Hello,
I'm a happy user of opnsense since the beginning (came from mono, pfsense and others) and usually everything I've tried works mostly out of the box.
Currently I decided to finally hit the road with IPv6 as well and experience some strange behaviour where I'm not sure what is causing it. In advance, I'm new to IPv6 and have just started learning about it.
In advance, IPv4 is working OK and everything below is related to IPv6.
My networking setup and configuration:
The ADSL router is provided by the ISP with a heavily customized web UI. But still, it features quite some possibilities to set things up.
Internet --- ADSL (Router from ISP, limited access) --- ISP LAN ---- (wan) OPNSENSE (lan) ---- My LAN (Clients)
ADSL router
=========
ADSL router is configured to have the OPNSENSE in its DMZ for IPv4/6
Below information is reported by the router (generic IPv6 info):
Delegated Prefix: 2001:171b:x:y::/60
CPE LAN IPv6 Address: 2001:171b:x:y:z:z:z:z
OPNSENSE
==========
General:
- OPNsense 20.1.4-amd64
- Configuration was reset to default before attempting to setup for IPv6
- Firewall and system setting enabled for IPv6
WAN:
- Request only an IPv6 prefix (64)
- Send IPv6 prefix hint
LAN:
- IPv4 --> Static
- IPv6 Configuration Type --> Track Interface
- Track IPv6 Interface --> IPv6 Interface --> WAN / IPv6 Prefix ID --> 0
- Allow manual adjustment of DHCPv6 and Router Advertisements --> ON
(Router advertisement is on and when I get an IPv6 address on the LAN interface DHCP starts, I was able to configure it so that clients on the lan received an IPv6 address)
Interface Overview:
WAN:
IPv6 Link Local fe80::20d:x:x:x / 64
IPv6 address fdaa:bbcc:x:0:x:x:x:x1 / 64
+ 2001:171b:x:x:x:x:x:x / 64
sometimes as well + 2001:171b:x:x:x:x:x:x / 128
LAN:
IPv6 Link Local fe80::20d:x:x:x / 64
Gateways:
at any time WAN_DHCP6 --> fe80::x:x:x:x
Clients in my LAN
##################
In the case of OPNSENSE assigning an address to the LAN I was able to configure DHCPv6 and my clients in the LAN got an IPv6 address in the range 2001:171b:...... as one would expect
Summary of observations
#####################
1. By rebooting the router, putting the interface up/down, at some point OPNSENSE assigns an address to its LAN interface. Currently I'm not able to clearly reproduce it. If assigned, then a reboot of OPNsense removes the address. But most of the time it does not assign an IPv6 to the LAN.
2. At any time I can ping google.com or my router from OPNSENSE on IPv6
3. When the IPv6 gets assigned to the LAN and DHCP6 assigns addresses to my clients they are able to ping each other on the LAN but not OPNSENSE nor the internet
4. Another weird thing is that sometimes I see in the firewall log blocked ICMP entries from the LAN for IPv6. All automatic rules are there.
Questions
########
- Does anybody have a clue what is going on here or point me to further infos?
- Does above setup/configuration confuse OPNSENSE somehow that it messes up IPv6 interface tracking for LAN?
- Why is IPv6 traffic not leaving the LAN?
Thanks in advance for any inputs!
Let me reply to my own post with a partial solution.
Enabling and studying the dhcp6c log revealed this:
OPNsense dhcp6c[78038]: advertise contains NoAddrsAvail status
OPNsense dhcp6c[78038]: Sending Solicit
this hinted me to this post: https://forum.opnsense.org/index.php?topic=11680.0
1. Go to Interfaces:Setting and select 'Insert a new LLT DUID' in the DHCP Unique identifier setting. Save and reboot.
afterwards found this in the log:
OPNsense dhcp6c[78038]: advertise contains NoPrefixAvail status
OPNsense dhcp6c[78038]: Sending Solicit
This was my fault, because of trying out things I had set the prefix to a wrong value. Change back to 64 and LAN interface got an IPv6 addr.
Now a new problem appeared in the log:
2020-04-21T13:48:03 opnsense: /usr/local/etc/rc.newwanipv6: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was '[1587476883] unbound[53061:0] error: bind: address already in use [1587476883] unbound[53061:0] fatal error: could not open ports'
2020-04-21T13:48:03 opnsense: /usr/local/etc/rc.newwanipv6: The command '/usr/local/opnsense/scripts/dns/unbound_dhcpd.py --domain 'localdomain.home'' returned exit code '1', the output was 'Unable to lock on the pidfile.'
Regarding network connectivity, my clients get an IPv6 address and can ping each other. OPNSENSE and internet hosts can't be pinged. Any hints on this?
I guess I did run into same issue as discussed here: https://forum.opnsense.org/index.php?topic=7719.0
The problem was that I accidentally assigned the physical LAN interface to a second one. Even though this was not enabled it did mess up packet routing internally I guess. I'm now able to ping the OPNSENSE LAN/WAN after removing this mishap.
But I'm still not able to ping the ADSL router nor hosts on the internet.
Any hints on this?
To exclude any previous misconfiguration I did reinstall opnsense.
Configuration as follows:
OPT1, OPT2 disabled
WAN
IPv4 DHCP
IPv6 DHCP6
- Request only an IPv6 prefix
- Prefix delegation size 64
- Send IPv6 prefix hint
- Prevent release
- Enable debug
LAN
IPv4 Static
IPv6 Track Interface
- IPv6 Interface WAN
- IPv6 Prefix ID 0
Opnsense does receive a /64 and has a valid IPv6 on the LAN interface
Hosts on the LAN receive multiple IPv6 addresses.
Ping with IPv6
- opnsense to google.com --> OK
- opnsense to hosts in LAN --> NOK
- hosts in LAN to hosts in LAN --> OK
- hosts in LAN to opnsense --> NOK
- hosts in LAN to google --> NOK
I don't see any blocked ICMP packets by opnsense.
I did run a packet capture on the LAN while pinging
LAN
igb0 11:59:24.850584 IP6 2001:1715:dddd:dddd:dddd:dddd:dddd:a83 > 2001:dddd:dddd:dddd:ddd:dddd:dddd:ea20: ICMP6, echo request, seq 5, length 64
LAN
igb0 11:59:25.809997 IP6 fe80::dddd:dddd:dddd:2d15 > 2001:dddd:dddd:dddd:ddd:dddd:dddd:ea20: ICMP6, neighbor solicitation, who has 2001:dddd:dddd:dddd:ddd:dddd:dddd:ea20, length 32
LAN
igb0 11:59:25.810137 IP6 fe80::ddd:dddd:dddd:ea20 > fe80::dddd:dddd:dddd:2d15: ICMP6, neighbor advertisement, tgt is 2001:dddd:dddd:dddd:ddd:dddd:dddd:ea20, length 24
LAN
igb0 11:59:25.878063 IP6 2001:dddd:dddd:dddd:dddd:dddd:dddd:a83 > 2001:dddd:dddd:dddd:ddd:dddd:dddd:ea20: ICMP6, echo request, seq 6, length 64
Could this be a routing issue?
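As an added illustration (my own code, not from this thread or the OPNsense project), the small script below reads tcpdump-style ICMPv6 lines like the ones pasted above and answers the question the capture raises: did the echo requests get a reply, and did neighbor discovery for the target complete? It pairs each echo request with a matching echo reply (reverse addresses, same sequence number) and records which targets were solicited and advertised. The sample input embeds the four lines from the capture above (interface column dropped) plus one constructed request/reply pair on 2001:db8:1::/64 so both outcomes appear; the function names and the wording of the findings are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the four LAN capture lines from the post, followed by a
# constructed echo request/reply pair (2001:db8 documentation prefix) so the
# pairing logic shows both an answered and an unanswered request.
SAMPLE_CAPTURE = """\
igb0 11:59:24.850584 IP6 2001:1715:dddd:dddd:dddd:dddd:dddd:a83 > 2001:dddd:dddd:dddd:ddd:dddd:dddd:ea20: ICMP6, echo request, seq 5, length 64
igb0 11:59:25.809997 IP6 fe80::dddd:dddd:dddd:2d15 > 2001:dddd:dddd:dddd:ddd:dddd:dddd:ea20: ICMP6, neighbor solicitation, who has 2001:dddd:dddd:dddd:ddd:dddd:dddd:ea20, length 32
igb0 11:59:25.810137 IP6 fe80::ddd:dddd:dddd:ea20 > fe80::dddd:dddd:dddd:2d15: ICMP6, neighbor advertisement, tgt is 2001:dddd:dddd:dddd:ddd:dddd:dddd:ea20, length 24
igb0 11:59:25.878063 IP6 2001:dddd:dddd:dddd:dddd:dddd:dddd:a83 > 2001:dddd:dddd:dddd:ddd:dddd:dddd:ea20: ICMP6, echo request, seq 6, length 64
igb0 11:59:26.100000 IP6 2001:db8:1::10 > 2001:db8:1::20: ICMP6, echo request, seq 1, length 64
igb0 11:59:26.100400 IP6 2001:db8:1::20 > 2001:db8:1::10: ICMP6, echo reply, seq 1, length 64
"""

# Optional interface name, timestamp, IP6 src > dst, then the ICMP6 description.
LINE_RE = re.compile(
    r"^(?:\S+\s+)?(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP6, (?P<kind>.+?), (?:seq (?P<seq>\d+), )?length (?P<length>\d+)$"
)
# Neighbor discovery descriptions carry the target address inline.
ND_RE = re.compile(
    r"^(neighbor solicitation), who has (\S+)$|^(neighbor advertisement), tgt is (\S+)$"
)


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    kind: str                     # "echo request", "echo reply", "neighbor solicitation", ...
    seq: Optional[int] = None     # ICMPv6 echo sequence number, if any
    target: Optional[str] = None  # neighbor discovery target, if any


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump ICMPv6 line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, target = m.group("kind"), None
    nd = ND_RE.match(kind)
    if nd:
        kind = nd.group(1) or nd.group(3)
        target = nd.group(2) or nd.group(4)
    seq = int(m.group("seq")) if m.group("seq") else None
    return Packet(m.group("ts"), m.group("src"), m.group("dst"), kind, seq, target)


def analyze_capture(text: str) -> Dict[str, object]:
    """Pair echo requests with replies and record neighbor discovery outcomes."""
    packets = [p for p in (parse_line(l) for l in text.splitlines()) if p]
    requests = {(p.src, p.dst, p.seq): p for p in packets if p.kind == "echo request"}
    # A reply matches a request when its addresses are reversed and seq is equal.
    replies = {(p.dst, p.src, p.seq) for p in packets if p.kind == "echo reply"}
    solicited = {p.target for p in packets if p.kind == "neighbor solicitation"}
    advertised = {p.target for p in packets if p.kind == "neighbor advertisement"}
    return {
        "answered": [p for k, p in requests.items() if k in replies],
        "unanswered": [p for k, p in requests.items() if k not in replies],
        "nd_resolved": {t: (t in advertised) for t in solicited},
    }


def diagnose(text: str) -> List[str]:
    """One finding per unanswered echo request, distinguishing ND failure from a silent target."""
    result = analyze_capture(text)
    findings = []
    for p in result["unanswered"]:
        flow = f"{p.src} -> {p.dst} seq {p.seq}"
        if result["nd_resolved"].get(p.dst):
            findings.append(
                f"{flow}: no echo reply although neighbor discovery for {p.dst} completed; "
                "the target is reachable on the link, so check the reply path "
                "(route back to the source, or a filter on the responder)"
            )
        else:
            findings.append(
                f"{flow}: no echo reply and neighbor discovery for {p.dst} never completed; "
                "the target did not answer on the link at all"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CAPTURE):
        print(finding)
```

Run against the capture in the post, the two requests to ...:ea20 are reported as unanswered even though the neighbor advertisement for that address was seen, which is exactly the pattern that points away from neighbor discovery and towards the reply path on the responding host; a capture on the responder's side, or its routing table for the source prefix, is the next thing to look at. The constructed 2001:db8 pair is reported as answered and does not appear in the findings.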