Probably been done to death, but here goes:
I'm just considering whether to move to IPv6, we live in UK (remote location) and broadband is about 1mb up 10mb down.
This will probably never change as we live on a farm in the countryside.
But if I moved to IPv6, then maybe I could eventually use the Starlink Sats for broadband?
I need fixed IP addresses since I need to OpenVPN to the farm to remotely control machinery (when I'm away).
Currently using Zen internet and have 8 IPv4s.
If I had the network on IPv6 with zen and maybe Starlink offered fixed IPv6 IPs soon, I could test that and move over?
Some of the machinery PLCs use VNC and Modbus and are IPv4 only. They do not need internet connectivity, but they must work internally on IPv4. So presumably if I went to IPv6 for the PCs and phones to use Internet, the PLCs would still work (internally)?
If I used my phone to OpenVPN into the site on IPv6, could I get a local IPv4 address (as well as IPv6) to control the PLCs directly?
Or would I have to control a local PC to do it?
Also my knowledge of IPv6 isn't great (yet). On IPv6 do you not use private addressing anymore (like 192.168.0.0/24), is it all publicly addressed?
If/when we lose internet connectivity (bad broadband etc etc) can the internal IPv6 network still route around the site normally if it's been assigned public IPv6s and the internet connection is broken for hours/days?
If I'm running 2 WANs for a while for testing, Starlink and Zen on IPv6, the static addressing will change when 1 drops out. My servers will need static addresses and need to work normally locally, controlling the machinery. Could their IP addresses change and break the working network environment when WANs switch over and/or drop out completely?
Sorry for the long question. But wondering whether eventually I'll have to go IPv6, been ignoring it for years...
You don't need IPv6 to use Starlink but you do need to get a plan that doesn't have CGNAT for a real public IP. This may involve a business package and/or a surcharge.
You don't need a fixed public IP to use OpenVPN since it works quite well with dynamic DNS. This will also work with dual WAN. You can configure OpenVPN clients with two public servers so they will fail over from Zen to Starlink and back again.
My OpenVPN tunnels have both IPv4 and IPv6 subnets.
Bart...
I was under the impression that before too long starlink will be offering IPv6 static addresses.
If I was already on IPv6 with Zen, then switching between the 2 on a dual WAN might not be too difficult.
Just thinking about it some more:
I suppose the easiest way for me to use IPv6 is to change my router (draytek ADSL) to IPv6 only with Zen.
Then make OPNsense IPv6 and IPv4.
Then I can use IPv6 for internet and IPv4 for internal LAN connections. Those that are IPv4 only, won't reach the internet (no loss there) but will operate normally locally.
If the WAN goes offline, ALL nodes will have IPv4 addresses, so they then continue internally as normal (with no internet access).
Will all the dual IPv6/IPv4 PCs, TVs, phones, tablets etc etc realise they can only reach the internet over IPv6? Or will they try to poll OPNsense for internet connections on IPv4 and time out?
As Bart mentioned, you can always use IPv6 and IPv4 in the OpenVPN tunnel.
"Private" IPv6 addresses (ULAs) do exist, but you don't need them if you can get a static public prefix. You can use these public IPv6 addresses in the LAN even when the WAN is down. No need for IPv4 fallback.
Dual WAN is a bit tricky, but there are some options. If it's only temporary, I wouldn't focus on that too much.
If you make the WAN IPv6-only, you'll need to use an external NAT64 service because significant parts of the Internet are still IPv4-only. There are a few public ones listed on https://nat64.xyz/.
Most devices prefer IPv6 over IPv4, so they won't try IPv4 and time out. You can also disable default gateway assignment in the DHCPv4 server settings to make sure nothing ever tries to connect to the Internet using IPv4.
Cheers
Maurice
The mechanism is called Happy Eyeballs (yes, really!)
https://en.wikipedia.org/wiki/Happy_Eyeballs
I would prefer dual-stack throughout since there are still resources that are IPv4 only and some new services may be IPv6 only once the v4 depletion starts to bite.
Bart...
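As an added illustration (not from the thread or from any of the posters), here is a simplified Happy Eyeballs race in Python with a simulated connect() so it runs offline: in the IPv6-works/IPv4-has-no-route case asked about above, the client completes in milliseconds instead of waiting for an IPv4 timeout. Python's own asyncio.open_connection() exposes the same behaviour through its happy_eyeballs_delay parameter; the addresses and latencies below are constructed.

```python
import asyncio
import ipaddress
import time

# RFC 8305 section 5 recommends starting the next attempt after 250 ms.
CONNECTION_ATTEMPT_DELAY = 0.25


def interleave_by_family(addrs):
    """Order candidates IPv6 first, then alternate families (RFC 8305 section 4)."""
    v6 = [a for a in addrs if ipaddress.ip_address(a).version == 6]
    v4 = [a for a in addrs if ipaddress.ip_address(a).version == 4]
    ordered = []
    while v6 or v4:
        if v6:
            ordered.append(v6.pop(0))
        if v4:
            ordered.append(v4.pop(0))
    return ordered


async def happy_eyeballs(addrs, connect, delay=CONNECTION_ATTEMPT_DELAY):
    """Race connection attempts, starting a new one every `delay` seconds.

    `connect(addr)` returns addr on success or raises OSError. The first
    success wins and the rest are cancelled, so a black-holed address family
    costs at most `delay`, not a full TCP SYN timeout.
    """
    pending_addrs = interleave_by_family(addrs)
    tasks = set()
    errors = []
    while pending_addrs or tasks:
        if pending_addrs:
            tasks.add(asyncio.create_task(connect(pending_addrs.pop(0))))
        done, tasks = await asyncio.wait(
            tasks, timeout=delay if pending_addrs else None,
            return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            try:
                winner = task.result()
            except OSError as exc:
                errors.append(exc)
                continue
            for loser in tasks:
                loser.cancel()
            return winner
    raise OSError(f"all attempts failed: {errors}")


def make_simulated_connect(latency_by_addr):
    """Fake connect(): addresses absent from the map never answer (like IPv4
    with no default gateway); the rest succeed after their listed latency."""
    async def connect(addr):
        if addr not in latency_by_addr:
            await asyncio.sleep(30)          # stands in for the TCP SYN timeout
            raise OSError(f"{addr}: timed out")
        await asyncio.sleep(latency_by_addr[addr])
        return addr
    return connect


def race(addrs, latency_by_addr, delay=CONNECTION_ATTEMPT_DELAY):
    """Run one race and return (winning address, seconds elapsed)."""
    start = time.monotonic()
    winner = asyncio.run(happy_eyeballs(addrs, make_simulated_connect(latency_by_addr), delay))
    return winner, time.monotonic() - start


if __name__ == "__main__":
    candidates = ["2001:db8::1", "192.0.2.1"]   # constructed dual-stack DNS answer
    # Thread's case: IPv6 works, IPv4 has no route out and never answers.
    print(race(candidates, {"2001:db8::1": 0.04}))
    # IPv6 broken instead: IPv4 wins about `delay` later, no long timeout.
    print(race(candidates, {"192.0.2.1": 0.04}))
```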
Thanks for your input guys.
I think initially, I'll try running a dual stack on my LAN/OPNsense.
Then the IPv4 side of the LAN should need little/no messing with.
Then I can enable IPv6 as well, get some IPv6 subnets from ISP. Nodes that want to go out on IPv6 do so, others can use IPv4.
What do you think? Any problems you can foresee with this?
Yes, going IPv4-only -> dual-stack -> IPv6-only is currently the most common migration path. Although going directly from IPv4-only to IPv6-only is slowly gaining popularity (with separate LANs for legacy IPv4-only devices).
Disadvantages of dual-stack are a more complex configuration (e.g. more firewall rules) and troubleshooting (issues with one protocol are harder to detect if the other one still works).
But if you have no experience with IPv6 and want to set it up yourself, going dual-stack first might indeed flatten the learning curve a bit.
OK, got my IPv6s from Zen, it won't route. Zen gave me ND prefix /64, PD delegation prefix /48 (these only share the first 2a02 of the address, everything else is different).
I have a draytek 2862 on the ADSL, it auths with zen, then gets the IPv4 public subnet routed to the OPNsense IPv4 WAN so it has a public IPv4. This all works fine.
I then have the draytek PPP the IPv6, after this the draytek pings ipv6.google.com
draytek is set to DHCPv6 to the OPNsense WAN, draytek IPv6 is 2a02:x:x:1:21d:aaff:fe12:2fe8/64
So now I set WAN interface:
DHCPv6
BASIC
Prefix delegation size: 48
nothing else set
OPNsense WAN auto gets: 2a02:x:x:1:230:18ff:fec9:3a03/64
This auto creates a GW with an fe80: address
I now set LAN to static IPv6:
2A02:x:x:1000::1/64
DHCPv6 server LAN:
server range of: 2a02:x:x:1000::2000 - 2a02:x:x:1000::4000
OPNsense can ping ipv6.google.com
PCs on LAN can ping OPNsense LAN IPv6 IP
PCs can't ping ipv6.google.com or the actual google IP (in case of DNS issue)
Where did I go wrong?
I have tried a reboot a few times, but since I started with this the reboot seems to take a long time to complete, which didn't happen when I was IPv4 only; maybe there is something bad going on?
Do I need any extra routing added to the draytek?
Thanks
First, make sure Router Advertisements are enabled on the OPNsense LAN.
Next, check whether OPNsense gets a prefix from the Draytek. In Interfaces / Overview / WAN, there should be a line "IPv6 delegated prefix". If not, the Draytek DHCPv6 server might not support PD (or not be configured correctly). Then you would indeed need to add a static route on the Draytek. Just route the entire /48 to the link-local address of the OPNsense WAN interface.
Or just configure everything statically. Might also improve startup times. With a static prefix, there is no real need to use DHCPv6 on the OPNsense WAN at all.
There seems to be some misunderstanding of DHCPv6, Prefix Delegation and routing.
1) Setting OPNsense WAN to DHCPv6 and requesting a /48 isn't going to do anything productive if the draytek isn't capable of serving PD. I suspect it is only able to provide host addresses. Please verify.
2) The concept of setting the WAN to DHCPv6-PD then configuring a static address on the LAN makes no sense from a configuration perspective. Bit of a contradiction.
3) The core connectivity problem is probably due to the draytek not having a route to the LAN 2A02:x:x:1000::1/64. It would have to point to the OPNsense WAN interface (next hop route). If the draytek is not capable of IPv6 static routes, then there will be no return traffic.
4) Setting static IPv6 address with an ISP that provides addressing via PD --- If your address space never changes, then you can get away with it, but if it does you will forever be redoing everything.
I think delegation from the draytek is the problem.... Would like to try and do that if I can, then fall back to other routing methods etc.
See below web page pasted from draytek (sorry)
------------------
DHCPv6 Server
Authentication Protocol: None
Prefix Delegation Enable Disable
Prefix 2A02:x12:x34::/48 <this is just written on the page>
DHCPv6 Prefix Delegation
New Prefix:: <this is greyed out> :::/64
Suffix <only the last 3 boxes available>
New Prefix Length (0~64)
Client Link Local Address
Client DUID(option)
--------------------
Do you understand this? No info on the internet....
The new prefix is completely greyed out.
Suffix only has the last 3 boxes fillable.
Quote from: priller on March 11, 2021, 02:34:53 PM
There seems to be some misunderstanding of DHCPv6, Prefix Delegation and routing.
1) Setting OPNsense WAN to DHCPv6 and requesting a /48 isn't going to do anything productive if the draytek isn't capable of serving PD. I suspect it is only able to provide host addresses. Please verify.
2) The concept of setting the WAN to DHCPv6-PD then configuring a static address on the LAN makes no sense from a configuration perspective. Bit of a contradiction.
point 2:
If I don't set an IP on the LAN for OPNsense and route PCs through it, how do I control who gets what from the internet?
won't they just all get out with no rules?
@fgsfdgfds, again, I recommend a static configuration for this use case.
If you insist on PD, you'll not be able to delegate the entire /48 to OPNsense. You'll have to configure the Draytek with an appropriate PD size and range. I'll not investigate how to do that, sorry.
There are use cases where using PD on the WAN and statically configured LANs makes sense. This is not one of them.
OK after looking on the draytek closed forum, sounds like PD isn't very well implemented or working.
So I adjusted the routing table in the draytek and now can ping from PCs on the LAN side, but DNS is not working; still looking at why that is.
But in IPv6 how do you run firewall rules if the LAN doesn't have an IP on the LAN IP subnet?
In IPv4 you'd have LAN subnet on 1 side (firewall's LAN has an IP in LAN subnet), wan subnet on the other side and rules between.
Surely you'd have WAN IPv6 subnet on 1 side and LAN IPv6 (different subnet) on other with PCs on. They would send requests to the LAN IP of the firewall and it would pass through the rules to the WAN IP to the other.
Is that not right?
I don't understand the question. You mentioned above:
Quote: I now set LAN to static IPv6:
2A02:x:x:1000::1/64
So this is your LAN address and subnet. And on the OPNsense WAN (which is the Draytek LAN), you mentioned you use the 2a02:x:x:1::/64 subnet. So two different subnets. Looks good to me.
I don't understand why you don't have the Draytek in bridge mode, let Opnsense handle the PPPoE negotiation... the rest is then easy. There are full instructions for using Zen in the Opnsense wiki.
Yeah tried that multiple times, millions of reboots, network down for hours.
Gave up.
I think if I was starting on a fresh network deployment, I'd do that, but it seems to cause a lot of hassle to try and swap.
Maybe I'll change to that in the future.
If you want me to help you set it up as a static system send me a pm, more than happy to assist. It doesn't take very long at all to do the basic configuration.
Thanks, I might in the future, still messing trying to get things to behave.
One thing I have noticed: if you change a few things with IPv6, you seem to have to reboot OPNsense, else it just seems to break.
Anyway, now I have set DHCPv6 to assign IPs between ::2000 - ::4000.
I can't work out why some clients seem to get an address in this range, whilst others seem to just ignore the DHCP and go for something in the whole /64 subnet at random.
Any ideas why this would be?
SLAAC. The way ipv6 is designed any client can have multiple addresses. You can switch to managed in which case the only addresses would be those issued by dhcp6d, but then Android devices will not get a v6 address.
To be honest I think I may be faced with a bare-metal full reinstall with no config restore.
After messing with the settings to test stuff, after a while routing stops.
I check the firewall and it says it's blocking stuff like IPv6 LAN addresses to DNS port 53 within the LAN; that LAN rule should be wide open.
Then a load of the services die.
The link to the gateway IPv6 side times out.
It's like a cascade: reboot, then things seem OK until you want to change/try something.
Why does this happen?
The usual cause is forgotten changes for that type of thing. You make a couple of changes then reverse one then another... Pretty soon you've got forgotten changes. Backup your config often; then reversing out of a situation like that is just reloading a backed-up config. One of the reasons I use Zen and statics is that it's one less variable that can change. The only time my Opnsense instance ever needs a reboot is when it gets updated.
The thing I notice is clients seem to get an address of their own in the 1000::/64 I have set as the overall subnet.
Then the same client also gets, from the DHCPv6 server, an address from the set range :2000 - :4000.
But this has a /128 subnet shown on the client.
Surely just 1 ip address is enough and in the range I specified and the subnet should be /64 not /128
It's annoying them getting 2 addresses, and the subnet seems all messed up for the DHCPv6-offered one.
The way IPv6 works, clients get multiple addresses. In Windows you can disable this; I have it disabled for my servers.
I guessed at that, just worried that if I make PCs (mostly linux) only take 1 address and then opnsense sends an address with /128 at the end. No routing might happen.
Why would you have them use only one address? The only reason to do that is if they are servers.
Most are servers.
I clearly have soooo much to learn about IPv6.
I now have Linux PCs making DNS requests to the LAN DNS on OPNsense using an fe80:: IP address; OPNsense just blocks these continually and then the Linux PC times out.
why do I have DNS requests on port 53 coming from fe80 on a linux PC?
I have another question, if you set the DHCPv6 range to a narrow range say ::2000 - ::4000 on a /64
the addresses it hands out show up as /128 on the clients not /64
why is this? the client then seems to get another address /64 so it is able to have comms with others on the same network.
Seems a bit crazy.
Because then it has another address, if I want to block a client on a schedule how can I tell which addresses I need to block?
Often the client seems to get 2 or 3 addresses from the /64 subnet.
I suppose if every machine gets 3 addresses on the planet, that'll run down the address space a bit quicker, lol
Quote from: fgsfdgfds on March 12, 2021, 11:09:29 PM
most are servers.
I clearly have soooo much to learn about IPv6.
I now have Linux PCs making DNS requests to the LAN DNS on OPNsense using an fe80:: IP address; OPNsense just blocks these continually and then the Linux PC times out.
why do I have DNS requests on port 53 coming from fe80 on a linux PC?
Quite normal, that's a link local address, if you look a great deal of IPv6 traffic will be using link-local addresses within your own LAN segment.
Quote from: fgsfdgfds on March 12, 2021, 11:48:11 PM
I have another question, if you set the DHCPv6 range to a narrow range say ::2000 - ::4000 on a /64
the addresses it hands out show up as /128 on the clients not /64
why is this? the client then seems to get another address /64 so it is able to have comms with others on the same network.
Seems a bit crazy.
Because then it has another address, if I want to block a client on a schedule how can I tell which addresses I need to block?
Often the client seems to get 2 or 3 addresses from the /64 subnet.
I suppose if every machine gets 3 addresses on the planet, that'll run down the address space a bit quicker, lol
In your /64 network you have 18,446,744,073,709,551,616 addresses. Zen gives you a /48, which is 65K of those /64 ranges. ISPs are usually allocated /32 ranges, which allows them to dish out 65K /48s. I can't be bothered to take it to even shorter prefixes, but we will not run out of v6 addresses in the foreseeable future. They don't expect you to have 8,446,744,073,709,551,616 clients on your own LAN segment; it's done for security and privacy. The addresses can and will change on new sessions, and that's the way v6 works. Yes, you can assign a fixed address to a client using DHCPv6, and that address will be given to only that client, but unless privacy extensions are disabled on the client you cannot stop it getting further addresses.
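To make the multiple-addresses behaviour discussed above concrete (the /128 DHCPv6 lease, the /64 SLAAC address, the fe80:: source of the DNS queries, and the rotating privacy addresses), here is an added Python example that is not from the thread or from OPNsense. It uses the 2001:db8: documentation prefix and the MAC implied by the :21d:aaff:fe12:2fe8 address quoted earlier as constructed stand-ins, and reports which of a client's addresses a per-host firewall rule can actually rely on.

```python
import ipaddress

# Constructed placeholders: documentation prefix, not the poster's Zen /48.
LAN_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1000::/64")
DHCPV6_RANGE = (ipaddress.IPv6Address("2001:db8:abcd:1000::2000"),
                ipaddress.IPv6Address("2001:db8:abcd:1000::4000"))
ULA = ipaddress.IPv6Network("fc00::/7")            # the IPv6 "private" range
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
IID_MASK = (1 << 64) - 1


def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291 appendix A): split the MAC, insert ff:fe,
    and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac):
    """Stable SLAAC address a host without privacy extensions forms on `prefix`."""
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def link_local_address(mac):
    """The fe80:: address every IPv6 interface has, used for NDP, RAs and on-link traffic."""
    return slaac_address(ipaddress.IPv6Network("fe80::/64"), mac)


def classify(addr):
    """Label one address the way a firewall rule on this LAN would have to treat it."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        return "link-local"          # fe80::/10: never routed, but on-link DNS uses it
    if ip in ULA:
        return "ula"
    if ip not in GLOBAL_UNICAST:
        return "other"
    if ip not in LAN_PREFIX:
        return "global-offlink"
    if DHCPV6_RANGE[0] <= ip <= DHCPV6_RANGE[1]:
        return "dhcpv6-lease"        # handed out as /128; on-link via the RA's /64
    iid = int(ip) & IID_MASK
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "slaac-eui64"         # stable, derived from the MAC
    return "slaac-temporary"         # RFC 4941 random IID, rotates periodically


def example_client_addresses(mac):
    """Constructed set a dual-stack Linux client on this LAN typically shows in
    `ip -6 addr` when RAs (SLAAC + privacy extensions) and DHCPv6 are both active."""
    return [
        str(link_local_address(mac)),
        str(slaac_address(LAN_PREFIX, mac)),
        "2001:db8:abcd:1000:5c3e:9a1f:7b2d:e041",   # constructed temporary address
        "2001:db8:abcd:1000::2abc",                 # constructed DHCPv6 lease
    ]


def stable_addresses(addrs):
    """Addresses a per-host rule can rely on; temporary ones will change under it."""
    return [a for a in addrs if classify(a) in ("dhcpv6-lease", "slaac-eui64")]


if __name__ == "__main__":
    mac = "00:1d:aa:12:2f:e8"   # MAC implied by the ...:21d:aaff:fe12:2fe8 address in the thread
    for a in example_client_addresses(mac):
        print(f"{a:45} {classify(a)}")
    print("rule-able:", stable_addresses(example_client_addresses(mac)))
```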
I see, thank you.
Just seems a bit crazy: it (the client) has an address, why go and get more and more?
Having more than 1 public IP was always a server thing in my book.
maybe for firewalling I'll have to consider another method of separating clients on IPv6.
How can I block kids by IP from using their devices all night on IPv6?
Can't work it out. I used to hand out static IPv4s and block on mapped MAC-to-IP addresses.
Worked well for years.
If you only use DHCPv6 to hand out IPv6 addresses and not SLAAC, you will still be able to control things. But you can't use DHCPv6 on Android devices.
Quote from: fgsfdgfds on March 13, 2021, 12:29:09 AM
I see, thank you.
Just seems a bit crazy: it (the client) has an address, why go and get more and more?
Having more than 1 public IP was always a server thing in my book.
maybe for firewalling I'll have to consider another method of separating clients on IPv6.
How can I block kids by IP from using their devices all night on IPv6?
Can't work it out. I used to hand out static IPv4s and block on mapped MAC-to-IP addresses.
Worked well for years.
Those days are gone, you can just live with v4 or use smart APs that limit access by time. For example, I use EAP 225s, they support VLANS. So I can have multiple SSIDs, one for the Kids ( if there were any at home ) that I can turn on and off by schedule. If it's a wired network, VLANs will do it for you, you could use cron to take down an interface at a specific time.
Quote from: Greelan on March 13, 2021, 12:38:57 AM
If you only use DHCPv6 to hand out IPv6 addresses and not SLAAC, you will still be able to control things. But you can't use DHCPv6 on Android devices.
Correct, Android is SLAAC only.
And who wants to configure every other device on DHCPv6 anyway? [emoji23]
Rather go the Wifi schedule or VLAN route than play whack-a-mole anyway; you only have to change the DUID or MAC on the client and you get a new address, and most 10 year olds probably know how to get around that sort of block.
I have many unmanaged switches on site.
But if I changed the 2 at the house which the wifi APs connect to, to VLAN managed switches and set 2 ssids, then wifi stuff on 1 ssid could be switched off from the net based on VLAN and time of day in OPNsense?
The rest of the switches could continue as they are, unmanaged, would that work?
Thanks
Yes, if that's the only way the kids connect. If the APs don't support VLANs you would need have each AP on a different VLAN. If they do support VLANs that means they will likely also support multiple SSIDs, in which case you can either use the AP based scheduler ( if it has one ) or a simple firewall schedule that disables internet access on that VLAN at given times.
Oh OK,
So my APs in the house support VLAN and multi SSIDs, but my switches don't.
Kids almost always use WIFI.
So if I set a new SSID on the APs with a VLAN, that will work without changing the unmanaged switch?
Never really felt the need for VLANs to be honest until IPv6 and the way that works. (so will have to read up on them)
1 of the APs is old and will not support IPv6, will that make it harder to setup 1 AP with VLAN ipv4+ipv6 other ipv4 only?
I only went over to VLANs about eighteen months ago, when smaller managed switches were available. When I say small I mean the size of a couple of cigarette packets, as in several places in the house I only need a couple of wired connections. At the same time I changed my WAPs to VLAN-supporting WAPs and went the whole hog; now I have separate IOT, work and primary VLANs, primary wifi and guest wifi, and it all runs flawlessly. There are four 8 port switches and one 24, but that's in my study and has all sorts of stuff connected to it for testing Opnsense instances, and two WAPs, one upstairs one downstairs. There are now 5 port switches available that were not when I set it up originally; it's a good investment I'm happy with.
so will my main switch (unmanaged non vlan) that's next to opnsense happily pass the VLAN tagged packets correctly to other VLAN APs that are further back in the network?
I have I think 8 of the blue netgear unmanaged switches across the farm (4 in the house) (plus more on another network subnet with routing etc to another business)
No. If the switch is not VLAN aware, it is not VLAN aware.
I don't understand your answer.
Are you saying to have VLANs working on an VLAN compatible AP, the switch the AP connects to must be a managed switch?
I only want the switch to pass the VLAN packets to OPNsense nothing more.
Depends. If you are passing only 1 VLAN into the switch then it should work (assuming the switch doesn't choke on the VLAN tags and drop the packets as invalid). The issue arises if there are multiple VLANs going into the switch: the switch can't distinguish between them.
The problem is, and I thought that I had posted this in an earlier message, might have thought it then the wife wanted me to do something and I forgot..
You cannot pass untagged and tagged packets down the same piece of cable, well you can, but it will not work. The reason is that the clients, PCs etc, cannot distinguish between the tagged packets and the untagged packets, so for example, if you put a VLAN (tagged) with a dhcp server on it and an untagged (non-VLAN) with a dhcp server on it then you have a piece of wire that has two networks providing an address and the client sees both of them. Hence you need a managed switch to 'split' the network back into the correct segments. The cables between the switches are known as trunks (well in Cisco land) and they carry all the VLANs; you cannot plug a client directly onto that trunk (unless you know how to set the VLAN tag on the client's NIC).
Cheers,
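An added example (not part of the thread or of any poster's setup) that builds constructed Ethernet frames to show the point above in bytes: a tagged frame carries 0x8100 where a VLAN-unaware host expects the EtherType, so that host drops it, while a managed switch's access port strips the tag before handing the frame on. VLAN ID 2 matches the kids SSID tag used later in the thread; the MACs and payload are placeholders.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0):
    """Return an Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    if vlan_id is not None and not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    header = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        tci = (pcp << 13) | vlan_id                      # PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Parse as a VLAN-aware switch does: find the tag (if any), then the real EtherType."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan_id": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def legacy_host_view(frame):
    """What a VLAN-unaware stack sees: bytes 12-13 are read as the EtherType, and
    0x8100 is not a protocol it handles, so a tagged frame is discarded."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
        return "deliver"
    return f"drop (unknown EtherType 0x{ethertype:04x})"


def access_port_egress(frame, port_vlan):
    """Managed-switch access port for `port_vlan`: forward only frames tagged with
    that VLAN and strip the 4-byte tag so the client receives a plain frame.
    (Untagged ingress would be assigned the port's PVID by a real switch; not modelled.)"""
    if parse_frame(frame)["vlan_id"] != port_vlan:
        return None                                      # belongs to another VLAN
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    payload = b"\x60" + b"\x00" * 39                     # constructed minimal IPv6 header stub
    kids = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV6, payload, vlan_id=2)
    print("switch view :", parse_frame(kids)["vlan_id"], hex(parse_frame(kids)["ethertype"]))
    print("legacy host :", legacy_host_view(kids))
    print("access port :", legacy_host_view(access_port_egress(kids, 2)))
```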
Well just to try and see what happens, I set the 2 APs to have an extra SSID called kids, I set this SSID with VLAN tag2.
Then made a new interface with new IPv4 subnet+DHCP, put the kids laptops/phones on the new ssid and they seem to now be separate from the main LAN.
Or at least best I can tell, they are on the other subnet.
Maybe I should change the switch to a managed netgear 'plus' switch, but for now, I think it's working.
So thanks for your input, I will probably reinstall and do PPPoE bridge on the draytek sometime, but for now it seems OK.
I think the mrs gets a bit annoyed when the internet goes down when I'm messing.
But really I needed to get IPv6 going at some point, have put it off long enough
Quote from: marjohn56 on March 13, 2021, 07:35:06 AM
Rather go the Wifi schedule or VLAN route than play whack-a-mole anyway; you only have to change the DUID or MAC on the client and you get a new address, and most 10 year olds probably know how to get around that sort of block.
I faced this some months ago: not really on purpose by the kids, but some Android devices now offer a random MAC address on wifi.
This is a good idea for public wifi, but not good for home :-)
To avoid this, I restricted the wifi AP with a MAC address whitelist, so only known MACs are allowed (the option on the phone to use a random MAC has to be disabled).
The "Static ARP" option in DHCP can be useful too; all this to be combined with a dedicated VLAN/AP.
So in the end, only known MACs can be used, and they have to match a known IP on a dedicated VLAN/subnet, so you can rule them all :-)
I have done this only in IPv4 so far, due to SLAAC-only on Android (also I didn't see something similar to static ARP on DHCPv6).
it may be possible to manage with the alias on MAC trick.
I'm sorry to drag this thread back from the depths, but, to an extent, wasn't all of the IPv6 stuff here started because "I need to be able to use OpenVPN from outside my network, so I need a static IP?" I skimmed the thread, so I may have missed stuff, but, why not do what I do?
Use a VPS or other server elsewhere with a static IP, and have that proxy your VPN connection stuff. (Or use any of a number of other similar solutions.) Basically: My OPNSense box - behind starlink - drills an outbound OpenVPN tunnel to my Linode VPS. That VPS has an iptables rule that basically passes all traffic it gets (on my custom OpenVPN port) back across the VPN tunnel to my OPNSense box.
You can use certificates to avoid MITM attack risk, and the performance hit is about ~10ms for me. The hit there is small enough that it's WAY better to use that vs. the connection that goes directly to my DSL line w/o those extra hops, because of the MASSIVELY improved bandwidth on Starlink.
Just my two cents - and, maybe a good 'backup option' - if you're willing to spend ~$5 USD to get a VPS/shell account/whatever somewhere.