OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: jimpd on January 01, 2020, 01:15:43 am

Title: IPv6 in LAN can only reach FritzBox but not the internet
Post by: jimpd on January 01, 2020, 01:15:43 am
Hi :)

I tried to configure IPv6 behind my OPNsense but I am stuck right now.
My setup looks like this:
Internet -> FritzBox -> LAN1
                     -> OPNsense (in LAN1) -> LAN2
What is working?
IPv6 is working fine on devices in LAN1. IPv6 is working fine on the WAN port on my OPNsense.

What is not working?
IPv6 is not working on devices in LAN2

I do get IPv6 addresses on devices in LAN2 and I can ping OPNsense and the FritzBox via IPv6 but I cannot reach anything outside on the Internet.

Configuration:
Enabled IPv6 in FritzBox with "DNS and IA_PD"
Enabled IPv6 in OPNsense

WAN interface:
 IPv6 Configuration Type - DHCPv6

 Configuration Mode - Basic
 Request only an IPv6 prefix - Yes
 Prefix delegation size - 62 (also tried 60 here)
 Send IPv6 prefix hint - Yes
 Prevent release - Yes
 Enable debug - No
 Use IPv4 connectivity - No
 Use VLAN priority - No

LAN interface:
 IPv6 Configuration Type - Track Interface

 IPv6 Interface - WAN
 IPv6 Prefix ID - 0x0
 Manual configuration - No

Firewall -> Advanced:
 Allow IPv6  - Yes

Firewall -> Rules -> LAN:
 Action - Pass
 Interface - LAN
 Direction - in
 TCP/IP Version - IPv6
 Protocol - ICMP
 ICMP type - any
 Source - LAN net

With this config I get IPv6 addresses in LAN2 and can ping other local devices but I cannot reach outside IPv6 addresses via ping.
According to the "Live View" under "Log Files" the ICMP ping is successful, at least it is not blocked.
A mtr shows successful connection to OPNsense, then FritzBox, then it stops.

Any idea what is wrong here?

/edit
To test this more I added following rules to LAN:
IPv6 * - Source WAN - any...
IPv6 * - Source LAN - any...

And on WAN the same:
IPv6 * - Source WAN - any...
IPv6 * - Source LAN - any...

But still not working
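The WAN and LAN settings in the post above (prefix delegation size 62, Track Interface on WAN, Prefix ID 0x0) together decide which /64 the LAN receives out of the delegated prefix. The following is an added example, not code from the original post or from OPNsense itself: it works through that selection with Python's ipaddress module and rejects a Prefix ID that does not fit inside the delegation. The 2001:db8:... prefixes are constructed documentation addresses, not the poster's real delegation.

```python
import ipaddress


def usable_prefix_ids(delegated: str) -> range:
    """IDs a tracking interface can select inside a delegated prefix of a given size.

    A /62 delegation holds 2**(64-62) = 4 subnets (IDs 0x0..0x3),
    a /60 holds 16 (IDs 0x0..0xf), a /56 holds 256 (IDs 0x0..0xff).
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is smaller than a /64; no subnet can be tracked from it")
    return range(2 ** (64 - pd.prefixlen))


def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 handed to the tracking interface: delegated prefix + (prefix_id << 64)."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    ids = usable_prefix_ids(delegated)
    if prefix_id not in ids:
        raise ValueError(
            f"prefix ID 0x{prefix_id:x} does not fit: {pd} holds {len(ids)} /64s "
            f"(IDs 0x0..0x{ids[-1]:x})"
        )
    # The prefix ID occupies the bits between the delegated prefix length and /64.
    return ipaddress.IPv6Network((int(pd.network_address) + (prefix_id << 64), 64))


if __name__ == "__main__":
    # Constructed example delegations (documentation range), one of each size the post tried.
    for delegated in ("2001:db8:1234:5670::/62", "2001:db8:1234:5670::/60"):
        ids = usable_prefix_ids(delegated)
        print(f"{delegated}: {len(ids)} LAN /64s, prefix IDs 0x0..0x{ids[-1]:x}")
        for pid in (0x0, 0x3, 0xf):
            try:
                print(f"  ID 0x{pid:x} -> {lan_prefix(delegated, pid)}")
            except ValueError as err:
                print(f"  ID 0x{pid:x} -> {err}")
```

With a /62 only IDs 0x0 to 0x3 are usable, so a second interface tracking the same WAN needs an ID in that range; a /60 allows 0x0 to 0xf. An ID outside the delegation has no address space behind it, which is one reason to check the size the upstream router actually delegated rather than the size that was requested.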
Title: Re: IPv6 in LAN can only reach FritzBox but not the internet
Post by: chriss_de on January 03, 2020, 02:26:21 pm
There is a firewall within the FritzBox that may block the returning packets.

I used to have a FritzBox and must say that the IPv6 functions in the FritzBox are more like a beta-state feature.

You can test whether it works if you allow all traffic for the host / network (your delegated IPv6 prefix) within the FritzBox.
I think Internet > Freigaben > somewhere there

Title: Re: IPv6 in LAN can only reach FritzBox but not the internet
Post by: jimpd on January 03, 2020, 04:58:48 pm
I added my OPNsense as exposed IPv6 host but that did not work either.
The most interesting part is that if the mtr runs long enough, sometimes a single packet goes out.
Title: Re: IPv6 in LAN can only reach FritzBox but not the internet
Post by: jimpd on January 03, 2020, 05:12:25 pm
I played a bit more around and noticed the following:
If I block the device via Filter -> Kindersicherung and then change it again, I get a single packet through via IPv6.
If I block it again and set it back to "Standard" the mtr always succeeds but only until I stop and re-start the mtr on a device in LAN2
Title: Re: IPv6 in LAN can only reach FritzBox but not the internet
Post by: chriss_de on January 03, 2020, 08:18:20 pm
Just for fun... because it's all strange

Can you ping devices in LAN2 from LAN1? But all in all it seems to be a problem with the FritzBox. Try contacting AVM support - they are pretty good and give you test firmwares that might fix your problem.
Title: Re: IPv6 in LAN can only reach FritzBox but not the internet
Post by: jimpd on January 19, 2020, 01:19:28 pm
Sorry for the late reply

I have tested the following with IPv6:
device1 in LAN1
device2 in LAN2

device1 can ping device2
device2 can ping device1

Installed a webserver on device2 and allowed port 80 on the OPNsense WAN interface for device2
-> device1 can access the website running on device2
Title: Re: IPv6 in LAN can only reach FritzBox but not the internet
Post by: jimpd on January 19, 2020, 01:35:04 pm
Next approach

Allow incoming port 443 on the OPNsense WAN interface (which is in LAN1) with the exposed host configured in the FritzBox -> the OPNsense interface is reachable from remote via IPv6

Then I tried a similar setup as before from the internet (with curl)

device1 in LAN1
device2 in LAN2

device1 webserver port 80
I opened port 80 for device1 in the FritzBox
-> access to the webserver on device1 from the remote server via IPv6 is possible
tcpdump on port 80
13:43:46.206828 IP6 ipv6-of-device1:198d.54222 > ipv6-of-device2:e03a.http: Flags [S], seq 4161419774, win 28640, options [mss 1432,sackOK,TS val 3100947471 ecr 0,nop,wscale 7], length 0
13:43:46.206879 IP6 ipv6-of-device2:e03a.http > ipv6-of-device1:198d.54222: Flags [S.], seq 2344778224, ack 4161419775, win 64260, options [mss 1440,sackOK,TS val 457004862 ecr 3100947471,nop,wscale 7], length 0
.....
13:43:46.213160 IP6 ipv6-of-device1:198d.54222 > ipv6-of-device2:e03a.http: Flags [P.], seq 1:104, ack 1, win 224, options [nop,nop,TS val 3100947478 ecr 457004862], length 103: HTTP: GET / HTTP/1.1
......

device2 webserver port 80
I opened the firewall for OPNsense (exposed host) and also allowed access to the delegated IPv6 prefixes for this device in the FritzBox
I opened port 80 on the OPNsense WAN interface for device2
-> access to the webserver on device2 from the remote server via IPv6 was **not** possible

I saw the request from the remote server in my OPNsense firewall log
lan   [remote-ipv6::2]:59836 [ipv6-of-device:e03a]:80   tcp   let out anything from firewall host itself

Then I tcpdump'd on device2 port 80
I saw the requests:
13:55:21.417708 IP6 remote-ipv6::2.42044 > ipv6-of-device2:e03a.80: Flags [S], seq 2674231027, win 28800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0
13:55:21.417754 IP6 ipv6-of-device2:e03a.80 > remote-ipv6::2.42044: Flags [S.], seq 4276351807, ack 2674231028, win 64800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0
13:55:22.442402 IP6 ipv6-of-device2:e03a.80 > remote-ipv6::2.42044: Flags [S.], seq 4276351807, ack 2674231028, win 64800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0

I Wireshark'd this via http://fritz.box/html/capture.html - image1 is on eth1, image2 on the WAN interface
(please ignore that image2 shows ::1 instead of ::2, it doesn't matter here)

I also tcpdump'd on the remote server
14:18:13.265952 IP6 remote-ipv6::2.39468 > ipv6-of-device2:e03a.80: Flags [S], seq 730490927, win 28800, options [mss 1440,sackOK,TS val 2624988435 ecr 0,nop,wscale 7], length 0

Verbose:
14:17:36.967342 IP6 (flowlabel 0xc305c, hlim 64, next-header TCP (6) payload length: 40) remote-ipv6::2.39466 > ipv6-of-device2:e03a.80: Flags [S], cksum 0xe30d (incorrect -> 0xeca7), seq 2577571887, win 28800, options [mss 1440,sackOK,TS val 2624952138 ecr 0,nop,wscale 7], length 0
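The two captures in the post above show the difference between a working and a broken return path: in the LAN1-to-LAN2 capture the client's SYN, the server's SYN-ACK and the client's HTTP request all appear, while in the remote-to-LAN2 capture device2 answers with a SYN-ACK, retransmits it a second later, and never sees an ACK. The script below is an added example, not part of the original post or of OPNsense: it parses tcpdump's IPv6 TCP summary lines and classifies each handshake in exactly that way, so the same check can be run over a longer capture instead of reading it by eye. The sample capture lines are constructed for the example; 2001:db8::/32 documentation addresses stand in for the obfuscated addresses in the post.

```python
import re
from collections import defaultdict

# Summary form tcpdump prints for TCP over IPv6: "<ts> IP6 <src>.<port> > <dst>.<port>: Flags [..], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


def split_endpoint(endpoint: str) -> tuple:
    """tcpdump joins host and port with the last '.', so '2001:db8::2.42044' -> ('2001:db8::2', '42044')."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse(lines):
    """Yield (timestamp, (src_host, src_port), (dst_host, dst_port), flags); skip '.....' elisions and other lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], split_endpoint(m["src"]), split_endpoint(m["dst"]), m["flags"]


def classify_flows(lines) -> dict:
    """Group packets by (client, server) and report how far each TCP handshake got."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "client_after_syn": 0})
    for _ts, src, dst, flags in parse(lines):
        if "S" in flags and "." not in flags:      # [S]: SYN from the client
            flows[(src, dst)]["syn"] += 1
        elif "S" in flags:                          # [S.]: SYN-ACK from the server; key on the client side
            flows[(dst, src)]["synack"] += 1
        elif (src, dst) in flows:                   # [.], [P.], [F.] ... from the client after its SYN
            flows[(src, dst)]["client_after_syn"] += 1
    verdicts = {}
    for key, c in flows.items():
        if c["synack"] and c["client_after_syn"]:
            verdicts[key] = "complete"
        elif c["synack"] >= 2:
            # Server keeps retransmitting SYN-ACK and never gets an ACK: its reply is not reaching the client.
            verdicts[key] = "synack-unanswered (return path dropped?)"
        elif c["synack"] == 1:
            verdicts[key] = "synack-sent, no ack yet"
        else:
            verdicts[key] = "syn-unanswered"
    return verdicts


# Constructed sample captures modelled on the two in the post (addresses are documentation-range stand-ins).
GOOD_CAPTURE = [
    "13:43:46.206828 IP6 2001:db8:1:1::10.54222 > 2001:db8:1:2::20.http: Flags [S], seq 4161419774, win 28640, options [mss 1432,sackOK,TS val 3100947471 ecr 0,nop,wscale 7], length 0",
    "13:43:46.206879 IP6 2001:db8:1:2::20.http > 2001:db8:1:1::10.54222: Flags [S.], seq 2344778224, ack 4161419775, win 64260, options [mss 1440,sackOK,TS val 457004862 ecr 3100947471,nop,wscale 7], length 0",
    ".....",
    "13:43:46.213160 IP6 2001:db8:1:1::10.54222 > 2001:db8:1:2::20.http: Flags [P.], seq 1:104, ack 1, win 224, options [nop,nop,TS val 3100947478 ecr 457004862], length 103: HTTP: GET / HTTP/1.1",
]
BAD_CAPTURE = [
    "13:55:21.417708 IP6 2001:db8:ffff::2.42044 > 2001:db8:1:2::20.80: Flags [S], seq 2674231027, win 28800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0",
    "13:55:21.417754 IP6 2001:db8:1:2::20.80 > 2001:db8:ffff::2.42044: Flags [S.], seq 4276351807, ack 2674231028, win 64800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0",
    "13:55:22.442402 IP6 2001:db8:1:2::20.80 > 2001:db8:ffff::2.42044: Flags [S.], seq 4276351807, ack 2674231028, win 64800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0",
]

if __name__ == "__main__":
    for name, capture in (("LAN1 -> LAN2", GOOD_CAPTURE), ("remote -> LAN2", BAD_CAPTURE)):
        for (client, server), verdict in classify_flows(capture).items():
            print(f"{name}: {client[0]}:{client[1]} -> {server[0]}:{server[1]}: {verdict}")
```

A "synack-unanswered" verdict on the server side, combined with a capture on the client showing only its SYN, places the drop on the return path between the two, which is the pattern this thread ends up attributing to the FritzBox rather than to the OPNsense rule set (the firewall log already showed the inbound SYN being passed).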
Title: Re: IPv6 in LAN can only reach FritzBox but not the internet
Post by: johnsmi on January 25, 2020, 03:43:16 pm
Kindersicherung (parental controls)
This is broken in the current FritzOS


You need to disable "Kindersicherung" entirely.


I had the same problem. AVM is aware of this.
Quote from: AVM-Support
The problem is known to us and will be fixed in an upcoming update.

Workaround:

Switch off the Kindersicherung (parental controls) completely; this is only possible indirectly. To do so, disable all restrictions in the Kindersicherung, then the parental-control modules are not loaded:

- Remove all restrictions in the standard profile "Alle anderen Geräte" (all other devices).
- Remove all restrictions in the guest profile "Alle Geräte im Gastnetz" (all devices in the guest network).
- Set all devices to the standard profile.

This should solve the problem.


I removed all the stuff I don't need from my FritzBox and IPv6 runs fine.
Title: Re: IPv6 in LAN can only reach FritzBox but not the internet
Post by: jimpd on July 24, 2020, 10:06:22 pm
This issue is probably fixed with the new Fritz!OS 7.20


- **Fixed** Devices connected to a downstream router via IPv6 prefix delegation got no IPv6 internet connection while Kindersicherung (parental controls) was active
- **Fixed** Devices connected to a downstream router via IPv4 static routes got no IPv4 internet connection while Kindersicherung was active

https://ftp.avm.de/fritzbox/fritzbox-7590/deutschland/fritz.os/info_de.txt

I will report back once my FritzBox has received the 7.20 update too