My ipv6 environment is that the upstream openwrt obtains the public/60 ipv6 address through the ISP. DHCPv6-PD + SLAAC configured in openwrt.
OPNsence gets a 64 prefix under openwrt LAN. Both OPNsence and OPNsence LAN devices can obtain DHCPv6-PD + SLAAC addresses and can communicate.
But when my ISP updated the IPV6 prefix. Openwrt, OPNsence and other openwrt LAN devices can get updates. The OPNsence LAN device still keeps the original prefix, but I see that the prefix displayed by OPNsense LAN has changed.
Restarting the OPNsence LAN device still keeps the old prefix. The firewall has a log showing that the device sent to [ff02::1:2]:547 passed.
Only when you restart the DHCPv6 Server service on OPNsence, The IPv6 DHCPv6 address of the OPNsence LAN device will be updated.
Restart the Router Advertisement Daemon service, The SLAAC address of OPNsence LAN device is displayed as deprecated. Then restart the device to update the SLAAC address.
I don't know if it's my ipv6 configuration problem or a software problem. Is there any way to troubleshoot it?
It is a configuration problem. Some of it is caused by your tandem setup. But the main reason is that you issue DHCP leases for a dedicated time. Only after the timeframe expires (or half of it) will clients ever ask for a new IP. With SLAAC only (Unmanaged or Assisted), a router advertisement with a lifetime of zero can be given, invalidating all old prefixes. Then, the clients will be updated with a new RA and a new prefix.
You can imagine that this gets worse when your OpenWRT lease is still used a while after the real prefix has already changed.
That being said, IPv6 setups with changing prefixes are FUBAR anyways, because they break existing connections. This is especially tru if your ISP does forced reconnections with changing prefixes. It is less harmful when your connection is kept "forever".
The problem is that the devices under openwrt can update the prefix in time, and opnsence itself is also updated in time.
Is it because opnsence did not pass the updated RA notification to its own lan?
In the firewall log, openwrt will communicate with the 546 port of the ipv6 local link address of opnsense through the dhcpv6 protocol, but the LAN firewall log of opensense does not have such communication at all.
Quote from: zteng on March 24, 2025, 01:29:36 AMThe problem is that the devices under openwrt can update the prefix in time, and opnsence itself is also updated in time.
Is it because opnsence did not pass the updated RA notification to its own lan?
No, the problem is that you use DHCPv6 to distribute adresses at all. With DHCP, it is up to the client to fetch a new address.
You should use SLAAC only in either unmanaged or assisted mode in order to force the new prefix on the client. This is all explained here (https://forum.opnsense.org/index.php?topic=45822.0), but your setup is the dreaded router-behind-router setup (see point #4 here (https://forum.opnsense.org/index.php?topic=42985.0)). This means that you would have to use SLAAC-only for both OpenWRT and OpnSense - yet IDK if or how it is even possible to sub-delegate prefixes via SLAAC between OpenWRT and OpnSense.
I found the cause of the problem. Because I installed it in a PromoxVE virtual machine, I needed to turn on Router Advertisement in the virtual machine settings.