OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: watz on June 21, 2017, 05:07:43 pm

Title: [solved] IPv6 prefix delegation & static WAN?
Post by: watz on June 21, 2017, 05:07:43 pm
Hello,

I would like to make some of our infrastructure ready for IPv6, but I am struggling to do so.


tl;dr
Is it necessary to set up IPv6 prefix delegation for static IPv6 WAN addresses? How to do it?

* We have a server at a datacenter
* There are several KVM hosts running on this server.
* OPNsense is running in one of these KVM guests
* OPNsense WAN interface is bridged to the host ethernet interface
* OPNsense LAN interface is bridged to an internal bridge interface
* The datacenter is providing a /48 network to us: 2a00:nnnn:nnnn::/48
* Default GW is: 2a00:nnnn:nnnn::1

I've configured the OPNsense WAN interface to use a static IPv6 (one out of the /48 network):
2a00:nnnn:nnnn::123

What's working:
+ I could connect without problems from OPNsense to other IPv6 Hosts on the Internet
+ I could connect from other IPv6 internet hosts to the OPNsense host.


Now the tricky part:
I want to "hide" some KVM guests behind the OPNsense firewall. By hiding I mean that, for example, the hidden machines should only be accessible via HTTPS and HTTP.

Therefore I've set up a static IPv6 address on the OPNsense LAN interface:
2a00:nnnn:nnnn:100::1

And manually configured the other KVM guests (hidden behind the OPNsense) to use IPv6 addresses like
2a00:nnnn:nnnn:100::10


With this setup
+ I can connect to the LAN hosts from OPNsense and vice versa.
- I can't ping the default GW from the LAN hosts
- I can't connect to internet hosts from the LAN hosts


I assume that without a correct IPv6 prefix delegation the default GW (2a00:nnnn:nnnn::1) does not know it needs to route all packets to 2a00:nnnn:nnnn:100::/64 to the WAN interface of OPNsense.

But to be honest I have totally no idea how to do this prefix delegation. Any help or idea is highly appreciated.

What is the correct way to configure the WAN and LAN interfaces in this scenario?
Title: Re: IPv6 prefix delegation & static WAN?
Post by: sebastian on June 22, 2017, 09:18:20 pm
You need to use RADV (found on DHCPv6 under Services) to "announce" the prefix to the LAN interface, so the LAN host knows which gateway it should send the packets to.

Remember that IPv6 is NAT-less, thus the LAN host is talking directly to your upstream gateway. With IPv4, your LAN host talks to the firewall, and your firewall talks with the gateway.

If you use Static IP, you can announce unmanaged or Router Only.
Title: Re: IPv6 prefix delegation & static WAN?
Post by: watz on July 12, 2017, 03:32:26 am
In the meantime the problem is solved:

Quote
I assume that without a correct IPv6 prefix delegation the default GW (2a00:nnnn:nnnn::1) does not know it needs to route all packets to 2a00:nnnn:nnnn:100::/64 to the WAN interface of OPNsense.

But to be honest I have totally no idea how to do this prefix delegation. Any help or idea is highly appreciated.

The datacenter has added an additional IPv6 route on their side which forwards all traffic to 2a00:nnnn:nnnn:100::/64 to the WAN IPv6 IP of the OPNsense Firewall. With this additional route everything is working fine.
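
The resolution in this thread, modelled as an added example that is not part of the original posts: a longest-prefix-match lookup on the datacenter gateway before and after the extra route. The prefix 2001:db8:1::/48 is a constructed stand-in for the redacted 2a00:nnnn:nnnn::/48, and the assumption that the gateway treats the whole /48 as on-link is not stated in the thread.

```python
import ipaddress

# Constructed stand-ins for the redacted addresses in the thread.
SITE = ipaddress.ip_network("2001:db8:1::/48")
OPNSENSE_WAN = ipaddress.ip_address("2001:db8:1::123")
LAN_PREFIX = ipaddress.ip_network("2001:db8:1:100::/64")
LAN_HOST = ipaddress.ip_address("2001:db8:1:100::10")

# Addresses that answer Neighbor Discovery on the WAN segment, as seen by
# the gateway. LAN hosts sit behind OPNsense, so they never answer here.
WAN_NEIGHBORS = {OPNSENSE_WAN}


def lookup(routes, dst):
    """Longest-prefix match over a list of (network, next_hop or None)."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def gateway_forward(routes, dst):
    """Describe how the datacenter gateway would handle a packet to dst."""
    route = lookup(routes, dst)
    if route is None:
        return "no route"
    net, hop = route
    # On-link route (no next hop): the gateway must resolve dst itself.
    target = hop if hop is not None else dst
    if target not in WAN_NEIGHBORS:
        return f"dropped: neighbor discovery for {target} gets no answer"
    return f"forwarded to {target} via {net}"


# Assumption: before the fix the gateway treats the whole /48 as on-link.
before = [(SITE, None)]
# After: a more specific route for the LAN /64 via the OPNsense WAN address.
after = before + [(LAN_PREFIX, OPNSENSE_WAN)]

if __name__ == "__main__":
    for name, table in (("before", before), ("after", after)):
        print(name, "->", gateway_forward(table, LAN_HOST))
```

The same lookup explains why the firewall itself was reachable from the start: its WAN address answers on the shared segment, while the routed /64 needs an explicit next hop.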