- The one and only OPNsense port forwarding guide you ever need
·
opnsense
· So you are in the pitty situation that you need to make an IPv4 legacy system or application reachable but your port forwarding rules are not working? And watching a painfully 21 minute long YouTube video from a bearded guy did not help you in any way? Hold back your tears because you have just found the one and only port forwarding guide for OPNsense.
In order for port forwarding to work you need to things:
- WireGuard on OPNsese: wg0 is not a WireGuard interface
·
opnsensewireguard
· My WireGuard on OPNsense 22.1 suddenly stopped working out of nowhere and would not restart:
root@firewall:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: ‘wg0’ is not a WireGuard interface
wg-quick: ‘wg0’ already exists
Checking the wg0 interface via ifconfig told me that was a lie:
root@firewall:~ # ifconfig wg0
wg0: flags=8002<BROADCAST,MULTICAST> metric 0 mtu 1420
options=80000
groups: tun wireguard
nd6 options=103<PERFORMNUD,ACCEPT_RTADV,NO_DAD>
A hanging interface is thankfully not new to me. I’ve dealt with many of them before when I was still OpenVPN.
- OPNsense: RA Interface static vs dynamic
·
opnsenseipv6
· RA Interface: static vs dynamic Some time ago I suggested adding a checkbox (🖇️ 🔐) so users can stop radvd from deprecating the IPv6 prefix on shutdown and created a corresponding pull request. This was not merged because the team was not happy about how I implemented it. But they promised to add this feature which they actually did pretty quick.
Under Services -> Router Advertisements -> LAN you can now choose between two options for RA Interface:
- OPNsense: Prefer source address
·
opnsenseipv6wireguard
· Note: This post is about IPv6 addresses. I assume it works with legacy IP, too (untested).
Problem Before switching to a modem I had configured a static WAN address. I chose that address to be also used as WireGuard endpoint address. WireGuard has one major problem: You can’t configure the address it’s listening on. It relies on the underlying operating system to fill in the source address. And this can cause problems on a machine with multiple interfaces and addresses like an OPNsense firewall as you will see now.
- OPNsense: OpenVPN automatic gateway creation
·
opnsense
· Note: The title is actually a little bit clickbait. On pfSense the config option is called “gateway creation”. This option is missing on OPNsense. I had to reimplement the functionality.
The audience for this blogpost are advanced users. Knowledge you must have:
How VPNs work, especially OpenVPN (inside vs outside tunnel, tunnel network) How IP routing works General configuration of OPNsense Connecting via ssh to your OPNsense and CLI basics (UNIX permissions, creating files, navigating the filesystem, etc) If you don’t have the required knowledge you may misconfigure something.
- OPNsense: Tayga NAT64/DNS64 installation
·
opnsenseipv6
· Have you ever dreamed of running a pure IPv6 only network? I have. But until the IPv4 defenders finally kick the bucket we have to rely on transition methods. In this case NAT64 in combination with DNS64 so IPv6 only hosts can talk to IPv4 legacy systems transparently. And here is how you can do it with OPNsense and the help of a recursive BIND resolver.
With OPNsense 20.1.1 Michael (🖇️ 🔐) built a plugin for the NAT64 application tayga.
- OPNsense: Route subnet over VPN
·
opnsense
· The piracy rate of movies and TV series dropped significantly after Netflix made its breakthrough. With one monthly subscription you had access to a huge amount of content just one click away. It has never been easier and comfortable. Congratulations to the publishers for stepping out of your comfort zones. Your loss of piracy was reduced quite a bit. But you greedy bastards are pushing your customers towards piracy again. You enforce geoblocking or don’t license your stuff to established streaming servives.
- pfSense/OPNsense: Statisches IPv6 Routing hinter Fritz!Box
·
opnsense
· Mein ISP stellt mir nun glücklicherweise eine statisches IPv6 Prefix zur Vergügung. Wie ich dieses nun hinter meine OPNSense bekommen habe schreibe ich hier zusammen.
Dies ist ein Follop-Up zu meinem Artikel pfSense/OPNsense: IPv6 Delegation hinter Fritz!Box - 2019 Version.
Netzstruktur Das Netz sieht wie folgt aus:
[Fritz!Box 7590] <--L2--> [OPNSense/WAN] --> L2: DMZ --> L2: LAN --> L2: GUEST Die Fritz!Box bekommt vom ISP das Prefix 2001:0DB8:37f:b000::/56. Dieses Prefix soll hinter der OPNSense erreichbar sein.