OPNsense Forum

English Forums => General Discussion => Topic started by: visionsbox on November 19, 2024, 12:22:23 PM

Title: WAN DHCPv6 and IPsec
Post by: visionsbox on November 19, 2024, 12:22:23 PM
Hello everyone,
I'm still fairly new to the topic of IPv6 and probably still very much stuck in the "good old" IPv4 idea. Maybe I'm getting old and no longer flexible? Who knows ;D

Anyway - I have problems understanding the following and I haven't been able to solve it with my research so far. I'm hoping for some helpful advice here.

I have a static IPv4 address with VODAFONE: dial-in takes place via WAN and PPPoE - fully functional for years.

With the help of the OPNsense manual (https://docs.opnsense.org/manual/ipv6.html) I have successfully set up a functional IPv6 setup and distributed IPv6 addresses locally (LAN, WLAN and DMZ) to all my computers and servers.

My problem now is that I still have an IPsec service running on the OPNsense that is listening on the WAN interface. With the checkbox "Request only an IPv6 prefix" (Interfaces > WAN > DHCPv6 client configuration) the WAN interface does not get an IPv6 address and I cannot access IPsec via IPv6.

What is the best way to solve this?


I would be very grateful for any help!

Best regards!
Simon
Title: Re: WAN DHCPv6 and IPsec
Post by: dseven on November 19, 2024, 01:14:04 PM
I don't have experience with IPsec, but in general any interface that has a routable IPv6 address should be reachable from the internet if you have a rule to allow it (destination "This Firewall"), so you probably could use your DMZ interface. Alternatively you might be able to use a VIP with an address within your routable prefix, or a loopback interface. Is your prefix "static"?
Title: Re: WAN DHCPv6 and IPsec
Post by: visionsbox on November 21, 2024, 02:30:24 PM
Thanks for that hint. This has taken me a good step forward.

I have now simply duplicated my existing IPv4 tunnel, switched it to IPv6 and connected the whole thing to the DMZ interface.

Connecting via the VPN now works already - the clients are getting an IPv4 and an IPv6 address. Unfortunately, I now have the problem that those coming via the VPNv6 tunnel have no access to the services in the network and I don't understand why :) I made a mistake somewhere.

Can someone help me with this?


What I don't understand:
the VPN clients all get an IPv6 with 2a00:aaaa:bbbb:cccc::[XX] - the cccc corresponds to the subnet that is assigned to the DMZ (IPv6 Prefix ID).

I am still grateful for any help.
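Added example, not code from the thread or from the OPNsense project: a small Python check for the prefix arithmetic behind dseven's VIP suggestion and Simon's last post. An OPNsense "IPv6 Prefix ID" selects one /64 inside the delegated prefix, so you can compute which /64 each interface gets, pick a candidate VIP inside a routable one, and test whether a VPN address pool lands inside (overlaps) an interface's /64. The /48 delegation, the prefix IDs, the VPN pool and the client address are all constructed; the DMZ ID 0xcccc is chosen only to match the anonymised 2a00:aaaa:bbbb:cccc:: address above. The overlap check is a sanity check to run, not a diagnosis of the thread's problem.

```python
from __future__ import annotations

import ipaddress
from typing import Dict, Optional


def prefix_id_subnet(delegated: str, prefix_id: int, length: int = 64) -> ipaddress.IPv6Network:
    """Return the /<length> that an OPNsense-style 'IPv6 Prefix ID' selects
    inside a delegated prefix.

    The ID fills the bits between the delegated prefix length and /64:
    the whole fourth hextet for a /48, only its low byte for a /56.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    id_bits = length - net.prefixlen
    if id_bits < 0:
        raise ValueError(f"delegated prefix {delegated} is longer than /{length}")
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {id_bits} bits")
    # Place the ID just above the /64 boundary and OR it into the delegated bits.
    sub = int(net.network_address) | (prefix_id << (128 - length))
    return ipaddress.IPv6Network((sub, length))


def host_in(net: ipaddress.IPv6Network, host: int) -> ipaddress.IPv6Address:
    """A candidate VIP inside a routable subnet, e.g. ::2 in the DMZ /64."""
    if not 0 < host < net.num_addresses:
        raise ValueError("host index outside subnet")
    return net.network_address + host


def is_routable(addr: str) -> bool:
    """Global unicast only: link-local, ULA and loopback do not qualify."""
    return ipaddress.IPv6Address(addr).is_global


def overlaps(a: str, b: str) -> bool:
    """True if two prefixes share any address (e.g. a VPN pool inside an interface /64)."""
    return ipaddress.IPv6Network(a, strict=False).overlaps(ipaddress.IPv6Network(b, strict=False))


def which_subnet(addr: str, delegated: str, prefix_ids: Dict[str, int]) -> Optional[str]:
    """Map an address back to the interface whose prefix ID owns its /64."""
    a = ipaddress.IPv6Address(addr)
    for name, pid in prefix_ids.items():
        if a in prefix_id_subnet(delegated, pid):
            return name
    return None


if __name__ == "__main__":
    # Constructed example: a /48 delegation and prefix IDs for three interfaces.
    DELEGATED = "2a00:aaaa:bbbb::/48"
    IDS = {"LAN": 0x1, "WLAN": 0x2, "DMZ": 0xCCCC}
    for name, pid in IDS.items():
        print(f"{name:4} prefix ID {pid:#06x} -> {prefix_id_subnet(DELEGATED, pid)}")
    dmz = prefix_id_subnet(DELEGATED, IDS["DMZ"])
    print("VIP candidate in DMZ:", host_in(dmz, 2), "routable:", is_routable(str(host_in(dmz, 2))))
    vpn_client = "2a00:aaaa:bbbb:cccc::10"  # constructed client address
    print(vpn_client, "falls into", which_subnet(vpn_client, DELEGATED, IDS))
    pool = "2a00:aaaa:bbbb:cccc::/112"  # constructed VPN client pool
    print("VPN pool overlaps DMZ /64:", overlaps(pool, str(dmz)))
```

Run it as a script to see the three interface /64s, a VIP candidate in the DMZ subnet, and whether a client pool carved out of the DMZ /64 overlaps that interface; change the constructed values to your own delegation and prefix IDs.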