# Blue Gateway (Colorado)

## Overview

| Attribute | Value |
|---|---|
| Location | Colorado |
| Hardware | Protectli UP-2420 |
| ISP | Starlink |
| WAN IP | Dynamic (DHCP) |
| LAN Subnet | 10.15.0.0/16 |
| Gateway IP | 10.15.0.1 |
| ZeroTier IP | 192.168.194.x |
| IPv6 | DHCPv6-PD (/56 prefix) |
## Network Interfaces

| Interface | Device | IP Address | Notes |
|---|---|---|---|
| WAN | igc0 | DHCP | Starlink (dynamic) |
| WAN IPv6 | igc0 | DHCPv6-PD | Starlink /56 delegation |
| LAN | igc1 | 10.15.0.1/16 | track6 from WAN |
| OPT1 | igc2 | - | Enabled, unconfigured |
| OPT2 | igc3 | - | Enabled, unconfigured |
| ZEROTIER | zt6ldb571t4n4bn | 192.168.194.x | ZeroTier overlay |
## IPv6 Configuration

Blue receives native IPv6 via DHCPv6 Prefix Delegation from Starlink.
| Attribute | Value |
|---|---|
| Provider | Starlink |
| Method | DHCPv6-PD |
| Prefix Size | /56 |
| LAN Tracking | Enabled (track6) |
**Dynamic IPv6:** Unlike Owl's static HE tunnel, Blue's IPv6 prefix may change when the Starlink connection resets. The LAN interface uses track6 so that its addressing follows the WAN prefix automatically whenever the delegation changes.
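Because the delegated /56 can change after a Starlink reset, a quick way to catch a LAN that has not followed the new delegation is to compare the LAN interface's current address against the prefix the DHCPv6 client was handed. The script below is an added example, not part of this site's tooling: it expands IPv6 addresses to plain hex so prefixes can be compared as text, and `check_track6` exits non-zero (usable from cron or a monitoring check) when the LAN address is outside the delegated prefix. It assumes FreeBSD `ifconfig` output and that you pass in the delegated prefix yourself; how you read that prefix out of the firewall's DHCPv6 client state is deployment-specific and not shown here.

```shell
#!/bin/sh
# Added example, not from the page: verify that the LAN's track6 address
# still sits inside the prefix Starlink delegated to the WAN. After a
# connection reset the delegated /56 can change; if the LAN has not
# followed, hosts keep a dead prefix and any DNS record built from it is
# wrong. The interface names and the /56 size come from the page; the
# prefix argument and everything else are assumptions for the example.

# Expand an IPv6 address to 32 hex digits (zone suffix such as %igc1
# stripped, "::" filled, every hextet zero-padded and lower-cased) so
# prefixes can be compared as plain text.
expand_ipv6() {
  printf '%s\n' "${1%%%*}" | awk -F: '{
    n = 0
    for (i = 1; i <= NF; i++) if ($i != "") n++
    out = ""; filled = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "") {
        # the first empty field is the "::" gap; later empties are its echo
        if (!filled) { for (j = 0; j < 8 - n; j++) out = out "0000"; filled = 1 }
        continue
      }
      f = tolower($i)
      while (length(f) < 4) f = "0" f
      out = out f
    }
    print out
  }'
}

# First $2 bits of an address as hex text. $2 must be a multiple of 4
# (/56 -> 14 hex digits), which covers the delegation sizes ISPs hand out.
ipv6_prefix() {
  expand_ipv6 "$1" | cut -c1-$(( $2 / 4 ))
}

# in_prefix <addr> <prefix> <bits>: 0 when <addr> lies inside <prefix>/<bits>.
in_prefix() {
  [ "$(ipv6_prefix "$1" "$3")" = "$(ipv6_prefix "$2" "$3")" ]
}

# First non-link-local inet6 address on an interface (FreeBSD ifconfig).
iface_ipv6() {
  ifconfig "$1" inet6 | awk '$1 == "inet6" && $2 !~ /^fe80/ { print $2; exit }'
}

# check_track6 <delegated_prefix/len> <lan_if>: exit 1 when the LAN's
# address has not followed the delegation. The delegated prefix is read
# from the DHCPv6 client state on the firewall (not shown, deployment-specific).
check_track6() {
  prefix=${1%/*}; bits=${1#*/}
  lan=$(iface_ipv6 "$2")
  [ -n "$lan" ] || { echo "track6: no IPv6 address on $2" >&2; return 1; }
  if in_prefix "$lan" "$prefix" "$bits"; then
    echo "ok: $2 ($lan) is inside $1"
  else
    echo "MISMATCH: $2 ($lan) is outside $1; track6 has not caught up" >&2
    return 1
  fi
}

# Only act when invoked as `track6-check.sh check <prefix/len> [lan_if]`,
# so the functions can be sourced or tested without touching interfaces.
case "${1:-}" in
  check) check_track6 "$2" "${3:-igc1}" ;;
esac
```

Run it as `sh track6-check.sh check 2001:db8:ab:cd00::/56 igc1` (constructed prefix) from cron alongside the DDNS job; a non-zero exit after a Starlink reset tells you the LAN, and therefore anything published from its addresses, is still on the old prefix.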
## DHCP Configuration

| Setting | Value |
|---|---|
| Enabled | Yes |
| Search List | blue.scandora.net; scandora.net |
| Range | 10.15.254.10 - 10.15.254.254 |
| Static Mappings | 12 devices |
| Default Lease | 7200 sec |
| Max Lease | 14400 sec |
### Notable Static Devices

- Netgear switches (GS308EPP, GS308E)
- TP-Link EAP110 (outdoor WAP)
- Netgear WAX610, WAX214 access points
## Installed Plugins

| Plugin | Purpose |
|---|---|
| os-git-backup | Git-based config backup |
| os-zerotier | ZeroTier VPN |
| os-theme-* | Various themes |
**No ddclient:** Blue doesn't have `os-ddclient` installed. Dynamic DNS is handled by the `cf-ddns.sh` script instead.
## Backup Configuration

| Method | Destination | Count |
|---|---|---|
| Git | github.com/scandora/opnsense-blue.git | 5 backups |
**Recommendation:** Consider adding Google Drive backup for redundancy (Owl has this enabled).
## Access

### SSH

**No Root SSH:** Root SSH login is disabled. Always use `joe` with passwordless sudo.
### Web Interface

## Firewall Rules

### WAN Inbound (Dual-Stack)

All WAN rules use IPv4+IPv6 dual-stack for simpler management:
| Protocol | Port | Source | Description |
|---|---|---|---|
| ICMP | - | any | Allow ICMP inbound |
| TCP | 22 | any | Allow SSH inbound |
| UDP | 9993 | any | Allow ZT inbound |
### LAN Rules

- Default allow LAN to any (IPv4+IPv6, all protocols)
- Allow ZT to LAN (IPv4+IPv6) - explicit rule for cross-site access
## Starlink Considerations

### CGNAT

Starlink uses Carrier-Grade NAT (CGNAT), meaning:
- No direct inbound connections on IPv4
- Must rely on ZeroTier for site-to-site connectivity
- IPv6 provides direct connectivity when available
### Dynamic IP & DDNS

The WAN IP changes frequently. The `cf-ddns.sh` script updates DNS records automatically:

- Location: `/usr/local/bin/cf-ddns.sh`
- Config: `/usr/local/etc/cf-ddns.conf`
- Schedule: every 5 minutes via cron
- Updates: IPv6 only (IPv4 is behind CGNAT)

**Dual DNS Updates:**

| DNS Provider | Hostname | Record Type | Purpose |
|---|---|---|---|
| Cloudflare | blue.scandora.net | AAAA | Public access |
| PowerDNS | blued.scandora.net | AAAA | Internal direct access |
The `blued.scandora.net` record is private (PowerDNS only) and provides direct IPv6 access when ZeroTier is unavailable. See DNS Architecture for details on the "d" suffix naming convention.
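To make the dual-update flow concrete, here is an added example of what a script in the role of `cf-ddns.sh` needs to get right on a CGNAT site; it is not this site's script. It picks a stable global-unicast address on the WAN interface (skipping link-local, ULA, temporary and deprecated addresses, any of which would publish a useless or wrong record), only calls the two DNS APIs when the address differs from a cached copy, writes that cache only after both updates succeed so a failed push is retried on the next cron run, and has a dry-run mode. The variable names sourced from the config file (`CF_TOKEN`, `CF_ZONE_ID`, `CF_RECORD_ID`, `CF_HOST`, `PDNS_URL`, `PDNS_KEY`, `PDNS_ZONE`, `PDNS_HOST`), the cache path and the PowerDNS endpoint are assumptions; the request shapes are those of the public Cloudflare v4 and PowerDNS HTTP APIs.

```shell
#!/bin/sh
# Added example, not the page's cf-ddns.sh. Publishes the WAN's global IPv6
# address as an AAAA record to Cloudflare (public name) and PowerDNS (private
# "d" name). Assumed, not from the page: the variable names sourced from
# $CONF, the cache file path and the PowerDNS API endpoint.
CONF="${CF_DDNS_CONF:-/usr/local/etc/cf-ddns.conf}"
CACHE="${CF_DDNS_CACHE:-/var/db/cf-ddns.last}"
WAN_IF="${CF_DDNS_IF:-igc0}"

# Global unicast only (2000::/3). Link-local (fe80::/10) and ULA (fc00::/7)
# would be useless or misleading in DNS.
is_global_ipv6() {
  case "$1" in
    [23][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;
  esac
  return 1
}

# Read `ifconfig <if> inet6` output on stdin and print the first global
# address that is not temporary (privacy), deprecated or tentative.
pick_wan_ipv6() {
  while read -r kw addr rest; do
    [ "$kw" = "inet6" ] || continue
    case " $rest " in
      *" temporary "*|*" deprecated "*|*" tentative "*) continue ;;
    esac
    if is_global_ipv6 "$addr"; then
      printf '%s\n' "$addr"
      return 0
    fi
  done
  return 1
}

# needs_update <addr> <cache_file>: true when no cached address exists or it
# differs, so the APIs are hit only on change and not every five minutes.
needs_update() {
  [ -r "$2" ] || return 0
  [ "$(cat "$2")" != "$1" ]
}

# Cloudflare v4 record body. proxied=false: a proxied AAAA would not give
# direct access to the gateway.
cf_body() {
  printf '{"type":"AAAA","name":"%s","content":"%s","ttl":120,"proxied":false}' "$1" "$2"
}

# PowerDNS HTTP API rrset patch body; REPLACE overwrites the whole rrset.
pdns_body() {
  printf '{"rrsets":[{"name":"%s.","type":"AAAA","ttl":120,"changetype":"REPLACE","records":[{"content":"%s","disabled":false}]}]}' "$1" "$2"
}

push_cloudflare() {
  url="https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records/$CF_RECORD_ID"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'PUT %s %s\n' "$url" "$(cf_body "$CF_HOST" "$1")"; return 0
  fi
  curl -fsS -X PUT "$url" -H "Authorization: Bearer $CF_TOKEN" \
    -H 'Content-Type: application/json' --data "$(cf_body "$CF_HOST" "$1")" >/dev/null
}

push_powerdns() {
  url="$PDNS_URL/api/v1/servers/localhost/zones/$PDNS_ZONE."
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'PATCH %s %s\n' "$url" "$(pdns_body "$PDNS_HOST" "$1")"; return 0
  fi
  curl -fsS -X PATCH "$url" -H "X-API-Key: $PDNS_KEY" \
    -H 'Content-Type: application/json' --data "$(pdns_body "$PDNS_HOST" "$1")" >/dev/null
}

main() {
  # $CONF is expected to define CF_TOKEN CF_ZONE_ID CF_RECORD_ID CF_HOST
  # PDNS_URL PDNS_KEY PDNS_ZONE PDNS_HOST (assumed layout; keep it mode 0600).
  . "$CONF"
  addr=$(ifconfig "$WAN_IF" inet6 | pick_wan_ipv6) || {
    echo "cf-ddns: no global IPv6 address on $WAN_IF" >&2; return 1; }
  needs_update "$addr" "$CACHE" || return 0
  # Write the cache only after both updates succeed so a failed push is retried.
  push_cloudflare "$addr" && push_powerdns "$addr" && printf '%s\n' "$addr" > "$CACHE"
}

# Run only when invoked as `cf-ddns-example.sh run` (or `dry-run`), so the
# functions can be sourced or tested without touching the network.
case "${1:-}" in
  run) main ;;
  dry-run) DRY_RUN=1; main ;;
esac
```

With a cron line such as `*/5 * * * * /usr/local/bin/cf-ddns-example.sh run` the script is idle until the WAN address actually changes; `dry-run` prints the two requests it would send, which is the easiest way to confirm the config file is right before letting cron run it.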
## Configuration Files

- Production config: `gateways/blue/configs/config.xml`
## Recommendations

Based on the Gateway Comparison:

- Enable Unbound Stats - Helps with DNS troubleshooting
- Review OPT1/OPT2 - Either disable or assign specific roles
- Add GDrive Backup - For disaster recovery redundancy
- Document Static Devices - Ensure all critical devices are mapped