Messages

The steps for adding IPv6 are here:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#configuring-ipv6

First, what size prefix are you getting from the ISP?  If only a /64, stop right there.  You will need something larger, typically a /56 or /60.

If the larger prefix, then for your LAN2 interface you will still track the WAN, but set it for IPv6 Prefix ID = 1.

One possibility is to set the OPNsense RA priority to "high".  The default is "normal" which is "medium" ... the same as the rouge RA.  A higher priority RA from OPNsense may very well my keep AnyConnect from flipping as it does now due to receiving multiple RA's of the same priority.

Since the "rouge" RA's are already on the LAN,  OPNsense can't do anything about it. The source device sends them out and everybody is going to see them.

What you would need is a feature like RA Guard on the wireless or the wired switched LAN depending on the device attachment. 

Perhaps AnyConnect has a feature to only trust specific source RA's or something along that line?

On the client side, IPv6 is enabled DHCP.

See this thread:  https://forum.opnsense.org/index.php?topic=22936.msg109141#msg109141

Good chance you are hitting the bug referenced.  Only fix is a reboot.

Well my system has been running fairly well so far; only one random disconnection but I was able to release/renew DHCP and get back up and running.

Thanks again for your help!

Excellent! Happy it's working.

Sounds like a plan!   ;)    To keep it clean, remove the spoofing config on the OPNsense WAN.

[VLAN 1]

The graphic looks right, but the details in the tutorial are wrong.  The tutorial shows all ports also living in VLAN 1 (attached graphic).  That needs to be stripped out of Port 2.

You have already seen the impact of that error by making it work (for a while) by cloning the TP's MAC.  That ain't right, having the same MAC on two device in the same VLAN will always present "random" problems.

Remove VLAN 1 from Port 2.  The port to the cable modem needs to be isolated.

A cable modem will only provide an address to the first MAC it sees.  Since you have a managed switch, it can be seeing the MAC of the switch management IP first  So, if the TP-Link works as I expect it to, removing VLAN 1 from the CM port will make the problem go away.  Make the change and reboot everything.

EDIT:  Also, remove the spoofing.

Possibly related to this?:

DHCPv6 server intermittently unresponsive, not responding to solicits
https://github.com/opnsense/core/issues/4691

I bet you are on Cox.  They use 172.19.x.x for their DHCP servers and self-install Walled Garden function.

Is this new service? 

If you are having any issues, like DHCP not renewing, you will need to allow DHCP for the RFC1918 space.

OPNsense will still autoconfigure a WAN address and prefix using SLAAC. You can't disable that, can you (I seriously don't know)?

OPNsense should only autoconfigure if the A-flag is set in the Router Advertisment from the ISP router. 

To fix this problem of the same prefix appearing on the WAN via SLAAC, and on the LAN from DHCP-PD, you need need to unset the RA's A-flag on the ISP router.   Then on OPNsense set the WAN to "Request only an IPv6 prefix".

So, what config settings are available on the ISP router.  It may appear as a "Managed" option like OPNsense does.

This sound logical?

Ramblings: Not sure if the RA on-link L-flag would confuse OPNsense as it would be informed that the prefix was "on the wire" (WAN), but see if the above is available and it may just work.  Also, if the prefix still existed on the ISP router interface, I don't think it would route properly to OPNsense.  Got'a be some piece of the the ISP router configuration we're not seeing.

There seems to be some misunderstanding of DHCPv6, Prefix Delegation and routing.

1) Setting OPNsense WAN to DHCPv6 and requesting a /48 isn't going to do anything productive if the draytek isn't capable of serving PD.  I suspect it is only able to provide host addresses.  Please verify.

2) The concept of setting the WAN to DHCPv6-PD then configuring a static address on the LAN makes no sense from a configuration perspective.  Bit of a contradiction.

3) The core connectivity problem is probably due to the draytek not having a route to the LAN 2A02:x:x:1000::1/64.  It would have to point to the OPNsense WAN interface (next hop route). If the draytek is not capable of IPv6 static routes, then there will be no return traffic.

4) Setting static IPv6 address with an ISP that provides addressing via PD --- If your address space never changes, then you can get away with it, but if it does you will forever be redoing everything.

Just to mention it ... There will only be a "daily backup" if something has changed in the configuration (one that you made).  If you didn't make a change on a given day, you will not see a new backup.

It's both IAX and SIP (IAX inter Office) and SIP for the main lines - without the forwards we end up with one way Audio.

I was referring to the IAX2 trunking protocol ( https://www.voip-info.org/iax/ ).  This works differently than SIP.  Some providers still offer IAX2 trunks.