I have three OPNsense routers:
- one router ("umbrella"), connected to my modem, which receives a /60 IPv6 delegation from the ISP. It then delegates a /62 to each of the two downstream routers (::4 and ::8). It's using ISC DHCPv6.
- the 1st downstream router gets its WAN address in the ::0/64 subnet, and is delegated the ::4/62 prefix, from which it hands out 3 /64 subnets
- the 2nd downstream router gets its WAN address in the ::1/64 subnet, and is delegated the ::8/62 prefix, from which it hands out 3 /64 subnets
- The downstream routers are both using DNSmasq DHCP.
That part all looks like it works, both of the downstream routers are receiving their own IPv6 address, and a /62 delegated to them. Clients to those routers receive an IPv6 address that is in the right subnet, but they don't have any IPv6 connectivity.
I think the issue is the routes, the "umbrella" router doesn't have any routes for the /62 subnets in the routing table. I read a couple of threads (https://forum.opnsense.org/index.php?topic=7719.0) from a long time ago that made it seem that this was an issue then. I tried the fix that was listed there (manually add a gateway and route on the umbrella router), and that stopped the prefixes from delegating.
Any suggestions?
It has been repaired a few times over the years for different reasons, yes. But I don't see anything that would warrant to say it's currently not working. Take a closer look at https://github.com/opnsense/core/blob/master/src/opnsense/scripts/dhcp/prefixes.php -- what you need is to offer both a single address (NA) and a prefix (PD) or use a link-local static lease to point to the downstream router -- it cannot be automated if you don't know its address as the target for the route.
Cheers,
Franco
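The pairing requirement Franco describes (a delegated prefix can only get a route if the same client also holds an address, or a static link-local lease, to use as the next hop), as an added Python example. This is not prefixes.php or any OPNsense code; the lease text is a constructed sample in a simplified ISC dhcpd6.leases style, the DUIDs "duid-A"/"duid-B", the addresses and the `static_nexthops` mapping are assumptions made for the illustration.

```python
"""Pair DHCPv6 NA (address) and PD (prefix) leases by client DUID and derive
the static routes the upstream router needs for the delegated prefixes.

Added example, not OPNsense's prefixes.php.  The lease text below is a
constructed sample in a simplified ISC dhcpd6.leases style; the real file
carries more fields, but the pairing logic is the point: a delegated prefix
is only routable when the same client also holds an address (NA) or has a
static link-local lease that can serve as the next hop.
"""
import ipaddress
import re

# Constructed sample: router A holds both an NA address and a PD prefix;
# router B holds only a PD, so no route can be derived for it from leases.
SAMPLE_LEASES = """\
ia-na "duid-A" {
  cltt 1 2024/01/02 03:04:05;
  iaaddr 2001:db8:0:0::a {
    binding state active;
  }
}
ia-pd "duid-A" {
  cltt 1 2024/01/02 03:04:06;
  iaprefix 2001:db8:0:4::/62 {
    binding state active;
  }
}
ia-pd "duid-B" {
  cltt 1 2024/01/02 03:04:07;
  iaprefix 2001:db8:0:8::/62 {
    binding state active;
  }
}
"""

# Outer blocks close with "}" at column 0; inner ones are indented, so the
# non-greedy match up to "\n}" stops at the right brace.
BLOCK_RE = re.compile(r'(ia-na|ia-pd)\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ADDR_RE = re.compile(r'iaaddr\s+([0-9a-fA-F:]+)\s*\{(.*?)\}', re.S)
PREFIX_RE = re.compile(r'iaprefix\s+([0-9a-fA-F:]+/\d+)\s*\{(.*?)\}', re.S)


def parse_leases(text):
    """Return ({duid: address}, {duid: [prefixes]}) for active bindings only."""
    addresses, prefixes = {}, {}
    for kind, duid, body in BLOCK_RE.findall(text):
        if kind == "ia-na":
            for addr, inner in ADDR_RE.findall(body):
                if "binding state active" in inner:
                    addresses[duid] = ipaddress.IPv6Address(addr)
        else:
            for pfx, inner in PREFIX_RE.findall(body):
                if "binding state active" in inner:
                    prefixes.setdefault(duid, []).append(ipaddress.IPv6Network(pfx))
    return addresses, prefixes


def build_routes(text, static_nexthops=None):
    """Return (routes, unroutable).  routes is a list of (prefix, nexthop);
    unroutable lists prefixes whose client has no address to route to.

    static_nexthops maps DUID -> link-local address, standing in for the
    static lease fallback mentioned in the thread (assumed plain dict here).
    """
    static_nexthops = static_nexthops or {}
    addresses, prefixes = parse_leases(text)
    routes, unroutable = [], []
    for duid, pfxs in prefixes.items():
        nexthop = addresses.get(duid)
        if nexthop is None and duid in static_nexthops:
            nexthop = ipaddress.IPv6Address(static_nexthops[duid])
        for pfx in pfxs:
            if nexthop is None:
                unroutable.append(pfx)
            else:
                routes.append((pfx, nexthop))
    return routes, unroutable


def route_commands(routes, iface="lan"):
    """Render FreeBSD-style route(8) commands (OPNsense runs on FreeBSD).
    A link-local next hop needs the %iface scope suffix to be usable."""
    cmds = []
    for pfx, nh in routes:
        nh_text = f"{nh}%{iface}" if nh.is_link_local else str(nh)
        cmds.append(f"route add -inet6 {pfx} {nh_text}")
    return cmds


if __name__ == "__main__":
    routes, unroutable = build_routes(SAMPLE_LEASES)
    print("\n".join(route_commands(routes)))
    print("no next hop for:", [str(p) for p in unroutable])
    # Supplying a static link-local for router B makes its prefix routable.
    routes, _ = build_routes(SAMPLE_LEASES, {"duid-B": "fe80::2"})
    print("\n".join(route_commands(routes)))
```

Running it shows one route for duid-A's /62 via its NA address and reports duid-B's /62 as unroutable until a next hop is supplied; a client that only ever requests PD, with no NA and no static lease, is exactly the case that leaves the upstream routing table without an entry.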
Thanks, that helped! It was user error, of course. The routes were created perfectly.
My next issue is that the firewall on the umbrella router is blocking the IPv6 traffic from the delegated subnets. I have a rule to pass IPv6 traffic from the LAN_A network to any (inbound on LAN_A interface). The delegated prefixes aren't a part of "LAN_A net". If I make a firewall rule (inbound on LAN_A) to pass all IPv6 traffic any to any, it works great. Is there a security risk in doing this? Or is there a way to add a rule allowing from the delegated prefixes?
My prefixes are dynamic (though rarely change), so I'd rather not make a hard-coded alias to them.
The firewall aliases don't have an option for dynamic IPv6 prefixes yet (only hosts), so allowing a specific dynamic prefix isn't easily possible.
For many use cases, using 'any' should be okay.
Cheers
Maurice
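To make the difference between "LAN_A net", a rule scoped to the delegated prefixes, and "any" concrete, here is an added Python example (not OPNsense's packet filter, and not code from anyone in this thread). It models a first-match filter over source addresses and also sanity-checks the prefix plan from the first post. The ISP /60 is taken as 2001:db8:0::/60 and the host addresses are constructed; LAN_A at ::0/64, LAN_B at ::1/64 and the ::4/62 and ::8/62 delegations follow the thread's layout.

```python
"""Why a pass rule from "LAN_A net" does not match traffic arriving from a
delegated prefix, and what a prefix-scoped rule admits compared with "any".

Added example, not OPNsense's packet filter.  The parent prefix
2001:db8:0::/60 and the sample hosts are constructed; the /64 and /62
layout mirrors the thread.
"""
import ipaddress

ISP_PREFIX = ipaddress.IPv6Network("2001:db8:0::/60")       # assumed /60 from the ISP
LAN_A_NET = ipaddress.IPv6Network("2001:db8:0:0::/64")      # "LAN_A net" (router 1 WAN side)
LAN_B_NET = ipaddress.IPv6Network("2001:db8:0:1::/64")      # router 2 WAN side
DELEGATED = [
    ipaddress.IPv6Network("2001:db8:0:4::/62"),             # delegated to router 1
    ipaddress.IPv6Network("2001:db8:0:8::/62"),             # delegated to router 2
]
ANY = ipaddress.IPv6Network("::/0")


def check_plan(parent, lan_nets, delegated):
    """Sanity-check the addressing plan: every LAN /64 and delegated prefix
    must sit inside the parent and none may overlap.  Returns problem strings."""
    problems = []
    nets = list(lan_nets) + list(delegated)
    for n in nets:
        if not n.subnet_of(parent):
            problems.append(f"{n} is outside {parent}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def first_match(rules, src):
    """Evaluate an ordered list of (source_network, action) rules the way a
    first-match filter does; anything unmatched hits the implicit default deny."""
    src = ipaddress.IPv6Address(src)
    for net, action in rules:
        if src in net:
            return action
    return "block"


# The three rule sets discussed in the thread, as inbound rules on LAN_A.
RULES_LAN_A_NET = [(LAN_A_NET, "pass")]
RULES_DELEGATED = [(LAN_A_NET, "pass")] + [(p, "pass") for p in DELEGATED]
RULES_ANY = [(ANY, "pass")]


def compare(src):
    """Verdict of each rule set for one source address."""
    return {
        "LAN_A net": first_match(RULES_LAN_A_NET, src),
        "LAN_A net + delegated": first_match(RULES_DELEGATED, src),
        "any": first_match(RULES_ANY, src),
    }


if __name__ == "__main__":
    print("plan problems:", check_plan(ISP_PREFIX, [LAN_A_NET, LAN_B_NET], DELEGATED))
    for src in ("2001:db8:0:0::10",    # host directly on LAN_A
                "2001:db8:0:5::10",    # host behind router 1 (inside ::4/62)
                "2001:db8:0:a::10",    # host behind router 2 (inside ::8/62)
                "2001:db8:1:0::10"):   # source outside the ISP /60 entirely
        print(src, compare(src))
```

The second sample host is the thread's situation: it is inside ::4/62 but not inside "LAN_A net", so the original rule leaves it to the default deny. Adding the delegated prefixes passes it while still dropping the last source, which lies outside the /60 altogether; the "any" rule passes that one too, which is the only thing it admits that a prefix-scoped rule would not.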
Great, I appreciate the help!
-Ben