Hi,
I installed OPNsense in a Proxmox VM with two interfaces, one WAN connected to a 5G router, the other LAN.
On the WAN side, I get a public IPv4 address and an IPv6 address via SLAAC (no DHCPv6 possible). The LAN interface is static IPv4 and "track WAN" for IPv6. Therefore, I get a /64 on the LAN side. The LAN clients receive a /64 via SLAAC and can ping each other via IPv4/IPv6. But I cannot ping the OPNsense VM or any host in the Internet via IPv6.
The neighbor solicitations are not answered by opnsense.
19:59:42.743631 IP6 xxxx:xxxx:xxxx:xxxx:5054:ff:fe21:d971 > ff02::1:ff21:d976: ICMP6, neighbor solicitation, who has xxxx:xxxx:xxxx:xxxx:5054:ff:fe21:d976, length 32
The client is xxxx:xxxx:xxxx:xxxx:5054:ff:fe21:d971, the opnsense WAN interface is xxxx:xxxx:xxxx:xxxx:5054:ff:fe21:d976
BTW, I can ping any host in the Internet via IPv6 from opnsense.
Could you give me some advice on what I could check?
Thanks a lot for your help.
Regards,
meiser
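As an added diagnostic example (not from the post above and not OPNsense code), the Python below parses a tcpdump neighbor-solicitation line of the kind shown, derives the solicited-node multicast group the target should map to (RFC 4291, section 2.7.1), and reports whether sender and target fall inside the same /64; when both do, the LAN client expects an on-link neighbor advertisement for the router's WAN address, which only an NDP proxy (RFC 7278) on the router can supply. The addresses and the LAN prefix are constructed sample values.

```python
import ipaddress
import re

# Constructed sample NS line in tcpdump's summary format (documentation prefix 2001:db8::/32).
SAMPLE_NS = ("19:59:42.743631 IP6 2001:db8:1:2:5054:ff:fe21:d971 > ff02::1:ff21:d976: ICMP6, "
             "neighbor solicitation, who has 2001:db8:1:2:5054:ff:fe21:d976, length 32")

NS_RE = re.compile(r"IP6 (\S+) > (\S+): ICMP6, neighbor solicitation, who has (\S+),")


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def parse_ns(line: str) -> dict:
    """Extract source, destination group and target from a tcpdump NS summary line."""
    m = NS_RE.search(line)
    if m is None:
        raise ValueError("not a neighbor solicitation summary line")
    src, dst, target = m.groups()
    return {"src": src, "dst": dst, "target": target}


def check_ns(line: str, lan_prefix: str) -> dict:
    """Sanity-check one NS against the LAN /64 the clients were given via SLAAC."""
    ns = parse_ns(line)
    lan = ipaddress.IPv6Network(lan_prefix)
    expected_group = solicited_node_multicast(ns["target"])
    sender_on_lan = ipaddress.IPv6Address(ns["src"]) in lan
    target_on_lan = ipaddress.IPv6Address(ns["target"]) in lan
    return {
        # False here means the client is soliciting the wrong multicast group.
        "group_matches_target": ipaddress.IPv6Address(ns["dst"]) == expected_group,
        "expected_group": str(expected_group),
        "sender_on_lan": sender_on_lan,
        "target_on_lan": target_on_lan,
        # Both in the same /64: the client expects an on-link NA, so the router must
        # answer for its WAN address on the LAN segment (NDP proxy, RFC 7278).
        "needs_ndp_proxy": sender_on_lan and target_on_lan,
    }


if __name__ == "__main__":
    for k, v in check_ns(SAMPLE_NS, "2001:db8:1:2::/64").items():
        print(f"{k}: {v}")
```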
Are you allowing the necessary ICMPv6 traffic from WAN?
https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
I allow all ICMPv6 because I wish anybody the very best of luck in scoping out my IPv6 address range with ping, since it will take them longer than the half life of a proton (the subatomic particle, not the car)
Bart...
Hi,
if I understand it correctly, ICMPv6 is allowed by default via the auto-generated firewall rules on WAN and LAN side.
Regards,
meiser
Maybe you only get one IPv6 /64 Prefix from your ISP? Then you would have to use NAT66 with ULAs fc00:: in your LAN Segment.
For more than 1 /64 Prefix to work you need at least a /56 from your ISP, and a transfer net with a static route to the IPv6 Address of your WAN Interface.
Yes, it's only one /64. But why does it work with the residential CPE which I "reverse-engineered"? It also runs a NDP proxy.
Isn't it possible to support this scenario? I read multiple times that this is not a good IPv6 design, but it's reality.
ULA won't work because desktop operating systems boycott it. Mac OS at least assumes "no IPv6" if it does not have a GUA.
You could borrow a GUA /64 from someone - most people with a static assignment have quite enough - configure that statically and use NPT6.
I get a /56 with my German Telekom business DSL line, that's 256 different /64. I use some of them in cloud environments I run for the reason that ULA alone does not quite work. As long as I do not use any of these /64s on the public Internet, everything is fine.
I found out that it's "RFC 7278: Extending an IPv6 /64 Prefix from a Third Generation Partnership Project (3GPP) Mobile Interface to a LAN Link" which has to be supported.