Hi guys,
hope you can point me in the right direction, as I am a little lost and don't know why it does not work.
Setup:
Modem connected to the OpnSense
OpnSense connects to the internet via PPPoE
2 Servers, one connected to DMZ interface of the OPNSense, the other to the LAN interface
Configurations:
Interfaces - WAN
IPv6 Configuration Type = DHCPv6
Request only an IPv6 prefix = Check
Prefix delegation size = 56
Send IPv6 prefix hint = Check
Use IPv4 connectivity = Check
Interfaces - DMZ
IPv6 Configuration Type = Track Interface
IPv6 Interface = WAN
IPv6 Prefix ID = 0
Manual configuration = Check (tried it also without checking this)
Interfaces - LAN
IPv6 Configuration Type = Track Interface
IPv6 Interface = WAN
IPv6 Prefix ID = 1
Manual configuration = Check (tried it also without checking this)
Services - Router Advertisements
DMZ
Router Advertisements = Assisted (Tried also the others)
LAN
Router Advertisements = Assisted (Tried also the others)
Interfaces - Overview
WAN
IPv6 address = 2003:xxxxxx/64
IPv6 prefix = 2003:xxxxxxx::/56
IPv6 gateway = auto-detected: fe80::xxxxxx
DMZ
IPv6 address = 2003:xxxxxx/64
LAN
IPv6 address = 2003:xxxxxx/64
I also tried to play with DHCPv6, but I cannot get any Server in LAN or DMZ to get an IPv6 address.
Any help is really much appreciated. I also searched the Forum and also the Web, tried the different proposed solutions, but the Clients/Servers get no external IPv6 address.
fastboot
Hi,
Assuming you have an up and running PPPoE connection with VLAN7 properly configured?!
Normally, manual configuration for router advertising is not required, should be unchecked in a first step
'request ipv6 prefix only' I have also unchecked
Can you share whether the ipv6 prefixes on your LAN and DMZ interface look as expected, i.e. have the assigned Prefix ID? (0 resp. 1)
Your servers on LAN and DMZ: How are they supposed to get an IPv6 address on their interfaces?
Br br
The correct setting for SLAAC-only is "Unmanaged". You should disable the DHCPv6 server first.
Does radvd run? If so, try restarting it. Changes in the interface might not be seen unless the daemon is restarted (this should be O.K. later).
Also, try to reduce the two intervals to 200/600 seconds.
If prefixes do not get distributed, have a look at /var/etc/radvd.conf and see if the prefixes are in there.
Hi,
yes of course. I configured VLAN7 also on the FW, instead of having this on the Modem.
IPv6 prefixes on LAN and DMZ? I have not configured IPv6 yet.
My assumption was that the NICs of the Servers will get automatically an IPv6 address for the internet. At least this is how I read all of the documentations. The prefixes I already sent you? DMZ is 0, LAN is 1
Quote from: meyergru on November 30, 2023, 04:54:37 PM
The correct setting for SLAAC-only is "Unmanaged". You should disable the DHCPv6 server first.
Does radvd run? If so, try restarting it. Changes in the interface might not be seen unless the daemon is restarted (this should be O.K. later).
Also, try to reduce the two intervals to 200/600 seconds.
If prefixes do not get distributed, have a look at /var/etc/radvd.conf and see if the prefixes are in there.
Well, I do not see the configuration within "services", if I do not enable "Manual configuration" in the settings. But then I can see the
"Services - Router Advertisements".
First, your LAN and DMZ IPv6 addresses must be assigned by "track interface" first and should look like:
DMZ: 2003:xxxx:xxxx:xxx0:yyyy:yyyy:yyyy:yyyy/64
LAN: 2003:xxxx:xxxx:xxx1:yyyy:yyyy:yyyy:yyyy/64
Then, the full /64 prefixes can be distributed by radvd. For this to work, the configuration file (auto-generated) must have the correct prefixes (2003:xxxx:xxxx:xxx0/1::/64) in them.
And yes, you should use manual configuration to shorten the intervals for RAs.
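The check described in the posts above (Prefix ID to /64, then looking for that /64 in radvd.conf), as an added Python example that is not part of the original thread. The 2001:db8 documentation prefix, the interface names igb1/igb2 and the sample file contents are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample data: documentation prefix, made-up interface names.
DELEGATED = "2001:db8:0:ab00::/56"
PREFIX_IDS = {"igb1": 0, "igb2": 1}  # DMZ = 0, LAN = 1 as in the thread
SAMPLE_RADVD_CONF = """
interface igb1 {
    AdvSendAdvert on;
    MinRtrAdvInterval 200;
    MaxRtrAdvInterval 600;
    prefix 2001:db8:0:ab00::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
"""

def tracked_prefix(delegated, prefix_id):
    """Return the /64 a tracking interface should get for this Prefix ID."""
    net = ipaddress.IPv6Network(delegated)
    bits = 64 - net.prefixlen  # a /56 leaves 8 bits, so IDs 0..255
    if bits < 0 or not 0 <= prefix_id < 2 ** bits:
        raise ValueError(f"prefix ID {prefix_id} does not fit in {net}")
    return ipaddress.IPv6Network((int(net.network_address) + (prefix_id << 64), 64))

def advertised_prefixes(radvd_conf):
    """Map interface name -> list of prefixes declared in radvd.conf text."""
    found, current = {}, None
    for line in radvd_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            found.setdefault(current, [])
            continue
        m = re.match(r"prefix\s+(\S+)", line)
        if m and current:
            found[current].append(ipaddress.IPv6Network(m.group(1)))
    return found

def check_radvd(delegated, ids_by_iface, radvd_conf):
    """True per interface when its expected /64 is advertised by radvd."""
    adv = advertised_prefixes(radvd_conf)
    return {iface: tracked_prefix(delegated, pid) in adv.get(iface, [])
            for iface, pid in ids_by_iface.items()}

if __name__ == "__main__":
    print(check_radvd(DELEGATED, PREFIX_IDS, SAMPLE_RADVD_CONF))
```

An interface that reports False here has no matching prefix block in the file, which is the case where restarting radvd, as suggested above, is the next thing to try.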
The DMZ and LAN Addresses are shown 2003:XXXX in your post. So: can you show the field to see whether prefix ID 0 and 1 are properly assigned to the ipv6 address on the DMZ and LAN interface?
What do you mean with IPv6 has not configured yet?
ipv6 on servers: Assuming servers with Linux with ipv6 activated, you should then have at least a configuration on /etc/network/interfaces like
iface eth0 inet6 auto
Otherwise you won't get any ipv6 address on the servers
Or, for newer versions of Debian-based distributions based on netplan, you should have /etc/netplan/01-netcfg.yaml like this:
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: yes
      dhcp4-overrides:
        use-dns: true
        use-domains: true
      dhcp6: no
      accept-ra: true
      ipv6-privacy: true
      optional: true
      mtu: 1500
That assumes all ipv6-related tuneables are set correctly.
Hi guys,
thanks a lot for the prompt replies :)
I disabled the IPv6 settings for the LAN now. But DMZ is still configured
From Interfaces - Overview for DMZ Interface:
IPv6 address: 2003:XX:XXX:XXXX:2e0:XXX:XXXX:XXXX/64
It's correctly set as far as I can see. Same I had for the LAN interface, but just with the 1 for sure.
Edit: I also tried the same with the LAN and another Host in there. Just as this is a complete different setup with different onboard tools compared to the server in DMZ.
With not configured IPv6 I meant the normal setup to have IPv6 connectivity. So I did not use IPv6 so far for the LAN connection (e.g. machine2machine, ...).
The server in the DMZ should get the IP automatically, as I did not turn it off for the whole system.
Example for eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 10.xx.xx.xx/24 brd 10.xx.xx.xx scope global dynamic noprefixroute eth0
       valid_lft 5225sec preferred_lft 5225sec
    inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
I also tested if the Firewall itself can ping for example heise.de via IPv6. That works.
I guess we can close this as solved.
I rebooted the FW and **BANG** the Server in DMZ had an IPv6 Address... No connection allowed so far, but it's configured.
Maybe for someone else interesting who's running into the same issue.