HOW TO SETUP OPNsense: From First Boot to Fully Functional (with IPv6!)

  • Published 31 May 2024
  • From first boot to a fully functional OPNsense home network with both IPv4 and IPv6, come along for my basic setup guide! By the end of this video, you can have your brand new OPNsense router working at least as well as your old consumer router, and ready for some more advanced projects in the future!
    Feel free to suggest the more advanced OPNsense projects in the comments or on my Discord!
    My blog:
    www.apalrd.net/
    Support me on Ko-Fi if you enjoy my content and find it useful:
    ko-fi.com/apalrd
    Timestamps:
    00:00 - Introduction
    00:34 - Hardware
    03:50 - First Boot Wizard
    09:57 - Basics of IPv6 Delegation
    15:02 - Debug Internet Connectivity
    20:43 - DHCP and Router Advertisements
    26:29 - Hardening DNS
    32:15 - Hosting and Port Forwarding
    37:04 - Next Steps
  • Science & Technology

COMMENTS • 199

  • @NetBandit70
    @NetBandit70 9 months ago +62

    The one guy who gets that .local is reserved.

    • @JoaquinVacas
      @JoaquinVacas 9 months ago

      As long as you use a dot between, there should not be any problem.
      For example, instead of .local you can use .domain.local, so devices should be:
      device1.domain.local, device2.domain.local and mDNS would still be mdnsdevice.local

  • @hermitation
    @hermitation 9 months ago +53

    I learned more about IPv6 through this video than through my own lazy I-really-should-start-to-learn-this Google sessions. Great job, thanks for sharing.

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +8

      Glad it was helpful!

    • @DavidBroome1978
      @DavidBroome1978 9 months ago +1

      Same. Looking at switching internal network over

    • @cpt_vodka611
      @cpt_vodka611 2 months ago

      I learnt more about IPv4 than I did at a university

  • @KeithTingle
    @KeithTingle 9 months ago +29

    You are a CLEAR communicator. I am sure you are not the only person advocating for IPv6 on YT, but you are the only person I follow that covers this topic and it's great. Would love to see something similar for pfSense users; I am a little lost with IPv6 & pfSense.

  • @UnderEu
    @UnderEu 9 months ago +4

    Suggestions for a next video:
    - Going IPv6-only, how to add 464XLAT w/ NAT64 + Tayga for obsolete IP connectivity.
    - IPv6 multi-homing: Using more than one WAN link and how to address that (no pun intended) on the LAN.
    And that's not something you can provide on a single video but I wish every network/tech creator in this platform put the same effort as you for talking about the current Internet Protocol, instead of ignoring it with all their forces and continue putting even more content like it's 1970.
    Keep up with the excellent work, the real hero of this platform regarding ACTUAL current IP technology. :)

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +1

      Tayga is available in OPNsense but not nearly as performant as Jool, which being a Linux kernel module isn't available on OPNsense. But it's definitely an option, and Tayga can act as either side of a 464XLAT setup. Multihoming is a bit more tricky, due to combinations of IPv6 being really designed for you to use BGP instead (the correct way to multihome) and bsd pf having quirks around gateway addressing and source-address-based routing and stuff like that. So both are on the todo list, but behind the more basic stuff.
      But thanks!

  • @vaughnbay
    @vaughnbay 3 months ago +1

    Good vid! It is easy to see why the general computing public has stiff armed IPV6 for years. It is complex! You did a good job of explaining it.

  • @bobcauthen
    @bobcauthen 5 months ago +4

    Well done... no one has covered setup covering rules (including what WAN looks like) AND include IPv6. Thanks for making this!

  • @gzoechi
    @gzoechi 8 months ago +2

    I watched a few of your videos lately and find them quite educational and pleasant to watch. Great stuff. I'm also interested in the topics you mentioned at the end.

  • @martymccafferty7510
    @martymccafferty7510 9 months ago +10

    Thanks for the IPV6 setup walk through.

  • @gustersongusterson4120
    @gustersongusterson4120 9 months ago +3

    Hell Yeah! Learning opnsense has been on my to do list. All the requested video topics on open sense that you mentioned are great. Maybe a short video about integration with Tailscale or headscale?

  • @freakbyte
    @freakbyte 7 months ago +1

    Easy to understand as usual, looking forward to the next OPNsense video. Thanks!

  • @onkelfabs6408
    @onkelfabs6408 9 months ago +9

    More topics:
    - Masquerading with chained routers
    - IPSec Client to VPN Provider
    - Static Routes when using VPN
    - VLAN
    - Load Balancing
    - Separate server subnets

  • @berniemeowmeow
    @berniemeowmeow 9 months ago +8

    Great video! OPNsense looks a lot more intuitive than I was expecting. Will give it a try.

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +2

      The UI is really good! It just has a ton of features packed in that it can be intimidating.

  • @elcapitanomontoya
    @elcapitanomontoya 3 months ago

    New OPNsense user here - was losing my mind about port forwarding and was ready to give up before watching this. This is an excellent video for explaining how it works and getting it set up!

  • @sirsquirrel0
    @sirsquirrel0 7 months ago +6

    Dude. What a great video. I was trying to get SLAAC working in my environment and it was missing the Router Advertisements enablement. It's all sorted now and I'm fully up and running using IPv6. Today's objectives are complete 😎

  • @NetBandit70
    @NetBandit70 9 months ago +7

    OpnSense suggestions:
    IPS/(IDS), logging, SIEM
    Traffic capture (PCAP) for compliance/analysis
    Modern, secure proxy (not just http)

  • @davecreese2383
    @davecreese2383 7 months ago +1

    Great information. Helpful comments too. Thank you. I have my weekend project.😊

  • @sneezingfrog
    @sneezingfrog 1 month ago

    Excellent content, well presented. Really appreciate you putting this together.

  • @martymccafferty7510
    @martymccafferty7510 9 months ago

    I love OPNsense. Thanks for this video.

  • @Mikesco3
    @Mikesco3 9 months ago +5

    I'm really grateful for the info on IPv6, especially when you were talking about it in direct application; you already cleared up a few misunderstandings I had.

  • @asdvhoiwe
    @asdvhoiwe 7 months ago

    Thanks for this video, I've been trying to learn more about networking and this has been super helpful for me : )

  • @OmarMunoz
    @OmarMunoz 29 days ago

    great video thanks for taking the time to go through config with explanations.

  • @d3xbot
    @d3xbot 8 months ago +1

    OOH Yes! Can't wait for this series!

  • @FrankMather
    @FrankMather 8 months ago +1

    Awesome job, thank you. I'm an OPNsense noob; this helps a lot.

  • @camaycama7479
    @camaycama7479 2 months ago

    You're the man! Congrats 👏

  • @JuanCarlosHerediaMayer
    @JuanCarlosHerediaMayer 6 months ago

    Thank you very much for sharing this very useful video. You made my day. Keep it going.

  • @timeobserver8220
    @timeobserver8220 9 months ago

    Duuude I learnt sooo much about IPv6 in this thanks

  • @Tntdruid
    @Tntdruid 9 months ago +1

    So much great info 👍

  • @achillesserrano4746
    @achillesserrano4746 27 days ago

    Awesome demo

  • @JamesTenniswood
    @JamesTenniswood 9 months ago

    Really interesting, thanks for sharing!

  • @allaboutcomputernetworks
    @allaboutcomputernetworks 2 months ago

    Thank you so much for making this lovely video!!....👍

  • @Felix-ve9hs
    @Felix-ve9hs 9 months ago +9

    25:14 if you leave the "Domain search list" field empty, the domain of the OPNsense hostname will be used.
    And it is also possible to add multiple domains to the field :)

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +6

      Checking the box to use the settings from DHCPv6 will use OPNsense's own IP for DNS and domain, because that's the default for DHCPv6.

  • @robertpiper6860
    @robertpiper6860 9 months ago +1

    Lol, I just failed doing this yesterday! Perfect timing!

  • @martymccafferty7510
    @martymccafferty7510 9 months ago +6

    Using IP aliases makes the firewall rules more readable.

  • @user-hm6iw9ou3y
    @user-hm6iw9ou3y 9 months ago +1

    All good, waiting for the next part!!

  • @MaigoManville
    @MaigoManville 9 months ago +2

    Great video!
    I hope you can cover hosting multiple web servers behind OPNSense and complete VPN setup next.

  • @cmespy2005
    @cmespy2005 9 months ago +2

    Awesome job

  • @PortsmouthHarbourBoats
    @PortsmouthHarbourBoats 9 months ago

    Been running OPNsense here for a few years now, using an HP ProDesk 600 2.5 with a quad Intel Pro1000 and now i350. Rock solid on 1 Gb FTTP.

  • @wkipo
    @wkipo 1 month ago +1

    Unfortunately I can only like this video once. Great job!

  • @clarkanton9595
    @clarkanton9595 7 months ago +3

    It would be great to hear your thoughts and explanations for using haproxy to deliver both a layer 7 by host header and layer 4 using SNI

  • @fedemtz6
    @fedemtz6 9 months ago +4

    I would love a video on your lab setup focusing on dhcpv6 prefix delegation for testing routers. I have yet to watch your video on your network so it might be there

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +1

      It's not something I've talked about yet, but I could probably make a little video on that

  • @protacticus630
    @protacticus630 5 months ago

    Thank you very much! Does this setup support port forwarding or require some additional changes?

  • @corsgdgr
    @corsgdgr 9 months ago +2

    If it's possible I'd like to see multi-WAN setups for failover and/or bonding. Keep up your excellent work!

  • @21Lettere
    @21Lettere 7 months ago +2

    What do you think about IPv6 and VPNs? (like WireGuard, OpenVPN). How can we tunnel all our data leaving the firewall into our personal VPN and be sure that no data leaks outside?

  • @shephusted2714
    @shephusted2714 9 months ago +3

    you should cover ram allocation and ids/ips - suricata is multi threaded and uses a lot of cpu, also think about pkt cap - you probably want a dedicated pkt cap box ahead of the opnsense box - selks works - you can do pkt cap on opnsense but better to have a dedicated machine - think about doing ha opnsense, think about setting up ntp with a usb gps dongle - opnsense does do link agg well so you may be able to add your phone and get faster speeds with dual wan - the licensing is great with opnsense and it is rock solid - updates always work. it is a great distro to resell - building out a hyper opnsense box with a few 2.5 but also 4 40gbe would be a nice way to go for some smb and prosumers but it can be done for less than the protechli mini pc and this is where you want to go eventually - ws, dual nas and vm server all on 40g

  • @bar7381
    @bar7381 1 month ago

    Thanks Destiny

  • @Stev.3n
    @Stev.3n 7 months ago +1

    May have to go give this a go after the recent PFsense changes.

  • @Doesntcompute2k
    @Doesntcompute2k 9 months ago +4

    Clustering your OPNsense fw would make a good video. And automated (config) backups of said device. I've always put an external USB flash memory stick for the config backups of pfSense and OPNsense. You could ALMOST do a full series just on add-ons/extensions to pfSense/OPNsense alone. Setup of DNS fw, logging, yada
    About to move my main (and 2nd to last!) pfSense fw to OPNsense. Should be "fun." 8 10Gbps, 6 1Gbps, and 1 1Gbps admin port. I love old, used Netscalers and F5's. LOL I've moved nine other of my firewalls to OPNsense. I only need to keep two pfSense (current/prev-version) and they will of course be VMs.

    • @Mikesco3
      @Mikesco3 9 months ago

      Could you tell briefly what makes you prefer opnsense over pfsense?

    • @yakikadafi6269
      @yakikadafi6269 1 month ago

      @@Mikesco3 could you tell us your preference and why?

  • @mohamedfarhanal-subaey1670
    @mohamedfarhanal-subaey1670 4 months ago

    Thank you for the great video, and would you please clear this up for me: I have a fiber optic device working as a bridge with a private IP. If I configure the OPNsense device with PPPoE, could I get a public IP?

  • @BrandonPeccoralo
    @BrandonPeccoralo 6 months ago

    Great video. Only comment is I have experienced nightmares with the Intel i225 series, but if any, v3 is the safest to go with

  • @laszlotakacs668
    @laszlotakacs668 8 months ago +1

    Hi! Great video! In the future, I'd like to see a full config tutorial on how to make a config like pfBlockerNG on pfSense. So many people like that plugin, and since it isn't here in OPNsense (but I hear it can be configured the same, just not through a dedicated plugin) a howto on config (IP Block, DNSBL, GeoIP) may be useful. I am very interested in it, too.

  • @goodcitizen4587
    @goodcitizen4587 9 months ago

    way cool, thanks

  • @MaeveFirstborn
    @MaeveFirstborn 9 months ago

    If I had to guess, the headphone jack is so you can put it on a sound bar and hear the notifications from the power cycling?

  • @Sevalecan
    @Sevalecan 15 days ago

    I'm sitting here setting up my opnsense nested behind my pfsense router until I'm ready to drop it in fully working. I'm sure there's any number of people who would say "don't do that just put it on the WAN and figure it out", but I already figured out ipv6 subnetting and larger than 64 prefix to fix routing and IP assignment to the nested LAN, and I even had it almost working yesterday minus DNS... And now the routing is not working again. So, let's see what you got in the troubleshooting section of the vid.

  • @BrianG61UK
    @BrianG61UK 9 months ago +3

    I'd like a video on using DNSCrypt rather than DNS over TLS. For VPN server in the router I like either WireGuard or 2nd choice OpenVPN.

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +2

      DoT is an RFC standard and more widely used than DNSCrypt

  • @CAMOBAP795
    @CAMOBAP795 1 month ago

    That's impressive! Thanks a lot for sharing your knowledge!
    P.S. baremetal vs VM Firewall?

  • @fishmonkeycow9246
    @fishmonkeycow9246 3 months ago

    Great video! Would be cool to see how you set a vpn on it, wireguard or something along those lines :)

  • @RupertoCamarena
    @RupertoCamarena 6 months ago +1

    Please more opnsense Videos ❤️✌🏾

  • @ahmad1980595
    @ahmad1980595 8 months ago

    Thanks Bro

  • @luigitech3169
    @luigitech3169 9 months ago

    Thanks for the video, luckily I don't have to use IPv6. I prefer AdGuard for DNS stuff.

  • @alexfair
    @alexfair 8 months ago +1

    Hello good friend, thanks for the great video.
    My use case was not covered by your excellent content. But if you could please help me with the following that would be great.
    OPNSense configuration:
    Bare metal install (no issues with this part), the device has 6 network ports, 1 will be used for WAN, how do I treat the other 5 ports like a traditional switch? Must I use a bridge?

  • @HBTechnoDude
    @HBTechnoDude 3 months ago

    What can you do if your ISP doesn't give you an IPV6 prefix delegation?

  • @ronaldvargo4113
    @ronaldvargo4113 8 months ago +2

    When are you following up on this. I would like to see how you stood up IPv6 on OPNsense and your VLAN strategy.

    • @apalrdsadventures
      @apalrdsadventures 8 months ago +1

      In general this is how I did the basics of it, but the next video will be on subnetting and network management with subnets. Probably will be ~3 weeks for that video, depending on how many other projects I'm working on.

  • @asbestinuS
    @asbestinuS 9 months ago

    Thanks for the video! I'd like to see IPSec with mobile clients / captive portal / wlan controller / useful apps or software packets?
    Thanks!

  • @camaycama7479
    @camaycama7479 5 months ago

    Thank you! Question, what software you use for your diagrams drawing?

  • @dozerd42
    @dozerd42 9 months ago +2

    Great video! I would love to see static IP setup and configuration on Opnsense for homelab servers. I just setup a Proxmox node, I thought I assigned it the correct static IP and MAC combo, but I might need to fix it. I have no idea how to change the static IP configuration from the leases page.

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +3

      Proxmox is a bit of a special thing since it does name-resolving in the cluster (even for a single node) using the hosts file, and isn't really designed to deal with DHCP (even static addresses). So that could be related to your issues.

    • @dozerd42
      @dozerd42 9 months ago +1

      @@apalrdsadventures thanks for the response! I joined the Discord, and I may ask further questions there about Proxmox specifically. Would definitely love a continuation of this video with static IP setups in OPNsense.

  • @JorgeBeyoglonian
    @JorgeBeyoglonian 9 months ago

    How to use the other ports of the router as extra LAN ports.

  • @AndrewFrink
    @AndrewFrink 9 months ago +2

    Does OPNsense handle IPv6 prefix delegations in some sort of semi-intelligent way? By that I mean, if I punch a hole for port 666 to my laptop and my PD from my ISP changes, do I need to go and edit all of the firewall rules? What if I have an Android/iPhone/Windows computer that is constantly re-gen'ing its IPv6 addr; does OPNsense support DDNS for LAN clients via SLAAC?

    • @phiwatec2576
      @phiwatec2576 9 months ago +5

      OPNsense does support an alias type called dynamic host. This allows you to specify the second half of the v6 address and OPNsense will automatically add the current prefix.

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +4

      You can also create an alias for a MAC address, and it will resolve to all of the IPv4/IPv6 addresses of that host.

  • @joanandestin4201
    @joanandestin4201 9 months ago

    What is the best way to move from pfsense to opnsense?

  • @madman432000
    @madman432000 10 days ago

    What ISPs use IPv6? None I've used have.

  • @Voigt_Analytics
    @Voigt_Analytics 11 days ago

    Great video! Can you help me with my OPNsense / FreeBSD driver problem? I'm using a Sophos XG 125w firewall with OPNsense. But I can't get the WiFi interface working because of missing drivers; vendor = 'Qualcomm Atheros'; device = 'QCA986x/988x 802.11ac Wireless Network Adapter'

    • @apalrdsadventures
      @apalrdsadventures 11 days ago

      In general FreeBSD / OPNsense does not have a lot of functional network drivers. I wouldn't expect to get it working.

  • @MiroslavIvanovimbmf
    @MiroslavIvanovimbmf 9 months ago +1

    Greetings, what software do you use for drawing diagrams? Thank you!

  • @aperson1181
    @aperson1181 7 months ago

    Is Opensense already pre-installed? Is it worth it to go from ER to OpenSense?

  • @autohmae
    @autohmae 9 months ago

    1:50 audio jack output on a firewall... I know there used to be an open source project which could use audio background sounds for monitoring. Say what? Well, it would have different background sounds it would play constantly; the audio level or how often it repeated the background noise would correspond with events. For example, the amount of network traffic corresponds to the sound of a waterfall. The more network traffic, the louder/wilder the waterfall got. The number of 404 responses on a webserver would correspond with the sound of a frog, etc. 🙂

  • @hypersigil
    @hypersigil 7 months ago

    During setup of the WAN, "block private networks" says that it includes in the blocking "carrier-grade NAT addresses (100.64/10)". This is the space that Tailscale assigns IPv4 addresses to your Tailscale-connected clients in. I'm not too clear on whether this means that someone using Tailscale clients on both sides of the router would thus need to leave this setting unchecked. Anyone understand this?

    • @apalrdsadventures
      @apalrdsadventures 7 months ago

      The prefix 100.64/10 is formally assigned to be used by ISPs for carrier grade NAT. Tailscale is squatting in an improper IPv4 semi-private range (they should be using the RFC1918 space, 10/8, 172.16/12, and 192.168/16).
      But no, it's only a filter on packets entering/leaving that interface, not via tunnels which run over that interface.

    • @hypersigil
      @hypersigil 7 months ago

      @@apalrdsadventures Thanks for the quick and clear reply! Your video and style of explanation are by far the best I've found on these topics here. You're clear and explain what's important without wasting time or skipping important stuff. Really looking forward to more of this.
      I looked at Tailscale's FAQ, and their explanation for the use of the ISP CG-NAT space is "Philosophically, Tailscale is a service provider creating a shared network on top of the regular Internet."

  • @LakedaimonII
    @LakedaimonII 9 months ago

    Not an expert here. Here we still use PPPoE even with 2.5/1 Gbps connections.
    Would you suggest using pf-/OPNsense on a bare metal little monster box due to the issue in virtualized mode? Or did they fix the one-core CPU "problem" and now performance is good?

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +1

      If you're doing PPPoE that specific tunnel driver is still single-thread limited. Other than that, there isn't a single core limitation.
      I personally don't virtualize the perimeter router since it's so critical to the network that I want it to have dedicated hardware, even if that hardware is small and fanless.

    • @LakedaimonII
      @LakedaimonII 9 months ago

      @@apalrdsadventures thanks, super helpful video. Your ISP gives you a /62 prefix for real? So disgusting! Vodafone does the same here in Europe. I'm super lucky with my fully compliant /48.

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +3

      The standards orgs have decided on /48 as the smallest routable prefix, and suggested ISPs give /48 to customers but /56 to residential (which is still 256 subnets).
      I actually get a /60 directly from my ISP (which is still small), which I then further delegate to a /62 for the lab network. So you're seeing OPNsense getting a prefix delegation from my main router which got a larger delegation from the upstream ISP.

  • @vaidkun
    @vaidkun 9 months ago +7

    Want to see more IPv6 stuff, for example VLANs using IPv6 subnetting.

    • @LakedaimonII
      @LakedaimonII 9 months ago

      As far as I know you don't need subnetting. Your /48, /54 or whatever prefix provided by your ISP has 64-48 bits (2¹⁶) reserved for your subnets. So, you will have 2¹⁶ subnets and every single one has 2⁶⁴ clients. You could subnet IPv4 style but it is not necessary/recommended/useful. Sorry for my English.

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +1

      You don't subnet the same way as in v4 (essentially randomly + NAT), you end up with either a subnet id (for small sites) or a hierarchy of what the nibbles mean (on more complex routed sites). It's much more organized and easy to follow.

    • @vaidkun
      @vaidkun 9 months ago

      @@apalrdsadventures so how do you do network segregation with vlans and ipv6?

    • @LakedaimonII
      @LakedaimonII 9 months ago

      @@vaidkun same as IPv4, except you don't need a broadcast IP. You still have network IPv6 addresses like 2001:db8:acad:1::/64, 2001:db8:acad:2::/64 up to
      2001:db8:acad:ffff::/64.
      I.e. 2001:db8:acad:1::1 is the router interface and the 2⁶⁴ minus 1 are the available host addresses.

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +2

      Subnets are /64, and the ISP gives you something larger (/56, /60, ..) so you can create subnets out of the remaining bits in the address. With a /56 you can create 256 subnets for your extra interfaces/vlan interfaces.
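
The /64 arithmetic in this thread (how many subnets a /48, /56 or /60 yields, carving a /62 sub-delegation out of a /60 as described further up, and assigning subnet IDs to VLAN interfaces), together with the "dynamic host" alias from the @AndrewFrink thread above (a fixed second half of the address combined with whatever prefix is currently delegated), worked through as an added Python example. This is not OPNsense's own code: the function names are assumptions for this illustration and the addresses are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress

# Added example, not OPNsense code. Prefixes come from the 2001:db8::/32
# documentation range (RFC 3849) and are constructed for illustration; the
# function names are assumptions for this example.

SUBNET_LEN = 64  # every LAN segment is one /64, as the thread says


def subnet_count(delegated: str) -> int:
    """How many /64 subnets a delegated prefix (/48, /56, /60, ...) yields."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > SUBNET_LEN:
        raise ValueError(f"{delegated} is smaller than a single /64")
    return 1 << (SUBNET_LEN - net.prefixlen)


def carve_subnets(delegated: str, names: list[str]) -> dict[str, str]:
    """Give each named VLAN/interface its own /64, using consecutive subnet IDs
    in the bits between the delegated length and /64."""
    net = ipaddress.IPv6Network(delegated)
    if len(names) > subnet_count(delegated):
        raise ValueError("more interfaces than /64 subnets in the delegation")
    subnets = net.subnets(new_prefix=SUBNET_LEN)  # generator, cheap even for a /48
    return {name: str(next(subnets)) for name in names}


def sub_delegate(delegated: str, new_prefix: int, index: int) -> str:
    """Carve a smaller delegation out of a larger one, e.g. the /62 the thread
    hands to a lab router from the /60 the ISP delegated. `index` picks which
    of the 2**(new_prefix - old_prefix) child blocks to use."""
    net = ipaddress.IPv6Network(delegated)
    if not net.prefixlen <= new_prefix <= SUBNET_LEN:
        raise ValueError("new prefix must lie between the delegation length and /64")
    children = 1 << (new_prefix - net.prefixlen)
    if not 0 <= index < children:
        raise ValueError(f"index must be in 0..{children - 1}")
    start = int(net.network_address) + index * (1 << (128 - new_prefix))
    return str(ipaddress.IPv6Network((start, new_prefix)))


def dynamic_host_address(current_subnet: str, host_suffix: str) -> str:
    """The dynamic-host idea from the @AndrewFrink thread: keep only the fixed
    second half (interface identifier) in the rule and rebuild the full address
    from whatever /64 the prefix delegation currently gives the LAN."""
    net = ipaddress.IPv6Network(current_subnet)
    if net.prefixlen != SUBNET_LEN:
        raise ValueError("the host lives on a /64; pass that subnet")
    suffix = int(ipaddress.IPv6Address(host_suffix))
    if suffix >> (128 - SUBNET_LEN):
        raise ValueError("host suffix must only use the low 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | suffix))


if __name__ == "__main__":
    isp = "2001:db8:0:10::/60"          # constructed: what the ISP delegated
    lab = sub_delegate(isp, 62, 1)      # 2001:db8:0:14::/62 for the lab router
    print(subnet_count(isp), "subnets from the ISP /60;", subnet_count(lab), "in the lab /62")
    print(carve_subnets(lab, ["LAN", "IOT", "GUEST"]))
    print(dynamic_host_address("2001:db8:0:14::/64", "::1234:5678:9abc:def0"))
```

Because the host suffix is stored separately from the prefix, a rule built from `dynamic_host_address` keeps pointing at the same machine after the ISP hands out a different prefix; only the /64 argument changes.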

  • @carldorbeus9025
    @carldorbeus9025 9 months ago

    Thanks!

  • @andrewheath1792
    @andrewheath1792 5 months ago

    What software are you using to map your network visually on your computer?

  • @user-pd4mb8hl5s
    @user-pd4mb8hl5s 3 months ago

    As a home user, I have not understood the benefit of using IPv6 over the older IPv4?

  • @mzs114
    @mzs114 9 months ago +1

    Hi, what would be a good alternative based on Debian? Cuz, at the "company" I have made them switch to Debian from end user devices to servers, having uniformity on the switch/firewall will help. :)

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +5

      Depending on your needs, there aren't a ton of options.
      You can build a firewall out of 'bare' iptables / firewalld and `ip route` if you want to do things more manually. For a setup like the video it's not super hard to do with dnsmasq + firewalld, but there is no web UI for guidance.
      VyOS is Debian-based and tries to create a single CLI to configure, but it's not particularly excellent. OpenWRT (which is not Debian based but is Linux) works well but has a very minimal web UI since it's designed to fit on converted router hardware. The OPNsense UI is much better than either of those options.

    • @Doesntcompute2k
      @Doesntcompute2k 9 months ago +2

      You don't need Debian for the firewall. You need something that works AND can be managed. pfSense and OPNsense are BSD-based. The best you can get for security. Sophos has a free-for-home/paid-for-work firewall (Xstream) which is fantastic. Not Debian-based of course. Appliance or VM.
      We've got 22,000+ Linux instances and around 200 firewalls and we don't know what the firewalls are based on. They're commercial hardware appliances with some hardened Linux (my guess) or BSD.
      Rolling your own firewall using Linux? For home, sure. Not too hard. For a work environment? LOL Nope. Not if you have many services/people/requirements/ACLs/GPE/yada. ACLs and Group Policies will kill you alone. I used to do it on the OLD Red Hat Linux v7/v9 days. Also remember in a work setup you always want clustered firewalls. It's never a good plan to not plan on something going down, or needing to take it down for administration/updates. I duplicate mine at home for the same reason.

    • @apalrdsadventures
      @apalrdsadventures 9 months ago

      Depends on what sort of network you are building. If you're building out a datacenter or SaaS type backend network and you are doing a lot of dynamic routing, yeah building it all on Linux is probably not a bad good idea. Building an access network for a bunch of client laptops to use Word? yeah no don't roll your own.

    • @autohmae
      @autohmae 9 months ago

      @@Doesntcompute2k not with Linux, but BSD with pf isn't actually that difficult.

    • @mzs114
      @mzs114 9 months ago

      Thanks for the detailed replies everyone! Good inputs, I will check out VyOS. Currently there are no immediate plans, but just a thought as the recent move is helping the teams where I work. Thanks again!

  • @Blake_V
    @Blake_V 4 months ago

    I found your channel about a week ago, and as I'm currently migrating all of my home server stuff off of VMware onto a new Proxmox box they have been a real help. I'd also like to replace my EdgeRouter 4 with OPNsense. I was originally considering hyperconverged, but that little Protectli box looks pretty good. However I need an SFP WAN port and to support a 1000/250 connection.
    Would you have any suggestions?

    • @apalrdsadventures
      @apalrdsadventures 4 months ago +1

      @ServeTheHomeVideo has a lot of great reviews on mini boxes depending on what you need. I'll refer you to him.

    • @Blake_V
      @Blake_V 4 months ago

      Okay, I'll take a look at his articles (those are usually pretty good), I just can't stand his videos.

    • @apalrdsadventures
      @apalrdsadventures 4 months ago

      He's the only one I know that has thoroughly tested a large number of mini-PCs with a wide variety of IO for mini servers and networking.
      If you're doing SFP+ fiber you can also just use a managed switch and bring in WAN on a VLAN. Like any other interface, create the vlan, then move WAN to that interface.

    • @Blake_V
      @Blake_V 2 months ago

      I finished the bulk of my network re-work last night.
      After a lot of research and thought I decided to run OPNsense in a VM. It has a dual NIC passed through for the WAN port (and a spare if I need it later), with my LAN interface on a Proxmox bridge to my 10 Gb switch (along with a few more interfaces for DMZ, an old forum I host, and my own services).
      One of the main reasons I switched was to implement IPv6; of course I now know my damn ISP doesn't support it.
      But despite that I can say I like OPNsense a lot more than the UBNT router it replaced.
      Your videos have been some of the most straightforward ones I've found.
      If you ever set up a Patreon I'll support you on that (I'll send you a bit on Ko-fi for now).
      Thank you.

  • @CL-gj9mf
    @CL-gj9mf 4 months ago

    Hello
    I use a 4G mobile router supplied by my ISP and my OPNsense router behind it... I noticed that my ISP did not share any prefix information for the subnet. So I am unable to fully configure my OPNsense router in IPv6 mode following your advice.
    I don't know if you have any suggestions to solve this problem?
    I will be very pleased if you do.

    • @apalrdsadventures
      @apalrdsadventures 4 months ago

      It's likely you'll have to use SLAAC on WAN. The mobile router is probably doing NAT and v6 router advertisement itself, at least that's what mobile hotspots usually do. That also means you only get a single prefix, because that's all the mobile router will pass through.

    • @CL-gj9mf
      @CL-gj9mf 4 months ago

      @@apalrdsadventures
      Hi,
      I followed your advice.
      It added a new entry in the gateways list, called LAN_TRACK6.
      I rebooted it, and it seems to work.
      I will add a comment if I experience a new issue.
      Thanks for your answer.

  • @nezu_cc
    @nezu_cc 9 months ago

    Does OPNsense support WireGuard VPN? I've been using it almost exclusively for the past year and it is amazing.

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +1

      It does, and it can do policy routing across the tunnel.
      The UI for individual clients isn't fantastic, but you can add peers and assign them to tunnel adapters.

  • @martymccafferty7510
    @martymccafferty7510 9 months ago

    I change the management IP to a different IP than the fw lan IP.

  • @jagdtigger
    @jagdtigger 9 months ago +1

    Not to take away from the video's value or anything, but for a firewall I'd use something that values stability and security above update frequency and bleeding edge features...

    • @apalrdsadventures
      @apalrdsadventures 9 months ago +2

      Unless you're using development builds (OPNsense is open-source after all, so you are free to), it's not a rolling release. They publish new versions with feature updates every 6 months and continuously publish security updates for current and several previous versions with support going back ~4 major versions.
      They are just able to get new features introduced in under a year and release when they say they will.

    • @jagdtigger
      @jagdtigger 9 months ago

      ​@@apalrdsadventures That release cycle sounds like a desktop OS, for a router i think a slower one is better. Sometimes less is more.... ;)

    • @apalrdsadventures
      @apalrdsadventures  9 months ago

      In general they are doing updates which track with FreeBSD's releases. FreeBSD's releases tend to be yearly in the spring, so they are following that with a summer OPNsense release.

  • @BogdanSerban
    @BogdanSerban 4 months ago

    Man I would pay to learn everything about networking from you. Do you consider making courses?

  • @danieltur-bes2036
    @danieltur-bes2036 3 months ago

    So I tried doing an OPNsense router and I couldn't get out to the internet. My ISP gives me a 10.0.0.1 IP address, so I will need to uncheck the one box that is checked so it doesn't block me getting out to the internet, if I understand you correctly?

    • @apalrdsadventures
      @apalrdsadventures  3 months ago +1

      Yes, that's true. They should be using 100.64/10 (which is designated for CGNAT) instead of 10/8, but some ISPs do it wrong. In any case though you'll need to uncheck the RFC1918 box.

    • @danieltur-bes2036
      @danieltur-bes2036 3 months ago

      @apalrdsadventures ok thanks and is there anything else I may have to do?

    • @apalrdsadventures
      @apalrdsadventures  3 months ago +1

      Unchecking the box should be all you need to do. Also, I would avoid using the 10 subnet range on your own if your ISP is also using parts of it.

    • @danieltur-bes2036
      @danieltur-bes2036 3 months ago

      @apalrdsadventures ok I unchecked that box. It shows my WAN connection is up and my TV is working through wifi, but my PC won't connect to the internet. It shows I am connected. Any ideas?
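An added example (my own code, not from the video or from OPNsense) for the RFC1918 discussion above: it classifies a WAN address into the RFC 1918, RFC 6598 (CGNAT, 100.64/10) and public categories, reports whether traffic from the ISP gateway would match the rule that the "Block private networks" checkbox generates on WAN, and checks whether a chosen LAN subnet collides with the ISP's 10/8 space. Function and constant names are mine; the sample addresses are constructed.

```python
"""Added example: classify a WAN address the way the RFC1918 discussion above
does, and check LAN/ISP address overlap. Not code from the video or OPNsense;
names are the author's own and the sample addresses are constructed."""
import ipaddress

# RFC 1918 private ranges: what the "Block private networks" WAN option matches.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, the range designated for CGNAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Return 'rfc1918', 'cgnat', 'public' or 'ipv6' for the given WAN address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def upstream_blocked_by_private_rule(gateway_addr: str, block_private: bool = True) -> bool:
    """True when packets from the ISP gateway carry an RFC 1918 source address and
    so match the block rule the 'Block private networks' checkbox adds on WAN.
    A CGNAT (100.64/10) gateway is not matched by that rule."""
    return block_private and classify_wan_address(gateway_addr) == "rfc1918"


def lan_overlaps_isp(lan_cidr: str, isp_cidr: str) -> bool:
    """Does the chosen LAN subnet collide with the ISP's address space?"""
    return ipaddress.ip_network(lan_cidr).overlaps(ipaddress.ip_network(isp_cidr))


if __name__ == "__main__":
    # Constructed samples: the 10.0.0.1 gateway from the thread, a CGNAT address, a public one.
    for addr in ("10.0.0.1", "100.64.1.2", "203.0.113.5"):
        print(addr, classify_wan_address(addr), "blocked:", upstream_blocked_by_private_rule(addr))
    print("LAN 10.10.0.0/24 vs ISP 10.0.0.0/8 overlap:", lan_overlaps_isp("10.10.0.0/24", "10.0.0.0/8"))
```

Running it shows the thread's situation directly: a 10.0.0.1 gateway is RFC 1918 and is matched by the checkbox's rule until the box is unchecked, while a 100.64/10 gateway would not have been; the overlap check is the quick way to confirm your own LAN range stays clear of the ISP's.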

  • @onkelfabs6408
    @onkelfabs6408 9 months ago +1

    You of all guys would happen to know if it can run on a dual core thin client. Does it?

    • @eDoc2020
      @eDoc2020 9 months ago +1

      If it's a 64-bit PC platform it should work.

  • @InsaiyanTech
    @InsaiyanTech 2 months ago

    Man I wish you showed how to virtualize it since that’s the route I’m trying to do this

  • @user-ld8zz5jd4d
    @user-ld8zz5jd4d 8 months ago

    DETROIT BABY!!

  • @teemuhyvarinen4408
    @teemuhyvarinen4408 9 months ago +3

    Would love to see Zerotier edge device/network routing done with OPNsense, any chance? 😊

    • @apalrdsadventures
      @apalrdsadventures  9 months ago +3

      Zerotier isn't something I use myself, I actually use Nebula instead

    • @mzs114
      @mzs114 9 months ago

      They changed their license, instead do consider Netbird, they are new and have a dfsg approved license.

    • @camaycama7479
      @camaycama7479 5 months ago

      @@apalrdsadventures Built-in WireGuard is better than Nebula, right? Why choose Nebula over WireGuard?

    • @apalrdsadventures
      @apalrdsadventures  5 months ago +1

      eh it depends on your use case. Nebula is designed to make a point to point routed network without any previous knowledge of the other nodes in the network, other than the lighthouse. It also adds features like identity to its certificate.
      Wireguard provides the absolute bare minimum to pass traffic and provides nothing else for managing and discovering endpoints and configuring routes. Some platforms like Tailscale build on the Wireguard crypto to provide a lot more, but they also introduce the single point of failure Headscale server.
      OpenVPN is often hated for being slow, but this is partially because it provides a ton of useful features for managing remote user access like server-side configuration of client routes, enterprise user authentication (usernames/passwords and connections to identity databases), and things like that.
      Nebula (and OpenVPN) also use AES instead of ChaCha cipher, which is significantly faster if you have hardware acceleration for it. Wireguard stays fast by implementing no features.

  • @joshxwho
    @joshxwho 4 months ago

    The headphone jack is so you can listen to the packets, have you not seen the movie Hackers?

  • @ltonchis1245
    @ltonchis1245 3 months ago

    Zero Trust end to end would be nice for OPNsense

    • @apalrdsadventures
      @apalrdsadventures  3 months ago

      With proper zero trust, OPNsense isn't involved at all

    • @ltonchis1245
      @ltonchis1245 3 months ago

      @@apalrdsadventures Thanks for the response, I've been watching your videos forever, but I meant a complete end-to-end zero trust network setup, from creating the VLANs to host the LXC to routing the ports across other VLANs to access the resource.

    • @apalrdsadventures
      @apalrdsadventures  3 months ago

      Ah that's a bit different than a 'zero-trust network architecture' that's a sorta IT buzzword right now. In that setup, each node is responsible for its own session validation and the network infrastructure does a lot less (since firewalling is end to end and not a box in the middle).

  • @mtartaro
    @mtartaro 9 months ago

    Can you cover - Dynamic routing protocols

  • @JoaquinVacas
    @JoaquinVacas 9 months ago

    Main issue with OPNSense is Wireguard, as it isn't as fine as OpenWRT is, some complex routing for that (and even Tailscale), and there's no Avahi, so for example I can't repeat mDNS from a printer to other VLANs without repeating the whole network's mDNS between all damn networks themselves...
    But I really love it, thinking about migrating OpenWRT to full OPNSense + CARP in a Proxmox cluster to get almost zero downtime.

    • @apalrdsadventures
      @apalrdsadventures  9 months ago +1

      My experience with OpenWRT is that the functionality is all there in packages but the UI is severely lacking compared to OPNsense. There are Linux programs which will do almost anything, and you can install them, but that doesn't mean it's well integrated into the UI / distribution.

    • @JoaquinVacas
      @JoaquinVacas 9 months ago

      @@apalrdsadventures No, it is not.
      It's a mixed bag, since it's designed for embedded devices, there's no decent way of performing upgrades compared to OPNSense.
      Also, I need Unbound for getting multiple domain resolution which is not working in OpenWRT's dnsmasq and using unbound under OpenWRT has to be done with some kind of wizardry to get it working without messing up dnsmasq+DHCP...
      I will go with OPNSense this winter, as I will use the integrated HAProxy with it.
      Need to get it running in my lab these days for debugging/testing all my config until it's perfect for day to day usage.
      Also, love the diagnostics and reporting tools in OPNSense, makes everything more "visible" instead of just "working"... or not.

  • @NhatLinhNguyen-ru5lf
    @NhatLinhNguyen-ru5lf 25 days ago

    First question: why doesn't my overview interface look like that?

    • @apalrdsadventures
      @apalrdsadventures  25 days ago

      OPNsense changed the Overview UI in 24.1, I made this back in 23.7.

    • @NhatLinhNguyen-ru5lf
      @NhatLinhNguyen-ru5lf 25 days ago

      @@apalrdsadventures Thanks for explaining. I am very noob in networking.
      After following your video, I think my ISP doesn't hand out a prefix to my OPNsense. I only get an IPv6 /64 from the ISP router, so I guess I need to do DHCPv6 and set the IPv6 range manually on my LAN?

    • @apalrdsadventures
      @apalrdsadventures  25 days ago

      Depends. DHCPv6-PD is the most common way to do prefix delegation but it isn't the only one. If you have AT&T they only delegate individual /64s which is stupid, some other ISPs delegate via PPPoE instead, and mobile hotspots tend to just offer a single /64. But, you can use that single /64 as your LAN.

  • @jp-ny2pd
    @jp-ny2pd 9 months ago +1

    Windows will also roam a prefix and use multiple IPv6 addresses concurrently. Makes IP whitelists a pain.

    • @apalrdsadventures
      @apalrdsadventures  9 months ago +1

      That's very normal and expected and why IP whitelists within your own subnet aren't reliable (even in IPv4, although then you can assume they just have one IP at a time, even if the user might be changing it)

    • @jp-ny2pd
      @jp-ny2pd 9 months ago

      @@apalrdsadventures It's all about security layers, like an onion. Deploy what you can where you can.

  • @Felix-ve9hs
    @Felix-ve9hs 9 months ago

    17:28 or a /59 if you are a Vodafone cable internet customer :^)
    I really don't understand why these ISPs have to be so scrimpy with their v6 prefixes, but here we are...

    • @apalrdsadventures
      @apalrdsadventures  9 months ago +2

      /59 is such a weird size! At least make it line up with the nibbles!

    • @Felix-ve9hs
      @Felix-ve9hs 9 months ago

      @@apalrdsadventures Absolutely, but at least Telekom (DTAG) gives me a /56
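An added example (my own code, not from the video or from OPNsense) for the prefix-size discussion above: it carves a delegated prefix into its /64 LAN subnets, counts them, tells you whether the prefix length lands on a nibble (hex-digit) boundary, and resolves the hex prefix ID that OPNsense asks for on an interface tracking the WAN delegation into the concrete /64. Function names are mine; the 2001:db8:: prefixes are documentation addresses used as constructed samples, with the /59 standing in for the Vodafone case and the /56 for Telekom.

```python
"""Added example: carve a delegated IPv6 prefix into /64 LAN subnets and show
why a nibble-aligned prefix (/56, /60) is nicer to work with than a /59.
Not code from the video or OPNsense; names are the author's own and the
2001:db8:: prefixes are documentation addresses used as constructed samples."""
import ipaddress


def _v6(prefix: str) -> ipaddress.IPv6Network:
    """Parse a delegated prefix, rejecting anything that is not IPv6 or is longer than /64."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen > 64:
        raise ValueError(f"{prefix} is not an IPv6 prefix of /64 or shorter")
    return net


def subnet_count(prefix: str) -> int:
    """Number of /64 LAN networks a delegated prefix provides (/56 -> 256, /59 -> 32)."""
    return 1 << (64 - _v6(prefix).prefixlen)


def is_nibble_aligned(prefix: str) -> bool:
    """A prefix length that is a multiple of 4 ends on a hex-digit boundary, so the
    delegated part of every address is exactly its leading hex digits."""
    return _v6(prefix).prefixlen % 4 == 0


def delegated_lan_subnets(prefix: str) -> list:
    """All /64 subnets inside the delegated prefix, in address order."""
    return list(_v6(prefix).subnets(new_prefix=64))


def lan_subnet_for_prefix_id(prefix: str, prefix_id_hex: str) -> ipaddress.IPv6Network:
    """The /64 selected by a hex prefix ID (the value entered for a tracking interface),
    or ValueError if the ID does not fit in the delegated prefix."""
    net = _v6(prefix)
    free_bits = 64 - net.prefixlen
    pid = int(prefix_id_hex, 16)
    if not 0 <= pid < (1 << free_bits):
        raise ValueError(f"prefix ID 0x{pid:x} is outside the {1 << free_bits} /64s of {net}")
    # Shift the ID into bits 64..127 and add it to the delegated network address.
    return ipaddress.IPv6Network((int(net.network_address) + (pid << 64), 64))


if __name__ == "__main__":
    for p in ("2001:db8:aa00::/56", "2001:db8:0:20::/59"):
        subs = delegated_lan_subnets(p)
        print(f"{p}: {subnet_count(p)} x /64, nibble aligned: {is_nibble_aligned(p)}, "
              f"first {subs[0]}, last {subs[-1]}")
    # For the /59 the usable block runs 2001:db8:0:20:: .. 2001:db8:0:3f::, so the
    # boundary falls inside the fourth hextet rather than on a hex digit.
    print(lan_subnet_for_prefix_id("2001:db8:0:20::/59", "1f"))
```

The /59 output makes the "line up with the nibbles" complaint concrete: its 32 subnets run from 2001:db8:0:20:: to 2001:db8:0:3f::, so the delegated boundary sits in the middle of a hex digit and you cannot read the prefix off the address by eye, whereas a /56 gives you 256 subnets numbered cleanly 00 to ff in the fourth hextet.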

  • @BrianG61UK
    @BrianG61UK 9 months ago

    Windows 7 is also fine with SLAAC.

    • @apalrdsadventures
      @apalrdsadventures  9 months ago +1

      SLAAC yes, but not RDNSS for router advertised DNS servers

    • @BrianG61UK
      @BrianG61UK 9 months ago

      @@apalrdsadventures Agreed. But it'll use IPv4 for all DNS without any problem.

  • @RupertoCamarena
    @RupertoCamarena 6 months ago

    OPNsense + UniFi access point