OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: norg on December 11, 2017, 01:00:26 am
-
Hi,
I have tried to get IPv6 working but I can't get it working (stable) on the non-WAN interfaces. I receive a static /64 for my WAN interface from my ISP (Deutsche Telekom) and a static /56 for internal (LAN) usage. I have to use pppoe with DHCPv6 and I tried all the possible options within "DHCPv6 client configuration". What I always enable is "Send IPv6 prefix hint" and "DHCPv6 Prefix Delegation size" with "56" (also tried 60 and 64). The IPv6 connection from opnsense itself to the internet works fine and I get the correct /64 on WAN. I added "Track interface" to the WAN interface on my LAN and DMZ interfaces and also added different prefix IDs for each of them. But there are no IPv6 subnetworks deligated to those interfaces.
Funny thing is, after I didn't touch it for one day it suddenly worked but as soon as I change something on any interface it breaks again. The ISP settings are fine, I tested the same with a LEDE (openwrt fork) Linux system and the whole IPv6 system worked perfectly. So it's either config issue from me, opnsense issue or even with freebsd itself. Also tested with pfsense 2.4.2, works too :/
Another bug is that after reboot the IPv4 on the pppoe interface comes up but not ipv6, i need to reconnect again :/
Can you give me some hints how I can debug it? I enabled debug log for dhcp but where do I find that log on the system so I can tail on it?
Thanks
-
I’ve noticed the same behavior, especially on the WAN interface. Any changes made to that interface loses the IPv6 address obtained from the ISP and won’t acquire until about a day later. I do however get an fe80::/64 address as an address without any delay. My service provider is Comcast.
Static address on my LAN side works fine including SLAAC. Though the router that my computers pick is the fe80::/64 address and not what I configured for the network, a static address in the fd00::/8 network.
A while ago, maybe an early build of 17.7, my DHCP6 dynamic gateway actually had a global address from the 2000::/56 network.
Originally, I thought maybe the ISP changed something with how IPv6 networks are handled, but this does not seem to be the case.
Unfortunately, IPv6 documentation is sparse of anything regarding configuration, and I doubt the ISP will have decent support.
-
Another bug is that after reboot the IPv4 on the pppoe interface comes up but not ipv6, i need to reconnect again :/
This should be fixed in 18.1. PPPoE still has oddities that need addressing though.
I have to say the standard install works reliably for the hands-off IPv6 providers, where WAN and LAN receive a prefix and clients are provided addresses via SLAAC without interaction.
Some providers, however, do next to never advertise IPv6 routers, so one needs to send the "directly send SOLICIT" message. Or they do other clever things they won't document so they have to be found by trail and error. The documentation is sparse because of this with language barriers in place and bits and pieces cluttered over the internet as opposed to be in one place, not a drastically different approach to how IPv6 is done.
We're especially psyched about Orange FR who require a separate VLAN PCP for them to start their DHCPv6 handling at all.
Here are some links with "ready to go" tutorials, further providers have been discussed in the forum here and there...
https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html
https://www.kirkg.us/posts/setting-up-ipv6-with-opnsense-and-comcast/
http://blog.firewallonline.nl/how-to-en-tutorials/xs4all-pfsense-opnsense-ipv6/
Cheers,
Franco
-
PS: It is likely true that other solutions go about this smarter, but that smarter approach comes from learning about how to handle these quirks better. They need to be reported, tested, improved up and finally shipped. :)
-
We're especially psyched about Orange FR who require a separate VLAN PCP for them to start their DHCPv6 handling at all.
Yes took quiet a few of wireshark capture sessions to work that one out.
Along with their use of weird raw options to authenticate the session