OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: Drohne on February 04, 2019, 03:43:54 pm

Title: NPTv6: issues after upgrade 19.1, weird linklocal assignments
Post by: Drohne on February 04, 2019, 03:43:54 pm
After upgrading OPNsense 18.7.10_3 to 19.1 recently, I face severe issues with firewalling and NPTv6.

The setup is a point-to-point uplink to our ISP (Telekom, vlan tag 7), dual-stack. Inbound LAN is one interface; FreeBSD designates it as re0. The external interface is designated re1 towards the MODEM. The modem is not capable of handling vlan tags. The WAN connection is performed via PPPoE.

The outbound "interface" in OPNsense terminology is WAN: it is comprised of binding EXTIF (re1) and VLAN7 (re1_vlan7, vlan tag 7 on re1) and WAN, which is the pseudo device pppoe0 and derived from re1_vlan7.

We use static routes for IPv4 and IPv6.

Internally we use ULA IPv6 addresses, and on our FreeBSD 12/13 installations we successfully use IPFW's NPTv6 for prefix translation. In 18.7.10_3 I tried a similar setup via the GUI, but for every change of the prefix (due to ISP interruptions or a forced reset of the assigned IPv6), I had to change the translated prefix in OPNsense. So far, that setup worked in 18.7.10_3: the hosts were able to traverse OPNsense as desired.

The setup worked, so far, perfectly in 18.7.10_3. It doesn't anymore in 19.1. For reasons unknown, IPv4 also doesn't work anymore. From time to time, not exactly reproducible, reloading services from OPNsense's console via option 11 leads to "Configuring firewall.....failed". Services radvd, dhcpd6 and unbound sporadically do not load and are marked disabled in the lobby/dashboard.
It gets really weird when disabling NPTv6: after confirming, IPv4 works again and the hosts of the internal LAN are able to connect to the outside world again.

Another very strange observation in comparison to our FreeBSD experiences with PPPoE uplinks is the fact that when OPNsense derives the link local address for the outbound EXTIF/VLAN7 interface (physical re1), the MAC of the internal NIC (re0) is used! So, I find the MAC of re0, the internal LANIF, encoded in the link local IPv6 address of pppoe0, fe80::..., and 2003::.... I'm not quite sure whether this is an issue, but from the experiences I can rely on with FreeBSD, the OS derives the MAC of cloned devices usually from the root device, which would be re1.

I feel a bit helpless here.
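The observation above (a NIC's MAC showing up in the EUI-64 interface identifier of another interface's fe80:: and global address) can be checked mechanically. This is an added example, not code from the post or from OPNsense: it derives the modified-EUI-64 link-local address for a MAC (RFC 4291), recovers the MAC from any address whose interface identifier is EUI-64 based, and maps it back to an interface name. The MAC addresses and the interface table are constructed sample values, not the poster's.

```python
import ipaddress
import re
from typing import Dict, Optional


def mac_to_eui64_linklocal(mac: str) -> str:
    """Derive the modified-EUI-64 link-local address (RFC 4291 App. A) for a MAC."""
    octets = [int(b, 16) for b in re.split(r"[:-]", mac.strip().lower())]
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    octets[0] ^= 0x02                      # flip the universal/local bit
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]   # insert ff:fe in the middle
    iid = ":".join(f"{(eui[i] << 8) | eui[i + 1]:x}" for i in range(0, 8, 2))
    return str(ipaddress.IPv6Address(f"fe80::{iid}"))


def eui64_iid_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC from an address with an EUI-64 interface identifier.

    Works for link-local (fe80::) and global addresses alike, since the poster
    saw the MAC in both. Returns None when the IID is not EUI-64 derived
    (privacy/stable-random IIDs have no ff:fe marker).
    """
    a = ipaddress.IPv6Address(addr.split("%")[0])   # drop a scope id like %pppoe0
    iid = a.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def find_owner(addr: str, nics: Dict[str, str]) -> Optional[str]:
    """Return the interface whose MAC is embedded in addr, or None."""
    mac = eui64_iid_to_mac(addr)
    if mac is None:
        return None
    for name, nic_mac in nics.items():
        if nic_mac.lower() == mac:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: two NICs, and the fe80:: seen on pppoe0.
    nics = {"re0": "00:11:22:33:44:55", "re1": "00:11:22:33:44:56"}
    seen_on_pppoe0 = "fe80::211:22ff:fe33:4455%pppoe0"
    print("expected for re1:", mac_to_eui64_linklocal(nics["re1"]))
    print("pppoe0 IID belongs to:", find_owner(seen_on_pppoe0, nics))
```

Feed it the MACs from `ifconfig re0`/`ifconfig re1` and the `inet6` lines of `pppoe0` to confirm which NIC the identifier was derived from.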