Hello,
I found out that I can get IPv6 with Orange Belgium if I set their router to bridge mode and let my router (in this case OPNsense) handle it. It seems that Orange.BE has DHCPv6-PD, and in my case with a /56 delegation size.
I set it up and can see from /tmp/vtnet0_prefixv6 that it is assigning a 2a01:xxxx:xxxx:xxxx::/56 prefix, so I configured the WAN DHCPv6 as in the "WAN DHCPV6 settings" image.
However, OPNsense is using, for the WAN, a different prefix and delegation size, as you can see on the "Interfaces overview censored" image. It is pushing the "correct" prefix to the LAN, but with an incorrect delegation size.
What am I missing here, why is OPNsense insisting on this fe80:/64?
And checking from the shell, default IPv6 routing is also going to this wrong prefix and ping v6 doesn't work.
# netstat -nr6 | grep default
default fe80::1%vtnet0 UG vtnet0
I am using this script (https://gist.github.com/spali/2da4f23e488219504b2ada12ac59a7dc?permalink_comment_id=6142547#gistcomment-6142547) for CARP on a single WAN IP, as Orange will only assign one IP to a single MAC address behind the bridge. I have cloned the MAC between both OPNsense instances and CARP works. I don't see anything in that script that could interfere with DHCPv6, but have included that info for completeness.
You have checked "Request prefix only" which only asks for IA_PD.
If you also want an IA_NA address on WAN, uncheck that.
IPv6 routing uses link-local addresses by default (fe80...). It does not require global unicast addresses for routing most of the time (2001...).
Using prefix delegation (IA_PD) and high availability is not going to work reliably, as the clients have a real identity. You would need some sort of NAT66 and ULAs (unique local addresses fd00...), just like with IPv4 HA (RFC1918 addresses and NAT44).
It only works if you have a static prefix and your provider routes your prefix to an address you configured as CARP on WAN.
https://docs.opnsense.org/manual/how-tos/carp.html#configuring-carp-for-ipv6
A different way could also be to use an NDP proxy that masks the client identity for you by pretending it is the only client, but that won't work with prefix delegation.
https://docs.opnsense.org/manual/ndp-proxy-go.html#high-availability
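
The IA_PD / IA_NA distinction from the reply above, as an added example that is not part of the original posts and is not OPNsense code: it parses a DHCPv6 message and lists the addresses (IA_NA) and delegated prefixes (IA_PD) it carries, using the option codes from RFC 8415. The sample Reply, the helper names and the 2001:db8 documentation addresses are constructed for illustration.

```python
import ipaddress
import struct

# DHCPv6 option codes (RFC 8415)
OPT_IA_NA, OPT_IAADDR, OPT_IA_PD, OPT_IAPREFIX = 3, 5, 25, 26

def opt(code, payload):
    """Encode one option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload

def iter_options(buf):
    """Yield (code, payload) per option; reject options that overrun buf."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if pos + length > len(buf):
            raise ValueError("truncated option %d" % code)
        yield code, buf[pos:pos + length]
        pos += length

def summarize(msg):
    """Return message type plus IA_NA addresses and IA_PD prefixes found."""
    if len(msg) < 4:
        raise ValueError("short DHCPv6 message")
    out = {"msg_type": msg[0], "ia_na": [], "ia_pd": []}
    for code, body in iter_options(msg[4:]):  # skip type + transaction id
        if code not in (OPT_IA_NA, OPT_IA_PD) or len(body) < 12:
            continue
        # Both IA options start with IAID, T1, T2 (12 bytes), then sub-options
        for sub, data in iter_options(body[12:]):
            if code == OPT_IA_NA and sub == OPT_IAADDR and len(data) >= 24:
                out["ia_na"].append(str(ipaddress.IPv6Address(data[:16])))
            elif code == OPT_IA_PD and sub == OPT_IAPREFIX and len(data) >= 25:
                addr = ipaddress.IPv6Address(data[9:25])  # after lifetimes + length
                out["ia_pd"].append(str(ipaddress.IPv6Network((addr, data[8]), strict=False)))
    return out

def sample_reply(with_ia_na):
    """Constructed Reply (type 7): IA_PD always, IA_NA only when requested."""
    prefix = ipaddress.IPv6Address("2001:db8:ab00::").packed
    iaprefix = opt(OPT_IAPREFIX, struct.pack("!IIB", 3600, 7200, 56) + prefix)
    msg = b"\x07\x01\x02\x03" + opt(OPT_IA_PD, struct.pack("!III", 1, 1800, 2880) + iaprefix)
    if with_ia_na:
        addr = ipaddress.IPv6Address("2001:db8:ffff::10").packed
        iaaddr = opt(OPT_IAADDR, addr + struct.pack("!II", 3600, 7200))
        msg += opt(OPT_IA_NA, struct.pack("!III", 1, 1800, 2880) + iaaddr)
    return msg

if __name__ == "__main__":
    print(summarize(sample_reply(False)))  # prefix only: WAN keeps just fe80::
    print(summarize(sample_reply(True)))
```

With only IA_PD in the exchange, the WAN interface has no global address to show, so a link-local address and a default route via fe80::1 are the expected state.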