Hi,
I'm having problems with setting up working IPv6 on my OPNsense installation running on Proxmox. I have a /56 assigned from Hetzner.
This is the /etc/network/interfaces of the host machine:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp4s0
iface enp4s0 inet static
    address x.x.1x.x/26
    gateway x.x.x.1
    up route add -net 94.130.161.0 netmask 255.255.255.192 gw 94.130.161.1 dev enp4s0
    post-up sysctl -w net.ipv4.ip_forward=1
    post-up sysctl -w net.ipv6.conf.all.forwarding=1
    post-up iptables -t nat -A PREROUTING -i enp4s0 -p tcp -m multiport ! --dport 22535,8006 -j DNAT --to 10.10.10.1
    post-up iptables -t nat -A PREROUTING -i enp4s0 -p udp -j DNAT --to 10.10.10.1
# route x.x.x.0/26 via 94.130.161.1

iface enp4s0 inet6 static
    address 2a01:xxxx:xxxx:f300::1/128
    gateway fe80::1

iface enp4s0 inet6 static
    address 2a01:xxxx:xxxx:2b1d::/64
    gateway fe80::1

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 10.10.10.0/31
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.1/31' -o enp4s0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.1/31' -o enp4s0 -j MASQUERADE
#OPNSense WAN - Proxmox LAN

iface vmbr0 inet6 static
    address 2a01:xxxx:xxxx:f300::1336/127
    up ip -6 route add 2a01:xxxx:xxxx:f300::/56 via 2a01:xxxx:xxxx:f300::1337 dev vmbr0

auto vmbr1
iface vmbr1 inet manual
    ovs_type OVSBridge
#VM Net
I can ping both the host machine (f300::1336) and the OPNsense (f300::1337) from the internet.
The WAN interface is set up like this:
IPv6 address: 2a01:xxxx:xxxx:f300::1337/127
Gateway: 2a01:xxxx:xxxx:f300::1336
Block bogon networks checked
The gateway shows up as online.
I have created a VLAN called DMZ, with the following setup:
IP address: 2a01:xxxx:xxxx:f301::1/64
Gateway: Auto-detect
Nothing else is checked
The situation is as follows: I can ping the internet from inside of the VMs assigned to this VLAN, IPv6 is working, HOWEVER I cannot access / ping these VMs from the outside, not from the host machine, not from the internet.
So if I ping 2a01:4f8:13b:f301::1234 (which is assigned to my mail server), I will get address unreachable. It is probably some stupid thing I'm not getting (I'm a beginner), so any help or poke in the right direction would be greatly appreciated.
Thanks in advance.
Hi,
did you enable incoming traffic (e.g. ICMP) for IPv6 on WAN for your DMZ host(s)?
Firewall -> Rules -> WAN
That is actually my first rule on the WAN interface:
Protocol    Source  Port  Destination  Port  Gateway  Schedule  Description
IPv6 ICMP   *       *     *            *     *        *         Allow ICMP
Change:
IPv6 ICMP
to:
IPv6 IPV6-ICMP
Changed. I'm posting whole IPv6, because it doesn't matter anyway:
When I ping the DMZ IP address now, this shows up:
PING 2a01:4f8:13b:f301::1337(2a01:4f8:13b:f301::1337) 56 data bytes
From 2a01:4f8:13b:2b1d:: icmp_seq=1 Destination unreachable: Address unreachable
It's showing a completely different IP, not unknown actually; this IP is assigned to the enp4s0 interface, but shouldn't have anything to do with OPNsense.
EDIT: If I remove the IP from /etc/network/interfaces on the host, it still shows this:
ping -6 2a01:4f8:13b:f301::1
PING 2a01:4f8:13b:f301::1(2a01:4f8:13b:f301::1) 56 data bytes
From 2a01:4f8:13b:f300::1336 icmp_seq=1 Destination unreachable: Address unreachable
Could this line in /etc/network/interfaces be a problem?
up ip -6 route add 2a01:4f8:13b:f300::/56 via 2a01:4f8:13b:f300::1337 dev vmbr0
What is /etc/network/interfaces? Doesn't look like OPNsense to me?
OPNsense is running on Proxmox. So /etc/network/interfaces is Debian 12 running Proxmox. I'm trying to route IPv6 prefix /56 I have from Hetzner to OPNsense (I also have original /64 from them, haven't found use for it yet).
IPv4 is working fine, only with IPv6 I can ping f300::1337, which is OPNsense WAN from the internet, but can't ping f301::1 (VLAN DMZ), etc.
I think /etc/network/interfaces is somehow configured wrong.
Sorry, no idea. I never used Proxmox.
Hi,
first: The IP in a line "From $IP" is the IP of the device telling you that it can't reach the address.
Please check the routes in Proxmox. Unfortunately, I have no experience with Proxmox and cannot help you with this.
Weird thing is that you're saying the host 2a01:4f8:13b:f301::1234 has working outbound IPv6 Internet connectivity via OPNsense, which makes a routing issue less likely. Did you double check this is actually the case? What does a traceroute from this host to the Internet tell you?
Not a Proxmox expert either and this doesn't look like an OPNsense issue.
Cheers
Maurice
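
One reply above suggests checking the routes on the Proxmox host. As an added example (not part of the thread), the following Python runs a longest-prefix match over a routing table constructed from the posted interfaces file, showing which entry the host would select for a DMZ address and which neighbour it then has to resolve. The table contents and all function names are assumptions of this example.

```python
import ipaddress

# Constructed from the /etc/network/interfaces posted in the thread, using the
# 2a01:4f8:13b prefix quoted in the later posts. Assumption: each "address"
# line yields a route for its prefix and "gateway fe80::1" the default route.
# Entries are (prefix, next hop or None when on-link, device).
ROUTES = [
    ("2a01:4f8:13b:f300::1/128", None, "enp4s0"),
    ("2a01:4f8:13b:2b1d::/64", None, "enp4s0"),
    ("2a01:4f8:13b:f300::1336/127", None, "vmbr0"),
    ("2a01:4f8:13b:f300::/56", "2a01:4f8:13b:f300::1337", "vmbr0"),
    ("::/0", "fe80::1", "enp4s0"),
]


def build_table(routes):
    """Parse the textual routes into (network, next_hop, device) tuples."""
    table = []
    for prefix, via, dev in routes:
        # strict=False: interface addresses such as ::1336/127 carry host bits.
        net = ipaddress.ip_network(prefix, strict=False)
        table.append((net, ipaddress.ip_address(via) if via else None, dev))
    return table


def lookup(table, destination):
    """Return the most specific route covering destination, or None."""
    dst = ipaddress.ip_address(destination)
    matches = [route for route in table if dst in route[0]]
    return max(matches, key=lambda route: route[0].prefixlen, default=None)


def neighbour_to_resolve(table, destination):
    """Return (address, device) the host must resolve via neighbour discovery."""
    route = lookup(table, destination)
    if route is None:
        return None
    net, via, dev = route
    # On-link prefixes resolve the destination itself; routed ones the next hop.
    return (str(via) if via else str(ipaddress.ip_address(destination)), dev)


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("2a01:4f8:13b:f301::1234", "2a01:4f8:13b:f300::1337", "2001:db8::1"):
        print(dst, "->", lookup(table, dst)[0], neighbour_to_resolve(table, dst))
```

On the host itself, `ip -6 route get <address>` reports the kernel's actual choice for comparison with this table.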