Hi
I am running latest version 21.1.8
My ISP recently started IPv6 via DHCPv6 with PD. I could successfully configure PD, i.e. all the devices on the LAN are getting a unique IPv6 address; however, I am not able to reach any of the IPv6 addresses on the Internet.
The firewall rule is in place on the LAN to allow IPv6 traffic with all *
From the OPNsense shell I am also unable to ping the IPv6 address
root@314-OPN:~ # ifconfig pppoe0
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
inet6 fe80::4262:31ff:fe12:7e84%pppoe0 prefixlen 64 scopeid 0x9
inet6 fe80::4262:31ff:fe12:7e86%pppoe0 prefixlen 64 scopeid 0x9
inet6 2401:4900:1f30:xxxx::x:xxxx prefixlen 128
inet 182.68.xxx.xxx --> 122.161.xxx,xxx netmask 0xffffffff
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
root@PGHOME-OPN:~ #
root@314-OPN:~ # ping google.com
PING google.com (142.250.194.46): 56 data bytes
64 bytes from 142.250.194.46: icmp_seq=0 ttl=119 time=7.169 ms
64 bytes from 142.250.194.46: icmp_seq=1 ttl=119 time=6.925 ms
64 bytes from 142.250.194.46: icmp_seq=2 ttl=119 time=6.934 ms
64 bytes from 142.250.194.46: icmp_seq=3 ttl=119 time=7.041 ms
64 bytes from 142.250.194.46: icmp_seq=4 ttl=119 time=6.808 ms
^C
root@314-OPN:~ # ping6 google.com
PING6(56=40+8+8 bytes) 2401:4900:1f30:xxxx::x:xxxx --> 2404:6800:4007:820::200e
^C
--- google.com ping6 statistics ---
16 packets transmitted, 0 packets received, 100.0% packet loss
root@314-OPN:~ #
PS: It works with a Ubiquiti EdgeRouter
I had the same issue. Setting IPv6 DNS under Settings -> General -> DNS servers and selecting the WAN_DHCPv6 gateway next to DNS worked for me. Also, enabling Sensei broke IPv6 in my case. So I haven't enabled Sensei or Suricata.
Do you have IPv6-specific rules on your firewall WAN interface?
Thanks
Let me try by enabling the IPv6 DNS
No Sensei, Suricata here
What IPv6 rules should I add on the WAN?
Did you enable "Allow IPv6" under Firewall > Settings > Advanced?
OPNsense automatically creates firewall rules when setting up IPv6 on WAN and LAN interfaces (as far as I know)
Yes, I have enabled it, but still no traffic forwarding is happening
Quote from: panks21 on July 23, 2021, 06:12:47 PM
What IPv6 rules should I add on the WAN?
I had to add these firewall rules on the WAN and LAN interfaces for IPv6 to work. Else, I was losing IPv6 after a few minutes. Has been solid since. I just upgraded to 21.7 and IPv6 still works.
Action: Pass
Direction: In
Interface: WAN
TCP/IP Version: IPv6
Protocol: UDP
Source: ANY
Port Range: from 547 to 547
Destination: ANY
Port Range: from 546 to 546
-------------------------
Action: Pass
Direction: In
Interface: LAN
TCP/IP Version: IPv4 + IPv6
Protocol: ANY
Source: LAN net
Destination: LAN Address
I have also created a prefix alias of type "network" for the /56 given to me by my ISP, and added a rule on the WAN to allow ICMPv6 inbound to this prefix alias. This is optional.
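Added example, not part of the thread or of OPNsense itself: a small Python model of the WAN rule posted above, compared with a variant whose source is limited to fe80::/10. The tightened variant is an assumption (DHCPv6 replies on the WAN link normally arrive from the upstream router's link-local address); the class names, labels and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    label: str
    iface: str
    proto: str
    src: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str
    src_net: str   # source network the rule accepts
    sport: int
    dport: int

    def passes(self, p: Packet) -> bool:
        addr = ipaddress.ip_address(p.src)
        return (addr.version == 6                      # TCP/IP Version: IPv6
                and p.iface == self.iface
                and p.proto == self.proto
                and addr in ipaddress.ip_network(self.src_net)
                and p.sport == self.sport
                and p.dport == self.dport)

# Rule as posted in the thread: Source ANY, ports 547 -> 546, UDP, WAN, IPv6.
POSTED = Rule("WAN", "udp", "::/0", 547, 546)
# Assumed tightening (not from the thread): link-local sources only.
TIGHTENED = Rule("WAN", "udp", "fe80::/10", 547, 546)

# Constructed sample packets (documentation addresses, not captured traffic).
SAMPLES = [
    Packet("dhcpv6-reply-from-isp-router", "WAN", "udp", "fe80::1", 547, 546),
    Packet("udp-547-from-global-host", "WAN", "udp", "2001:db8::bad", 547, 546),
    Packet("tcp-to-546", "WAN", "tcp", "fe80::1", 547, 546),
    Packet("ipv4-udp", "WAN", "udp", "192.0.2.1", 547, 546),
    Packet("wrong-source-port", "WAN", "udp", "fe80::1", 53, 546),
]

def admitted(rule: Rule, packets=SAMPLES):
    """Return the labels of the packets the rule passes."""
    return [p.label for p in packets if rule.passes(p)]

if __name__ == "__main__":
    print("posted:   ", admitted(POSTED))
    print("tightened:", admitted(TIGHTENED))
```

Both variants admit the server reply; only the posted Source ANY rule also admits UDP 547 to 546 from an arbitrary global address.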
Thanks
I added the LAN rule and I upgraded to 21.7 as well, but I am now getting mixed behavior
I can browse to IPv6.google.com
I can ping IPv6 address on the internet
ping www.hotstar.com
Pinging e35862.dscj.akamaiedge.net [2600:140f:2e00::685a:593] with 32 bytes of data:
Reply from 2600:140f:2e00::685a:593: time=6ms
Reply from 2600:140f:2e00::685a:593: time=11ms
Reply from 2600:140f:2e00::685a:593: time=13ms
Reply from 2600:140f:2e00::685a:593: time=6ms
Ping statistics for 2600:140f:2e00::685a:593:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 6ms, Maximum = 13ms, Average = 9ms
However, ipv6-test.com, test-ipv6.com and ipv6test.google.com fail the IPv6 tests
This all happens on one device (Microsoft Surface)
On other devices (iPhone, iPad or Mac), I can only ping the IPv6 address but can't browse to ipv6.google.com, and all the test websites fail. In fact, I can't browse to opnsense.org while I have dual stack on Apple devices
I have checked the DNS settings also
Don't know where to troubleshoot further
Under interfaces - overview are you seeing IPv6 details in the WAN & LAN interfaces? Also, under services - DHCPv6 - leases are you seeing IPv6 leases?
With my ISP, just enabling IPv6 wasn't sufficient. I had to "kick" the connection. This is not rebooting the modem. This is a full reset & re-authenticate. The ISP provides us with an app to do that and hence I don't need to call them. I have a static IPv4 WAN address & IPv6 address is very sticky and hence both didn't change with the reset.
Each ISP is different. Yours might not need the above.