I learned more about IPv6 through this video than through my own lazy I-really-should-start-to-learn-this Google sessions. Great job, thanks for sharing.
@apalrdsadventures Жыл бұрын
Glad it was helpful!
@DavidBroome1978 Жыл бұрын
Same. Looking at switching internal network over
@CaptainW_rCrimes9 ай бұрын
I learnt more about ipv4 then I did at a university
@NetBandit70 Жыл бұрын
The one guy who gets that .local is reserved.
@JoaquinVacas Жыл бұрын
As long as you use a dot between, there should not be any problem. For example, instead of .local you can use .domain.local, so devices should be: device1.domain.local, device2.domain.local and mDNS would still be mdnsdevice.local
@CRK19185 ай бұрын
pfsense will also give you some explanation not to use it.
@ImperiumLibertas4 ай бұрын
Reserving .local is one of the biggest blunders in computer networking I can think of
@KeithTingle Жыл бұрын
You are a CLEAR communicator. I am sure you are not the only person advocating for IPv6 on YT but you are the only person I follow that covers this topic and its great, would love to see something similar for pfSense users, I am a little lost with IPv6 & pfSense
@gjvdspam5 ай бұрын
Yes! This is a proper vid. No music, good sound. You manage to explain in a nice manner, enthusiastic, clear voice, knowledgeable, to the point, the right ratio of prep and free willy. Like it a lot, learned a thing or two too.
@bobcauthen Жыл бұрын
Well done... no one has covered setup covering rules (including what WAN looks like) AND include IPv6. Thanks for making this!
@LilaHikes4 ай бұрын
I bought a Protectli on my own accord 2 years ago for my home network. I've been an extremely satisfied customer. And OPNSense is a godsend vs the fork it is derived from. Even though I have (obviously) already set mine up, I always get something new by watching these types of videos. Many thanks.
@vaughnbay10 ай бұрын
Good vid! It is easy to see why the general computing public has stiff armed IPV6 for years. It is complex! You did a good job of explaining it.
@berniemeowmeow Жыл бұрын
Great video! OPNsense looks a lot more intuitive than I was expecting. Will give it a try.
@apalrdsadventures Жыл бұрын
The UI is really good! It just has a ton of features packed in that it can be intimidating.
@elcapitanomontoya10 ай бұрын
New OPNsense user here - was losing my mind about port forwarding and was ready to give up before watching this. This is an excellent video for explaining how it works and getting it set up!
@apalrdsadventures10 ай бұрын
Glad I could help!
@UnderEu Жыл бұрын
Suggestions for a next video: - Going IPv6-only, how to add 464XLAT w/ NAT64 + Tayga for obsolete IP connectivity. - IPv6 multi-homing: Using more than one WAN link and how to address that (no pun intended) on the LAN. And that's not something you can provide on a single video but I wish every network/tech creator in this platform put the same effort as you for talking about the current Internet Protocol, instead of ignoring it with all their forces and continue putting even more content like it's 1970. Keep up with the excellent work, the real hero of this platform regarding ACTUAL current IP technology. :)
@apalrdsadventures Жыл бұрын
Tayga is available in OPNsense but not nearly as performant as Jool, which being a Linux kernel module isn't available on OPNsense. But it's definitely an option, and Tayga can act as either side of a 464XLAT setup. Multihoming is a bit more tricky, due to combinations of IPv6 being really designed for you to use BGP instead (the correct way to multihome) and bsd pf having quirks around gateway addressing and source-address-based routing and stuff like that. So both are on the todo list, but behind the more basic stuff. But thanks!
@martymccafferty7510 Жыл бұрын
Thanks for the IPV6 setup walk through.
@apalrdsadventures Жыл бұрын
No problem 👍
@d3xbot Жыл бұрын
OOH Yes! Can't wait for this series!
@gzoechi Жыл бұрын
I watched a few of your videos lately and find them quite educational and pleasant to watch. Great stuff. I'm also interested in the topics you mentioned at the end.
@sirsquirrel0 Жыл бұрын
Dude. What a great video. I was trying to get SLAAC working in my environment and it was missing the Router Advertisements enablement. It’s all sorted now and I’m all fully up and running using ipv6. Todays objectives are complete 😎
@Felix-ve9hs Жыл бұрын
25:14 if you leave the "Domain search list" field empty, the domain of the OPNsense hostname will be used. And it is also possible to add multiple domains to the field :)
@apalrdsadventures Жыл бұрын
Checking the box to use the settings from DHCPv6 will use OPNsense's own IP for DNS and domain, because that's the default for DHCPv6.
@freakbyte Жыл бұрын
Easy to understand as usual, looking forward to the next OPNsense video. Thanks!
@Mikesco3 Жыл бұрын
I'm really grateful for the info on IPv6, specially when you were talking about it in direct application, you already cleared a few misunderstandings I had.
@martymccafferty7510 Жыл бұрын
I love OPNsense. Thanks for this video.
@onkelfabs6408 Жыл бұрын
More topics: - Masquerading with chained routers - IPSec Client to VPN Provider - Static Routes when using VPN - VLAN - Load Balancing - Separate server subnets
@camaycama747911 ай бұрын
Juicy!
@carldorbeus9025 Жыл бұрын
Tack!
@apalrdsadventures Жыл бұрын
Thanks!
@gustersongusterson4120 Жыл бұрын
Hell Yeah! Learning opnsense has been on my to do list. All the requested video topics on open sense that you mentioned are great. Maybe a short video about integration with Tailscale or headscale?
@ЮраПивненко-и8м Жыл бұрын
alll good,waiting for next part!!
@apalrdsadventures Жыл бұрын
Working on it!
@rapacious_rapscallion3 ай бұрын
One of the best OPNsense intro videos I’ve seen to date. Thanks for putting this together. Can you also tackle the topic of using wireless mesh routers as access points in an OPNsense environment in a future video? Thanks.
@SriniVas-uk3jp20 сағат бұрын
Thanks for the video. Good information on the IPv6.
@davecreese2383 Жыл бұрын
Great information. Helpful comments too. Thank you. I have my weekend project.😊
@wkipo8 ай бұрын
unfortunately I only can like this video once. Great Job!
@FrankMather Жыл бұрын
Awesome Job, thank you. I'm a OpnSense noob. this helps a lot.
@cmespy2005 Жыл бұрын
Awesome job
@robertpiper6860 Жыл бұрын
Lol I just fail doing this yesterday! Perfect timing!
@PortsmouthHarbourBoats Жыл бұрын
Been running opnsense here for a few years now. using an HP prodesk 600 2.5 with a quad Intel pro1000 and now i350. rock solid 1gb FTTP
@sneezingfrog8 ай бұрын
Excellent content, well presented. Really appreciate you putting this together.
@NetBandit70 Жыл бұрын
OpnSense suggestions: IPS/(IDS), logging, SIEM Traffic capture (PCAP) for compliance/analysis Modern, secure proxy (not just http)
@MaigoManville Жыл бұрын
Great video! I hope you can cover hosting multiple web servers behind OPNSense and complete VPN setup next.
@apalrdsadventures Жыл бұрын
Both on the list!
@Tntdruid Жыл бұрын
So much great info 👍
@timeobserver8220 Жыл бұрын
Duuude I learnt sooo much about IPv6 in this thanks
@asdvhoiwe Жыл бұрын
Thanks for this video, I've been trying to learn more about networking and this has been super helpful for me : )
@clarkanton9595 Жыл бұрын
It would be great to hear your thoughts and explanations for using haproxy to deliver both a layer 7 by host header and layer 4 using SNI
@En-Pea-Sea5 ай бұрын
Headphone jack can be used for on-hold music provider or overhead pager, alarm siren, all sorts of cool things.
@camaycama74799 ай бұрын
You're the man! Congrats 👏
@JuanCarlosHerediaMayer Жыл бұрын
Thank you very much for sharing this very useful video. You made my day. Keep it going.
@fedemtz6 Жыл бұрын
I would love a video on your lab setup focusing on dhcpv6 prefix delegation for testing routers. I have yet to watch your video on your network so it might be there
@apalrdsadventures Жыл бұрын
It's not something I've talked about yet, but I could probably make a little video on that
@21Lettere Жыл бұрын
What do you think about IPv6 and VPNs? (like WireGuard, OpenVPN). How can we tunnel all our data leaving the firewall into our personal VPN and be sure that no data leaks outside?
@OmarMunoz7 ай бұрын
great video thanks for taking the time to go through config with explanations.
@achillesserrano47467 ай бұрын
Awesome demo
@JPrez-io6qj6 ай бұрын
First, thanks for the video. I got my IPv6 going from ISP to LAN finally! One question I don't seem to understand, around the 33:10 mark you mention a specific IPv6 IP and how its called different things on different OSes. Does this auto generated IPv6 SLAAC IP never change? You made the rules to allow traffic in - but on a restart of the laptop or after so many days/hours will this IP change? In my head, normally you have to map a MAC address to a IP so it gets the same one everytime.
@apalrdsadventures6 ай бұрын
Basically, with SLAAC the router advertises the prefix (/64) and nodes are free to chose their own suffix (last /64 to make a /128) using a number of algorithms of their choice. A very common algorithm used to be EUI64 (basically, take the MAC address and add ff:fe in the middle to make it 64 bits - xxxx:xxFF:FExx:xxxx). A lot of servers and Linux server-focused distros do this, as well as IoT devices with more minimal network stacks. Often you can guess the address for IoT devices based on the MAC address sticker on the box. The other common option is called 'stable privacy', where the host takes the hash of the prefix + some internal and unique but stable identifier like a serial number or uuid or mac address to come up with its suffix. This is stable over time, but can't be guessed, and is also guaranteed to change on new networks (so the suffix can't be tracked as the device moves across subnets). This is the address you want to use for incoming traffic, but it will change if the prefix does. The temporary address are randomly generated and will change regularly. If an OS is using non-EUI64 addresses it should have both a stable privacy and a temporary address. I don't recall what Windows calls them. Linux denotes the 'temporary' addresses in `ip a` and macos denotes the stable addresses as 'secured'.
@JamesTenniswood Жыл бұрын
Really interesting, thanks for sharing!
@shephusted2714 Жыл бұрын
you should cover ram allocation and ids/ips - suricata is multi threaded and uses a lot of cpu, also think about pkt cap - you probably want a dedicated pkt cap box ahead of the opnsense box - selks works - you can do pkt cap on opnsense but better to have a dedicated machine - think about doing ha opnsense, think about setting up ntp with a usb gps dongle - opnsense does do link agg well so you may be able to add your phone and get faster speeds with dual wan - the licensing is great with opnsense and it is rock solid - updates always work. it is a great distro to resell - building out a hyper opnsense box with a few 2.5 but also 4 40gbe would be a nice way to go for some smb and prosumers but it can be done for less than the protechli mini pc and this is where you want to go eventually - ws, dual nas and vm server all on 40g
@Prowlyi6 ай бұрын
Incredible overall
@corsgdgr Жыл бұрын
if its possible i like to see multiwan setups for fail over or/and bonding. keep up your excellent work!
@Doesntcompute2k Жыл бұрын
Clustering your OPNsense fw would make a good video. And automated (config) backups of said device. I've always put an external USB flash memory stick for the config backups of pfSense and OPNsense. You could ALMOST do a full series just on add-ons/extensions to pfSense/OPNsense alone. Setup of DNS fw, logging, yada About to move my main (and 2nd to last!) pfSense fw to OPNsense. Should be "fun." 8 10Gbps, 6 1Gbps, and 1 1Gbps admin port. I love old, used Netscalers and F5's. LOL I've moved nine other of my firewalls to OPNsense. I only need to keep two pfSense (current/prev-version) and they will of course be VMs.
@Mikesco3 Жыл бұрын
Could you tell briefly what makes you prefer opnsense over pfsense?
@yakikadafi62698 ай бұрын
@@Mikesco3 could you tell us your preference and why?
@dozerd42 Жыл бұрын
Great video! I would love to see static IP setup and configuration on Opnsense for homelab servers. I just setup a Proxmox node, I thought I assigned it the correct static IP and MAC combo, but I might need to fix it. I have no idea how to change the static IP configuration from the leases page.
@apalrdsadventures Жыл бұрын
Proxmox is a bit of a special thing since it does name-resolving in the cluster (even for a single node) using the hosts file, and isn't really designed to deal with DHCP (even static addresses). So that could be related to your issues.
@dozerd42 Жыл бұрын
@@apalrdsadventures thanks for the response! I joined the Discord, and I may ask further questions there about Proxmox soecifically. Would definitely love a continuation of this video with static IP setups in Opnsense.
@martyb3783Ай бұрын
Great video.
@ronaldvargo4113 Жыл бұрын
When are you following up on this. I would like to see how you stood up IPv6 on OPNsense and your VLAN strategy.
@apalrdsadventures Жыл бұрын
In general this is how I did the basics of it, but the next video will be on subnetting and network management with subnets. Probably will be ~3 weeks for that video, depending on how many other projects I'm working on.
@Stev.3n Жыл бұрын
May have to go give this a go after the recent PFsense changes.
@allaboutcomputernetworks9 ай бұрын
Thank you so much for making this lovely video!!....👍
@apalrdsadventures9 ай бұрын
Glad you like it!
@Cynyr Жыл бұрын
Does opnsense handle ipv6 prefix delegations in some sort of semi intelligent way? by that i mean if i punch a hole for port 666 to my laptop and my PD from my ISP changes do i need to go an edit all of the firewall rules? what if i have an android/iphone/windows computer that is constantly re-gen'ing it's IPv6 addr, does opnsense support ddns for lan clients via SLACC?
@phiwatec2576 Жыл бұрын
Opnsense does support a alias type called dynamic host. This allows you to specify the second half of the v6 address and opnsense will automatically add the current prefix.
@apalrdsadventures Жыл бұрын
You can also create an alias for a MAC address, and it will resolve to all of the IPv4/IPv6 addresses of that host.
@autohmae Жыл бұрын
1:50 audo jack output on a firewall... I know their used to be an open source project which could use audio background sounds for monitoring. Say what ? Well, it would have different background sounds it would play constantly, the audio level or how often it repeated the background noise would correspond with events. For example the amount of network traffic corresponds to the sound of a waterfall. The more network traffic, the louder/wilder the waterfall got. The number of 404 responses on a webserver would correspond with the sound of a frog, etc. 🙂
@martymccafferty7510 Жыл бұрын
Using IP aliases make the firewall rules more readable
@protacticus630 Жыл бұрын
Thank you very much! Does this setup support port forwarding or require some additional changes?
@RupertoCamarena Жыл бұрын
Please more opnsense Videos ❤️✌🏾
@apalrdsadventures Жыл бұрын
I'm working on them!
@jagdtigger Жыл бұрын
Not to take away from the videos value or anything, but for a firewall id use something that values stability and security above update frequency and bleeding edge features...
@apalrdsadventures Жыл бұрын
Unless you're using development builds (OPNsense is open-source after all, so you are free to), it's not a rolling release. They publish new versions with feature updates every 6 months and continuously publish security updates for current and several previous versions with support going back ~4 major versions. They are just able to get new features introduced in under a year and release when they say they will.
@jagdtigger Жыл бұрын
@@apalrdsadventures That release cycle sounds like a desktop OS, for a router i think a slower one is better. Sometimes less is more.... ;)
@apalrdsadventures Жыл бұрын
In general they are doing updates which track with FreeBSD's releases. FreeBSD's releases tend to be yearly in the spring, so they are following that with a summer OPNsense release.
@BrandonPeccoralo Жыл бұрын
Great video. Only comment is I have experienced nightmares with the Intel i225 series, but if any, v3 is the safest to go with
@bar73818 ай бұрын
Thanks Destiny
@dono4225 күн бұрын
How did you get a /56 address from your ISP? I have been trying for almost 15 years to get a /56 IPv6 address at home but still no success; only /64. I have switched ISPs three times, but they all tell me that I need a business account which is much more expensive. (I have a /48 at work, but company policy is for IPv4 only.)
@apalrdsadventures24 күн бұрын
DHCPv6-PD, residential ISPs are supposed to give out /56 (per RIPE guidelines). Comcast does /60s which is not great. Some regions are really bad about this though, especially APNIC ones.
@BrianG61UK Жыл бұрын
I'd like a video on using DNSCrypt rather than DNS over TLS. For VPN server in the router I like either WireGuard or 2nd choice OpenVPN.
@apalrdsadventures Жыл бұрын
DoT is an RFC standard and more widely used than DNSCrypt
@MaeveFirstborn Жыл бұрын
If I had to guess, the headphone jack is so you can put it on a sound bar and hear the notifications from the power cycling?
@alexfair Жыл бұрын
Hello good friend, thanks for the great video. My use case was not covered by your excellent content. But if you could please help me with the following that would be great. OPNSense configuration: Bare metal install (no issues with this part), the device has 6 network ports, 1 will be used for WAN, how do I treat the other 5 ports like a traditional switch? Must I use a bridge?
@teemuhyvarinen4408 Жыл бұрын
Would love too see Zerotier edge device/ network routing done with Opnsense, any chance? 😊
@apalrdsadventures Жыл бұрын
Zerotier isn't something I use myself, I actually use Nebula instead
@mzs114 Жыл бұрын
They changed their license, instead do consider Netbird, they are new and have a dfsg approved license.
@camaycama747911 ай бұрын
@@apalrdsadventures built-in Wireguard is better than nebula right ? Why choosing nebula over wireguard ?
@apalrdsadventures11 ай бұрын
eh it depends on your use case. Nebula is designed to make a point to point routed network without any previous knowledge of the other nodes in the network, other than the lighthouse. It also adds features like identity to its certificate. Wireguard provides the absolute bare minimum to pass traffic and provides nothing else for managing and discovering endpoints and configuring routes. Some platforms like Tailscale build on the Wireguard crypto to provide a lot more, but they also introduce the single point of failure Headscale server. OpenVPN is often hated for being slow, but this is partially because it provides a ton of useful features for managing remote user access like server-side configuration of client routes, enterprise user authentication (usernames/passwords and connections to identity databases), and things like that. Nebula (and OpenVPN) also use AES instead of ChaCha cipher, which is significantly faster if you have hardware acceleration for it. Wireguard stays fast by implementing no features.
@laszlotakacs668 Жыл бұрын
Hy! Great video! In the future, i'd like to see a full config tutorial on how to make a config like pfBlockerNG on pfSense. So many people are like that plugin, and sice it isn't here in OPNSense (but I hear it can be configured the same but just not through a dedicated plugin) a howto on config (IP Block, DNSBL, GeoIP) may be useful. I am very interested in it, too.
@Sevalecan7 ай бұрын
I'm sitting here setting up my opnsense nested behind my pfsense router until I'm ready to drop it in fully working. I'm sure there's any number of people who would say "don't do that just put it on the WAN and figure it out", but I already figured out ipv6 subnetting and larger than 64 prefix to fix routing and IP assignment to the nested LAN, and I even had it almost working yesterday minus DNS... And now the routing is not working again. So, let's see what you got in the troubleshooting section of the vid.
@mohamedfarhanal-subaey167011 ай бұрын
thank you for great video and would you please clear it for me that I have fiberoptic device work as bridge with privet ip If I configure opnsense devise PPPoE could I get public ip?
@MiroslavIvanovimbmf Жыл бұрын
Greetings, what is the software do you use for drawing diagrams? Thank you!
@apalrdsadventures Жыл бұрын
I use draw.io but the desktop app version
@camaycama747911 ай бұрын
Thank you! Question, what software you use for your diagrams drawing?
@apalrdsadventures11 ай бұрын
draw.io
@mzs114 Жыл бұрын
Hi, what would be a good alternative based on Debian? Cuz, at the "company" I have made them switch to Debian from end user devices to servers, having uniformity on the switch/firewall will help. :)
@apalrdsadventures Жыл бұрын
Depending on your needs, there aren't a ton of options. You can build a firewall out of 'bare' iptables / firewalld and `ip route` if you want to do things more manually. For a setup like the video it's not super hard to do with dnsmasq + firewalld, but there is no web UI for guidance. VyOS is Debian-based and tries to create a single CLI to configure, but it's not particularly excellent. OpenWRT (which is not Debian based but is Linux) works well but has a very minimal web UI since it's designed to fit on converted router hardware. The OPNsense UI is much better than either of those options.
@Doesntcompute2k Жыл бұрын
You don't need Debian for the firewall. You need something that works AND can be managed. pfSense and OPNsense are BSD-based. The best you can get for security. Sophos has a free-for-home/paid-for-work firewall (Xstream) which is fantastic. Not Debian-based of course. Appliance or VM. We've got 22,000+ Linux instances and around 200 firewalls and we don't know what the firewalls are based on. They're commercial hardware appliances with some hardened Linux (my guess) or BSD. Rolling your own firewall using Linux? For home, sure. Not too hard. For a work environment? LOL Nope. Not if you have many services/people/requirements/ACLs/GPE/yada. ACLs and Group Policies will kill you alone. I used to do it on the OLD Red Hat Linux v7/v9 days. Also remember in a work setup you always want clustered firewalls. It's never a good plan to not plan on something going down, or needing to take it down for administration/updates. I duplicate mine at home for the same reason.
@apalrdsadventures Жыл бұрын
Depends on what sort of network you are building. If you're building out a datacenter or SaaS type backend network and you are doing a lot of dynamic routing, yeah building it all on Linux is probably not a bad good idea. Building an access network for a bunch of client laptops to use Word? yeah no don't roll your own.
@autohmae Жыл бұрын
@@Doesntcompute2k not with Linux, but BSD with pf isn't actually that difficult.
@mzs114 Жыл бұрын
Thanks for the detailed replies everyone! Good inputs, I will checkout out VyOS, currently there are no immediate plans, but just a thought as the recent move is helping the teams where I work. Thanks again!
@goodcitizen4587 Жыл бұрын
way cool, thanks
@vaidkun Жыл бұрын
want to see more IPv6 stuff. for example, vlans using ipv6 subnetting.
@LakedaimonII Жыл бұрын
As far as i know you dont need subnetting. Your /48 /54 or whatever would be your prefix provided by your isp, has 64-48bits (2¹⁶) reserved for your subnet. So, u Will have 2¹⁶ subnet and every single One has 2⁶⁴ Client. You could subnetting ipv4 style but Is not necessary/raccomanded/useful.sry for my english.
@apalrdsadventures Жыл бұрын
You don't subnet the same way as in v4 (essentially randomly + NAT), you end up with either a subnet id (for small sites) or a hierarchy of what the nibbles mean (on more complex routed sites). It's much more organized and easy to follow.
@vaidkun Жыл бұрын
@@apalrdsadventures so how do you do network segregation with vlans and ipv6?
@LakedaimonII Жыл бұрын
@@vaidkun same as ipv4, except you dont need a broadcast ip. You still have a network ipv6 address like 2001:db8:acad:1::/64 - 2001:db8:acad:2::/64 until 2001:db8:acad:ffff/64. I.e. 2001:db8:acad:1::1 Is the router interface and the 2⁶⁴ Minus 1 are the availables host address.
@apalrdsadventures Жыл бұрын
Subnets are /64, and the ISP gives you something larger (/56, /60, ..) so you can create subnets out of the remaining bits in the address. With a /56 you can create 256 subnets for your extra interfaces/vlan interfaces.
@Voigt_Analytics7 ай бұрын
Great video! Can you help me with my OPNsense / FreeBDS driver problem? I'm using a Sophos XG 125w firewall with OPNsense. But I can't get the Wifi interface working because of missing drivers; vendor = 'Qualcomm Atheros'; device = 'QCA986x/988x 802.11ac Wireless Network Adapter'
@apalrdsadventures7 ай бұрын
In general FreeBSD / OPNsense does not have a lot of functional network drivers. I wouldn't expect to get it working.
@OlaviEsker10 ай бұрын
As a home user, I have not understand the benefit of using IPv6 over older IPv4 ?
@LakedaimonII Жыл бұрын
Not an expert here. Here we still use pppoe even with 2.5/1 gbps connection. Would you suggest to use pf-opn/sense in a bare metal little monster box due the issue in a virtualized mode? Or they fixed the one core CPU "problem" and now performance are good?
@apalrdsadventures Жыл бұрын
If you're doing PPPoE that specific tunnel driver is still single-thread limited. Other than that, there isn't a single core limitation. I personally don't virtualize the perimeter router since it's so critical to the network that I want it to have dedicated hardware, even if that hardware is small and fanless.
@LakedaimonII Жыл бұрын
@@apalrdsadventuresthanks, super helpful video. Your isp gives you a /62 prefix for real? So disgusting! Vodafone do the same here in Europe. Im super lucky with my fully compilant /48.
@apalrdsadventures Жыл бұрын
The standards orgs have decided on /48 as the smallest routable prefix, and suggested ISPs give /48 to customers but /56 to residential (which is still 256 subnets). I actually get a /60 directly from my ISP (which is still small), which I then further delegate to a /62 for the lab network. So you're seeing OPNsense getting a prefix delegation from my main router which got a larger delegation from the upstream ISP.
@ShujitoDMАй бұрын
Hi theere! I've got two isps, both spew a /64, one I can configure through pppoe and it results on ipv6's on the lan, the other doesn't do pppoe just dhcp and dhcp6, can't get to have ipv6 work on that one. I can give up and just go with ipv4 but I want to do load balancing with ipv6 too. Can anything be done about that?
@apalrdsadventuresАй бұрын
One of the problems you'll see is that IPv6 addresses are globally scoped and not NATed, so whichever ISP you use to assign IPs to clients will be the ISP that traffic must go out of. For failover it's common to use NPTv6 on the second WAN, so traffic gets address translated on the backup, but you can also assign certain WANs to specific LANs or specific clients for load balancing.
@ShujitoDMАй бұрын
I might need to research more on all of this, I understand most of the theory but not too much on practice, maybe I'm just too used to how my decos handle bridging ipv6's by just adjusting a configuration.
@UCcdTp7XpCkVLkaRCsDcifFg3 ай бұрын
connect wan using wifi and lan using eth is posible? for router/firewall travel
@aperson1181 Жыл бұрын
Is Opensense already pre-installed? Is it worth it to go from ER to OpenSense?
@joshxwho10 ай бұрын
The headphone jack is so you can listen to the packets, have you not seen the movie Hackers?
@Viking88884 ай бұрын
I can't seem to find any info on my particular use case with OPNsense and you appear to know a thing or two, so I'll ask you. I have gone over multi wan failover and load balancing and had it working by using the docs and also from watching many videos, but then I watched this video and saw that using unbound dns would give me a more secure dns, so I did what you said and also removed the dns entries in system ---> settings ---> general, but it borked my ability to bring in anything from the internet. So I started fresh and set things up with unbound in mind first and then added my neighbours internet connection as failover. When my WAN connection is disconnected, opnsense won't switch over even though I set "Allow default gateway switching". This setting is the only advice in the opnsense docs for unbound dns users with multiple wan connections (that I could find). Any help or even a video on the subject would be very much appreciated.
@apalrdsadventures4 ай бұрын
You probably need to configure multiple upstream interfaces in Unbound, it defaults to only doing queries via WAN. You also need gateway monitoring for this to work, and it might not have that configured by default.
@Viking88884 ай бұрын
@@apalrdsadventures When you say multiple upstream interfaces, what does that mean exactly. As for gateway monitoring, I did have to set that up manually. It's interesting that this topic isn't one that appears to be covered by anyone, but it makes more sense to have DoT in every scenario including multi wan configurations.
@Viking88884 ай бұрын
@@apalrdsadventures Turns out "Disable Gateway Monitoring" was checked. I have failover working now with just Unbound DNS entries and no entries in System-- Settings-- General. Onto another thing to learn! Intrusion detection perhaps! 😉
@apalrdsadventures4 ай бұрын
Unbound lets you configure explicitly which interfaces to use for outgoing DNS lookups. This needs to be set to allow all of the WANs.
@fishmonkeycow924610 ай бұрын
Great video! Would be cool to see how you set a vpn on it, wireguard or something along those lines :)
@hypersigil Жыл бұрын
During setup of the WAN, "block private networks" says that it includes in the blocking "carrier-grade NAT addresses (100.64/10)". This is the space that Tailscale assigns IPv4 addresses to your Tailscale-connected clients in. I'm not too clear on whether this means that someone using Tailscale clients on both sides of the router would thus need to leave this setting unchecked. Anyone understand this?
@apalrdsadventures Жыл бұрын
The prefix 100.64/10 is formally assigned to be used by ISPs for carrier grade NAT. Tailscale is squatting in an improper IPv4 semi-private range (they should be using the RFC1918 space, 10/8, 172.16/12, and 192.168/16). But no, it's only a filter on packets entering/leaving that interface, not via tunnels which run over that interface.
@hypersigil Жыл бұрын
@@apalrdsadventuresThanks for the quick and clear reply! Your video and style of explanation is by far the best I've found on these topics here. You're clear and explain what's important without wasting time or skipping important stuff. Really looking forward to more of this. I looked at Tailscale's FAQ, and their explanation for the use of the ISP CG-NAT space is "Philosophically, Tailscale is a service provider creating a shared network on top of the regular Internet."
@CancunManny2 ай бұрын
After watching this video I ended up with more questions than answers. Seems this video is great at explaining how things should be if all went correctly, but doesn't seem to talk much about what to do in case things are not the way they are supposed to. Somehow my computer with ethernet cable connection is getting an IPv6 address, but the address doesn't seem to match with ANYTHING on OPNsense or with my ISP modem/router.
@CL-gj9mf11 ай бұрын
Hello I use a 4G mobile router supplied by my ISP and my Opensense router behind it... I noticed that my ISP did not share any prefix information for the subnet. So I am unable to fully configure my Opensense router to IPV6 mode following your advice. I don't know, if you have any suggestions to solve this problem? I will be very pleased, if you do.
@apalrdsadventures11 ай бұрын
It’s likely you’ll have to use SLAAC on WAN. The mobile router is probably doing nat and v6 router advertisement itself, at least that’s what mobile hotspots usually do. That also means you only get a single preset, because that’s all the mobile router will pass through.
@CL-gj9mf11 ай бұрын
@@apalrdsadventures Hi, I followed your advice. It had add a new entry in the gateway's lobby, called LAN_TRACK6. I reboot it, and it seems to work. I will add a comment if i experience a new issue. Thanks for your answer.
@andrewheath1792 Жыл бұрын
What software are you using to map your network visually on your computer?
@apalrdsadventures Жыл бұрын
draw.io
@onkelfabs6408 Жыл бұрын
You of all guys would happen to know if it can run on a dual core thin client. Does it?
@eDoc2020 Жыл бұрын
If it's a 64-bit PC platform it should work.
@TinkerLynx11 ай бұрын
I found your channel about a week ago, and as I'm currently migrating all of my home server stuff off of vmware onto a new proxmox box they have bean a real help. I'd also like to replace my EdgeRouter 4 with OPNsense. I was originally considering hyperconverged, but that little protectli box looks pretty good. However I need an SFP wan port and to support a 1000/250 connection. Would you have any suggestions?
@apalrdsadventures11 ай бұрын
@ServeTheHomeVideo has a lot of great reviews on mini boxes depending on what you need. I'll refer you to him.
@TinkerLynx11 ай бұрын
Okay, I'll take a look at his articles (those are usually pretty good), I just can't stand his videos.
@apalrdsadventures11 ай бұрын
He's the only one I know that has thoroughly tested a large number of mini-PCs with a wide variety of IO for mini servers and networking. If you're doing SFP+ fiber you can also just use a managed switch and bring in WAN on a VLAN. Like any other interface, create the vlan, then move WAN to that interface.
@TinkerLynx9 ай бұрын
I finished the bulk of my network re-work last night. After a lot of research and thought I decided to run OPNSense in a VM, It has a dual NIC passed through for the WAN port (and a spare if I need it later) With my LAN interface on a Proxmox bridge to my 10gb switch (along with a few more interfaces for DMZ, an old forum I host, and my own services). One of the main reasons I switched was to implement IPv6, of course I now know my damn ISP doesn't support it. But despite that I can say I like OPNSense a lot more then the UBNT router it replaced, Your videos have bean some of the most straightforward ones I've found. if you ever setup a patreon I'll support you on that (I'll send you a bit on ko-fi for now). Thank you.
@danieltur-bes203610 ай бұрын
So I tried doing a opnsense router and I couldn't get out to the internet. My isp gives me a 10.0.0.1 ip address so I will need to uncheck the one box that is checked so it doesn't block me getting out to the internet if I understand you correctly?
@apalrdsadventures10 ай бұрын
Yes, that's true. They should be using 100.64/10 (which is designated for CGNAT) instead of 10/8, but some ISPs do it wrong. In any case though you'll need to uncheck the RFC1918 box.
@danieltur-bes203610 ай бұрын
@apalrdsadventures ok thanks and is there anything else I may have to do?
@apalrdsadventures10 ай бұрын
unchecking the box should be all you need to do. Also I would avoid using the 10 subnet range on your own if your ISP is also using parts of it.
@danieltur-bes203610 ай бұрын
@apalrdsadventures ok I unchecked that box. It shows my wan connection is up and my tv is working through wifi but my pc won't connect to the internet. It shows I am connected. Any ideas?
@ahmad1980595 Жыл бұрын
Thanks Bro
@asbestinuS Жыл бұрын
Thanks for the video! I'd like to see IPSec with mobile clients / captive portal / wlan controller / useful apps or software packets? Thanks!
@luigitech3169 Жыл бұрын
Thanks for the video, luckly i don't have to use ipv6. I prefer adguard for dns stuff
@HBTechnoDude10 ай бұрын
What can you do if your ISP doesn't give you an IPV6 prefix delegation?
@faisaltaufiqAbdi4 ай бұрын
which one is better? , to put opnsense before mikrotik or to put opnsense after mikrotik, the purpose is to protect Local Area Network and server, thanks before
@apalrdsadventures4 ай бұрын
OPNSense is more of a firewall and Mikrotik is more of a router. Generally the firewall goes first.
@Felix-ve9hs Жыл бұрын
17:28 or a /59 if you are a Vodafone cable internet customer :^) I really don't understand why these ISPs have to be so scrimpy with their v6 prefixes, but here we are...
@apalrdsadventures Жыл бұрын
/59 is such a weird size! At least make it line up with the nibbles!
@Felix-ve9hs Жыл бұрын
@@apalrdsadventures Absolutely, but at least Telekom (DTAG) gives me a /56
@JorgeBeyoglonian Жыл бұрын
How to use the other ports of the router as extra LAN ports.
@InsaiyanTech9 ай бұрын
Man I wish you showed how to virtualize it since that’s the route I’m trying to do this