

                                                              Yeah it makes sense why you would want to bridge the interfaces. That is always the confusing thing when buying a box that has multiple interfaces-- you would expect it to act as a switch. It can be done but it has to be done via software which is generally not recommended. However, it is possible you may be ok creating a bridge unless you are heavily loading your system or at least utilizing all of the available bandwidth in the system (PCIe lanes, etc all need to be considered). I have tried bridging a couple of 2.5G ports for the fun of it and it seemed to work ok with some speed tests but I did not push that system to the limits. I basically had all of the other services turned off and used that system purely as a software based network switch which minimizes the load on the device.

                                                        • It looks like my ISP (AT&T fiber) provides me only with a /64 prefix. At least I couldn't make it lease me anything else on the WAN interface. Whatever I tried, I am still getting /64 only; the addresses vary a little. How would you proceed with this? Is it totally impossible to split this /64 subnet into smaller ones for VLAN address allocation?

                                                          After googling around I found this helpful post about AT&T fiber. Apparently people request multiple /64 subnets for each network interface. I am now trying this approach and have some good progress with it, some of my clients finally got IPv6 addresses.

                                                            • So using prefix delegation options in the web interface don't work? You had to resort to editing a configuration file manually? I haven't experienced that issue with Comcast, but it's possible that AT&T requires configuration that is not exposed via the web interface.

                                                                • Yes, it is interesting how it works at AT&T. Essentially they allocate a /60 subnet for my addresses, but I have to make multiple requests for /64 subnets to get prefixes for my VLAN subnets. Only the least significant hex digit changes (I got 0, c, d, e, f), so it looks very much like getting a whole /60 in separate pieces. I also had to select prefix length 60 for the WAN interface in order for the OPNsense interface to allow me to use Track Interface for my VLANs with different IDs (cannot use the same 0 ID for more than one interface). I understand that setting /60 bits for the WAN prefix doesn't have any effect because Config File Override is being used to run a custom DHCP6C script, but it is still necessary for multiple Track Interface settings.

                                                                  I got everything working for wired clients when I discovered another problem: TP-Link EAP670 wireless APs have problems in their firmware that make VLAN clients fail to obtain DHCPv6 addresses. Guess I'll have to wait for fixed firmware before I can use IPv6 for all of my devices.

                                                                  One thing I don't like in OPNsense is that I have to specify the DNS v6 address in Router Advertisements and DHCPv6 settings as a complete IPv6 address including the potentially dynamic subnet prefix. It would be great to be able to specify this address as a dynamic v6 address, as in firewall aliases, where the prefix value is taken from the interface name and you fill in only the address suffix that is statically assigned in DHCPv6.

                                                                    • That’s odd how you have to manually configure the prefix delegation to get the addresses properly assigned to your networks.

                                                                      As for DHCPv6, you can enter ::1000 to ::2000, for example. You don’t have to enter the full IPv6 address. And OPNsense added a dynamic IPv6 alias type that you can select when creating aliases. That solves a lot of dynamic IPv6 issues, but there are still other areas where I think it could be improved. They are slowly improving IPv6 features over time.

                                                                        • Yes, in DHCPv6 settings for static address allocation I can only enter the suffix of the address. I am writing about the DNS Server settings in Router Advertisements and the DHCPv6 server for each interface. In order to specify my Pi-hole IPv6 address in RA and DHCPv6 I have to specify a full address there, because the DNS Server settings don't allow specifying a dynamic IPv6 address.

                                                                            • Yeah, I understand. Dynamic IPv6 cannot be used everywhere, unfortunately. That is why some people resort to setting up ULAs for their internal networks and only use the GUAs to access IPv6 networks/websites on the Internet. I have my IPv6 set up just for Internet usage and not for my internal networks because I didn't want to deal with the headaches associated with dynamic IPv6 addresses changing and causing problems. For me, that was a reasonable compromise because I can still be "future proof" for accessing IPv6 networks on the Internet while using the private IPv4 addresses on my internal networks to minimize networking issues.