Hi,
I have some IPv6 routing problems ...
my OPNsense is sitting behind a Fritz!Box, IP connectivity is served from a VDSL260 German telecom link, IPv4 and native IPv6:
the OPNsense box is configured as "exposed host" (i.e. the Fritz!Box does not filter anything, but just forwards everything incoming to OPNsense)
On the Fritz!Box, IPv6 is activated:
DNS-Server/DHCPv6 Server, prefix (IA_PD) and IPv6 addresses are assigned (IA_NA) to clients
there is a /64 network delegated to the LAN
router priority is set to 255 (max)
OPNsense
the WAN interface of OPNsense is connected to the LAN interface of the Fritz!Box
the WAN interface uses DHCPv6 with "Basic" configuration
the interface does get an IPv6 address
WAN 1000baseT <full-duplex> 192.168.178.3
xxxx:xx:xxxx:xxxx:2a8:2cff:fe68:e3e7
The LAN interface is set to "track interface" for IPv6 (track the WAN interface)
it does get an IPv6 address as well
igb0: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: LAN
options=4900028<VLAN_MTU,JUMBO_MTU,NETMAP,NOMAP>
ether 00:a8:2c:68:e3:e6
inet6 fe80::2a8:2cff:fe68:e3e6%igb0 prefixlen 64 scopeid 0x1
inet6 xxxx:xx:xxxx:be81:2a8:2cff:fe68:e3e6 prefixlen 64
inet 192.168.80.2 netmask 0xffffff00 broadcast 192.168.80.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Manual configuration Allow manual adjustment of DHCPv6 and Router Advertisements is activated
the router advertisement daemon is running on the LAN, I tried
"Unmanaged" and "Assisted", with the same routing problem
when set to Unmanaged, the hosts in the LAN network do get IPv6 addresses from the correct (delegated) subnet:
e.g.
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:a0:98:0c:5c:d5 brd ff:ff:ff:ff:ff:ff
altname enp0s3
inet 192.168.80.29/24 brd 192.168.80.255 scope global dynamic noprefixroute ens3
valid_lft 6608sec preferred_lft 6608sec
inet6 xxxx:xx:773c:be81:ccbe:498f:b967:91d9/64 scope global temporary deprecated dynamic
valid_lft 6821sec preferred_lft 0sec
inet6 xxxx:xx:773c:be81:2a0:98ff:fe0c:5cd5/64 scope global deprecated dynamic mngtmpaddr noprefixroute
valid_lft 6821sec preferred_lft 0sec
inet6 fe80::2a0:98ff:fe0c:5cd5/64 scope link noprefixroute
valid_lft forever preferred_lft forever
they can ping the LAN side of the OPNsense
but: they cannot ping the WAN side of the OPNsense box
and of course they cannot ping the Fritz!Box or any other external host.
the DNS resolution works though
christian@debmatic:~$ ping -6 www.heise.de
PING www.heise.de(www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85)) 56 data bytes
christian@debmatic:~$ traceroute -6 www.heise.de
traceroute to www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85), 30 hops max, 80 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
Routing on the hosts in the LAN net is
christian@debmatic:~$ ip -6 r
xxxx:xx:773c:be81::/64 dev ens3 proto ra metric 100 pref medium
fe80::/64 dev ens3 proto kernel metric 100 pref medium
default via fe80::2a8:2cff:fe68:e3e6 dev ens3 proto ra metric 100 pref high
so clearly, there is something wrong on the OPNsense box.
But what?
The firewall rules on the LAN interface say that all outbound IPv6 traffic is allowed.
Firewall -> Rules -> LAN
IPv6 * LAN net * * * * * Default allow LAN IPv6 to any rule
IPv6 * LAN address * * * * * Default allow LAN IPv6 to any rule
netstat -r -n on OPNsense:
Internet6:
Destination Gateway Flags Netif Expire
default fe80::9a9b:cbff:fe08:3ca0%igb1 UG igb1
::1 link#7 UHS lo0
2003:ce:773c:be00::/64 link#2 U igb1
2003:ce:773c:be00:2a8:2cff:fe68:e3e7 link#2 UHS lo0
2003:ce:773c:be80::/64 link#3 U igb2
2003:ce:773c:be80:2a8:2cff:fe68:e3e8 link#3 UHS lo0
2003:ce:773c:be81::/64 link#1 U igb0
2003:ce:773c:be81:2a8:2cff:fe68:e3e6 link#1 UHS lo0
2003:ce:773c:be82::/64 link#11 U run0_wla
2003:ce:773c:be82:1e4b:d6ff:fe7d:81e0 link#11 UHS lo0
2a01:4f8:161:83d1::/64 link#18 US ovpnc4
2a01:4f8:161:83d1:cccc::/112 link#18 U ovpnc4
2a01:4f8:161:83d1:cccc::2 link#18 UHS lo0
fd10::/64 link#19 U ovpns2
fd10::1 link#19 UHS lo0
fd11::/64 link#17 U ovpns3
fd11::1 link#17 UHS lo0
fe80::%igb0/64 link#1 U igb0
fe80::2a8:2cff:fe68:e3e6%igb0 link#1 UHS lo0
fe80::%igb1/64 link#2 U igb1
fe80::2a8:2cff:fe68:e3e7%igb1 link#2 UHS lo0
fe80::%igb2/64 link#3 U igb2
fe80::2a8:2cff:fe68:e3e8%igb2 link#3 UHS lo0
fe80::%lo0/64 link#7 U lo0
fe80::1%lo0 link#7 UHS lo0
fe80::%run0_wlan1/64 link#11 U run0_wla
fe80::1e4b:d6ff:fe7d:81e0%run0_wlan1 link#11 UHS lo0
fe80::%ovpns3/64 link#17 U ovpns3
fe80::2a8:2cff:fe68:e3e6%ovpns3 link#17 UHS lo0
fe80::%ovpnc4/64 link#18 U ovpnc4
fe80::2a8:2cff:fe68:e3e6%ovpnc4 link#18 UHS lo0
fe80::%ovpns2/64 link#19 U ovpns2
fe80::2a8:2cff:fe68:e3e6%ovpns2 link#19 UHS lo0
igb1 is the WAN interface
the OPNsense box itself can reach outside IPv6 hosts:
[cbadmin@OPNsense ~]$ ping -6 www.heise.de
PING6(56=40+8+8 bytes) 2003:ce:773c:be00:2a8:2cff:fe68:e3e7 --> 2a02:2e0:3fe:1001:7777:772e:2:85
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=0 hlim=57 time=9.083 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=1 hlim=57 time=8.620 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=2 hlim=57 time=8.865 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=3 hlim=57 time=9.097 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=4 hlim=57 time=8.651 ms
^C
--- www.heise.de ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 8.620/8.863/9.097/0.204 ms
What am I doing wrong?
What do I miss here?
A bit unsure of your setup, due to the router you have etc.
But not sure you can do what you're doing with only a /64 subnet.
The reason I think this is because your router, OPNsense and LAN network would all be on the same subnet.
I think you need a /56 from your provider and divide this down into /64 networks
Chris
Good hint, Thanks!
But: I can't get a /65 from my provider, no way.
Obviously, I'm free to split the given /64 into smaller chunks internally, but at the moment, I don't know how to do that in OPNsense.
Setup is
VDSL250 (Dt. Telekom) --> Fritz!Box 7530 as DSL-Modem/Router with
1. Link ("exposed host", everything is forwarded IPv4, /64 subnet IPv6) -> OPNsense
2. Link -> WLAN (if activated) -> /64 subnet IPv6
3. Link -> guest WLAN, (if activated) /64 IPv6
- router advertisement active
fritzbox is default gateway to the internet
preference value in router advertisement: high
DNSv6 via router advertisement (RFC 5006): yes
DHCPv6 server active: yes
DNS server, prefix (IA_PD) and IPv6 address (IA_NA)
preference value DHCPv6 server: 255
IPv6 prefixes in use:
- OPNSense: 2003:ce:773c:be00::/64
Guest-net 2003:ce:773c:be01::/64
WAN 2003:ce:77ff:3cef::/64
So the OPNsense receives one /64 prefix. This cannot be changed
OPNsense then has three interfaces + a few VPN tunnels
1) LAN (physical interface, connected to 48 port switch, port-based VLAN on that)
2) WLAN (physical Ethernet interface, connected to same switch, different VLAN (port based and tagged), OPNsense does not see the VLANs)
3) built-in access point for management WLAN only
4) 2 OpenVPN server interfaces, one Wireguard server interface
5) one OpenVPN client interface (gets a different IPv6 network prefix from the server)
So these interfaces 1, 2 and 3 would need smaller networks than /64, as /64 is the maximum I can get from upstream.
Question:
how do I configure that on OPNsense? and where in the UI?
> Obviously, I'm free to split the given /64 into smaller chunks internally
No, you are not. A /64 is the smallest prefix in IPv6. You need exactly one /64 for each interface/network. All neighbor discovery and autoconfiguration mechanisms depend on that size.
Hi,
as pmhausen already mentioned, the smallest IPv6 prefix is /64. And I am sure you got a bigger prefix than /64 from your ISP. You can check that in the Fritz!Box in the menu
Internet > Online-Monitor. It will tell you since when you are connected, what IPv6 address the Fritz!Box has on its WAN and the IPv6 prefix including its size.
You can select the Prefix size the Fritz!Box requests from the ISP in the Menu
Internet > Zugangsart. Below
Verbindungseinstellung should be the checkbox
Bestimmte Länge für das LAN-Präfix anfordern. If checked, you can then type in the prefix size. The input field might be a little bit short for showing the content, but you can edit it. The availability of the checkbox might depend on the Fritz OS release and on whether the box is your own or one provided by your ISP.
You already set the Fritz!Box to work as DHCPv6 server and to provide an IPv6 prefix (IA_PD). If you are using exposed host in the Fritz!Box this is needed.
For IPv6 to work behind the OPNsense you need the following:
- The OPNsense must ask the Fritz!Box for a prefix delegation
- The OPNsense must split the prefix delegation across its client networks
You need to set the WAN in the OPNsense to get its address via DHCPv6, which I assume you already did. In the WAN interface settings you then need to set the prefix delegation size which the OPNsense should request from the Fritz!Box. This prefix delegation size must be at least one smaller than the one in the Online-Monitor of the Fritz!Box. If the Fritz!Box has e.g. /59 you should use /60 or /61. The bigger you can choose the better. If the prefix size in the Fritz!Box is just /62, then you should try to increase the requested one in the Fritz!Box.
In the LAN and all other interfaces you set the IPv6 configuration to Track interface and select a unique prefix ID. The maximum prefix ID you can select depends on the prefix delegation size you selected in the WAN interface on the OPNsense. None of your devices in the LAN and the other networks behind the OPNsense is allowed to use an IPv6 address from the Fritz!Box LAN and guest net.
In the German forum somebody had a similar issue (https://forum.opnsense.org/index.php?topic=30902.msg148992#msg148992).
KH
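An added worked example (written for this edit; not code from the thread, from OPNsense or from AVM) of the prefix-delegation arithmetic KH describes: which delegation size OPNsense may request from a Fritz!Box that itself holds a /56, how many prefix IDs a given delegation size allows, which /64 each tracked interface should end up with, and whether any of them collides with the Fritz!Box home or guest net. The upstream /56, the requested /57, the Fritz!Box home and guest prefixes and the prefix IDs are the values reported in this thread; the exact /57 assumed to be delegated to OPNsense (2003:ce:773c:be80::/57) is an assumption reconstructed from the interface addresses posted later in the thread.

```python
import ipaddress

# Constructed example values from the thread's reported setup.
ISP_PREFIX_LEN = 56                            # Fritz!Box holds 2003:ce:773c:be00::/56
REQUESTED_LEN = 57                             # delegation size OPNsense WAN asks for
DELEGATED = "2003:ce:773c:be80::/57"           # ASSUMED delegation handed to OPNsense
FRITZBOX_LAN = "2003:ce:7731:a300::/64"        # Fritz!Box "Heimnetz"
FRITZBOX_GUEST = "2003:ce:7731:a301::/64"      # Fritz!Box "Gastnetz"
TRACKED_IDS = {"LAN": 1, "WLAN": 3, "AP": 2}   # prefix IDs configured on OPNsense


def requested_size_ok(upstream_len: int, requested_len: int) -> bool:
    """A downstream router can only be handed a piece of the upstream prefix:
    the requested length must be strictly longer (a smaller block) than what the
    Fritz!Box holds, and no longer than /64, the smallest prefix SLAAC/ND works with."""
    return upstream_len < requested_len <= 64


def max_prefix_id(delegated_len: int, subnet_len: int = 64) -> int:
    """Highest prefix ID available when a /delegated_len is carved into /subnet_len nets."""
    if delegated_len > subnet_len:
        raise ValueError(f"/{delegated_len} cannot be split into /{subnet_len} networks")
    return (1 << (subnet_len - delegated_len)) - 1


def tracked_subnet(delegated: str, prefix_id: int, subnet_len: int = 64) -> ipaddress.IPv6Network:
    """The /64 a 'track interface' interface with this prefix ID should receive:
    the delegation's network address plus prefix_id shifted into the subnet bits."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    limit = max_prefix_id(net.prefixlen, subnet_len)
    if not 0 <= prefix_id <= limit:
        raise ValueError(f"prefix ID {prefix_id} outside 0..{limit} for {net}")
    base = int(net.network_address) + (prefix_id << (128 - subnet_len))
    return ipaddress.IPv6Network((base, subnet_len))


def clashes_with_fritzbox(subnet) -> bool:
    """True if the subnet overlaps a network the Fritz!Box itself uses (not allowed)."""
    subnet = ipaddress.IPv6Network(str(subnet))
    return any(subnet.overlaps(ipaddress.IPv6Network(n)) for n in (FRITZBOX_LAN, FRITZBOX_GUEST))


def plan(delegated: str, ids: dict) -> dict:
    """Map each tracked interface name to the /64 it is expected to get."""
    return {name: tracked_subnet(delegated, pid) for name, pid in ids.items()}


if __name__ == "__main__":
    ok = requested_size_ok(ISP_PREFIX_LEN, REQUESTED_LEN)
    print(f"request /{REQUESTED_LEN} from a /{ISP_PREFIX_LEN} upstream: {'ok' if ok else 'NOT allowed'}")
    print(f"max prefix ID for a /{REQUESTED_LEN}: {max_prefix_id(REQUESTED_LEN)}")
    for name, net in plan(DELEGATED, TRACKED_IDS).items():
        flag = "  (clashes with a Fritz!Box net)" if clashes_with_fritzbox(net) else ""
        print(f"{name:5s} ID {TRACKED_IDS[name]} -> {net}{flag}")
```

Run as a script it prints the expected /64 per interface; the same functions can be pointed at any other delegation size (a /62, for instance, allows prefix IDs 0 to 3) to see what the tracked interfaces should receive before comparing against what ifconfig actually shows.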
Thanks!
OK, I checked the settings .. and... it does not do what it should;
Fritzbox:
Internet, IPv6
verbunden seit 18.09.2022, 04:13 Uhr, Telekom, Geschwindigkeit des Internetzugangs (verfügbare Bitrate): ↓ 251,6 Mbit/s ↑ 41,5 Mbit/s,
IPv6-Adresse: 2003:ce:77ff:3cef:9a9b:cbff:fe08:3c9d, Gültigkeit: 13891/1291s,
IPv6-Präfix: 2003:ce:773c:be00::/56, Gültigkeit: 13685/1085s
Verwendete IPv6 Präfixe:
Heimnetz 2003:ce:7731:a300::/64
Gastnetz 2003:ce:7731:a301::/64
WAN 2003:ce:77ff:31d2::/64
Portfreigabe
aktiv, 1 Portfreigabe eingerichtet
Exposed Host '192.168.178.3, ::2a8:2cff:fe68:e3e7' aktiviert
WAN on OPNsense is set to DHCPv6
Prefix delegation size is set to 57
Send IPv6 prefix hint is activated
on LAN, Track interface is on WAN, PrefixID = 1
on WLAN (OPT1): Track interface is on WAN , Prefix ID = 3
on AP, Track Interface is on WAN, ID = 2
WAN interface on OPNsense:
igb1: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: WAN
options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
ether 00:a8:2c:68:e3:e7
inet6 fe80::2a8:2cff:fe68:e3e7%igb1 prefixlen 64 scopeid 0x2
inet6 2003:ce:773c:be00:2a8:2cff:fe68:e3e7 prefixlen 128
inet6 fd00::2a8:2cff:fe68:e3e7 prefixlen 64 deprecated autoconf
inet6 2003:ce:7731:a300:2a8:2cff:fe68:e3e7 prefixlen 64 autoconf
inet 192.168.178.3 netmask 0xffffff00 broadcast 192.168.178.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
LAN interface
igb0: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: LAN
options=4900028<VLAN_MTU,JUMBO_MTU,NETMAP,NOMAP>
ether 00:a8:2c:68:e3:e6
inet6 fe80::2a8:2cff:fe68:e3e6%igb0 prefixlen 64 scopeid 0x1
inet6 2003:ce:773c:be81:2a8:2cff:fe68:e3e6 prefixlen 64
inet 192.168.80.2 netmask 0xffffff00 broadcast 192.168.80.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
WLAN interface
igb2: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: WLAN
options=4900028<VLAN_MTU,JUMBO_MTU,NETMAP,NOMAP>
ether 00:a8:2c:68:e3:e8
inet6 fe80::2a8:2cff:fe68:e3e8%igb2 prefixlen 64 scopeid 0x3
inet6 2003:ce:773c:be80:2a8:2cff:fe68:e3e8 prefixlen 64
inet 192.168.81.2 netmask 0xffffff00 broadcast 192.168.81.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
or, in the GUI interface overview:
WAN
IPv6 link-local fe80::2a8:2cff:fe68:e3e7/64
IPv6 address 2003:ce:773c:be00:2a8:2cff:fe68:e3e7/128
fd00::2a8:2cff:fe68:e3e7/64 deprecated
2003:ce:7731:a300:2a8:2cff:fe68:e3e7/64
LAN:
IPv6 link-local fe80::2a8:2cff:fe68:e3e6/64
IPv6 address 2003:ce:773c:be81:2a8:2cff:fe68:e3e6/64
WLAN
IPv6 link-local fe80::2a8:2cff:fe68:e3e8/64
IPv6 address 2003:ce:773c:be80:2a8:2cff:fe68:e3e8/64
AP
IPv6 address 2003:ce:773c:be82:1e4b:d6ff:fe7d:81e0/64
example PC in LAN:
ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:a0:98:0c:5c:d5 brd ff:ff:ff:ff:ff:ff
altname enp0s3
inet 192.168.80.29/24 brd 192.168.80.255 scope global dynamic noprefixroute ens3
valid_lft 6541sec preferred_lft 6541sec
inet6 2003:ce:773c:be81:c199:8655:41bf:6729/64 scope global temporary dynamic
valid_lft 86158sec preferred_lft 2626sec
inet6 2003:ce:773c:be81:670:91e:68d0:9fa/64 scope global temporary deprecated dynamic
valid_lft 86158sec preferred_lft 0sec
inet6 2003:ce:773c:be81:133c:75e4:3833:e383/64 scope global temporary deprecated dynamic
valid_lft 86158sec preferred_lft 0sec
inet6 2003:ce:773c:be81:2a0:98ff:fe0c:5cd5/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 86158sec preferred_lft 14158sec
inet6 fe80::2a0:98ff:fe0c:5cd5/64 scope link noprefixroute
valid_lft forever preferred_lft forever
for me, that looks exactly as you described it:
Fritzbox gets a /56 from the ISP
- OPNsense requests a /57
- OPNsense WAN has an address in the "homenet" of Fritzbox and a different /64 net
- LAN, WLAN and AP have their own PrefixID and all of them get their own /64 net which is different from the Fritzbox "homenet"
- PC in the LAN net gets addresses from the /64 net of the LAN interface
and still no PC on LAN can reach any external IPv6 host, only the LAN interface of OPNsense
christian@debmatic:~$ ping -6 www.heise.de
PING www.heise.de(www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85)) 56 data bytes
^C
--- www.heise.de ping statistics ---
44 packets transmitted, 0 received, 100% packet loss, time 44042ms
christian@debmatic:~$
so - it's not the IPv6 configuration itself, I guess. The router advertisement daemon is running on OPNsense.
routing on PC
christian@debmatic:~$ ip -6 r
2003:ce:773c:be81::/64 dev ens3 proto ra metric 100 pref medium
fe80::/64 dev ens3 proto kernel metric 100 pref medium
default via fe80::2a8:2cff:fe68:e3e6 dev ens3 proto ra metric 100 pref high
christian@debmatic:~$
so the default route is the LAN interface of OPNsense
inet6 fe80::2a8:2cff:fe68:e3e6%igb0 prefixlen 64 scopeid 0x1
which seems to be what it should be
routing on OPNsense is
[cbadmin@OPNsense ~]$ netstat -r -6 -n
Routing tables
Internet6:
Destination Gateway Flags Netif Expire
default fe80::9a9b:cbff:fe08:3ca0%igb1 UG igb1
::1 link#7 UHS lo0
2003:ce:7731:a300::/64 link#2 U igb1
2003:ce:7731:a300:2a8:2cff:fe68:e3e7 link#2 UHS lo0
2003:ce:773c:be00::/64 link#2 U igb1
2003:ce:773c:be00:2a8:2cff:fe68:e3e7 link#2 UHS lo0
2003:ce:773c:be80::/64 link#3 U igb2
2003:ce:773c:be80:2a8:2cff:fe68:e3e8 link#3 UHS lo0
2003:ce:773c:be81::/64 link#1 U igb0
2003:ce:773c:be81:2a8:2cff:fe68:e3e6 link#1 UHS lo0
2003:ce:773c:be82::/64 link#11 U run0_wla
2003:ce:773c:be82:1e4b:d6ff:fe7d:81e0 link#11 UHS lo0
2a01:4f8:161:83d1::/64 link#18 US ovpnc4
2a01:4f8:161:83d1:cccc::/112 link#18 U ovpnc4
2a01:4f8:161:83d1:cccc::2 link#18 UHS lo0
fd00::/64 link#2 U igb1
fd00::2a8:2cff:fe68:e3e7 link#2 UHS lo0
fd10::/64 link#19 U ovpns2
fd10::1 link#19 UHS lo0
fd11::/64 link#17 U ovpns3
fd11::1 link#17 UHS lo0
fe80::%igb0/64 link#1 U igb0
fe80::2a8:2cff:fe68:e3e6%igb0 link#1 UHS lo0
fe80::%igb1/64 link#2 U igb1
fe80::2a8:2cff:fe68:e3e7%igb1 link#2 UHS lo0
fe80::%igb2/64 link#3 U igb2
fe80::2a8:2cff:fe68:e3e8%igb2 link#3 UHS lo0
fe80::%lo0/64 link#7 U lo0
fe80::1%lo0 link#7 UHS lo0
fe80::%run0_wlan1/64 link#11 U run0_wla
fe80::1e4b:d6ff:fe7d:81e0%run0_wlan1 link#11 UHS lo0
fe80::%ovpns3/64 link#17 U ovpns3
fe80::2a8:2cff:fe68:e3e6%ovpns3 link#17 UHS lo0
fe80::%ovpnc4/64 link#18 U ovpnc4
fe80::2a8:2cff:fe68:e3e6%ovpnc4 link#18 UHS lo0
fe80::%ovpns2/64 link#19 U ovpns2
fe80::2a8:2cff:fe68:e3e6%ovpns2 link#19 UHS lo0
[cbadmin@OPNsense ~]$
which seems to be OK as well
the default route is
fe80::9a9b:cbff:fe08:3ca0
which is the link local address of the Fritz!Box as seen from OPNsense:
Unique Local Address Ihrer FRITZ!Box: fd00::9a9b:cbff:fe08:3ca0/64
the firewall logs show no reject/block
so, what's wrong?
I can't find anything :-(
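An added check (example code written for this edit, not from the thread or from OPNsense) that encodes the route-table reasoning in the post above: it parses the Linux `ip -6 r` output of the LAN host and the FreeBSD `netstat -r -6 -n` output of OPNsense and verifies the chain host default route -> OPNsense LAN link-local -> OPNsense default route via WAN. Both inputs are constructed here from the tables posted in this thread, trimmed to the lines the checks need; the interface names igb0 (LAN) and igb1 (WAN) are the ones reported above.

```python
import ipaddress

# Constructed sample: the LAN host's 'ip -6 r' output from the thread.
HOST_ROUTES = """\
2003:ce:773c:be81::/64 dev ens3 proto ra metric 100 pref medium
fe80::/64 dev ens3 proto kernel metric 100 pref medium
default via fe80::2a8:2cff:fe68:e3e6 dev ens3 proto ra metric 100 pref high
"""

# Constructed sample: the relevant body lines of OPNsense's 'netstat -r -6 -n'.
ROUTER_ROUTES = """\
default fe80::9a9b:cbff:fe08:3ca0%igb1 UG igb1
::1 link#7 UHS lo0
2003:ce:773c:be00::/64 link#2 U igb1
2003:ce:773c:be00:2a8:2cff:fe68:e3e7 link#2 UHS lo0
2003:ce:773c:be81::/64 link#1 U igb0
2003:ce:773c:be81:2a8:2cff:fe68:e3e6 link#1 UHS lo0
fe80::%igb0/64 link#1 U igb0
fe80::2a8:2cff:fe68:e3e6%igb0 link#1 UHS lo0
fe80::%igb1/64 link#2 U igb1
fe80::2a8:2cff:fe68:e3e7%igb1 link#2 UHS lo0
"""


def parse_linux_routes(text: str) -> list:
    """'ip -6 r' lines -> dicts with dest, via (None when on-link) and dev."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        routes.append({"dest": f[0],
                       "via": f[f.index("via") + 1] if "via" in f else None,
                       "dev": f[f.index("dev") + 1]})
    return routes


def parse_bsd_routes(text: str) -> list:
    """FreeBSD 'netstat -r -6 -n' body lines -> dicts with dest, gw, flags, netif."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4:
            continue
        routes.append({"dest": f[0], "gw": f[1], "flags": f[2], "netif": f[3]})
    return routes


def split_zone(addr: str):
    """'fe80::1%igb0' -> ('fe80::1', 'igb0'); without a zone -> (addr, None)."""
    a, _, zone = addr.partition("%")
    return a, (zone or None)


def check_chain(host_text: str, router_text: str, lan_if: str, wan_if: str) -> dict:
    host = parse_linux_routes(host_text)
    router = parse_bsd_routes(router_text)
    out = {}

    # 1. the LAN host learned a default route (from an RA)
    host_default = [r for r in host if r["dest"] == "default"]
    gw = host_default[0]["via"] if host_default else None
    out["host_has_default"] = gw is not None

    # 2. that next hop is a link-local address the router owns on its LAN interface;
    #    netstat lists own addresses as host routes (flag H) with the zone in the dest
    lan_ll = set()
    for r in router:
        addr, zone = split_zone(r["dest"])
        if zone == lan_if and "H" in r["flags"] and ipaddress.IPv6Address(addr).is_link_local:
            lan_ll.add(addr)
    out["gateway_is_router_lan_linklocal"] = gw in lan_ll

    # 3. every global prefix the host treats as on-link is directly connected on the router's LAN side
    host_prefixes = [r["dest"] for r in host
                     if r["dest"] != "default" and not ipaddress.IPv6Network(r["dest"]).is_link_local]
    connected = {(r["dest"], r["netif"]) for r in router if "/" in r["dest"] and "G" not in r["flags"]}
    out["host_prefix_connected_on_router"] = bool(host_prefixes) and all(
        (p, lan_if) in connected for p in host_prefixes)

    # 4. the router's own default route leaves via WAN towards a link-local next hop
    router_default = [r for r in router if r["dest"] == "default"]
    out["router_default_on_wan"] = (bool(router_default)
                                    and router_default[0]["netif"] == wan_if
                                    and ipaddress.IPv6Address(split_zone(router_default[0]["gw"])[0]).is_link_local)
    return out


if __name__ == "__main__":
    for name, ok in check_chain(HOST_ROUTES, ROUTER_ROUTES, "igb0", "igb1").items():
        print(f"{name:36s} {'ok' if ok else 'FAIL'}")
```

On the thread's data all four checks pass, which matches the poster's own conclusion that the layer-3 tables on both sides look right; what the script cannot see is whether the Fritz!Box actually routes the delegated prefix back to OPNsense, which is the part the next reply suggests changing.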
Try a /62 for the delegation size.
delegation size /62
in the Fritz!Box?
or on the OPNsense WAN interface?
OPNsense WAN.