OPNsense Forum


Title: IPv6 / Questions about DNS, WAN interface and internal LAN (solved)
Post by: Tecuma on June 03, 2020, 03:04:54 pm
Hello Community,

before I start with my questions I would like to say thank you to the OPNsense team and the community for having this software. It is working very well and I am happy to use it. It took me some time after the discontinuation of monowall to choose another firewall system. I am glad to be here now.

I have searched the forum but did not find the information I was looking for in the search results.

I have a DSL connection from the German provider Telekom. I am using OPNsense 20.1.7 on an apu2 (pcengine).

Besides one public IPv4 address I have received
1x /56 IPv6 for private use
1x /64 for public use

I have configured the public IPv6 /64 according to https://wiki.opnsense.org/manual/how-tos/ipv6_dsl.html.

In the leases overview from the OPNsense GUI I can see several systems using a public IPv6 address. This address seems to be defined by SLAAC. Is this IPv6 public address always the same so I can use it for DNS entries?

I see an official IPv6 address on the LAN interface. I expected to see it on the WAN interface. Is this behavior correct?

The /56 is divided into 56 IPv6 address blocks. Is it possible to use OPNsense as a DHCPv6 server for a private LAN?

Best regards

Christian
Title: Re: IPv6 / Questions about DNS, WAN interface and internal LAN
Post by: marjohn56 on June 03, 2020, 03:18:17 pm
Your WAN public address you can pretty much ignore, it's not really necessary and many ISPs do not even issue an address and use link-local. The /56 range is what is already appearing on your LAN if you are using dhcp6 on the WAN. If you are using track interface on the LAN then the following applies.


The /56 block of those addresses are global addresses and can, firewall rules allowing, be accessed from the internet. Obviously by default any inbound traffic apart from ICMP6 is blocked so don't worry. The dhcpdv6 server is already running, as is RADVD which gives out the v6 addresses on the LAN, it's automatic. You can override this and manually set the dhcpdv6 server and RADVD yourself. A single LAN uses a /64.


You can divide the /56 up and pass on subnets to other routers, for example I get a /48 block, that is broken up and passed on to my test routers in the form of /56 and /60 subnets.


Whether your IPv6 addresses remain the same is down to your ISP, some make sure they are static, some change them at will, so ask your ISP.
Title: Re: IPv6 / Questions about DNS, WAN interface and internal LAN
Post by: Tecuma on June 04, 2020, 04:57:46 pm
Hello marjohn56,

thank you for your information.

I have checked the IPv6 leases shown in the OPNsense GUI again. These IPv6 addresses are from the /56 block which I understand is link-local.

If I understand your information correctly, this comes from my "IPv6 Configuration Type" setup for the WAN interface which is DHCPv6.

How can I use the global /64 IPv6 addresses in the DMZ? Is this possible via OPNsense / DHCPv6 or do I have to configure this in my systems' LAN configuration?

Best regards

--Christian
Title: Re: IPv6 / Questions about DNS, WAN interface and internal LAN
Post by: marjohn56 on June 04, 2020, 05:29:11 pm
/56 address block is not link-local, they are global addresses as I explained, not local only. You can assign a separate /64 IPv6 range to each LAN interface, in fact with a /56 PD you can assign up to 255 LAN interfaces if you wish, each with their own /64 range. At the bottom of the Interface LAN page is an entry for the track interface, which should be set to WAN. Below that is the prefix ID, which should be unique for each LAN interface, i.e. 0, 1, 2 etc. This will automatically ensure that each LAN has its own /64 address range.
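
The mapping from prefix ID to per-LAN /64 described above, as an added example that is not part of the original posts. It assumes the prefix ID fills the bits between the delegated prefix length and /64; the /56 and the host address are constructed from the documentation range, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a /56 from the 2001:db8::/32 documentation range,
# standing in for the prefix delegated by the ISP.
DELEGATED = ipaddress.IPv6Network("2001:db8:1234:5600::/56")

def lan_prefix(delegated, prefix_id):
    """Return the /64 for a LAN that tracks WAN with the given prefix ID."""
    id_bits = 64 - delegated.prefixlen  # 8 bits for a /56
    if id_bits < 0:
        raise ValueError("delegated prefix is longer than /64")
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID must fit in {id_bits} bits")
    # The prefix ID sits directly above the 64-bit interface identifier.
    base = int(delegated.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def prefix_id_of(delegated, addr):
    """Map an address (e.g. from a firewall log) back to its LAN prefix ID."""
    a = ipaddress.IPv6Address(addr)
    if a not in delegated:
        return None
    id_bits = 64 - delegated.prefixlen
    return (int(a) >> 64) & ((1 << id_bits) - 1)

def scope(addr):
    """Classify an address as link-local, unique-local or global unicast."""
    a = ipaddress.IPv6Address(addr)
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global unicast"
    return "other"

if __name__ == "__main__":
    for pid in (0, 1, 2):
        print(pid, lan_prefix(DELEGATED, pid))
    host = "2001:db8:1234:5602::25"  # constructed host address
    print(host, scope(host), "prefix ID", prefix_id_of(DELEGATED, host))
    print("fe80::1", scope("fe80::1"))
```

Because every host in these /64s holds a global unicast address, the inbound rules on WAN are what decide whether a given LAN is reachable from the internet.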
Title: Re: IPv6 / Questions about DNS, WAN interface and internal LAN
Post by: wget on June 04, 2020, 06:05:56 pm
Quote
apart from ICMP6 is blocked

On my side, in order to reach 20/20 on ipv6-test.com/ (http://ipv6-test.com/), I had to create the following inbound rules on my WANs in order for the right ICMPv6 code not to be filtered.

cf. https://tools.ietf.org/html/rfc4890#section-4.3.1

cf. attachment.


I don't know whether this is normal. Actually I have been using the same OPNsense installation for a very long time and maybe OPNsense has added new default rules in the meantime for new installations?
Title: Re: IPv6 / Questions about DNS, WAN interface and internal LAN
Post by: marjohn56 on June 04, 2020, 09:45:53 pm
There are automatic floating rules for ICMPv6, at least on 20.7
Title: Re: IPv6 / Questions about DNS, WAN interface and internal LAN
Post by: Tecuma on June 05, 2020, 10:03:13 am
@marjohn56,

Quote
/56 address block is not link-local, they are global addresses as I explained, not local only.
Ok

Quote
You can assign a separate /64 IPv6 range to each LAN interface
That is what I am looking for. How can I do this?
Title: Re: IPv6 / Questions about DNS, WAN interface and internal LAN
Post by: marjohn56 on June 05, 2020, 10:24:31 am
It's automatic, if you look at your LAN interface addresses you should see a 2A or similar address there already.
Title: Re: IPv6 / Questions about DNS, WAN interface and internal LAN
Post by: Tecuma on June 05, 2020, 11:49:20 am
@marjohn56

Many thanks for your information.

I had trouble understanding the /56 and /64 I got from my ISP Telekom. I found an entry in the Telekom community
https://telekomhilft.telekom.de/t5/Festnetz-Internet/IPv6-im-LAN-bereitstellen/td-p/3852995 (https://telekomhilft.telekom.de/t5/Festnetz-Internet/IPv6-im-LAN-bereitstellen/td-p/3852995). It is in German. It explains that the /64 is a segment where my router automatically gets an IP address to talk with the world. The /56 is for my usage.

With this information your information makes sense and solved my problem :D