I'm not able to set CARP VIPs for link local addresses (https://docs.opnsense.org/manual/how-tos/carp.html#setup-virtual-ipv6-link-local-address) to make IPv6 communication flowing. RA announces current, physical link local ipv6 address as router which is different than CARP VIP. I've tried setting fe80::/64 and fe80::1/64 as CARP VIP without any luck...
But as I use tunnelbroker I can't use my ipv4 WAN interface to set up CARP VIP (https://docs.opnsense.org/manual/how-tos/carp.html#setup-virtual-ipv6-global-unicast-address) and I think this should have been my GIF interface...(?) And if I set next hop, either tunnel remote or local address as CARP VIP address, VIP remains as disabled...
How to set it up properly?
fe80::/64 is not a valid address but fe80::1/64 should be fine. I use fe80::<VLAN ID>/64 everywhere.
Please show a screenshot of
- the interface configuration of both units
- the CARP VIP configuration on the active/master (should propagate to the standby once you do a configuration sync)
Quote from: Patrick M. Hausen on March 16, 2026, 02:35:12 PM- the interface configuration of both units
- the CARP VIP configuration on the active/master
So, I adjusted local link addresses - as per your advice to make sure they are different
I couldn't attached screenshots here as limit is only 250 kB (?)
Link to listed below screenshots: https://imgur.com/a/r9RSFma
Master interface:
Backup interface:
CARP VIP global (I had multicast, same issue, so I tried unicast)
CARP VIP local:
(https://imgur.com/a/r9RSFma)
VHID groups are fine, initially I synchronised CARP VIPs, later I changed them to unicast.
So, where's mistake???
I block so called image hosting sites, sorry.
This works.
Interface configuration on the primary node:
(https://forum.opnsense.org/index.php?action=dlattach;attach=53136;image)
CARP VIP:
(https://forum.opnsense.org/index.php?action=dlattach;attach=53134;image)
Radvd config:
(https://forum.opnsense.org/index.php?action=dlattach;attach=53138;image)
HTH,
Patrick
Quote from: Patrick M. Hausen on March 16, 2026, 09:00:09 PMRadvd config:
Thanks!
Can you confirm, do you use: Services -> Router Advertisements? Because I don't have any dropdown list to choose from...
I use Services: Router Advertisements. I don't recognise your screen shot.
Patrick, my settings look like the one above, as well. Your seems to be from an old version or the business version. There is no dropdown in "Source Adress" with 26.1.4, not even when a CARP VIP exists on the interface.
Yes, the setup in question is BE 25.10.
So, it means that ipv6 won't work in HA setup in community edition...?
The only place I've found to choose interface with carp vip address is gif interface settings.
Then there's probably a bug. This used to work in CE, too, before we switched to BE.
Quote from: Patrick M. Hausen on March 17, 2026, 07:35:02 AMThen there's probably a bug. This used to work in CE, too, before we switched to BE.
Do I need to report it or this forum is monitored?
Please report on Github.
Quote from: Patrick M. Hausen on March 17, 2026, 09:13:15 AMPlease report on Github.
There is issue already created: https://github.com/opnsense/core/issues/9873
This is an issue different from yours. Please do not assume they are related because they have IPv6 and CARP in them. You should be able to set the CARP VIP as the RA address. This used to work.
There is no bug here the field exists and you can input the source IP address.
https://github.com/opnsense/core/blob/f8364f426a986f879ecd4c40a0ed4b15f67b5fa9/src/opnsense/mvc/app/models/OPNsense/Radvd/Radvd.xml#L101
https://github.com/opnsense/core/blob/f8364f426a986f879ecd4c40a0ed4b15f67b5fa9/src/opnsense/mvc/app/models/OPNsense/Radvd/FieldTypes/VipLinkLocalField.php#L80
https://github.com/opnsense/core/blob/f8364f426a986f879ecd4c40a0ed4b15f67b5fa9/src/opnsense/mvc/app/controllers/OPNsense/Radvd/forms/dialogEntry.xml#L115
Its just not a dropdown anymore.
What's the reason for that change?
The mvc migration of the component.
The old code at that spot was very unfortunate.
Quote from: Monviech (Cedrik) on March 17, 2026, 05:45:36 PMThere is no bug here the field exists and you can input the source IP address.
That's what I'd done also (i.e. I typed in: fe80::14) and doesn't work. Once I remove CARP VIPs ipv6 works fine.
My issue may have something to do with tunnelbroker setup, as I don't have native ipv6 provider available... OR I will try also to reconfigure my PVE setup and create additional LAN bridge for backup instance and instead of having them (2x opnsense) connected over single linux bridge - within proxmox, connect them over physical switch?
This of course requires second downlink, so:
- regular bridge would remain connected as it is now
- backup/new bridge will be connected to switch via additional downlink
If it does not work in your infrastructure it does not mean it's bug right away.
Check for these:
- If you set a source address for the RAs, but "cat /var/etc/radvd.conf" does not contain it.
- If you set a source address for the RAs, and packet capture that the source address of the RAs (Source link layer option) is not the source address you set.
Please note that depending on your interface configuration on LAN or whatever you use, (Static IPv6, Track Interface, Identity Association) radvd.conf will contains subtly different results.
Best use the new "Identity Association" as IPv6 configuration method.
Quote from: Monviech (Cedrik) on March 18, 2026, 10:50:58 AMCheck for these:
- If you set a source address for the RAs, but "cat /var/etc/radvd.conf" does not contain it.
- If you set a source address for the RAs, and packet capture that the source address of the RAs (Source link layer option) is not the source address you set.
radvd.conf contains source address:
[color=#000000][size=1][font=Menlo][/font][/size][/color]
interface vlan14 {
AdvSendAdvert on;
MinRtrAdvInterval 200;
MaxRtrAdvInterval 600;
AdvLinkMTU 1500;
AdvDefaultPreference high;
AdvRASrcAddress { fe80::14;
};
AdvSourceLLAddress off;
RemoveAdvOnExit off;
prefix XXXXXXXXd:4::/64 { DeprecatePrefix off;
AdvOnLink on;
AdvAutonomous on;
};
RDNSS XXXXXXXXXd:1::4 { };
DNSSL x.xx { };
};and tcpdump of RA:
tcpdump -i vlan14 -vv -n icmp6 and 'ip6[40] == 134'
tcpdump: listening on vlan14, link-type EN10MB (Ethernet), snapshot length 262144 bytes11:17:40.481739 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 112) fe80::14 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 112
hop limit 64, Flags [other stateful], pref high, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
prefix info option (3), length 32 (4): XXXXXXXXXd:4::/64, Flags [onlink, auto], valid time 86400s, pref. time 14400s
0x0000: 40c0 0001 5180 0000 3840 0000 0000 2001
0x0010: 0470 604d 0004 0000 0000 0000 0000
rdnss option (25), length 24 (3): lifetime 1800s, addr: XXXXXXXd:1::4
0x0000: 0000 0000 0708 2001 0470 604d 0001 0000
0x0010: 0000 0000 0004
dnssl option (31), length 32 (4): lifetime 1800s, domain(s): x.xx.
0x0000: 0000 0000 0708 0d6d 6172 737a 616c 6b6f
0x0010: 7773 6379 0270 6c00 0000 0000 0000
mtu option (5), length 8 (1): 1500
0x0000: 0000 0000 05dcLike I wrote in my first message:
QuoteBut as I use tunnelbroker I can't use my ipv4 WAN interface to set up CARP VIP (https://docs.opnsense.org/manual/how-tos/carp.html#setup-virtual-ipv6-global-unicast-address (https://docs.opnsense.org/manual/how-tos/carp.html#setup-virtual-ipv6-global-unicast-address)) and I think this should have been my GIF interface...(?) And if I set next hop, either tunnel remote or local address as CARP VIP address, VIP remains as disabled...
This could have been my source of this issue, but I'm not sure how to solve it.
An update: out of blue (almost) ipv6 started working! My guess is that is because of "routes" - I had them configured in my previous setup. I deleted them from RA when preparing HA setup, but maybe my laptop had cached them (?)... Anyway, since couple of hours ago it did start working and continue doing so...