Glad it was helpful!

Same. Looking at switching internal network over

I learnt more about ipv4 then I did at a university

As long as you use a dot between, there should not be any problem. For example, instead of .local you can use .domain.local, so devices should be: device1.domain.local, device2.domain.local and mDNS would still be mdnsdevice.local

pfsense will also give you some explanation not to use it.

Reserving .local is one of the biggest blunders in computer networking I can think of

Tayga is available in OPNsense but not nearly as performant as Jool, which being a Linux kernel module isn't available on OPNsense. But it's definitely an option, and Tayga can act as either side of a 464XLAT setup. Multihoming is a bit more tricky, due to combinations of IPv6 being really designed for you to use BGP instead (the correct way to multihome) and bsd pf having quirks around gateway addressing and source-address-based routing and stuff like that. So both are on the todo list, but behind the more basic stuff. But thanks!

The UI is really good! It just has a ton of features packed in that it can be intimidating.

No problem 👍

Juicy!

Glad I could help!

Checking the box to use the settings from DHCPv6 will use OPNsense's own IP for DNS and domain, because that's the default for DHCPv6.

It's not something I've talked about yet, but I could probably make a little video on that

Both on the list!

Could you tell briefly what makes you prefer opnsense over pfsense?

@@Mikesco3 could you tell us your preference and why?

DoT is an RFC standard and more widely used than DNSCrypt

Working on it!

As far as i know you dont need subnetting. Your /48 /54 or whatever would be your prefix provided by your isp, has 64-48bits (2¹⁶) reserved for your subnet. So, u Will have 2¹⁶ subnet and every single One has 2⁶⁴ Client. You could subnetting ipv4 style but Is not necessary/raccomanded/useful.sry for my english.

You don't subnet the same way as in v4 (essentially randomly + NAT), you end up with either a subnet id (for small sites) or a hierarchy of what the nibbles mean (on more complex routed sites). It's much more organized and easy to follow.

@@apalrdsadventures so how do you do network segregation with vlans and ipv6?

@@vaidkun same as ipv4, except you dont need a broadcast ip. You still have a network ipv6 address like 2001:db8:acad:1::/64 - 2001:db8:acad:2::/64 until 2001:db8:acad:ffff/64. I.e. 2001:db8:acad:1::1 Is the router interface and the 2⁶⁴ Minus 1 are the availables host address.

Subnets are /64, and the ISP gives you something larger (/56, /60, ..) so you can create subnets out of the remaining bits in the address. With a /56 you can create 256 subnets for your extra interfaces/vlan interfaces.

Proxmox is a bit of a special thing since it does name-resolving in the cluster (even for a single node) using the hosts file, and isn't really designed to deal with DHCP (even static addresses). So that could be related to your issues.

@@apalrdsadventures thanks for the response! I joined the Discord, and I may ask further questions there about Proxmox soecifically. Would definitely love a continuation of this video with static IP setups in Opnsense.

In general this is how I did the basics of it, but the next video will be on subnetting and network management with subnets. Probably will be ~3 weeks for that video, depending on how many other projects I'm working on.

Glad you like it!

I'm working on them!

Unless you're using development builds (OPNsense is open-source after all, so you are free to), it's not a rolling release. They publish new versions with feature updates every 6 months and continuously publish security updates for current and several previous versions with support going back ~4 major versions. They are just able to get new features introduced in under a year and release when they say they will.

​@@apalrdsadventures That release cycle sounds like a desktop OS, for a router i think a slower one is better. Sometimes less is more.... ;)

In general they are doing updates which track with FreeBSD's releases. FreeBSD's releases tend to be yearly in the spring, so they are following that with a summer OPNsense release.

Zerotier isn't something I use myself, I actually use Nebula instead

They changed their license, instead do consider Netbird, they are new and have a dfsg approved license.

​@@apalrdsadventures built-in Wireguard is better than nebula right ? Why choosing nebula over wireguard ?

eh it depends on your use case. Nebula is designed to make a point to point routed network without any previous knowledge of the other nodes in the network, other than the lighthouse. It also adds features like identity to its certificate. Wireguard provides the absolute bare minimum to pass traffic and provides nothing else for managing and discovering endpoints and configuring routes. Some platforms like Tailscale build on the Wireguard crypto to provide a lot more, but they also introduce the single point of failure Headscale server. OpenVPN is often hated for being slow, but this is partially because it provides a ton of useful features for managing remote user access like server-side configuration of client routes, enterprise user authentication (usernames/passwords and connections to identity databases), and things like that. Nebula (and OpenVPN) also use AES instead of ChaCha cipher, which is significantly faster if you have hardware acceleration for it. Wireguard stays fast by implementing no features.

Opnsense does support a alias type called dynamic host. This allows you to specify the second half of the v6 address and opnsense will automatically add the current prefix.

You can also create an alias for a MAC address, and it will resolve to all of the IPv4/IPv6 addresses of that host.

I use draw.io but the desktop app version

With proper zero trust, OPNsense isn't involved at all

@@apalrdsadventuresthanks for the response i've been watching your videos forever, but I meant a complete end to end zero trust network setup from creating the vlans to host the lxc to routing the ports across other vlans to access the resource

Ah that's a bit different than a 'zero-trust network architecture' that's a sorta IT buzzword right now. In that setup, each node is responsible for its own session validation and the network infrastructure does a lot less (since firewalling is end to end and not a box in the middle).

Basically, with SLAAC the router advertises the prefix (/64) and nodes are free to chose their own suffix (last /64 to make a /128) using a number of algorithms of their choice. A very common algorithm used to be EUI64 (basically, take the MAC address and add ff:fe in the middle to make it 64 bits - xxxx:xxFF:FExx:xxxx). A lot of servers and Linux server-focused distros do this, as well as IoT devices with more minimal network stacks. Often you can guess the address for IoT devices based on the MAC address sticker on the box. The other common option is called 'stable privacy', where the host takes the hash of the prefix + some internal and unique but stable identifier like a serial number or uuid or mac address to come up with its suffix. This is stable over time, but can't be guessed, and is also guaranteed to change on new networks (so the suffix can't be tracked as the device moves across subnets). This is the address you want to use for incoming traffic, but it will change if the prefix does. The temporary address are randomly generated and will change regularly. If an OS is using non-EUI64 addresses it should have both a stable privacy and a temporary address. I don't recall what Windows calls them. Linux denotes the 'temporary' addresses in `ip a` and macos denotes the stable addresses as 'secured'.

draw.io

Internal (OSPF / friends) or external (BGP)?

In general FreeBSD / OPNsense does not have a lot of functional network drivers. I wouldn't expect to get it working.

If it's a 64-bit PC platform it should work.

My experience with OpenWRT is that the functionality is all there in packages but the UI is severely lacking compared to OPNsense. There are Linux programs which will do almost anything, and you can install them, but that doesn't mean it's well integrated into the UI / distribution.

@@apalrdsadventures No, it is not. It's a mixed bag, since it's designed for embedded devices, there's no decent way of performing upgrades compared to OPNSense. Also, I need Unbound for getting multiple domain resolution which is not working in OpenWRT's dnsmasq and using unbound under OpenWRT has to be done with some kind of wizardry to get it working without messing up dnsmasq+DHCP... I will go with OPNSense this winter, as I will use the integrated HAProxy with it. Need to get it running in my lab these days for debugging/testing all my config until it's perfect for day to day usage. Also, love the diagnostics and reporting tools in OPNSense, makes everything more "visible" instead of just "working"... or not.

You probably need to configure multiple upstream interfaces in Unbound, it defaults to only doing queries via WAN. You also need gateway monitoring for this to work, and it might not have that configured by default.

@@apalrdsadventures When you say multiple upstream interfaces, what does that mean exactly. As for gateway monitoring, I did have to set that up manually. It's interesting that this topic isn't one that appears to be covered by anyone, but it makes more sense to have DoT in every scenario including multi wan configurations.

@@apalrdsadventures Turns out "Disable Gateway Monitoring" was checked. I have failover working now with just Unbound DNS entries and no entries in System-- Settings-- General. Onto another thing to learn! Intrusion detection perhaps! 😉

Unbound lets you configure explicitly which interfaces to use for outgoing DNS lookups. This needs to be set to allow all of the WANs.

It does, and it can do policy routing across the tunnel. The UI for individual clients isn't fantastic, but you can add peers and assign them to tunnel adapters.

Thanks!

/59 is such a weird size! At least make it line up with the nibbles!

@@apalrdsadventures Absolutely, but at least Telekom (DTAG) gives me a /56

The prefix 100.64/10 is formally assigned to be used by ISPs for carrier grade NAT. Tailscale is squatting in an improper IPv4 semi-private range (they should be using the RFC1918 space, 10/8, 172.16/12, and 192.168/16). But no, it's only a filter on packets entering/leaving that interface, not via tunnels which run over that interface.

@@apalrdsadventuresThanks for the quick and clear reply! Your video and style of explanation is by far the best I've found on these topics here. You're clear and explain what's important without wasting time or skipping important stuff. Really looking forward to more of this. I looked at Tailscale's FAQ, and their explanation for the use of the ISP CG-NAT space is "Philosophically, Tailscale is a service provider creating a shared network on top of the regular Internet."

One of the problems you'll see is that IPv6 addresses are globally scoped and not NATed, so whichever ISP you use to assign IPs to clients will be the ISP that traffic must go out of. For failover it's common to use NPTv6 on the second WAN, so traffic gets address translated on the backup, but you can also assign certain WANs to specific LANs or specific clients for load balancing.

I might need to research more on all of this, I understand most of the theory but not too much on practice, maybe I'm just too used to how my decos handle bridging ipv6's by just adjusting a configuration.

OPNSense is more of a firewall and Mikrotik is more of a router. Generally the firewall goes first.