OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: 5SpeedFun on May 31, 2021, 03:11:08 PM

Title: After 21.1.6 upgrade - ipv6 Null routes not working?
Post by: 5SpeedFun on May 31, 2021, 03:11:08 PM
Specifically for IPv6.

I have added a null route to 2607:f8b0:4009::/48 with next hop as Null6 - ::1, yet I can still ping 2607:f8b0:4009:800::200a.
I actually tried null routing the /128 as 2607:f8b0:4009:80a::200e/128 and it still didn't work.


rob2@daisy:~$ ping6 2607:f8b0:4009:80a::200e
PING 2607:f8b0:4009:80a::200e(2607:f8b0:4009:80a::200e) 56 data bytes
64 bytes from 2607:f8b0:4009:80a::200e: icmp_seq=1 ttl=118 time=23.5 ms
64 bytes from 2607:f8b0:4009:80a::200e: icmp_seq=2 ttl=118 time=25.9 ms
64 bytes from 2607:f8b0:4009:80a::200e: icmp_seq=3 ttl=118 time=33.6 ms
64 bytes from 2607:f8b0:4009:80a::200e: icmp_seq=4 ttl=118 time=24.1 ms
64 bytes from 2607:f8b0:4009:80a::200e: icmp_seq=5 ttl=118 time=24.2 ms


I have IPv6 via a GIF tunnel (he.net).

I'm sure I'm actually routing through the OPNsense box, as if I reboot it I lose all IPv6 connectivity.

However, if I add a null route for an IPv4 address 172.217.9.67/32, I can no longer ping it:
Before

rob2@daisy:~$ ping 172.217.9.67
PING 172.217.9.67 (172.217.9.67) 56(84) bytes of data.
64 bytes from 172.217.9.67: icmp_seq=1 ttl=114 time=19.4 ms
64 bytes from 172.217.9.67: icmp_seq=2 ttl=114 time=20.3 ms

After:

rob2@daisy:~$ ping 172.217.9.67
PING 172.217.9.67 (172.217.9.67) 56(84) bytes of data.
^C
--- 172.217.9.67 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3052ms


Edit:  This seems broken in 21.1.5 as well.
Title: Re: After 21.1.6 upgrade - ipv6 Null routes not working?
Post by: 5SpeedFun on May 31, 2021, 04:12:18 PM
I went back in my backups & restored an 8 week old VM image with 21.1.3 and I'm seeing the same issue, so I don't think this is related to 21.1.6 specifically.

In any case, is anyone seeing the same behavior?
Title: Re: After 21.1.6 upgrade - ipv6 Null routes not working?
Post by: Napsterbater on May 31, 2021, 11:01:49 PM
Are you applying/overriding a gateway on the "incoming interface" via firewall rules?
Title: Re: After 21.1.6 upgrade - ipv6 Null routes not working?
Post by: 5SpeedFun on May 31, 2021, 11:51:15 PM
Edit: I'm wrong and misread your post at first. On the incoming interface in the firewall, I have my GIF tunnel as the next hop. Would this cause the null routing not to work?
Title: Re: After 21.1.6 upgrade - ipv6 Null routes not working?
Post by: Napsterbater on June 01, 2021, 12:36:48 AM
If on your incoming interface, say the LAN interface, you have a rule to force/override the gateway, say to point to your GIF/tunnel interface/gateway, that will bypass the OPNsense routing table, and thus the null route.
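A small model of the behaviour described in the reply above, added here as an illustration (it is not OPNsense or pf code, and nothing in the original post). It models the two decision paths: a pf rule with a gateway override (`route-to`) on the ingress interface is evaluated first and picks the next hop itself, while the plain path does a longest-prefix match over the system routing table, where a blackhole (Null6) entry wins over the default route. The routing-table entries, the LAN prefix `2001:db8:1::/64` and the tunnel gateway `2001:db8::1` are constructed for the example, not values from the thread.

```python
"""Model: why a pf 'route-to' gateway override bypasses a null route.
Added illustration, not OPNsense code. RIB and policy entries are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    gateway: Optional[str]  # None models a blackhole / Null6 route
    netif: str


@dataclass(frozen=True)
class PolicyRule:
    """A pass rule on an ingress interface carrying a gateway override (pf 'route-to')."""
    ingress_if: str
    src: ipaddress.IPv6Network
    gateway: str
    netif: str


def rib_lookup(dst: ipaddress.IPv6Address, rib: List[Route]) -> Optional[Route]:
    """Longest-prefix match over the routing table (what 'route -6n get <dst>' reports)."""
    best: Optional[Route] = None
    for r in rib:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forward(dst: str, ingress_if: str, src: str,
            rib: List[Route], policy: List[PolicyRule]) -> str:
    """Decide where a packet goes: 'blackhole' or 'via <gw> dev <if> ...'.

    The policy (route-to) check runs before the routing-table lookup, so a
    matching override rule chooses the next hop and the RIB, including any
    null route, is never consulted for that packet.
    """
    d = ipaddress.IPv6Address(dst)
    s = ipaddress.IPv6Address(src)
    for rule in policy:
        if rule.ingress_if == ingress_if and s in rule.src:
            return f"via {rule.gateway} dev {rule.netif} (route-to, RIB bypassed)"
    r = rib_lookup(d, rib)
    if r is None or r.gateway is None:
        return "blackhole"
    return f"via {r.gateway} dev {r.netif}"


# Constructed routing table: a default route over the tunnel plus the null route
# from the original post (the /48 that still answered pings).
RIB = [
    Route(ipaddress.IPv6Network("::/0"), "2001:db8::1", "gif0"),        # constructed gateway
    Route(ipaddress.IPv6Network("2607:f8b0:4009::/48"), None, "lo0"),   # Null6 blackhole
]

# Constructed LAN rule with the tunnel gateway forced on the incoming interface.
POLICY_WITH_OVERRIDE = [
    PolicyRule("lan", ipaddress.IPv6Network("2001:db8:1::/64"), "2001:db8::1", "gif0"),
]

LAN_CLIENT = "2001:db8:1::10"   # constructed LAN host
TARGET = "2607:f8b0:4009:80a::200e"


def with_override() -> str:
    return forward(TARGET, "lan", LAN_CLIENT, RIB, POLICY_WITH_OVERRIDE)


def without_override() -> str:
    return forward(TARGET, "lan", LAN_CLIENT, RIB, [])


def unrelated_destination() -> str:
    # Not covered by the /48 blackhole, so the default route applies.
    return forward("2607:f8b1::1", "lan", LAN_CLIENT, RIB, [])


if __name__ == "__main__":
    print("gateway override on LAN rule:", with_override())
    print("default gateway, RIB consulted:", without_override())
    print("destination outside the null route:", unrelated_destination())
```

On the real box the same two checks are `pfctl -sr | grep route-to` (which rules carry a gateway override, and on which interface) and `route -6n get <destination>` (what the routing table alone would pick); if the first shows an override on the LAN rule, the second is irrelevant for LAN-originated traffic.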
Title: Re: After 21.1.6 upgrade - ipv6 Null routes not working?
Post by: 5SpeedFun on June 03, 2021, 12:18:50 AM
Thanks for the info!

I've removed the gateway from the firewall rules and left it at default, and then added a static route in System -> Routes -> Configuration with:

Network Address: ::/0
Gateway: <Same gateway as what I had in the firewall rule before I removed it>

and now I'm getting TTL Expired in transit when tracerouting to ipv6.google.com, so it's in a routing loop.

Logging in and getting a shell, here is the output from netstat -6 -rn on the OPNsense box itself (after adding in the default route manually and disabling the gateway in the firewall rule):


root@edge01:~ # netstat -6 -rn
Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           xxxx::1       UGS        gif0



gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
options=80000<LINKSTATE>
tunnel inet <mystatic_ipv4> --> <henet_static_ipv4>
inet6 fe80::206:f6ff:fee6:6f22%gif0 prefixlen 64 scopeid 0xe
groups: gif
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


So to make a long story short:
- I took the forced gateway out of the firewall rules
- I instead created a static IPv6 default route (::/0) with the default gateway as the other side of the gif0 tunnel
- Result: IPv6 stopped working.

Thanks for your help thus far, and let me know what I should be looking at.

Edit: I've re-read https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html and my setup looks ok. I did notice that after I go to System -> Gateways -> Single, edit the v6 interface and check "upstream gateway", it still doesn't show any default route with netstat -6 -rn in the shell on the OPNsense box.
Title: Re: After 21.1.6 upgrade - ipv6 Null routes not working?
Post by: Napsterbater on June 03, 2021, 12:44:39 AM
Quote: and now I'm getting TTL Expired in transit when tracerouting to ipv6.google.com so it's in a routing loop

When you do the trace what hops are showing? Is it just OPNsense over and over? Do you see a hop past OPNsense?
Title: Re: After 21.1.6 upgrade - ipv6 Null routes not working?
Post by: 5SpeedFun on June 03, 2021, 04:27:20 AM
Edit:

TTL exceeded in transit is coming from the IPv6 address on my LAN interface back to my client.

However, on the OPNsense box, if I ping6 -S <local IP of the GIF tunnel> ipv6.google.com, it works fine.