Hello all,
My OPNSense Build has been configured to my liking, following several tutorials online. But this one thing is making me having to consider going back to my ISP Router if I dont find a solution fast enough.
The IPv6 just goes out, without notice, not sure how long it takes, but i would say about 12 hours of flawless operation, then bang, i do an IPv6 Test and its out. I have seen several topics with similar problems online from years ago.
I tried already the most hardcore solution that a user has mentioned did the work for him, reinstalling it all from scratch. I did just that yesterday, and woke up this morning to find my IPv6 offline again.
I really don't know what else I could do. I humbly ask for help, the entire home network gets affected when this happens, i just cant keep OPNsense if this isnt solved fast enough.
Diagnostics, things to try, I am all ears!
THank you all
How do you get the IPv6 address / prefix? Static, DHCP, SLAAC,...? What are the interfaces using IPv6 and what exactly do you mean "just goes out"?
A few questions for you:
(1) Does your ISP give you a static or dynamic ipv6 prefix? By dynamic I mean one that changes every now and again
(2) When you say that "ipv6 goes out". What do you mean? For example, when "ipv6 goes out":
- does your WAN still have an ipv6 address (look in the Dashboard under interfaces panel)?
- does your LAN still have an ipv6 address? (as above)
- does your PC still have an ipv6 address?
(3) How do you get your ipv6 prefix from your ISP? That is, how have you configured the WAN interface for ipv6
(4) How do you assign ipv6 prefixes to your devices on the LAN:
- SLAAC only (ie through Services: Router Advertisements: [LAN])? What type of " Router Advertisements" do you use?
- Do you use DHCPvc6?
(5) Have you configured the LAN interface to use "Track Interface" as the ipv6 configuration type?
Edit: One other question:
(6) I assume that ipv6 connectivity comes back when you reboot your OPNsense device. Correct?
I get my IPv6 address via
DHCPv6,
Request only an IPv6 prefix Checked,
Prefix delegation size 56,
Send IPv6 prefix hint Checked
When I mean it goes out, I mean it fails all internet IPv6 tests, only IPv4 stills online.
I am not sure if its static or dynamic IPv6. I have to keep looking for change to confirm?
Quote2) When you say that "ipv6 goes out". What do you mean? For example, when "ipv6 goes out":
does your WAN still have an ipv6 address (look in the Dashboard under interfaces panel)?
does your LAN still have an ipv6 address? (as above)
does your PC still have an ipv6 address?
Yes WAN still shows an ipv6 address.
I run a LAGG, with VLANs, and all individual VLANs have their IPv6 addresses.
Yes my PC shows an IPv6 Address
Quote(3) How do you get your ipv6 prefix from your ISP? That is, how have you configured the WAN interface for ipv6
Mentioned above
Quote(4) How do you assign ipv6 prefixes to your devices on the LAN:
Tried both ways, DHCPv6, and now using SLAACK only
Quote(5) Have you configured the LAN interface to use "Track Interface" as the ipv6 configuration type?
Yes they are
Quote(6) I assume that ipv6 connectivity comes back when you reboot your OPNsense device. Correct?
That is correct, it does come back when I do so.
very interesting. We followed a very similar path. My instance had the same symptoms last week. I was pulling my hair out trying to solve it.
Anyhow, everything has been working flawlessly for a week now, but unfortunately, I don't know exactly what the fix was. The last thing that I did to get it working was to click the WAN reload button on the Interfaces/Overview page not just once, but several times. It might be a coincidence, but the results were strange as I saw it sometimes not provide an IPv6 address to the LAN network. I clicked it slowly maybe 5 times total until I saw it provide an address again. It's been working ever since. Disclaimer: there's definitely a chance that it was some other setting that I changed beforehand, but I'm getting too old to remember and too lazy to look through the config history.
@Alec246: thanks
Why do you set "Request only an IPv6 prefix Checked "? Is that required by your ISP? Do you know what mechanism is used to get the ipv6 address of the gateway?
It would be good to know if your delegated ipv6 prefix is static or not. Maybe, try comparing it over a few days with a few WAN restarts in between?
When your ipv6 connectivity is functioning, could you share the first 8 hex digits of your WAN ipv6 address (no more than 8 since otherwise it might identify you). You can find it on the OPNsense Da.shboard
For the record here are my config details which are somewhat similar to yours, though I need to use pppoe and obtain my ipv6 prefix/address through dhcpv6 over the pppoe. I too have LANs based on vlan's over a lagg. Here are some details:
WANside interfaces: WAN->pppoe->vlan->(interface on igc)
- interface on igc uses MAC spoofing and has Promiscuos mode set. It has no ipv4 or ipv6 configuration.
- vlan is required by my ISP
- pppoe is required by my ISP
- WAN:
promiscuos mode unset and has DHCPv6 client configuration as follows:
Request only an ipv6 prefix: No (otherwise the WAN has no ipv6 address of its own)
Prefix delegation size: 48
Send ipv6 prefix hint: yes
Use ipv4 connectivity (required by my ISP - i.e. ipv6 trafic travels down the same pppoe connection as the ipv4.
LANside interfaces: LAN->vlan->underLAN->lagg (lacp) ->(a pair of igc interfaces)
- underLAN has Promiscuos mode set and sets a MAC address. It has no ipv4 or ipv6 configuration.
- LAN has promiscuos mode unset. Static ipv4 and tracks the WAN interface for ipv6.
My ipv6 prefix is static and so will only change when I change ISP. The WAN ipv6 address is also static.
Have you tried Interfaces > Settings > IPv6 DHCP > Prevent release? Turning this on helped my IPv6 stability, although your problem sounds different (I was losing the address completely, you say you're keeping the address, but connectivity fails?). Still, could be worth a try.
If you find your WAN line to be unstable or if your ISP changes IPv6 prefixes regularly, do not use DHCPv6 for your (V)LANs, but SLAAC with a minimum interval 200 und maximum interval 600 (set under Services::Router Advertisements).
In contrary to DHCPv6, which operates via pull, SLAAC pushes new prefixes, so that a prefix change is pushed to the clients immediately. Otherwise, they may use outdated prefixes, thus IPv6 connectivity is lost until they ask for a lease renewal.
@joezeppy
Thank you for your feedback! I am not alone in this. Might try that!
@sja1440
QuoteWhy do you set "Request only an IPv6 prefix Checked "? Is that required by your ISP? Do you know what mechanism is used to get the ipv6 address of the gateway?
I followed this guide, the only one I found of a user in the same ISP as mine, PFSense instead
https://forum.meo.pt/internet-fixa-e-movel-11/pfsense-ipv6-155245
Unfortunately I dont know the ISP mechanism really for anything. Completely ignorant to this matter
QuoteIt would be good to know if your delegated ipv6 prefix is static or not. Maybe, try comparing it over a few days with a few WAN restarts in between?
Made a forced ISP Modem restart, IPv6 is back, without touching the OPNsense Router. The only difference when comparing IPv4 e IPv6 I noted was the IPv6 Address as
"Dynamic IPv6 prefix received"
QuoteWhen your ipv6 connectivity is functioning, could you share the first 8 hex digits of your WAN ipv6 address (no more than 8 since otherwise it might identify you). You can find it on the OPNsense Da.shboard
This?
fe80::aab8
Will check your suggestions! THanks!
@Ben S
No Ben, I will try that too! Thank you
@meyergru
Already have all my VLANS using this, Router Advertisements set to Unmanaged to all. Unfortunately stil lgets the issue
Tried everything, IPv6 still goes off :/
If you haven't already, check out the following video closely to see if something in it might help you trouble-shoot your situation:
https://www.youtube.com/watch?v=Yb7JdIFriKI&t=901s (https://www.youtube.com/watch?v=Yb7JdIFriKI&t=901s)
Quote from: Alec246 on May 23, 2024, 12:03:19 PM
Tried everything, IPv6 still goes off :/
If you have not done it already, I suggest turning on Debug logging under Interfaces > Settings > IPv6 DHCP header.
Quote from: Alec246 on May 22, 2024, 12:42:41 PM
I followed this guide, the only one I found of a user in the same ISP as mine, PFSense instead
https://forum.meo.pt/internet-fixa-e-movel-11/pfsense-ipv6-155245
Looking at a few other posts on that forum, it would seem that your provider could and does (or rather did) change the delegated ipv6 prefix. It is not clear to me with what frequency. Though it seems that even small changes to the ISP router will cause the prefix to change.
Quote from: Alec246 on May 22, 2024, 12:42:41 PM
Made a forced ISP Modem restart, IPv6 is back, without touching the OPNsense Router.
Does that mean that your system consists of:
<ISP ONT> -> <ISP router> -> <OPNsense router>
If so how have you configured the ISP router for ipv6?
Quote from: Alec246 on May 23, 2024, 12:03:19 PM
Tried everything, IPv6 still goes off :/
I had a similar issue where IPv6 would stop working after sometime. Clients on the network dropped IPv6 address altogether. Did a fair bit of digging and found out that Suricata was the culprit. SID 2030387 (ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read). Looks like packets relating to IPV6 was being blocked by suricata. Disabled SID 2030387 and the problem went away.