I am attempting to expose my website via IPv6 and am running into issues. Though I have researched IPv6, this is my first time attempting to do any routing beyond connecting to another's site.
My server (hosting the site) can access an IPv6 website.
The server reports its addresses as:
```
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2604:f780:d220:f100::2000/128 scope global dynamic noprefixroute
       valid_lft 5869sec preferred_lft 3169sec
    inet6 fe80::f59c:3716:b71:c3ac/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```
Another machine on my LAN can `curl http://[2604:f780:d220:f100::2000]:8080` successfully.
I have a firewall rule set to allow port `8080` on that IP address, and when I `curl http://[2604:f780:d220:f100::2000]:8080` from an external machine, I can see the connection accepted in my firewall logs.
```
Informational filterlog 84,,,fae559338f65e11c53669fc3642c93c2,bxe0,match,pass,out,6,0x00,0x229fb,53,tcp,6,40,2601:3d02::f03f:93ff:fe5a:e261,2604:f780:d220:f100::2000,40252,8080,0,S,2760746982,,28800,,mss;sackOK;TS;nop;wscale
Informational filterlog 91,,,ba12a6fae4ded317f9604e82ebb419ec,bxe1,match,pass,in,6,0x00,0x229fb,53,tcp,6,40,2601:3d02::f03f:93ff:fe5a:e261,2604:f780:d220:f100::2000,40252,8080,0,S,2760746982,,28800,,mss;sackOK;TS;nop;wscale
```
But the command just hangs until it times out.
Since it seemed like the connection never made its way back, I tried a tcpdump, and verified that the connection is reaching the server, but it appears something is failing with `destination unreachable`.
```
IP6 2601:3d02::f03f:93ff:fe5a:e261.46038 > 2604:f780:d220:f100::2000.8080: Flags [S], seq 1105096936, win 28800, options [mss 1440,sackOK,TS val 150905032 ecr 0,nop,wscale 7], length 0
IP6 2604:f780:d220:f100::2000.8080 > 2601:3d02::f03f:93ff:fe5a:e261.46038: Flags [S.], seq 1345266100, ack 1105096937, win 64260, options [mss 1440,sackOK,TS val 2088291025 ecr 150904270,nop,wscale 7], length 0
IP6 2604:f780:d220:f100:9ab7:85ff:fe01:821a > 2604:f780:d220:f100::2000: ICMP6, destination unreachable, unreachable route 2601:3d02::f03f:93ff:fe5a:e261, length 88
```
I added firewall rules to allow ICMP on the global and local addresses, but end up with the same result.
To simplify things, I attempted just pinging, but end up with the same behavior.
What am I missing?
Running on OPNsense 24.7.11_2.
Interfaces overview:
```
LAN  2604:f780:d220:f100:9ab7:85ff:fe01:821a/56
     fe80::9ab7:85ff:fe01:821a/64
WAN  2604:f780:d001::79/128
     fe80::9ab7:85ff:fe01:821b/64
```
I think I found it. I switched from DHCP6 to SLAAC, which didn't help as all IPv6 communication failed. But when I switched it back to DHCP6, my site was reachable all of a sudden. The thing I noticed from my logs was a routing entry that was not there before.
```
Destination Gateway Flags Netif Expire
default fe80::12ff:fe3d:c900%bxe1 UG bxe1
```
Why this was missing from OPNsense in the first place is troubling (and how everything except inbound was working as expected), but it seems to be working now.
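The symptom in this thread (a SYN-ACK leaves the server, then the firewall's LAN address answers with ICMPv6 "unreachable route" for the client) can be picked out of a capture automatically. The following is an added example, not part of the original post: it assumes the tcpdump and routing-table text formats shown above, and the `ROUTES_BEFORE` table is constructed for illustration.

```python
import ipaddress
import re

# Capture lines copied from the tcpdump output in the post above.
CAPTURE = """\
IP6 2601:3d02::f03f:93ff:fe5a:e261.46038 > 2604:f780:d220:f100::2000.8080: Flags [S], seq 1105096936, win 28800, options [mss 1440,sackOK,TS val 150905032 ecr 0,nop,wscale 7], length 0
IP6 2604:f780:d220:f100::2000.8080 > 2601:3d02::f03f:93ff:fe5a:e261.46038: Flags [S.], seq 1345266100, ack 1105096937, win 64260, options [mss 1440,sackOK,TS val 2088291025 ecr 150904270,nop,wscale 7], length 0
IP6 2604:f780:d220:f100:9ab7:85ff:fe01:821a > 2604:f780:d220:f100::2000: ICMP6, destination unreachable, unreachable route 2601:3d02::f03f:93ff:fe5a:e261, length 88
"""
# Routing rows from the post (after the fix) and a constructed "before" table.
ROUTES_AFTER = """\
Destination Gateway Flags Netif Expire
default fe80::12ff:fe3d:c900%bxe1 UG bxe1
"""
ROUTES_BEFORE = """\
Destination Gateway Flags Netif Expire
fe80::%bxe1/64 link#2 U bxe1
"""

ADDR = r"[0-9a-f:]+"
SYN_ACK = re.compile(rf"^IP6 (?P<src>{ADDR})\.\d+ > (?P<dst>{ADDR})\.\d+: Flags \[S\.\]")
NO_ROUTE = re.compile(rf"^IP6 (?P<router>{ADDR}) > (?P<to>{ADDR}): ICMP6, "
                      rf"destination unreachable, unreachable route (?P<target>{ADDR}),")

def missing_return_routes(capture):
    """Find SYN-ACKs that a router bounced back with 'unreachable route'."""
    ip = ipaddress.ip_address  # normalise addresses before comparing
    replies, findings = set(), []
    for line in capture.splitlines():
        if m := SYN_ACK.match(line):
            replies.add((ip(m["src"]), ip(m["dst"])))
        elif m := NO_ROUTE.match(line):
            # The ICMPv6 error goes to the SYN-ACK sender and names its peer.
            if (ip(m["to"]), ip(m["target"])) in replies:
                findings.append({"router": m["router"], "server": m["to"],
                                 "unroutable_peer": m["target"]})
    return findings

def has_default_route(table):
    """True if a netstat-style table has an up (U) default route via a gateway (G)."""
    for row in table.splitlines():
        cols = row.split()
        if len(cols) >= 4 and cols[0] == "default" and {"U", "G"} <= set(cols[2]):
            return True
    return False

if __name__ == "__main__":
    for f in missing_return_routes(CAPTURE):
        print(f"{f['router']} has no route back to {f['unroutable_peer']}")
    print("default route present:", has_default_route(ROUTES_AFTER))
```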