I'm trying to assign global IPv6 addresses to the LAN side of my OPNsense VM, but I could use some guidance for my unusual setup.
My setup:
- OPNsense is running in a virtual machine. Its role is to route traffic from my main network to VMs on a different subnet and perform NAT so those VMs can access the internet via my main network.
- IPv4 setup is done with static private IP on the WAN side of OPNsene with DHCPv4 and DNS via DNSmasq.
- WAN side of the OPNsense VM is connected to my main network. LAN connects to other VMs.
Challenges:
- My ISP provides a dynamic /56 IPv6 prefix that changes often (power loss, reconnection, etc.).
- My main router (not OPNsense) only delegates a single /64 subnet and provides addresses via SLAAC only.
- Currently, OPNsense itself gets a /128 via SLAAC from the main router.
- Attempting to configure LAN IPv6 using "Track Interface" fails because the parent interface shows up empty.
I've already tried to use ISC DHCPv6 and Kea DHCPv6 without any success as it seems both will require static IPv6 (and even if dynamic prefix is supported I will need /64 subnet which I wasn't able to get)
What I want to achieve:
1. To use the ISP-provided /56 prefix to get out a second /64 subnet for the VMs LAN, leaving the main network untouched:
A. LAN VMs to get global IPv6 addresses via DHCPv6 with static MAC assignments
B. or SLAAC if thae DHCPv6 server is not possible
2. Worst case to get IPv6 connectivity via the /128 of OPNsense as NAT connection
Is any of these possible in OPNsense? (even if it require scripting) or is there a built-in way to handle this kind of dynamic prefix delegation?
Thanks in advance for any advice!
I maintain a plugin that can do something for you, but its rather hacky in its nature, and if it doesnt work I cannot really help as its quite hard to troubleshoot.
If you want something generally stable, use this:
https://docs.opnsense.org/manual/ndproxy.html#offering-services-behind-nat-cloud-setup
If you want something more hacky look at the other example :)
Quote from: Monviech (Cedrik) on August 16, 2025, 12:32:03 PMI maintain a plugin that can do something for you, but its rather hacky in its nature, and if it doesnt work I cannot really help as its quite hard to troubleshoot.
If you want something generally stable, use this:
https://docs.opnsense.org/manual/ndproxy.html#offering-services-behind-nat-cloud-setup
If you want something more hacky look at the other example :)
Thanks, I would love to hear about your plugin
I will keep ndproxy in mind as last resort to just establish outward connections only
Well ndproxy is that plugin. Sorry I dont have anything else xD
This here also works but your prefix is very unstable:
https://docs.opnsense.org/manual/ndproxy.html#simple-setup-for-home-users
The one with NPTv6 in my post before is generally stable and you can NAT inbound and outbound just fine with it.
Quote from: iTheMask on August 16, 2025, 12:23:54 PM- My main router (not OPNsense) only delegates a single /64 subnet and provides addresses via SLAAC only.
If it actually
delegates a /64, set the OPNsense WAN IPv6 configuration type to DHCPv6 and the prefix delegation size to 64. "Track interface" should then work on the LAN interface.
Quote from: iTheMask on August 16, 2025, 12:23:54 PM- Currently, OPNsense itself gets a /128 via SLAAC from the main router.
A /128 WAN address actually indicates that is was assigned via DHCPv6 - SLAAC addresses are /64. But even if your main router provides
addresses via SLAAC only, prefix delegation is independent from address assignment and always uses DHCPv6.
Quote from: iTheMask on August 16, 2025, 12:23:54 PM2. Worst case to get IPv6 connectivity via the /128 of OPNsense as NAT connection
Ugly, but possible. Works the same as IPv4 NAT: Assign a static address to the LAN interface and create an outbound NAT rule.
Cheers
Maurice