OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: kumba on June 08, 2023, 08:18:30 AM

Title: WAN not responding to IPv6 neighbor solicitations for LAN IPs
Post by: kumba on June 08, 2023, 08:18:30 AM
I've got IPv6 set up on 23.1.9 and the WAN interface is not responding to IPv6 neighbor solicitations for traffic it's routing from the LAN. Below is the output of tcpdump on the WAN interface where a host from the LAN is trying to ping Google at 2607:f8b0:4008:801::200e.


01:54:05.130607 IP6 fe80::225:90ff:fe47:7a27 > fe80::2a9e:fcff:fe60:61a: ICMP6, echo request, seq 188, length 8
01:54:05.131275 IP6 fe80::2a9e:fcff:fe60:61a > fe80::225:90ff:fe47:7a27: ICMP6, echo reply, seq 188, length 8
01:54:05.295478 IP6 WWWW:XXXX:YYYY:ZZZZ:3eec:efff:fe12:4b7 > 2607:f8b0:4008:801::200e: ICMP6, echo request, seq 2972, length 64
01:54:05.312970 IP6 fe80::2a9e:fcff:fe60:61a > ff02::1:ff12:4b7: ICMP6, neighbor solicitation, who has WWWW:XXXX:YYYY:ZZZZ:3eec:efff:fe12:4b7, length 32
01:54:06.139438 IP6 fe80::225:90ff:fe47:7a27 > fe80::2a9e:fcff:fe60:61a: ICMP6, echo request, seq 189, length 8
01:54:06.140158 IP6 fe80::2a9e:fcff:fe60:61a > fe80::225:90ff:fe47:7a27: ICMP6, echo reply, seq 189, length 8


You can also see that the link-local from OPNsense can communicate just fine with the link-local default gateway.

Any ideas what I am doing wrong or where to look? I looked at some of the other IPv6 threads and tried disabling Block Bogons but it didn't make a difference. I wasn't seeing that firewall rule fire anyways but desperation is running rampant.

Here's my IPv6 configuration.
WAN:
- DHCPv6
- Prefix Size 64 (My ISP will only give me a single /64)
- Send Prefix Hint
- Request Only a Prefix didn't make a difference, and OPNsense still ended up with an internet IP even after a reboot?

LAN:
- Track Interface
- Set to WAN
- Prefix ID 0
- Allow adjustment of router advertisements

Router Advertisement:
- Set to Unmanaged
- advertise default gateway
- mostly everything else is default
Title: Re: WAN not responding to IPv6 neighbor solicitations for LAN IPs
Post by: Monviech (Cedrik) on June 09, 2023, 11:14:58 AM
For IPv6 to work you need more than a single /64 net.

ISPs should provide a /56 net, then you could use Track Interface and give the LAN a /64 net.

Right now you have to use NAT for IPv6 to translate the WAN /64 Global Unicast Addresses (GUAs) to LAN /64 Unique Local Scope Addresses (ULAs). This can cause issues with some device types which refuse to route to ULAs (like some Apple devices).
Title: Re: WAN not responding to IPv6 neighbor solicitations for LAN IPs
Post by: franco on June 09, 2023, 12:29:44 PM
A single /64 works, but only for a single LAN tracking it obviously.


Cheers,
Franco
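
Added example, not part of any post in this thread: a small Python check that does what the first post does by eye, pairing neighbor solicitations in tcpdump text output with neighbor advertisements and listing the targets that never got an answer. The sample capture is constructed (2001:db8::/32 documentation prefix for the LAN host) and the function name is hypothetical.

```python
import re

# Constructed sample in tcpdump's text format (not taken from the thread).
SAMPLE = """\
01:54:05.295478 IP6 2001:db8:0:1:3eec:efff:fe12:4b7 > 2607:f8b0:4008:801::200e: ICMP6, echo request, seq 2972, length 64
01:54:05.312970 IP6 fe80::2a9e:fcff:fe60:61a > ff02::1:ff12:4b7: ICMP6, neighbor solicitation, who has 2001:db8:0:1:3eec:efff:fe12:4b7, length 32
01:54:06.312970 IP6 fe80::2a9e:fcff:fe60:61a > ff02::1:ff12:4b7: ICMP6, neighbor solicitation, who has 2001:db8:0:1:3eec:efff:fe12:4b7, length 32
01:54:07.100000 IP6 fe80::2a9e:fcff:fe60:61a > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:0:1::1, length 32
01:54:07.100400 IP6 2001:db8:0:1::1 > fe80::2a9e:fcff:fe60:61a: ICMP6, neighbor advertisement, tgt is 2001:db8:0:1::1, length 32
"""

# Matches both ND message types; the target pattern is lenient so that
# masked addresses (as in the first post) still parse.
ND = re.compile(
    r"^\S+ IP6 (\S+) > \S+ ICMP6, neighbor (solicitation|advertisement), "
    r"(?:who has|tgt is) ([^,\s]+),"
)


def unanswered_solicitations(capture):
    """Return {target: {"from": solicitor, "count": n}} for every address
    that was solicited but never advertised later in the capture."""
    pending = {}
    for line in capture.splitlines():
        m = ND.match(line)
        if not m:
            continue  # echo requests and other traffic are ignored
        src, kind, target = m.group(1), m.group(2), m.group(3).lower()
        if kind == "solicitation":
            entry = pending.setdefault(target, {"from": src, "count": 0})
            entry["count"] += 1
        else:
            # An advertisement for the target answers everything pending.
            pending.pop(target, None)
    return pending


if __name__ == "__main__":
    for target, info in unanswered_solicitations(SAMPLE).items():
        print(f"{target}: {info['count']} unanswered, asked by {info['from']}")
```

Feed it the output of tcpdump captured on the WAN interface; an address that keeps appearing here is one the upstream router expects to find on-link but that nothing on that link answers for.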