OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: martymarty004 on November 27, 2025, 05:55:23 PM

Title: OPNsense 25.7.8 HA - Persistent IPv6 ingress/egress policy Error on WAN (PPPoE)
Post by: martymarty004 on November 27, 2025, 05:55:23 PM
Hello, I'm new to OPNsense and networking in general, and I'm facing some issues with the IPv6 configuration of my setup.
PPPoE is working, but I'm getting "Destination unreachable: Source address failed ingress/egress policy" when trying IPv6.
I'm attaching three files with the status of WAN, LAN and what a client receives as parameters, so you can check if anything is amiss.
Do you have any suggestions?

PING [PREFIX]:0::1 OK
PING fe80::1%enp42s0 OK
PING google.com KO > From _gateway (fe80::1%enp42s0) icmp_seq=1 Destination unreachable: Source address failed ingress/egress policy

Physical network>

Two identical Proxmox nodes (v9.1.1) with two NICs, one NIC in a Tagged VLAN 835, the other is Untagged LAN.
Each NIC has a virtual bridge on top, connected to the OPNsense VM (v25.7.8) and other containers. Bridges are VLAN aware, virtual NICs are VIRTIO (queues enabled, Firewall OFF).

Everything is attached to a TL-SG3424, stock config except for ports 1-4 being assigned to VLAN 835 (TRUNK).

My ISP provides me with a public dynamic IPv4 (which never actually changes) as well as a static /48 IPv6 prefix.


OPNsense Environment>

- WAN : Block private, Block bogon
IPv4 : PPPoE
IPv6 : DHCPv6, Prefix delegation /48, request only prefix, send hint

- LAN
IPv4 : 10.79.0.2/24 (static) - (10.79.0.2/24)
IPv6 : [PREFIX]:0::2/64 (static) - ([PREFIX]:0::3/64)

- WAN_PARENT : assigned to vtnet1 just for CARP logic

CARP>
VHID 1 - LAN - 10.79.0.1/24
VHID 2 - LAN - fe80::1/64
VHID 3 - LAN - [PREFIX]:0::1/64
VHID 4 - OPT1 - 10.254.254.1/32 (brings down PPPoE when BACKUP)

One VM is MASTER, the other BACKUP. I can see the spoofed MACs from the switch's ARP table, so they should be fine.

KEA DHCPv6>
Subnet : [PREFIX]:0::/64
Range : [PREFIX]:0::1000 - [PREFIX]:0::ffff
DNS : [Pi-Hole1], [Pi-Hole2]
HA : Enabled

Router Advertisements>
Mode : Assisted
Priority : High
Source Address : fe80::1/64
Advertise Routes : [PREFIX]:0::/64
Advertise Default Gateway, Do not send any DNS configuration to clients


Dnsmasq, ISCDHCP, Unbound DNS> OFF

System : High Availability> Active and synchronized

For internet connectivity on BACKUP router>
- Firewall: NAT: Outbound : Hybrid
  Rule : WAN - Src: LAN - Dst: * - NAT: Interface addr
- Gateways
  Fallback_GW : Interface: LAN - IP: 10.79.0.1 (lower priority, FAR gateway)