Hi guys,
I've updated to 25.7 recently and switched to dnsmasq and unbound. Yesterday I noticed that IPv6 was not working, might have been so for a few days and I've set up dual stack.
Have done some digging from older posts and noticed that the interface did not generate a full IPv6, only gets the prefix. I'd be grateful for any hints what might cause this and how to fix it.
The setup and troubleshooting I've done so far is as follows:
Interfaces:
WAN - changing prefixes with dual stack
LAN - static IPv4 and TrackInterface for IPv6
DNSmasq on LAN interface
as DHCP
Ranges are 192.168.22.10 to 192.168.22.200 for IPv4
:: for IPv6
options set dns server, ntp server and nis-domain for both IPv4 and IPv6
not for DNS
DNS via unbound
To get the ULA on LAN the virtual IP defined on Interfaces / Virtual IPs as
fd11:f0d8:a7bb:135d::/64 - LAN - IP Alias
The Clients on the LAN receive the prefix just fine and get their IPv6 via SLAAC.
I've checked the Router advertisement via Wireshark. As far as I understand it, it looks as expected
Frame 2294: 166 bytes on wire (1328 bits), 166 bytes captured (1328 bits) on interface \Device\NPF_{5B7E23CD-8508-42FD-9E61-D2ED511AAD4D}, id 0
Ethernet II, Src: Microsoft_16:01:04 (00:15:5d:16:01:04), Dst: IPv6mcast_01 (33:33:00:00:00:01)
Internet Protocol Version 6, Src: fe80::215:5dff:fe16:104, Dst: ff02::1
Internet Control Message Protocol v6
Type: Router Advertisement (134)
Code: 0
Checksum: 0x78c9 [correct]
[Checksum Status: Good]
Cur hop limit: 255
Flags: 0x48, Other configuration, Prf (Default Router Preference): High
Router lifetime (s): 1200
Reachable time (ms): 0
Retrans timer (ms): 0
ICMPv6 Option (Prefix information : fd11:f0d8:a7bb:135d::/64)
Type: Prefix information (3)
Length: 4 (32 bytes)
Prefix Length: 64
Flag: 0xc0, On-link flag(L), Autonomous address-configuration flag(A)
Valid Lifetime: 86400 (1 day)
Preferred Lifetime: 86400 (1 day)
Reserved
Prefix: fd11:f0d8:a7bb:135d::
ICMPv6 Option (Prefix information : 2003:****:****:****::/64)
ICMPv6 Option (Source link-layer address : 00:15:5d:16:01:04)
ICMPv6 Option (Recursive DNS Server fe80::215:5dff:fe16:104)
Got IPv6 to work again by setting the Link-Local Address as DNS, as you can see in the RA.
When I try to set the ULA fd11:f0d8:a7bb:135d:215:5dff:fe16:104 as DNS, IPv6 breaks as no DNS requests are answered, whereas fe80::215:5dff:fe16:104 seems to work.
So I logged in via SSH and checked the following in the OPNsense shell:
Ping from OPNsense to a client on LAN is working ...
root@JIGOKUMON:~ # ping fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c
PING(56=40+8+8 bytes) fd11:f0d8:a7bb:135d:: --> fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c
16 bytes from fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c, icmp_seq=0 hlim=255 time=0.356 ms
16 bytes from fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c, icmp_seq=1 hlim=255 time=2.206 ms
16 bytes from fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c, icmp_seq=2 hlim=255 time=1.305 ms
Ping to OPNsense is not working
ping fd11:f0d8:a7bb:135d:215:5dff:fe16:104 -t
Ping wird ausgeführt für fd11:f0d8:a7bb:135d:215:5dff:fe16:104 mit 32 Bytes Daten:
Zielhost nicht erreichbar.
Zielhost nicht erreichbar.
Ping-Statistik für fd11:f0d8:a7bb:135d:215:5dff:fe16:104:
Pakete: Gesendet = 2, Empfangen = 0, Verloren = 2
(100% Verlust),
... but I noticed the second line where the interface part (::215:5dff:fe16:104) is missing.
The Interface looks like this:
hn1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: LAN (lan)
options=80018<VLAN_MTU,VLAN_HWTAGGING,LINKSTATE>
ether 00:15:5d:16:01:04
inet 192.168.22.254 netmask 0xffffff00 broadcast 192.168.22.255
inet6 fe80::215:5dff:fe16:104%hn1 prefixlen 64 scopeid 0x6
inet6 fd11:f0d8:a7bb:135d:: prefixlen 64
inet6 2003:****:****:****:215:5dff:fe16:104 prefixlen 64
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Looks like the virtual IP is only shown as the prefix, but no full IPv6 is generated.
If I change the LAN IPv6 setting from "Track Interface" to "SLAAC" the expected IPv6 is generated and the ping TO OPNsense is working, but public access is gone as the GUA/2003:: prefix is not known.
I could test the config with 25.1.12 if useful/needed. Any hint appreciated.
Cheers,
Holger Kühn
When you specify a virtual fixed IPv6, you have to provide the EUI-64 part, you only gave ::, which is zero. Your OpnSense would probably respond to fd11:f0d8:a7bb:135d::0, but not to fd11:f0d8:a7bb:135d:215:5dff:fe16:104, simply because you did not configure that.
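The check described in the reply above, as an added example that is not part of the original thread: it scans `ifconfig` output for an inet6 address whose interface identifier is all zero and prints the modified EUI-64 address for that prefix and the interface MAC. The sample input is constructed from the hn1 output quoted in the first post (the masked 2003: line is left out); the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: trimmed from the hn1 output quoted in the first post.
SAMPLE_IFCONFIG = """\
hn1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    ether 00:15:5d:16:01:04
    inet6 fe80::215:5dff:fe16:104%hn1 prefixlen 64 scopeid 0x6
    inet6 fd11:f0d8:a7bb:135d:: prefixlen 64
"""


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface identifier of the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a /64 prefix")
    return net.network_address + eui64_iid(mac)


def audit(ifconfig_text: str) -> list:
    """Return (configured, eui64) pairs for addresses with a zero interface ID."""
    mac = re.search(r"^\s*ether\s+([0-9a-fA-F:]{17})", ifconfig_text, re.M).group(1)
    findings = []
    for m in re.finditer(r"^\s*inet6\s+(\S+)\s+prefixlen\s+(\d+)", ifconfig_text, re.M):
        addr = m.group(1).split("%")[0]  # drop the %hn1 scope suffix
        iface = ipaddress.IPv6Interface(f"{addr}/{m.group(2)}")
        # Host part all zero: only the prefix was entered as the address.
        if iface.network.prefixlen == 64 and iface.ip == iface.network.network_address:
            fixed = eui64_address(str(iface.network), mac)
            findings.append((str(iface.ip), str(fixed)))
    return findings


if __name__ == "__main__":
    for configured, fixed in audit(SAMPLE_IFCONFIG):
        print(f"{configured}/64 has a zero interface ID; EUI-64 form: {fixed}/64")
```
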
Quote from: meyergru on August 12, 2025, 09:33:12 PM
When you specify a virtual fixed IPv6, you have to provide the EUI-64 part, you only gave ::, which is zero. Your OpnSense would probably respond to fd11:f0d8:a7bb:135d::0, but not to fd11:f0d8:a7bb:135d:215:5dff:fe16:104, simply because you did not configure that.
Ok, makes sense. Any pointers where I can configure this?
Quote from: HolgerKuehn on August 13, 2025, 12:01:53 PM
Ok, makes sense. Any pointers where I can configure this?
??? - you literally configured fd11:f0d8:a7bb:135d::/64 and not fd11:f0d8:a7bb:135d:215:5dff:fe16:104/64 for your virtual IP:
Quote from: HolgerKuehn on August 12, 2025, 08:51:55 PM
To get the ULA on LAN the virtual IP defined on Interfaces / Virtual IPs as
fd11:f0d8:a7bb:135d::/64 - LAN - IP Alias
Quote from: meyergru on August 13, 2025, 12:17:17 PM
??? - you literally configured fd11:f0d8:a7bb:135d::/64 and not fd11:f0d8:a7bb:135d:215:5dff:fe16:104/64 for your virtual IP:
Thanks for the hint, I must have misunderstood this point in my initial setup back then. Thought it is supposed to define the prefix only, as the column states network. Checked some newer guides out there and all of them show the interface part as well. A great one is here https://www.raydak.de/blog/2025-05-25_opnsense_ipv6/
I must have missed this, as I was using a DNS service on a client on the LAN and not the router itself. Just showed now as I switched to unbound on the box.