OPNsense Forum
English Forums => General Discussion => Topic started by: IsaacFL on February 03, 2018, 04:38:38 am
-
I am brand new to opnsense and just did a fresh install 18.1 today.
I am trying to get ipv6 configured. I can get it so my lan hosts can use SLAAC to get an address, but I cannot figure out how to turn on DHCPv6 to hand out ipv6 addresses.
When I do searches the services - DHCPv6 had settings that mine does not. The only thing I have is Relay and Leases, but I don't think I want to enable relay, and there are no leases.
I had ipv6 working pretty well on my consumer router but can't seem to figure how in opnsense.
The reason I use dhcpv6 is it seems to be the only way to get the ipv6 addresses of the hosts in the dns.
-
Router Advertisements can only be enabled on interfaces configured with static IP addresses. Only interfaces configured with a static IP will be shown.
Have you configured Interfaces > [LAN] > IPv6 Configuration Type as "Static IPv6"
And Interfaces > [LAN] > IPv6 address with an IPv6 address?
-
how do I enter a static using the prefix I get from my isp?
If I enter it manually, but still can't figure out to set up without hardcoding the prefix. For Range I tried entering ::1000 to ::fffff but it doesn't like that.
How do I pass the prefix I get from the ISP to the DHCPv6 server?
-
What prefix do you get from your ISP and who is your ISP?
-
The prefix varies depending on the DUID. For the opnsense it was 2605:e000:100e:xxxx
My ISP is Time Warner/Spectrum and I have ipv6 working on my Asus Merlin router.
I was trying out opnsense, but can't seem to get the ipv6 to work properly so for now I am back on my Asus.
Documenation seems to be non-existing for ipv6 configuration?
Thinking of switching to something else maybe pfsense, but it is hard to tell what will work without taking my whole net down.
I would like to go beyond the capabilities of my Asus, for my homelab in ipv6.
-
Sorry, I actually meant "prefix length" not just prefix.
-
Does this help: https://osquest.com/2014/08/28/ipv6-with-comcast-and-pfsense/
-
Prefix length is 64.
-
when I set the IPv6 Configuration type to "Track Interface" it does work, but only with SLAAC.
As stated above by mausy5043, it seems that DHCPv6 and Router Advertisements can only be enabled on interfaces configured with static IP addresses so Track Interface doesn't work for that.
That seems like a bug to me. Since one of the things DHCPv6 can do, is send out prefix.
-
See if this works for you:
https://www.kirkg.us/posts/setting-up-ipv6-with-opnsense-and-comcast/
It especially suggests you need to add a firewall rule!
-
Never did get this to work satisfactorily. I have in meantime tried pfsense, mikrotik, and vyos. Was able to get ipv6 to work ok with them.
So I am retrying opnsense again, and I am still having troubles getting it set up.
Is there any documentation that goes into the ipv6 options?
-
Never did get this to work satisfactorily.
Is there any documentation that goes into the ipv6 options?
I must admit that I too can't seem to get IPv6 working properly.
I have now got the WAN-interface to acquire an address from the upstream router, but getting DHCP6 to dish out IPv6 address to the LAN-interface and the LAN clients is a whole different story.
I know DNSMASQ can even do this, but the GUI doesn't seem to support this directly. And really, isn't this what DHCPv6 is there for anyway? :(
-
What errors are you seeing with DHCP? Do you see a suggested range when you to the DHCPv6 config page?
[EDIT] I forgot to ask if you have a fixed IP address for IPv6?
-
What errors are you seeing with DHCP? Do you see a suggested range when you to the DHCPv6 config page?
[EDIT] I forgot to ask if you have a fixed IP address for IPv6?
Thanks for taking the time to provide assistance with this.
Here are the settings that I think are appropriate.
My ISP (XS4ALL; NL) has provided me with a modem (Fritz!Box 5490). IPv6 relevant settings on the modem:
x Assign unique local addresses (ULA) as long as no IPv6 connection exists (recommended)
x Priority of Router advertisements = Low
x Announce DNSv6 server via router advertisement (RFC 5006)
x DHCPv6 server is enabled and assigns DNS server, prefix (IA_PD) and IPv6 address (IA_NA).
The OPNsense firewall is behind the modem (in DMZ). The WAN interface has been assigned an IPv4 and an IPv6 address. The IPv6 addresses shown by ifconfig match the addresses that the FritzBox says it has issued.
OPNsense configuration:
On Interfaces > [WAN]
IPv6 Configuration Type = DHCPv6
DHCP client configuration = all options empty (defaults); prefex delegation size = 64; use VLAN priority = disabled.
On Interfaces [LAN]
IPv6 Configuration Type = Track Interface
IPv6 Interface = WAN
IPv6 Prefix ID = 0
I get stranded when I want to configure the DHCPv6 server. On Services > DHCPv6 > Relay: I select:
Enable = ON
Interfaces = WAN
Clicking Save I get:
The following input errors were detected:
The field Destination Server is required.
Destination server? :o
-
A couple of things, first I'm no great expert with IPv6 and I've never had much success getting the 'track interface' to work correctly - I resorted to fixed IP address for the LAN.
I assume you want to hand out IPv6 addresses for your LAN, would that be correct? If what you're trying to achieve is IP address allocation for IPv6 then you would use a DHCP serve not a relay, I'm guessing that would explain why you're mentioning a 'destination server'. If you could just clarify if you're trying to get LAN IPv6 addresses allocated or something else.
If when you got the Services/DHCPv6 menu you're only seeing the Relay/leases wntries I'm assuming that's because you have no fixed IPv6 addresses on your firewall.
-
If you could just clarify if you're trying to get LAN IPv6 addresses allocated or something else.
What I want to achieve is:
1. The clients on my LAN get issued an IPv4 AND an IPv6 address
2. On every client on my LAN this should work:
$ ping6 google.com
connect: Network is unreachable
$ ping6 google.com
ping6: UDP connect: No route to host
On OPNsense it already works:
$ ping6 google.com
PING6(56=40+8+8 bytes) 2001:985:509c:1:20e:c4ff:DEAD:DEAD --> 2a00:1450:4002:808::200e
16 bytes from 2a00:1450:4002:808::200e, icmp_seq=0 hlim=53 time=20.743 ms
-
You need to configure the LAN interface to have a fixed IP address, that will allow you to enable the DHCPv6 server on that interface to allocate IPv6 addresses for your LAN.
-
OK. I now have a fixed IPv6 address configured for the LAN interface:
xxxx:yyyy:zzzz::2/118
On Services > DHCPv6 > [LAN] I now have an available range of
xxxx:yyyy:zzzz:: - xxxx:yyyy:zzzz::3ff
I've entered a Range of:
xxxx:yyyy:zzzz::3 - xxxx:yyyy:zzzz::3f0
No leases are being handed out.
The IPv6 address on the WAN interface is xxxx:yyyy:zzzz:1:20e:c4ff:fed0:9f95
I assume that's okay.
-
Do you have the router advertisements service enabled on the LAN interface?
-
Do you have the router advertisements service enabled on the LAN interface?
I do now :-D
Managed, priority: normal
-
I also have Spectrum/Ex time Warner and I am unable to get DHCPv6 on lan host with OPNsense. However, Openwrt, and PFsense do work and hand out local ipv6 adresses.
using this to test: http://ipv6-test.com/
Also ping6 google.com fails
also ping6 2001:4860:4860::8888 (google dns) fails.
So its nothing related to dns/unbound/dnsmasq, its likely a gateway/addressing issue.
I've also tried mimicking ip wan6 :track and pointing my RA assisted and making a local dhcpv6 server by overrides, but my understanding of IPv6 IPS and link local and other addressing schemes is limited based on my knowledge/experience. I know ipv6 doesn't use nat, but when I look at my OPENWRT/pfsense IPv6 address/gateway im rather perplexed how to mimic it to work on OPNsense.
Has OP solved his problem? if so what are the steps that you did?
I might consider making a new topic if none replies
-
First things first, are you using 18.7?
What settings did you have in the WAN interface for pfsense, they should be the same for Opnsense.
In the lobby page, are you showing an IPv6 address on the WAN and/or LAN?
Once you give us that information, we can take it further.
-
@marjohn56 Yes running 18.7, tried 18.1.x (same issue) and on pfsense: 2.4.3
On the lobby pages of both pfsense/opnsense I was given a ipv6 address, however only for OPNsense the IPv6 on the lan side refused to resolve or reach any ipv6 addresses with opnsense. One thing of interest from the OPNsense shell, ping6 was able to work with IPv6 addresses, but not anything on the lan side. It was giving me IPv6 addresses on lan, just refusing to not work with anything IPv6 from the lan
With PFsense everything was configured properly., was able to use IPv6 from the host and lan. Did you need screenshots/config notes from PFsense to tell me what to input?
-
OK, so are you running static IPv6 on the WAN/LAN or dhcp and Track6?
Are all the services showing green?
-
Im so sorry have wasted your time. The issue isn't with OPNsense but rather on the end user (me). I just googled and found this forum because I assumed the issue was with OPNsense and charter spectrum's ipv6 or OPNsense routing, since my backup worked on PFsense (didnt try it for long just enough to test the website). I tried everything, manually adjusting the RA to assisted with a Lan ipv6 DHCP server, in the config
I got it to work. I feel so dumb.
The solution:
I've deployed this both pfsense and opnsense to a physical machine (athlon II x2) with actual nics, and problem gone. Both receive IPv6.
Now going to deploy opnsense to a Pentium4 i386 with these pci realtek based nics. Probably not the idea candidate, but its a way to recycle old hardware for the time being. Sorry for the long pauses, usb 2.0 is slow on these old machines
My setup was a thinkpad t510 (1st gen intel mobile) with 1g ram allocated to it, and having my hypervisor (proxmox) route the vlans to it and feeding wan ethernet to my switch/router (archer c7 v2) control the switches. This worked with ipv6 and everything as far as i can remember for a while, so I just assumed the firewall when ipv6 failed recently, i'm guessing my PFsense reverting that VM kept some older settings and worked. I cannot explain why the old backup passed through ipv6 traffic, will investigate further. I know this isn't a Ideal setup, but I don't want to buy a usb dongle for two nics in a mobile laptop, and besides it keeps power $ lower. So I will look for the appropriate help where i find the actual issue with hypervisor/switch setup.
So sorry to have wasted your time chasing around a non existent issue in my OPNsense setup, and thank you OPNsense for being better than PFsense to the devs, and not reverting to the tactics that Netgate often tries on you. At least with your product I can still use my i386 hardware to run the latest versions, real shame what Netgate is forcing users to swallow requiring 64bit and soon AES support.
-
You're not wasting our time. glad you got it working.