Hi,
hopefully someone could help. I have an ESXi at Hetzner.
When I boot OPNsense with IPv6 I can ping, but every UDP or TCP stream is not working.
If I use pfSense, IPv6 is working without any problem. I found no differences, could someone help me to debug this?
Regards
Gregor
sysctl OPNsense:
net.inet6.ip6.forwarding: 1
net.inet6.ip6.redirect: 1
net.inet6.ip6.hlim: 64
net.inet6.ip6.maxfragpackets: 62876
net.inet6.ip6.accept_rtadv: 0
net.inet6.ip6.log_interval: 5
net.inet6.ip6.hdrnestlimit: 15
net.inet6.ip6.dad_count: 1
net.inet6.ip6.auto_flowlabel: 1
net.inet6.ip6.defmcasthlim: 1
net.inet6.ip6.gifhlim: 30
net.inet6.ip6.kame_version: FreeBSD
net.inet6.ip6.use_deprecated: 1
net.inet6.ip6.rr_prune: 5
net.inet6.ip6.v6only: 1
net.inet6.ip6.use_tempaddr: 0
net.inet6.ip6.temppltime: 86400
net.inet6.ip6.tempvltime: 604800
net.inet6.ip6.auto_linklocal: 1
net.inet6.ip6.prefer_tempaddr: 0
net.inet6.ip6.use_defaultzone: 0
net.inet6.ip6.maxfrags: 62876
net.inet6.ip6.mcast_pmtu: 0
net.inet6.ip6.stealth: 0
net.inet6.ip6.no_radr: 0
net.inet6.ip6.norbit_raif: 0
net.inet6.ip6.rfc6204w3: 0
net.inet6.ip6.intr_queue_maxlen: 256
net.inet6.ip6.grehlim: 64
net.inet6.ip6.deembed_scopeid: 1
net.inet6.ip6.dad_enhanced: 1
net.inet6.ip6.mcast.loop: 1
net.inet6.ip6.mcast.maxsocksrc: 128
net.inet6.ip6.mcast.maxgrpsrc: 512
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 0
net.inet6.ipsec6.filtertunnel: 0
net.inet6.icmp6.rediraccept: 1
net.inet6.icmp6.redirtimeout: 600
net.inet6.icmp6.nd6_prune: 1
net.inet6.icmp6.nd6_delay: 5
net.inet6.icmp6.nd6_umaxtries: 3
net.inet6.icmp6.nd6_mmaxtries: 3
net.inet6.icmp6.nd6_useloopback: 1
net.inet6.icmp6.nodeinfo: 3
net.inet6.icmp6.errppslimit: 100
net.inet6.icmp6.nd6_maxnudhint: 0
net.inet6.icmp6.nd6_debug: 0
net.inet6.icmp6.nd6_maxqueuelen: 1
net.inet6.icmp6.nodeinfo_oldmcprefix: 1
net.inet6.icmp6.nd6_onlink_ns_rfc4861: 0
net.inet6.icmp6.nd6_gctimer: 86400
net.inet6.mld.use_allow: 1
net.inet6.mld.v1enable: 1
net.inet6.mld.gsrdelay: 10
sysctl pfSense:
net.inet6.ip6.forwarding: 1
net.inet6.ip6.redirect: 1
net.inet6.ip6.hlim: 64
net.inet6.ip6.maxfragpackets: 47174
net.inet6.ip6.accept_rtadv: 0
net.inet6.ip6.log_interval: 5
net.inet6.ip6.hdrnestlimit: 15
net.inet6.ip6.dad_count: 1
net.inet6.ip6.auto_flowlabel: 1
net.inet6.ip6.defmcasthlim: 1
net.inet6.ip6.gifhlim: 30
net.inet6.ip6.kame_version: FreeBSD
net.inet6.ip6.use_deprecated: 1
net.inet6.ip6.rr_prune: 5
net.inet6.ip6.v6only: 1
net.inet6.ip6.use_tempaddr: 0
net.inet6.ip6.temppltime: 86400
net.inet6.ip6.tempvltime: 604800
net.inet6.ip6.auto_linklocal: 1
net.inet6.ip6.prefer_tempaddr: 0
net.inet6.ip6.use_defaultzone: 0
net.inet6.ip6.maxfrags: 47174
net.inet6.ip6.mcast_pmtu: 0
net.inet6.ip6.stealth: 0
net.inet6.ip6.no_radr: 0
net.inet6.ip6.norbit_raif: 0
net.inet6.ip6.rfc6204w3: 1
net.inet6.ip6.intr_queue_maxlen: 256
net.inet6.ip6.pfil.outbound: pf
net.inet6.ip6.pfil.inbound: pf
net.inet6.ip6.deembed_scopeid: 1
net.inet6.ip6.dad_enhanced: 1
net.inet6.ip6.grehlim: 64
net.inet6.ip6.mcast.loop: 1
net.inet6.ip6.mcast.maxsocksrc: 128
net.inet6.ip6.mcast.maxgrpsrc: 512
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 0
net.inet6.ipsec6.filtertunnel: 0
net.inet6.icmp6.rediraccept: 1
net.inet6.icmp6.redirtimeout: 600
net.inet6.icmp6.nd6_prune: 1
net.inet6.icmp6.nd6_delay: 5
net.inet6.icmp6.nd6_umaxtries: 3
net.inet6.icmp6.nd6_mmaxtries: 3
net.inet6.icmp6.nd6_useloopback: 1
net.inet6.icmp6.nodeinfo: 3
net.inet6.icmp6.errppslimit: 100
net.inet6.icmp6.nd6_maxnudhint: 0
net.inet6.icmp6.nd6_debug: 0
net.inet6.icmp6.nd6_maxqueuelen: 1
net.inet6.icmp6.nodeinfo_oldmcprefix: 1
net.inet6.icmp6.nd6_onlink_ns_rfc4861: 0
net.inet6.icmp6.nd6_gctimer: 86400
net.inet6.mld.use_allow: 1
net.inet6.mld.v1enable: 1
net.inet6.mld.gsrdelay: 10
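An added example, not part of the original posts: one way to compare two saved `sysctl net.inet6` listings like the ones above key by key, instead of by eye. The function name `sysctl_diff`, the temporary file names and the choice of excerpt are assumptions; the sample values are copied from the two listings in this post.

```shell
#!/bin/sh
# sysctl_diff A B: list every key whose value differs between two saved
# `sysctl net.inet6` listings, or that is present in only one of them.
# Output columns (tab-separated): key, value in A, value in B ("-" = absent).
sysctl_diff() {
    awk -v OFS='\t' '
        {
            i = index($0, ": ")        # split at the first ": " only
            if (i == 0) next           # skip lines that are not "key: value"
            k = substr($0, 1, i - 1); v = substr($0, i + 2)
            if (FILENAME == ARGV[1]) a[k] = v; else b[k] = v
            seen[k] = 1
        }
        END {
            for (k in seen) {
                va = (k in a) ? a[k] : "-"
                vb = (k in b) ? b[k] : "-"
                if (va != vb) print k, va, vb
            }
        }' "$1" "$2" | LC_ALL=C sort
}

# Demo input: an excerpt of the two listings posted above.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/opnsense.txt" <<'EOF'
net.inet6.ip6.forwarding: 1
net.inet6.ip6.maxfragpackets: 62876
net.inet6.ip6.maxfrags: 62876
net.inet6.ip6.rfc6204w3: 0
net.inet6.ip6.intr_queue_maxlen: 256
EOF
    cat > "$d/pfsense.txt" <<'EOF'
net.inet6.ip6.forwarding: 1
net.inet6.ip6.maxfragpackets: 47174
net.inet6.ip6.maxfrags: 47174
net.inet6.ip6.rfc6204w3: 1
net.inet6.ip6.intr_queue_maxlen: 256
net.inet6.ip6.pfil.outbound: pf
net.inet6.ip6.pfil.inbound: pf
EOF
    sysctl_diff "$d/opnsense.txt" "$d/pfsense.txt"
    rm -rf "$d"
}

demo
```

On a live system the two input files would come from `sysctl net.inet6 > file` on each firewall.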
It definitely works, as I had an ESXi baremetal setup on one of my Qotom units and I was running OPNsense quite happily. Just for checking, I'll run it up again and see if it still checks out.
Works fine on ESXi 6.0 with ISP delegated range.
Bart...
so you can configure and can use e.g. OpenVPN only over IPv6?
Gregor
Checked with a clean ESXi 6.7 install and a fresh OPNsense install, all working fine.
Quote from: gex on July 23, 2018, 04:17:31 PM
so you can configure and can use e.g. OpenVPN only over IPv6?
Gregor
So which is it, IPv6 doesn't work at all or OpenVPN doesn't work?
Quote from: gex on July 23, 2018, 04:17:31 PM
so you can configure and can use e.g. OpenVPN only over IPv6?
Gregor
Yes, indeed. One /64 from the ISP range for the LAN and one for the VPN. Both LAN clients and VPN clients can browse over IPv6.
Not exclusively, no. OpenVPN won't connect over IPv6 only. You can give the server and clients 169.254.0.0/16 (a.k.a. IPv4 link-local) addresses if you don't want a routable IPv4 tunnel.
Bart...
Quote from: marjohn56 on July 23, 2018, 07:49:22 PM
So which is it, IPv6 doesn't work at all or OpenVPN doesn't work?
Only ping is working with IPv6 - can't open the config page (with the right FW rule set up) and also OpenVPN won't connect.
In tcpdump all packets have cksum incorrect.