Hi,
I have a /64 IPv6 range, and am trying to use part of this range to hand out IPv6 addresses to some of my clients/servers. For this I'm using the DHCPv6 service. However, even though my (Linux) clients are receiving an IPv6 address from the specified range, they do not receive the IPv6 gateway associated with it. This means these clients can only ping other addresses in my IPv6 space, but nothing outside of it.
The setup is as follows (the IP range is partially masked/redacted as xxxx:xxx:xxxx:c0::):
I created an additional interface called "IPv6NET", which has IPv4 disabled and a static IPv6 address (xxxx:xxx:xxxx:c0::299/64).
For this interface I also created a gateway which is named "OPT1_GWv6" and has xxxx:xxx:xxxx:c0::1 as address. I was assigned this address by the IPv6 range provider. In the gateway setting I enabled "Upstream Gateway".
With the above setup, this "IPv6NET" interface acts as a second WAN interface, specific for IPv6 communication. I can access the IPv6 enabled outside world from within the Opnsense server.
I then configured a DHCPv6 service for this "IPv6NET" interface, set the range as xxxx:xxx:xxxx:c0:2f:ffff:ffff:300 - xxxx:xxx:xxxx:c0:20f:ffff:ffff:2000, and populated the "DNS servers" field with the IPv6 Google DNS (2001:4860:4860::8888 and 2001:4860:4860::8844). Everything else on this page is left at its default setting.
Under Router Advertisements for "IPv6NET", I set the Router Advertisement to "Managed" and enabled "Advertise Default Gateway". Everything else on this page is left at its default setting. I also tried "Stateless" to get a SLAAC-provided address, which also works to get an address.
When I start my clients, they receive an address that falls within the defined DHCP range, and these leases are shown on the "DHCPv6 / Leases" page, but show as "offline" on that page, and have no MAC address. The DNS servers I defined above are also present on the client, but the gateway is not. The route table on the clients shows this:
root@ipv62:~# ip -6 route show
::1 dev lo proto kernel metric 256 pref medium
xxxx:xxx:xxxx:c0:20f:ffff:ffff:1fbc dev eth0 proto kernel metric 256 pref medium
xxxx:xxx:xxxx:c0::/64 dev eth0 proto kernel metric 256 expires 86274sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::d875:32ff:fe3d:fb13 dev eth0 proto ra metric 1024 expires 1674sec mtu 1400 hoplimit 64 pref medium
I don't know why it shows a local(?) default route address here. Both clients show the same default route.
Anyone here have any idea what might be wrong (or wrongly set)?
Hi, I think you should have a WAN side and a LAN side and the network part of both should be different.
Try to assign an IPv6 to your existing WAN and then assign an IPv6 to your existing LAN.
For example your WAN IPv6 address xxxx:xxx:xxxx:c0::2/64, your IPv6 gateway xxxx:xxx:xxxx:c0::1/64.
Then, your LAN IPv6 address xxxx:xxx:xxxx:c0:1::1/80.
Configure your DHCPv6 from xxxx:xxx:xxxx:c0:1:ffff:ffff:300 - xxxx:xxx:xxxx:c0:1:ffff:ffff:2000.
Observe the /80 prefix used in LAN IPv6. It needs to be something higher than /64 because you are subnetting.
I have a configuration like this and the dual stack is working fine.
The default route is the local link address, and it is ok because your gateway may be reached using the local link as well as the routable address.
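To make the point of the reply above concrete, here is a small diagnostic script for a Linux client, added here and not from either poster: it reads the output of "ip -6 route show" and "ip -6 neigh show" (fed as constructed samples mirroring the table in the first post, with the documentation prefix 2001:db8::/32 standing in for the masked range) and reports whether the default route is the normal RA-learned link-local one and whether the router answers Neighbour Discovery.

```shell
#!/bin/sh
# Added example, not from the thread. An RA-learned default route always
# points at the router's link-local (fe80::/10) address, so
# "default via fe80::... proto ra" is the expected result of enabling
# "Advertise Default Gateway", not a sign of a wrong gateway.

# Next hop of the default route from `ip -6 route show` on stdin (empty if none).
default_next_hop() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# 0 if the address is link-local (fe80::/10), i.e. starts with fe8/fe9/fea/feb.
is_link_local() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        fe8*|fe9*|fea*|feb*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the default route of a routing table fed on stdin:
#   no-default | ra-link-local (normal) | static-link-local | global-next-hop
classify_default_route() {
    table=$(cat)
    gw=$(printf '%s\n' "$table" | default_next_hop)
    [ -n "$gw" ] || { echo no-default; return 0; }
    if ! is_link_local "$gw"; then echo global-next-hop
    elif printf '%s\n' "$table" | grep -q '^default .* proto ra'; then echo ra-link-local
    else echo static-link-local; fi
}

# Neighbour Discovery state of one address from `ip -6 neigh show` on stdin:
# REACHABLE/STALE mean the router answers ND; FAILED/INCOMPLETE or no entry
# point at a link problem or a firewall dropping ICMPv6 on that interface.
neigh_state() {
    awk -v a="$1" '$1 == a { print $NF; exit }'
}

# Constructed sample tables (2001:db8:0:c0::/64 stands in for the masked
# xxxx:xxx:xxxx:c0::/64 of the thread; the MAC is derived from the EUI-64).
SAMPLE_ROUTES='::1 dev lo proto kernel metric 256 pref medium
2001:db8:0:c0::/64 dev eth0 proto kernel metric 256 expires 86274sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::d875:32ff:fe3d:fb13 dev eth0 proto ra metric 1024 expires 1674sec mtu 1400 hoplimit 64 pref medium'
SAMPLE_NEIGH='fe80::d875:32ff:fe3d:fb13 dev eth0 lladdr da:75:32:3d:fb:13 router REACHABLE'

# On a real client replace the samples with: ip -6 route show / ip -6 neigh show
gw=$(printf '%s\n' "$SAMPLE_ROUTES" | default_next_hop)
printf 'default route: %s\n' "$(printf '%s\n' "$SAMPLE_ROUTES" | classify_default_route)"
printf 'gateway %s neighbour state: %s\n' "$gw" "$(printf '%s\n' "$SAMPLE_NEIGH" | neigh_state "$gw")"
```

A default route classified as ra-link-local with a REACHABLE or STALE gateway means the client side is fine, and the search moves to the firewall rules on the router's interface.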
Unfortunately this did not work. I cannot assign the IPv6 address to the existing WAN interface, since that one (outside the Opnsense VM) is a different bridge, with a different MTU, than the "IPv6NET" one. The "LAN" interface is also not possible, as that's also another bridge specific for internal IPv4 addresses.
So I now attached another interface to the VM (my Opnsense runs inside a VM), using the same bridge as the one which has the configuration for "IPv6NET", and disabled the already configured DHCPv6 and Router Advertisements on "IPv6NET".
I then configured that new interface, that I call "IPv6LAN", using the configuration you proposed with /80 prefix, but with no specific upstream gateway (Auto Detect). I also created a new DHCPv6 and Router Advertisement for this interface.
The result is the same unfortunately. I do receive a lease that falls within the new specified /80 range. The fe80 default gateway is present in the routing table of the client. I just noticed this gateway address is the same as the local fe80 address (fe80::183e:99ff:fe99:6909) on the "IPv6LAN" interface. However, I still cannot ping anything outside this /80 prefix.
I also noticed I can ping the fe80 address (fe80::d875:32ff:fe3d:fb13) that exists on the "IPv6NET" interface from the client.
I also tried to add that fe80::d875:32ff:fe3d:fb13 address to IPv6LAN as gateway address (no idea what I'm doing at this point ::) ), but that doesn't change things either.
Now that I have 2 IPv6 interfaces (IPv6NET that connects to the outside world, and IPv6LAN for DHCP) how would clients that come through IPv6LAN know they should actually go through the IPv6NET interface to the outside world?
Clients that come through IPv6LAN know they should actually go through the IPv6NET interface to the outside world because you defined an upstream gateway on IPv6NET, so it has a default gateway, and everything that doesn't have a reachable destination goes through the default gateway.
I think it has something to do with the routing of the fe80 local addresses of the IPv6NET/LAN interfaces, since I can ping these addresses but cannot go outside with any of these set as default gateway in the client. But when I define the DHCP IPv6 address on the client as static, and manually add a route to the actual address of the default gateway on IPv6NET (xxxx:xxx:xxxx:c0::1), only then can I connect to the outside world from within the client.
So, DHCPv6 advertises the local fe80 address of the interface to the client, but it cannot connect through that. But if DHCPv6 were to advertise the "real" address of the interface's default gateway, it would work. However, there's no setting in Opnsense to make it work that way (I think).
I found out what the problem was. I did not realize that this new interface (IPv6NET) had no firewall rules, and was thus blocking traffic to the fe80 addresses. Once I created an incoming and outgoing rule, I was able to access the outside world.
A simple solution that I completely overlooked :-[
Oh, that's usual to me. Don't worry.
Cheers...