OPNsense 22.1.2-amd64
All Intel NICs on an Atom board. radvd is running. It's been an issue with any BSD-based firewall... I am on Comcast Business using a /55 prefix. I have an IPv6 address on the WAN... for some reason, it is not pulling the subnets on the internal subnets.
IPv6 Configuration Type would be DHCPv6 I guess, Prefix /55 is not a typo? All I can see is that Comcast Business offers /56. Maybe try with "Use IPv4 connectivity" enabled and set the LAN interface to track the WAN for IPv6.
I have Comcast Business "working" on 21.7.8 (which should be, I think, similar).
Edit: Mar 10, 2022: This is working on 22.1.2_1 as well for me.
Edit2: Your track interface must start at 1 since 0 is on your wan interface.
Edit3: If you have Comcast SecurityEdge on, TURN IT OFF. It will make DNS very flaky. I had to call Comcast in order to get this turned off and then everything ran perfectly.
Try the following settings which work for me:
On your "wan/internet" interface:
IPv6 Configuration Type -> DHCPv6
DHCPv6 client configuration -> Basic
Prefix delegation size -> 59
Send ipv6 prefix hint [X]
[SAVE]
On your lan interface:
IPv6 Configuration type: Track interface
and under Track IPv6 Interface:
IPv6 Interface: [_Name_of_wan_interface+]
IPv6 Prefix ID: 1
(don't use 0 as I think that conflicts with the "wan/interface" IIRC)
[SAVE]
This should work if your hosts support SLAAC. Works for me on iphone/android/windows/linux/mac hosts just fine.
Be aware that the /59 that is assigned MAY CHANGE DYNAMICALLY. If you are trying to run static ip servers inside your lan on ipv6.....it doesn't work well because of the /59 that can change when your modem is replaced or your opnsense box reboots.
If the above doesn't work for basic ipv6 connectivity, please post your comcast modem/router model & firmware version and I may be able to assist further.
Also: don't forget to add lan firewall rules so that your computers with ipv6 addresses can contact the internet.
I just reformatted the firewall. At the beginning, before any configuration, WAN and LAN had appropriate IPv6. Comcast has said /54, /55, /56... it depends on where you are. I've tried all three. Now when I redo everything, it refuses to work with any /number. Comcast of course says it's on my end, which I agree with. Like I said, Linux firewalls work fine without any tweaking: I set the prefix size and it just works. For some reason OPNsense just refuses.
So, case in point: if I turn track interface off, the WAN will get an IPv6 /128 on the interface.
Then if I set the prefix to 56 and add track 6 on the internal VLAN interface... using 0x0... and... nothing.
Applying interface changes I give up on after more than two minutes of it thinking. This behavior has been consistent across different hardware devices, so it's not the hardware. Right now I have the prefix set to /56 and the physical LAN interface says the following:
1000baseT <full-duplex> 192.168.255.1
track6
It refuses to grant a subnet once the system has the VLAN interfaces added. Any ideas? I've been digging around but I cannot find a reason why OPNsense refuses to do IPv6 at all.
I set up my WAN with a /60, prefix hint and DHCPv6. Someone suggested consumer IPv6 only gets /60 not /64 like the commercial accounts. I've set up my LAN interface to track the WAN interface and set the IPv6 Prefix ID to 1 for the first interface (and 2 for the second LAN). Now I have IPv6 addresses on both interfaces. But I'm a bit confused as the networks don't match the WAN interface or the dhcp6dump interface. I have 2001:... on the WAN and in the dump. But I have 2601:... on the LANs. Hmm, they do belong to Comcast (my ISP) so that checks. But when I attempt to ping6 google.com from the LAN hosts, it stops at the router's LAN interface (I used traceroute6 to figure that out). Now I'm stuck, but at a new place.
You cannot set up an interface with /60 in IPv6. All interfaces are /64. Always. You might get a /60 (I get a /56) via prefix delegation but you can only use individual /64s out of that range on your interfaces.
I would check with the support of your provider what exactly they do. Guesswork will not help, there will be one and only one working configuration for any particular ISP.
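The relationship described above, where a delegated prefix is only ever used as individual /64s selected by the "IPv6 Prefix ID", worked through as an added example (not code from the thread or from OPNsense). The prefixes are constructed from the 2001:db8::/32 documentation range, and `lan_subnet` and `plan` are hypothetical helper names.

```python
import ipaddress


def lan_subnet(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 a tracking interface would use for a given prefix ID."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot be split into /64s")
    id_bits = 64 - pd.prefixlen          # /59 -> 5 bits, /60 -> 4, /56 -> 8
    max_id = (1 << id_bits) - 1
    if not 0 <= prefix_id <= max_id:
        raise ValueError(
            f"prefix ID {prefix_id:#x} out of range for /{pd.prefixlen} "
            f"(valid: 0x0..{max_id:#x})"
        )
    # The prefix ID fills the bits between the delegation length and bit 64.
    base = int(pd.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << 64), 64))


def plan(delegated: str, ids: dict) -> dict:
    """Map interface name -> /64, rejecting two interfaces sharing one ID."""
    owner = {}
    result = {}
    for name, pid in ids.items():
        if pid in owner:
            raise ValueError(
                f"{name} and {owner[pid]} both use prefix ID {pid:#x}"
            )
        owner[pid] = name
        result[name] = lan_subnet(delegated, pid)
    return result


if __name__ == "__main__":
    # Constructed sample: a /59 delegation with two tracking interfaces.
    for name, net in plan("2001:db8:abcd:20::/59", {"LAN": 1, "VLAN10": 2}).items():
        print(f"{name:8} {net}")
    # A WAN /128 does not have to fall inside the delegated prefix.
    wan = ipaddress.IPv6Address("2001:db8:ffff::1")
    print(wan in ipaddress.IPv6Network("2001:db8:abcd:20::/59"))
```

A /59 leaves 32 usable IDs and a /60 leaves 16, so an ID that is valid for one delegation size can fall out of range when the ISP hands back a smaller one.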
Quote from: pmhausen on March 05, 2022, 08:21:29 AM
You cannot set up an interface with /60 in IPv6. All interfaces are /64. Always. You might get a /60 (I get a /56) via prefix delegation but you can only use individual /64s out of that range on your interfaces.
Ah, sorry, poorly worded on my part.
On the WAN interface I set "Prefix delegation size" to /60. But WAN will get a /128, the LANs (which are tracking the WAN) will get /64.
And now the really strange part, routing is working! I have at least 2 of my servers able to reach IPv6 and the IPv6 test site (ipv6-test.com). I need to work on a third. I have to turn off IPv6 on a third server as it was having issues with IPv6. :-)
except my internal interfaces get....nothing. I have noticed when I switch modems the BSD based firewalls then do ipv6 correctly but then I lose connectivity every 3-5 minutes for about 5-20 seconds. When I plug a laptop or desktop directly into the modem however everything works fine. it's only opn(and PF)sense that have this weird behavior. This latest version it went from partially working to nothing at all.
Most ISPs that use DHCP6 only provide a /128 on the WAN, that is if they even provide a GUA address at all, some will not even provide that, instead relying on a link-local address between your WAN and the ISP BNG. Routing will still work as Opnsense uses the default route via the WAN interface, even if it is link-local, to route packets out to the ISP BNG. Therefore do not assume you will always see a GUA address on the WAN.
Quote from: marjohn56 on March 06, 2022, 11:48:21 AM
Most ISPs that use DHCP6 only provide a /128 on the WAN, that is if they even provide a GUA address at all, some will not even provide that, instead relying on a link-local address between your WAN and the ISP BNG. Routing will still work as Opnsense uses the default route via the WAN interface, even if it is link-local, to route packets out to the ISP BNG. Therefore do not assume you will always see a GUA address on the WAN.
BNG - What is that? Sorry this level of IPv6 is new to me.
GUA - Global Unique Address.
I am fortunate, I now have a GUA and I do see Opnsense using the link-local as the default route. Not sure what issue hescominsoon is running into.
Quote from: linuxha on March 06, 2022, 02:41:30 PM
BNG - What is that? Sorry this level of IPv6 is new to me.
Broadband Network Gateway
Thanks :-)
Quote from: hescominsoon on March 04, 2022, 09:12:00 PM
... then if i set the prefix to 56 and add track 6 on the internal vlan interface...using 0x0..and...nothing. ...
@hescominsoon, did you try 0x1 instead of 0x0? I had to change mine on each interface. 0x0 didn't work for me. I incremented for each LAN I added under IPv6.
Quote from: hescominsoon on March 06, 2022, 02:05:21 AM
except my internal interfaces get....nothing. I have noticed when I switch modems the BSD based firewalls then do ipv6 correctly but then I lose connectivity every 3-5 minutes for about 5-20 seconds. When I plug a laptop or desktop directly into the modem however everything works fine. it's only opn(and PF)sense that have this weird behavior. This latest version it went from partially working to nothing at all.
If you are on comcast business, and have static /56, one of the /64's is going to be on your wan interface. Try requesting /59 on your wan interface, and then try assigning 0x1 to one of your internal interfaces and "track interface" of your wan connection. This is working for me.
Quote from: linuxha on March 06, 2022, 06:28:40 PM
Quote from: hescominsoon on March 04, 2022, 09:12:00 PM
... then if i set the prefix to 56 and add track 6 on the internal vlan interface...using 0x0..and...nothing. ...
@hescominsoon, did you try 0x1 instead of 0x0? I had to change mine on each interface. 0x0 didn't work for me. I incremented for each LAN I added under IPv6.
The 0 offset (0x0) won't work because that is on your WAN interface, afaik.
It depends on the modem's choice for that matter. From experience it seems to be better to not request an address for WAN, which may or may not give you a separate GUA (via SLAAC) from a router subnet not delegated further. So you are free to use the full prefix delegation range to delegate yourself.
Cheers,
Franco
Quote from: 5SpeedFun on March 11, 2022, 04:15:46 AM
Quote from: hescominsoon on March 06, 2022, 02:05:21 AM
except my internal interfaces get....nothing. I have noticed when I switch modems the BSD based firewalls then do ipv6 correctly but then I lose connectivity every 3-5 minutes for about 5-20 seconds. When I plug a laptop or desktop directly into the modem however everything works fine. it's only opn(and PF)sense that have this weird behavior. This latest version it went from partially working to nothing at all.
If you are on comcast business, and have static /56, one of the /64's is going to be on your wan interface. Try requesting /59 on your wan interface, and then try assigning 0x1 to one of your internal interfaces and "track interface" of your wan connection. This is working for me.
Yeppers, tried all of this... started at 1 instead of zero and counted up... zero IPv6 on internal. If I reformat the machine and leave it at defaults (so no VLANs, only the WAN and LAN at defaults) then IPv6 works for the WAN and LAN. As I noted, I have seen this on both OPNsense and pfSense.
Quote from: 5SpeedFun on March 11, 2022, 04:15:46 AM
Quote from: hescominsoon on March 06, 2022, 02:05:21 AM
except my internal interfaces get....nothing. I have noticed when I switch modems the BSD based firewalls then do ipv6 correctly but then I lose connectivity every 3-5 minutes for about 5-20 seconds. When I plug a laptop or desktop directly into the modem however everything works fine. it's only opn(and PF)sense that have this weird behavior. This latest version it went from partially working to nothing at all.
If you are on comcast business, and have static /56, one of the /64's is going to be on your wan interface. Try requesting /59 on your wan interface, and then try assigning 0x1 to one of your internal interfaces and "track interface" of your wan connection. This is working for me.
static ipv6 in my area with comcrap business doesn't work due to known firmware issues with their CPE in my area: https://etc-md.com/2021/07/28/the-comcast-business-ipv6-issue-resolved/
Also Comcast is now requiring you use their CPE for ALL installs or they charge you what's known as the rack rate, which is roughly double what you'll pay under a "promotion".
I fixed my issue, where I was receiving IPv6 addresses but not actually able to reach the internet with IPv6.
Created a new firewall rule on the LAN,
Address: IPv4 + IPv6
Action: Pass
Direction: In
Source: LAN Net
Destination: LAN Address
Rebooted, and clients are now working on IPv6.
Makes me think there was a firewall generation/compatibility issue with 21.7 -> 22.1, as I'm using my config from 21.7 and experiencing this issue.
Quote from: zneaks on March 20, 2022, 01:00:07 PM
Created a new firewall rule on the LAN,
Address: IPv4 + IPv6
Action: Pass
Direction: In
Source: LAN Net
Destination: LAN Address
That's a typical rule you need when you set your policy based routing too coarsely.
Cheers,
Franco
Quote from: hescominsoon on March 18, 2022, 04:48:00 AM
Quote from: 5SpeedFun on March 11, 2022, 04:15:46 AM
Quote from: hescominsoon on March 06, 2022, 02:05:21 AM
except my internal interfaces get....nothing. I have noticed when I switch modems the BSD based firewalls then do ipv6 correctly but then I lose connectivity every 3-5 minutes for about 5-20 seconds. When I plug a laptop or desktop directly into the modem however everything works fine. it's only opn(and PF)sense that have this weird behavior. This latest version it went from partially working to nothing at all.
If you are on comcast business, and have static /56, one of the /64's is going to be on your wan interface. Try requesting /59 on your wan interface, and then try assigning 0x1 to one of your internal interfaces and "track interface" of your wan connection. This is working for me.
static ipv6 in my area with comcrap business doesn't work due to known firmware issues with their CPE in my area: https://etc-md.com/2021/07/28/the-comcast-business-ipv6-issue-resolved/
Also Comcast is now requiring you use their CPE for ALL installs or they charge you what's known as the rack rate, which is roughly double what you'll pay under a "promotion".
If you want to ping me out of band, I have had major issues with Comcast CPE as well and I finally have it (mostly) working. If you want to PM me, maybe we could compare notes, firmwares, etc.? I started a bunch of threads over at Comcast Business on static IP issues. I have no choice of other provider, so I run an he.net tunnel (6-in-4) as a workaround for my servers, but have my local (non-server) clients on Comcast and it seems to work OK, although I haven't had this config long. I did have MAJOR issues with IPv6 up until recently, until I had support disable Comcast SecurityEdge, which the level 2 techs on the phone (I had to get a callback) told me was broken.
Quote from: franco on March 21, 2022, 08:04:15 AM
Quote from: zneaks on March 20, 2022, 01:00:07 PM
Created a new firewall rule on the LAN,
Address: IPv4 + IPv6
Action: Pass
Direction: In
Source: LAN Net
Destination: LAN Address
That's a typical rule you need when you set your policy based routing too coarsely.
Cheers,
Franco
I have allow all rules, I don't block anything ;D and it still wasn't working.
My Allow All Rule:
Address: IPv4 + IPv6
Action: Pass
Direction: In
Source: LAN Net
Destination: *
With this rule, IPv6 still wasn't working until I created the below rule:
Address: IPv4 + IPv6
Action: Pass
Direction: In
Source: LAN Net
Destination: LAN Address
Yes, but do you have gateways assigned to the rules? Maybe even a floating rule.
Cheers,
Franco
Quote from: 5SpeedFun on March 11, 2022, 04:15:46 AM
Quote from: hescominsoon on March 06, 2022, 02:05:21 AM
except my internal interfaces get....nothing. I have noticed when I switch modems the BSD based firewalls then do ipv6 correctly but then I lose connectivity every 3-5 minutes for about 5-20 seconds. When I plug a laptop or desktop directly into the modem however everything works fine. it's only opn(and PF)sense that have this weird behavior. This latest version it went from partially working to nothing at all.
If you are on comcast business, and have static /56, one of the /64's is going to be on your wan interface. Try requesting /59 on your wan interface, and then try assigning 0x1 to one of your internal interfaces and "track interface" of your wan connection. This is working for me.
Yeppers, tried that... no dice with the latest version. My IPv6 is dynamic, but again it works fine if I plug a machine directly into the cable modem, and my Linux-based firewalls work fine. It's only OPNsense that is having this issue.