OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: TheLinuxGuy on February 28, 2021, 01:13:33 am

Title: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: TheLinuxGuy on February 28, 2021, 01:13:33 am
My ISP (5G wireless home internet / T-Mobile) gives us a dumb modem that does not allow 'bridge mode', and the ISP itself doesn't do IPv6 prefix delegation. Looking for help fixing issues with http://ipv6-test.com/ and http://test-ipv6.com/ as they fail.

I'm not sure what my options are here other than NAT IPv6? I'm not familiar with IPv6 much, but I can connect directly to the modem, obtain a v6 address, and all dual-stack tests pass.

When OPNsense connects to the modem, it obtains a unique IPv6 address (non-link-local); the WAN settings are set to DHCPv6 and my LAN is set to "Track interface".

I have been struggling with this for a few weeks. To make sure nothing advanced (VLANs, complex rules, VPN settings, etc.) was in the way, I ended up spinning up a fresh install of OPNsense, straight out of the box with default settings, one WAN and one LAN, to see if it would work. I did this with both OPNsense and pfSense; my luck has been that IPv6 dual stack doesn't work in either pfSense or OPNsense behind this modem.

Perhaps I am missing something to try here? Open to suggestions.

Alternatively: any steps or quick guide on using NAT IPv6 on the LAN and then using outbound NAT to share the single IPv6 address I am getting on WAN? Or I wonder if pfSense can bind multiple IPv6 addresses to the WAN interface and manage them somehow intelligently by itself, without NAT?
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: Maurice on February 28, 2021, 06:05:36 am
Without Prefix Delegation, track interface requires a point-to-point WAN interface with SLAAC. If your modem supports this (some do), you can "pass through" the WAN-side /64 to a single LAN.

Otherwise, you would indeed need to bind multiple IPv6 addresses to the WAN interface in order to make them available to hosts in the LAN. But this would require an NDP proxy which as far as I know OPNsense does not currently have.

So if the modem doesn't support PPP, IPv6 NAT would be the only option. Quite awful, but should work. It's configured pretty much the same way as IPv4 NAT: Configure the LAN interface with a static address, switch outbound NAT rule creation to hybrid or manual and create an outbound NAT rule.

Cheers

Maurice
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: marjohn56 on February 28, 2021, 11:37:55 am
Or use Hurricane Electric. Yes, it's tunnelled over v4, but you do get a static /48 and it works.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: Maurice on February 28, 2021, 12:44:40 pm
As far as I remember from my HE tunneling days, 6in4 does not work through CGNAT. Which is what 4G / 5G mostly uses.

But a tunnel is indeed an option when using a different protocol. There are a few providers which give you a static prefix through e.g. WireGuard. ungleich.ch is one I occasionally use on the road and it works quite well.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: TheLinuxGuy on February 28, 2021, 06:37:50 pm

So if the modem doesn't support PPP, IPv6 NAT would be the only option. Quite awful, but should work. It's configured pretty much the same way as IPv4 NAT: Configure the LAN interface with a static address, switch outbound NAT rule creation to hybrid or manual and create an outbound NAT rule.


will try this thank you

Or use Hurricane Electric. Yes, it's tunnelled over v4, but you do get a static /48 and it works.

I can give this a try, but I think the he.net tunnel-brokered IPv6 netblock is blacklisted by Netflix, so it may break my smart devices at home. Are there any other 'free' v6 tunnel brokers?

To circumvent CGNAT, I purchased a VPS (dual-stack IPv6+IPv4), but unfortunately the VPS provider does not give me a /48 or anything larger than a single /64.

My plan to circumvent CGNAT on T-Mobile is to tunnel the IPv4 address via WireGuard to OPNsense and do port forwarding to open ports to the Plex media server and SSH for emergency access to OPNsense (unfortunately this has a SPOF on the VPS/WireGuard).

I'm unsure if there's anything I could do on the VPS for IPv6 on this setup to do my own tunnel of the /64 assigned block but IPv6 NAT may be the easiest way out :/
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: Maurice on February 28, 2021, 07:15:18 pm
I would only use IPv6 NAT as the very last resort. It has severe limitations and hardly anyone uses it. So if (or rather: when) you encounter issues you'll be pretty much on your own.

Netflix blocks HE tunnels, that's correct.

Since you're going to use a WireGuard tunnel to a VPS anyway, I'd recommend getting one with more than a /64. There are plenty. That'll make your life much easier.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: TheLinuxGuy on February 28, 2021, 07:37:19 pm

So if the modem doesn't support PPP, IPv6 NAT would be the only option. Quite awful, but should work. It's configured pretty much the same way as IPv4 NAT: Configure the LAN interface with a static address, switch outbound NAT rule creation to hybrid or manual and create an outbound NAT rule.

I may be missing a step?
My LAN hosts are unable to ping 2001:4860:4860::8888 (google dns)

Here's what I have done to try to set up LAN IPv6 'NAT' (this is on a fresh OPNsense):

Interfaces config : LAN
- Static IPv6
- IPv6 address: "fdde:5453:540e:ff12::" and 64
click save

Services : DHCPv6 LAN
- Range start
fdde:5453:540e:ff12::
- Range end
fdde:5453:540e:ff12:ffff:ffff:ffff:ffff
save & restart service

Firewall: NAT : outbound
- Set Hybrid outbound
- Add manual rule
interface WAN
TCP/IP version 6
protocol any
source any
destination any
translation target WAN address
log enabled
save

My Windows 10 client now obtains an IPv6 address from opnsense. But can't ping or pass external ipv6 tests.

There was mention that I may need multiple IPv6 addresses on the system to map 1:1? is this what I am missing? any quick tips on exactly how to set this up, is this a VIP?
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: TheLinuxGuy on February 28, 2021, 07:42:01 pm
Since you're going to use a WireGuard tunnel to a VPS anyway, I'd recommend getting one with more than a /64. There are plenty. That'll make your life much easier.

I just asked my VPS provider if they can do anything for me. If I were to get a block larger than /64, is there perhaps some guidance on what 'service' needs to be running on the VPS itself to delegate the block, and then how to configure OPNsense to use it?

The problem with 5G cellular home internet from T-Mobile is UDP packet deprioritization during congestion; TCP/HTTP does not suffer from this, but TCP VPN tunnels are horrible speed-wise and almost unusable.

My home network is a bit complex, so while I do have a VPS to tunnel the traffic that I want to have a static IP, not all of my home network would be able to use the WireGuard tunnel due to the above reliability issue. Direct connection to T-Mobile using their CGNAT is what some of my VLANs will use, and the VPS is primarily to allow streaming and road-warrior connections coming into my home. Most outbound traffic would need to go via T-Mobile's IPv6-only network.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: Maurice on February 28, 2021, 07:46:44 pm
Using native IPv6 with multiple LANs and without an available prefix larger than /64 is indeed impossible without NAT.

The LAN interface identifier should not be zero, that's a reserved anycast address. Better use fdde:5453:540e:ff12::1.
How did you configure Router Advertisements?
Is there a firewall rule on the LAN interface passing IPv6?
Also, be aware that clients will always prefer IPv4 over IPv6 when using ULAs. Just one of the limitations of IPv6 NAT.

1:1 would be NPT, but you can't use that either without an available prefix.

Regarding the VPS: No particular services required, just the VPN and some static routes. With a static prefix there is no need for DHCPv6 Prefix Delegation, interface tracking and such.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: TheLinuxGuy on February 28, 2021, 08:20:53 pm
Using native IPv6 with multiple LANs and without an available prefix larger than /64 is indeed impossible without NAT.


ACK. I noticed this in other threads that I was reading on the subject; this is why I was thinking of maybe having only one VLAN with IPv6 enabled.

Right now all my VLANs are IPv4 only. I am trying to sort out what I need to do to get IPv6 to work on this OPNsense blank-slate test box before I touch my production OPNsense install, which is working perfectly with just IPv4.

The LAN interface identifier should not be zero, that's a reserved anycast address. Better use fdde:5453:540e:ff12::1.

Thanks for this - LAN IPv6 set to fdde:5453:540e:ff12::1 - adjusted DHCP scope to account for start range ::2

How did you configure Router Advertisements?
Is there a firewall rule on the LAN interface passing IPv6?
Also, be aware that clients will always prefer IPv4 over IPv6 when using ULAs. Just one of the limitations of IPv6 NAT.

Router advertisements are 'disabled' on LAN by default, are settings on it needed to make this work?

Presuming a setting here is needed - would "Assisted" for Stateful DHCPv6 and SLAAC (M+O+A flags) be ideal? any hints on any other settings is appreciated.

LAN firewall rules (recall this is a fresh install test box) do have an IPv6 rule that allows any.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: Maurice on February 28, 2021, 08:33:20 pm
Router Advertisements are required. "Assisted" is a good default choice. If it works you can optimise later.

Also, you might want to limit the source in the NAT rule to LAN net.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: TheLinuxGuy on February 28, 2021, 08:46:11 pm
Router Advertisements are required. "Assisted" is a good default choice. If it works you can optimise later.

Also, you might want to limit the source in the NAT rule to LAN net.

Thanks so much for the tips and help here, it works!

On a simple OPNsense WAN+LAN setup, in order to get IPv6 from the ISP to work on the LAN, I followed these steps:


Interfaces config : LAN
- Static IPv6
- IPv6 address: "fdde:5453:540e:ff12::" and 64
click save

Services : DHCPv6 LAN
- Range start
fdde:5453:540e:ff12::
- Range end
fdde:5453:540e:ff12:ffff:ffff:ffff:ffff
save & restart service

Firewall: NAT : outbound
- Set Hybrid outbound
- Add manual rule
interface WAN
TCP/IP version 6
protocol any
source LAN
destination any
translation target WAN address
log enabled
save


Setting Router Advertisements on LAN to "Assisted" solved it.
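The two mistakes that bit the recipe above (an all-zero interface identifier on the LAN address, which Maurice points out is the subnet-router anycast address, and a DHCPv6 range that swallowed the router address) plus the "limit the NAT source to LAN net" advice are easy to check before touching the GUI. The following is an added example, not code from the thread or from OPNsense; it uses only the Python standard library, models the GUI fields as plain values, and also derives an RFC 4193 ULA /48 the way the thread's fdde:5453:540e::/48 would have been generated. The default EUI-64 input (random bytes) is an assumption.

```python
"""Pre-flight checks for the ULA + IPv6 NAT (NAT66) workaround from the thread.

Added example, not from the thread or from OPNsense. The fields mirror the
GUI settings: LAN static IPv6 address and prefix length, DHCPv6 range and
the outbound NAT rule's source.
"""
import hashlib
import ipaddress
import os
import time
from typing import List, Optional

ULA_SPACE = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 unique local addresses


def generate_ula_prefix(eui64: Optional[bytes] = None,
                        now: Optional[float] = None) -> ipaddress.IPv6Network:
    """Build fd00::/8 + 40-bit Global ID = /48, as RFC 4193 section 3.2.2 describes.

    eui64 should be the EUI-64 of a local interface; assumption: when none is
    given, 8 random bytes are good enough (any locally unique value works).
    """
    if eui64 is None:
        eui64 = os.urandom(8)
    if now is None:
        now = time.time()
    # 64-bit NTP timestamp: seconds since 1900-01-01 in the upper 32 bits
    ntp = (int(now + 2208988800) << 32) & 0xFFFFFFFFFFFFFFFF
    digest = hashlib.sha1(ntp.to_bytes(8, "big") + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")      # least significant 40 bits
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def check_lan_ipv6(router_addr: str, prefixlen: int, dhcp_start: str,
                   dhcp_end: str, nat_source: str = "LAN net") -> List[str]:
    """Return a list of problems with the LAN side of a NAT66 setup (empty = fine)."""
    problems: List[str] = []
    router = ipaddress.IPv6Address(router_addr)
    lan = ipaddress.IPv6Network((router, prefixlen), strict=False)

    if not lan.subnet_of(ULA_SPACE):
        problems.append(f"{lan} is not a ULA (fc00::/7); NAT66 should use private addresses")
    if prefixlen != 64:
        problems.append(f"/{prefixlen} LAN prefix: SLAAC needs a 64-bit prefix, "
                        "so only DHCPv6-capable clients will get an address")
    host_bits = 128 - prefixlen
    if int(router) & ((1 << host_bits) - 1) == 0:
        problems.append(f"{router} has an all-zero interface ID: that is the subnet-router "
                        "anycast address (RFC 4291 section 2.6.1); use ::1 instead")

    start = ipaddress.IPv6Address(dhcp_start)
    end = ipaddress.IPv6Address(dhcp_end)
    if start not in lan or end not in lan:
        problems.append(f"DHCPv6 range {start}-{end} is not inside {lan}")
    elif start > end:
        problems.append("DHCPv6 range start is after range end")
    elif start <= router <= end:
        problems.append(f"DHCPv6 range {start}-{end} contains the router address {router}")

    if nat_source.strip().lower() == "any":
        problems.append("outbound NAT source 'any': limit it to LAN net")
    return problems


if __name__ == "__main__":
    # The thread's first (failing) attempt and the corrected values.
    first = check_lan_ipv6("fdde:5453:540e:ff12::", 64,
                           "fdde:5453:540e:ff12::",
                           "fdde:5453:540e:ff12:ffff:ffff:ffff:ffff", "any")
    fixed = check_lan_ipv6("fdde:5453:540e:ff12::1", 64,
                           "fdde:5453:540e:ff12::2",
                           "fdde:5453:540e:ff12:ffff:ffff:ffff:ffff")
    print("first attempt:", *first, sep="\n  ")
    print("corrected:", fixed or "no problems found")
    print("fresh ULA /48:", generate_ula_prefix())
```

The ULA check matters for the same reason Maurice gives: with ULAs, dual-stack hosts prefer IPv4 (RFC 6724 ranks ULA sources below IPv4), so the v6 path is rarely exercised, and a GUA from the ISP's /64 used this way is a different trade-off (no SLAAC when it is split further).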
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: Maurice on March 01, 2021, 12:10:43 am
Glad it works, although I feel a little dirty for assisting in the creation of such a monstrosity... ;)

To anyone finding this thread later: Don't do this unless you absolutely have to. I plead not guilty!

Cheers

Maurice
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: marjohn56 on March 15, 2021, 12:02:37 pm
Reading through the forum across the road I see a nice script someone has created that dynamically updates NPT if the prefix changes, as we know a lot of ISPs do that sort of thing. Would it be useful to see if we can do similar? I have no experience of NPT at all... as I don't need it, using a sensible ISP as I do.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: Maurice on March 15, 2021, 12:32:48 pm
"Dynamically updates NDP"? I don't think I understand... Do you mean NPT? Dynamically update the NPT prefix?
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: marjohn56 on March 15, 2021, 12:36:13 pm
Sorry typo... fingers are struggling to follow brain.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: Maurice on March 15, 2021, 12:50:57 pm
No worries, happens to the best!

Well, in this particular case it wouldn't help, because @TheLinuxGuy doesn't even have a single /64 GUA prefix available, only the WAN address. So they can't use NPT at all.

But in general, yes, dynamically updating the NPT prefix would be very useful. This is just one aspect of the whole "firewall rules with dynamic prefixes" can of worms. There's an old open feature request for that: https://github.com/opnsense/core/issues/2544
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: marjohn56 on March 15, 2021, 12:59:11 pm
Yes that thread... :) Not read it for a while. Interesting that last comment from bu7cher. Could be very useful. The script that I am referring to is here: https://github.com/gewuerzgurke84/pfSense-dynamicNptAddress
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: tswalker on March 21, 2021, 03:40:27 pm
My ISP (5G wireless home internet / T-mobile) gives us a dumb modem that does not allow 'bridge mode' the ISP themselves doesn't do IPv6 prefix delegation. Looking for help fixing issues with http://ipv6-test.com/ and http://test-ipv6.com/ as they fail....

/snip

Same boat as you are. I tried to get this to work *without* going the static IPv6 on LAN route and fell flat on my face... I thought that perhaps instead of using DHCPv6 on LAN I could use relay instead, but nope... it would not *relay* anything, at least it didn't seem to, and I have no clue what to put in as the destination server. I used the Nokia access point's fbb.home IPv6 address, which seemed to sorta work... but ya, no.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: Maurice on March 21, 2021, 04:24:59 pm
This has nothing to do with DHCPv6 in the OPNsense LAN (which you don't even need). The issue is the 5G router being unable to "see" the hosts in the OPNsense LAN. You only have a single /64 which is used for the 5G router's LAN. The 5G router has no way of knowing that there are hosts using the same /64 in the OPNsense LAN. As mentioned, this would require an NDP proxy which OPNsense doesn't have.

There is no great solution here. Options are:
- Get a "better" Internet connection with more than just a single /64. I understand this is not available everywhere.
- Use a firewall with an integrated 5G modem. Still limits you to a single LAN and I don't know if T-Mobile allows "bring your own modem".
- Use a firewall which has an NDP proxy. Still limits you to a single LAN.
- Use a VPN tunnel. Might have a performance impact.
- Run OPNsense as a transparent filtering bridge. Severely limits its functionality and only allows a single LAN.
- Use ULAs and IPv6 NAT. Results in IPv6 almost never being used.

This is a common problem so if anyone has a better solution, I would be happy to hear about it.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: tswalker on March 22, 2021, 04:00:19 pm
This has nothing to do with DHCPv6 in the OPNsense LAN (which you don't even need). The issue is the 5G router being unable to "see" the hosts in the OPNsense LAN. You only have a single /64 which is used for the 5G router's LAN. The 5G router has no way of knowing that there are hosts using the same /64 in the OPNsense LAN. As mentioned, this would require an NDP proxy which OPNsense doesn't have.

There is no great solution here. Options are:
- Get a "better" Internet connection with more than just a single /64. I understand this is not available everywhere.
- Use a firewall with an integrated 5G modem. Still limits you to a single LAN and I don't know if T-Mobile allows "bring your own modem".
- Use a firewall which has an NDP proxy. Still limits you to a single LAN.
- Use a VPN tunnel. Might have a performance impact.
- Run OPNsense as a transparent filtering bridge. Severely limits its functionality and only allows a single LAN.
- Use ULAs and IPv6 NAT. Results in IPv6 almost never being used.

This is a common problem so if anyone has a better solution, I would be happy to hear about it.

Is there a possibility to get LAN segment DHCPv6 requests through the WAN to the modem? If the modem is capable of providing them (which it does do, because I get them if I connect directly to the modem on wifi; it has its own segment and provides both IPv4 and IPv6 addressing).
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: muchacha_grande on March 22, 2021, 10:59:30 pm
- Use ULAs and IPv6 NAT. Results in IPv6 almost never being used.

I think I have a workaround for the issue of "IPv6 never used" because of ULAs.
It is, I have to say, even more of a monstrosity than the fact of using NAT.
Instead of using ULAs I used GUAs. I know, it is not fine, but I've been using this for a week and it's working very fine and stable.
I know that my ISP assigned me a /64 segment, so I can use these addresses as I need.
I have some VLANs, so I chose a /80 prefix, changing the last 16 bits of the network address in each VLAN.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: Maurice on March 23, 2021, 01:24:09 am
@tswalker, that wouldn't help you. Assigning addresses is not the issue here, routing / Neighbor Discovery is.

@muchacha_grande, that's actually not the worst idea. The downside is that SLAAC doesn't work when using a /80, so you can't use devices which don't support DHCPv6 (like Android).
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: muchacha_grande on March 23, 2021, 01:48:21 am
@Maurice, that's right. I believe that I'm thinking in IPv6 as it were IPv4.
Now, I have a question. How can an IPv6 configuration with more than one VLAN be achieved?
There should be some subnetting in the config.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: Maurice on March 23, 2021, 05:16:23 am
I believe that I'm thinking in IPv6 as it were IPv4.

Yeah, a common mistake. We've all been there. :)

Now, I have a question. How can an IPv6 configuration with more than one VLAN be achieved?
There should be some subnetting in the config.

You need a unique /64 for each VLAN. Most ISPs give you a /56 or /48, so you can create at least 256 /64 subnets. If you only have a single /64... Well, we're back at the beginning. Doesn't really work, no great solution available, only workarounds.
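Maurice's two points above, that a static prefix routed to a VPS needs "just the VPN and some static routes" (no DHCPv6-PD or interface tracking) and that every VLAN needs its own /64, can be turned into a small planner. The following is an added example, not code from the thread, OPNsense or WireGuard. Assumptions: the VPS provider routes the whole block to the VPS (it is not treated as on-link, which would bring back the NDP-proxy problem), the WireGuard interface on the VPS is wg0, the OPNsense box is its only peer, and 2001:db8::/32 stands in for the real block. It also refuses anything longer than a /64, which is the /80-of-a-GUA case where SLAAC stops working.

```python
"""Carve a routed IPv6 block into one /64 per VLAN and emit the VPS-side
static routes and WireGuard cryptokey-routing entries for the tunnel design.

Added example, not from the thread or from OPNsense/WireGuard. Assumed
layout: provider routes the block to the VPS, VPS forwards it over wg0 to
OPNsense, OPNsense puts one /64 on each VLAN.
"""
import ipaddress
from typing import Dict, List

Plan = Dict[str, ipaddress.IPv6Network]


def plan_vlan_prefixes(routed_prefix: str, vlans: List[str]) -> Plan:
    """Reserve the first /64 for the tunnel link, then one unique /64 per VLAN."""
    block = ipaddress.IPv6Network(routed_prefix)
    if block.prefixlen > 64:
        raise ValueError(f"{block} is longer than /64: SLAAC cannot work on any LAN")
    available = 2 ** (64 - block.prefixlen)           # number of /64s in the block
    needed = len(vlans) + 1
    if available < needed:
        # A single /64 lands here for any VLAN at all: the thread's dead end.
        raise ValueError(f"{block} holds {available} /64(s); need {needed} "
                         "(one per VLAN plus the tunnel link)")
    subnets = [block] if block.prefixlen == 64 else block.subnets(new_prefix=64)
    plan: Plan = {}
    for name, net in zip(["tunnel"] + list(vlans), subnets):
        plan[name] = net
    return plan


def vps_commands(plan: Plan, wg_if: str = "wg0") -> List[str]:
    """Linux (iproute2) commands for the VPS: forwarding, tunnel address, routes."""
    link = plan["tunnel"]
    vps_ip, opn_ip = link[1], link[2]                 # ::1 on the VPS, ::2 on OPNsense
    cmds = [
        "sysctl -w net.ipv6.conf.all.forwarding=1",
        f"ip -6 address add {vps_ip}/64 dev {wg_if}",
    ]
    for name, net in plan.items():
        if name == "tunnel":
            continue
        # Each VLAN /64 is reachable only through the tunnel; WireGuard's own
        # AllowedIPs (below) must also list it or the kernel drops the packets.
        cmds.append(f"ip -6 route add {net} via {opn_ip} dev {wg_if}  # VLAN {name}")
    return cmds


def vps_peer_allowed_ips(plan: Plan) -> str:
    """AllowedIPs for the OPNsense peer in the VPS's WireGuard config.

    WireGuard only accepts a source address from a peer if it falls inside
    that peer's AllowedIPs, so every VLAN /64 has to be listed here.
    """
    return ", ".join(str(net) for net in plan.values())


def opnsense_vlan_addresses(plan: Plan) -> Dict[str, str]:
    """Static IPv6 address to put on each OPNsense VLAN interface (::1/64)."""
    return {name: f"{net[1]}/64" for name, net in plan.items() if name != "tunnel"}


if __name__ == "__main__":
    plan = plan_vlan_prefixes("2001:db8:ab:cd00::/56", ["lan", "iot", "guest"])
    for name, net in plan.items():
        print(f"{name:>7}: {net}")
    print("\n# VPS side")
    print("\n".join(vps_commands(plan)))
    print(f"\n[Peer]  # OPNsense, on the VPS\nAllowedIPs = {vps_peer_allowed_ips(plan)}")
    print("\n# OPNsense VLAN addresses:", opnsense_vlan_addresses(plan))
```

On the OPNsense side the VPS peer gets AllowedIPs ::/0 (or the specific destinations you want through the tunnel) and the tunnel's ::1 address as the IPv6 gateway; Router Advertisements on each VLAN then hand out the /64 the planner assigned, with no tracking of the WAN interface involved.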
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: muchacha_grande on March 23, 2021, 03:26:44 pm
Ok, now I started to see the bigger picture. My ISP wants me to have only one subnet. It is very stingy.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: almodovaris on March 23, 2021, 04:17:25 pm
Asus routers have an IPv6 configuration called Passthrough. Maybe Opnsense should get something like that.

Those also have an option called FLET'S IPv6 Service.

If you know Asuswrt Merlin, you may ask Merlin how to do it, he develops third-party firmwares for Asus routers.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: tswalker on March 24, 2021, 02:05:16 am
Asus routers have an IPv6 configuration called Passthrough. Maybe Opnsense should get something like that.

Those also have an option called FLET'S IPv6 Service.

If you know Asuswrt Merlin, you may ask Merlin how to do it, he develops third-party firmwares for Asus routers.

Interesting, seems that OpenWRT has something similar:
https://www.reddit.com/r/tmobileisp/comments/luslbf/how_are_you_getting_around_the_lack_of_ipv6/gpuuim4/?utm_source=share&utm_medium=web2x&context=3
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: Maurice on March 24, 2021, 11:20:50 am
OpenWrt does have the aforementioned NDP proxy.
Not sure what Asus is doing, probably the same.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: tswalker on March 25, 2021, 04:32:03 am
OpenWrt does have the aforementioned NDP proxy.
Not sure what Asus is doing, probably the same.

I noticed there is ndproxy(4) in freebsd?

https://www.freebsd.org/cgi/man.cgi?query=ndproxy&apropos=0&sektion=4&manpath=FreeBSD+11-current&format=html


This is getting beyond my capability to follow very easily...  but I'm willing to learn/figure out.
Title: Re: WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?
Post by: Maurice on March 25, 2021, 01:31:07 pm
I noticed there is ndproxy(4) in freebsd?

Yes indeed, that should work. But it's currently not available in OPNsense. You could open a feature request on GitHub: https://github.com/opnsense/core/issues/new?template=feature_request.md