OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: mwiora on November 29, 2016, 11:51:54 pm

Title: IPv6 --> Client's get IPv6 address for round about one hour....
Post by: mwiora on November 29, 2016, 11:51:54 pm
Hi @all,

I'm currently facing a very strange issue.
Attachment restrictions are very interesting... I'll add them by replying to this thread....

ISP = Vodafone / Kabel Deutschland
|
|
|
----- IF WAN -
AVM FritzBox 6490 - a_fritzbox-ifswithips.png, a_fritzbox-ipv6-conf.png
----- IF LAN -
|
|-- some machines X
|
----- IF WAN - a_opnsense-ifwan.png
OpnSense
----- IF LAN - a_opnsense-iflan.png
|
|-- some machines Y
|

IPv4 is working great. IPv6 does not (yet ;) )
The AVM FritzBox 6490 is configured as described at https://en.avm.de/service/fritzbox/fritzbox-7390/knowledge-base/publication/show/1239_Setting-up-a-IPv6-subnet-in-the-FRITZ-Box/

Since I'm getting a /62 subnet from my ISP I guessed I have to request a /63 subnet from my FritzBox (which would let me choose between 20da and 20db)
So I've configured the WAN interface to request a /63 subnet and assigned the first IP of 20da to the internal IF of the OpnSense machine.
Furthermore I've configured a DHCPv6 Server as shown in - a_opnsense-dhcpv6server.png. The advertisement is configured as shown in - a_opnsense-dhcpv6ad.png

Machines X are able to obtain IPv6 addresses immediately (they route their traffic through the AVM FritzBox 6490). The clients are served by the Subnet with ID 2a02:810d:xxxx:20d8::/64
Machines Y are not able to obtain IPv6 - by issuing "ipconfig /renew6" they are obtaining an IPv6 from the DHCPv6 Server with all settings correct, are able to route traffic over the OpnSense to the AVM FritzBox and in the end to the Internet. After round about one hour of connectivity, the connection gets lost.

Any Ideas:
- Which logs do I have to check?
- Which configuration do I have to change?

I've seen the following logs:

a_opnsense-log.png

ICMPv6 is enabled on all Firewall Rulesets.
Cheers and thanks in advance,
Matthias
Title: Re: IPv6 --> Client's get IPv6 address for round about one hour....
Post by: mwiora on November 29, 2016, 11:53:09 pm
adding further attachments
Title: Re: IPv6 --> Client's get IPv6 address for round about one hour....
Post by: mwiora on November 29, 2016, 11:54:34 pm
adding further attachments
Title: Re: IPv6 --> Client's get IPv6 address for round about one hour....
Post by: mwiora on November 29, 2016, 11:54:52 pm
adding further attachments
Title: Re: IPv6 --> Client's get IPv6 address for round about one hour....
Post by: mwiora on November 29, 2016, 11:55:17 pm
adding further attachments
Title: Re: IPv6 --> Client's get IPv6 address for round about one hour....
Post by: bartjsmit on November 30, 2016, 08:31:39 am
Does the Fritzbox have a static route for the subnet behind the OPNsense?

Bart...
Title: Re: IPv6 --> Client's get IPv6 address for round about one hour....
Post by: mwiora on November 30, 2016, 09:22:36 am
Hi Bart,

actually I cannot add IPv6 static routes to the fritz box - see a_fritzbox-noipv6staticroutes.png
And a ping from one of machines X to the internal interface of the OpnSense doesn't work..... thanks for that hint!
I actually had to add a Rule to the LAN which allows ICMPv6-Pings from anywhere.
Furthermore I've added allow all traffic from the 20d8-network to the WAN-Interface. Routing seems now to work!

But shouldn't the opnsense and the fritzbox exchange routing tables?
Reg. https://en.avm.de/service/fritzbox/fritzbox-7390/knowledge-base/publication/show/1239_Setting-up-a-IPv6-subnet-in-the-FRITZ-Box/
They wrote:
You can use a router with its own IPv6 subnet in the FRITZ!Box home network. In this case, you do not need to configure static routes for the IPv6 subnet because the FRITZ!Box and the IPv6 router automatically exchange all of the necessary routing information.

What needs to be enabled to enable this route table exchange?

In step 2 (configuring the IPv6 router) they wrote:
Configure the IPv6 router so that it requests its own prefix from the FRITZ!Box using IPv6 prefix delegation and that it announces its routing information to the FRITZ!Box via router advertisement.

It looks like the WAN interface would need some special configuration to publish the routes.


I'll double check the ipv6 problems and report again.

cheers,
Matthias
Title: Re: IPv6 --> Client's get IPv6 address for round about one hour....
Post by: mwiora on November 30, 2016, 12:39:59 pm
nope. no change....
Title: Re: IPv6 --> Client's get IPv6 address for round about one hour....
Post by: bartjsmit on November 30, 2016, 04:07:41 pm
How about running the Fritzbox in bridge mode and letting OPNsense deal with the IPv6?

Bart...
Title: Re: IPv6 --> Client's get IPv6 address for round about one hour....
Post by: mwiora on November 30, 2016, 08:26:28 pm
Mh. Unfortunately VoIP is realized via the FritzBox - and no chance to get the credentials.

Cheers,
Matthias
Title: Re: IPv6 --> Client's get IPv6 address for round about one hour....
Post by: mwiora on December 14, 2016, 10:52:19 pm
ipv6 seems to be stable since I've removed the static configuration and replaced it with "track WAN interface" on the LAN interface IPv6 setting. This disables IPv6 RA configuration and dhcp (static ip needed). I will analyze this in the future.... would like to have a nice static ipv6 for my gateway.
Title: Re: IPv6 --> Client's get IPv6 address for round about one hour....
Post by: mwiora on December 31, 2016, 03:30:05 pm
update - I couldn't believe it, but since moving to Sophos UTM I have absolutely no issues with IPv6 - finally got it working.
Opnsense and Pfsense - both didn't work for me.

Cheers,
Matthias