OPNsense Forum

English Forums => General Discussion => Topic started by: ChristianVirtual on March 18, 2024, 03:32:46 pm

Title: Beginner with IPv6 and struggle
Post by: ChristianVirtual on March 18, 2024, 03:32:46 pm
Hi all, new here with OPNsense and new to IPv6. Hope you can help/guide me. I have some practical experience with networks and IPv4 (also some 6 years back with pfSense).

My environment: living in Japan, weak in Japanese, have a dedicated fiber line into the house with 10Gb/s and a /56 IPv6 assignment; IPv4 is established via DS-lite (and no info provided by the ISP beyond that /56 allocation). The rental router is directly connected behind the OBU/Modem and shows the /56 allocation when connected. And they want me to have the rental router directly behind the OBU.

What is my problem: I want to restructure my home network and isolate certain segments (e.g. general use for mobile devices, my work, my child, IOT stuff, cameras, home lab, …).

I have an overkill of Minisforum MS-01 (and 2x10Gb SFP+, 2x2.5Gb RJ45) with OPNsense dedicated installed. That should give me enough power for whatever IDS/IPS or routing I want to play with later.

I managed to get a /64 allocated to the WAN (via one of the SFP+ ports) but then don’t get any IPv6 in the LAN (other 10Gb SFP+) or IOT (2.5Gb) ports. I can update the OPNsense box itself so basic connectivity is given.

But how can I now convince my LAN and IOT also to establish a /64 segment out of a (desired) /60 segment from the WAN? How do I need to configure OPNsense to try to get a /60 slice of address range from the ISP?

Or should I try to place the OPNsense box between OBU and rental router?

I looked a bit around in the online documentation from OPNsense and tried to search in the forum but didn’t find the right hints. Any guidance or hints are appreciated.
Thanks in advance.


Title: Re: Beginner with IPv6 and struggle
Post by: ChristianVirtual on March 18, 2024, 05:24:41 pm
Update: while the family was (hopefully) sleeping I shut down the regular wifi router and connected the OPNsense box directly to the ONU via a dumb 10Gb-hub.

And this way I get the proper prefixes assigned to LAN and IOT networks with distinctive IDs. Though I then lost the visible global IPv6 address on the WAN, and it shows me only the fe80::[mac].

In addition I reconnected my consumer grade wifi router back to the hub too and let it do its DS-lite stuff (used by this iPad while posting).

The question then is why I don’t get the subnets/prefix delegation when I have the OPNsense behind the rental router having a /56 assigned?
I'm getting optimistic, but still confused and don't fully understand …

Title: Re: Beginner with IPv6 and struggle
Post by: Maurice on March 18, 2024, 10:07:00 pm
When you connect OPNsense directly to the ONU, the /56 gets delegated to OPNsense and you can use it for your LANs. But if you connect the rental router to the ONU and OPNsense to the rental router, the /56 gets delegated to the rental router. It is then up to this router to delegate a subnet (e. g. a /60) to OPNsense. Whether or not it can do this is the question. More often than not, these basic ISP routers are only meant for directly connecting devices and don't support downstream prefix delegation. So if you don't have to, I wouldn't use this rental router at all.

Some ISPs don't assign a WAN address. If you made sure "Request only an IPv6 prefix" is disabled, then that's probably why you only see a link-local address on the WAN interface.

OPNsense doesn't support automatic DS-Lite configuration, but you can manually set up a 4in6 GIF tunnel.

Cheers
Maurice
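
The delegation chain described in the reply above (ISP /56, a /60 handed downstream, one /64 per interface), worked through as an added example that is not part of the original thread. The /56 is a constructed value from the 2001:db8::/32 documentation range, and treating each interface's ID as the index of its /64 inside the delegation is an assumption of this sketch.

```python
import ipaddress

def carve(parent: str, new_len: int, index: int) -> ipaddress.IPv6Network:
    """Return the index-th sub-prefix of length new_len inside parent."""
    net = ipaddress.IPv6Network(parent)
    if not net.prefixlen <= new_len <= 64:
        raise ValueError(f"/{new_len} cannot be carved from {net} for a LAN")
    free_bits = new_len - net.prefixlen
    if not 0 <= index < (1 << free_bits):
        # e.g. ID 0x10 needs 5 bits, but a /60 only leaves 4 bits for /64s
        raise ValueError(
            f"index {index:#x} does not fit: {net} holds only "
            f"{1 << free_bits} /{new_len} prefixes"
        )
    base = int(net.network_address) + (index << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))

def interface_plan(delegated: str, ids: dict) -> dict:
    """Map interface name -> /64 derived from the delegated prefix and its ID."""
    plan = {}
    for name, prefix_id in ids.items():
        plan[name] = str(carve(delegated, 64, prefix_id))
    if len(set(plan.values())) != len(plan):
        raise ValueError("two interfaces share the same prefix ID")
    return plan

# Constructed sample: the ISP delegates a /56 to whichever router sits at the ONU.
ISP_PREFIX = "2001:db8:1200::/56"

# That router hands its second /60 (index 1) to the firewall downstream.
FIREWALL_PREFIX = str(carve(ISP_PREFIX, 60, 1))

if __name__ == "__main__":
    print("delegated to firewall:", FIREWALL_PREFIX)
    for name, net in interface_plan(FIREWALL_PREFIX, {"LAN": 0x0, "IOT": 0x1}).items():
        print(f"{name:4} {net}")
    # Directly on the ONU the whole /56 is available: 256 possible /64s.
    print("LAN on full /56, ID 0xff:", carve(ISP_PREFIX, 64, 0xFF))
```
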
Title: Re: Beginner with IPv6 and struggle
Post by: DanAnimal on March 19, 2024, 06:38:25 am
Ooo, 10ギガ, nice!
(I'm also in Nihon and weak in Nihongo - would love to know all about your 10G ISP too, BTW).

I have had DS-Lite working with OPNSense (but not reliably enough for my daily use so far, when I'm not testing OPNSense directly I have an OpenWRT host holding the DS-Lite up in front of OPNSense (your machine would probably have ample resources to do both OPNSense + OpenWRT in virtualisation if you're game to try)).

Details of making the GIF tunnel are in my posts ie. https://forum.opnsense.org/index.php?topic=27935.msg136305#msg136305

My only problem is that establishing the tunnel seems to always require I manually restart one or other of the interfaces in OPNSense after booting. Once it's up it seems to work fine.

Title: Re: Beginner with IPv6 and struggle
Post by: ChristianVirtual on March 24, 2024, 03:10:17 pm
Ok, somehow I got it working:
My LAN gets a global IPv6 address from the edge router (NTT Router) connected to the WAN. On that edge router I get as expected (hoped) two /60 segments.

The first one goes to the consumer wifi router.
The second one goes to the OPNsense box which should one day in the future be my primary router (and the consumer wifi goes as backup on the shelf).

The prefix delegation of /60 in OPNsense I seem to have to configure in two different locations (WAN interface and disabled DHCPv6 server?)

But here the big BUT: that only works if I create for both WAN and LAN a firewall rule allowing all traffic for TCP, UDP and ICMPv6.

Question to the community: what minimal rule needs to be defined to allow this to work?