Messages - cmpsalvestrini

#1
19.7 Legacy Series / IPv6
November 01, 2019, 02:27:22 AM
I'll attempt to be brief.

My ISP provides a /56 IPv6 prefix through DHCP. I am able to get an IPv6 address at the WAN port of my router; however, I choose not to use this as my WAN IP, since getting the LAN to obtain an IPv6 address through WAN tracking does not work with my hardware. So... static IPv6. Since I have a /56 prefix, I set the LAN IPv6 address to one of the subnets, configure my pools, set radvd to managed and...... No internet access with IPv6. IPv6 tests fail. I think I'm doing something wrong here; am I missing something?
#2
Hello, please bear with me guys:

I installed OPNsense on a computer with a dual-NIC network card. I set everything up and everything is fine and dandy. However... IPv6 does not work: it is plotz.

There is no doubt that I can get IPv6 at the WAN port. Up to there I'm good. FWIW the prefix is a /56 (would love to know how to properly set this up). At the gateway interface, I have set up my ONT router IPv6 address as the gateway, and a static IPv6 address way at the end of the spectrum (2001:818:d9d9:ba00:ffff:ffff:ffff:fffe). This, I set as a /64.

On the LAN side, I set my IPv4 address, a /16, and an address thus: 2001:818:d9d9:ba00::ffff /64. I also configured DHCPv6 to spread a pool from ::10 to ::ffff and I configured radvd thus:

* Managed router advertisements
* Normal priority
* Advertise default gateway checked
* Advertised route (2001:818:d9d9:ba00::/64)
* blank dns servers and domain search
* minimum interval 200
* maximum interval 600

However, if I don't do a wiring trick involving a switch (which gives me dual IPv6 addresses at LAN level), my OPNsense-produced IPv6 addresses do not get Internet connectivity. ipv6-test.com tests fail. I have ICMPv6 set to be allowed at the WAN level.

The scheme for the wiring trick is as follows:



ONT ----- Switch port 1
         |----- Switch port 2---To WAN port on OPNSense
         |----- Switch port 3---From LAN port on OPNsense
         |----- Switch port 4---To main switch going to the rest of my net


I suspect some configuration is missing here. IPv6 should work and the wiring hack above should not be necessary, I think. I wonder whether I have to set the LAN with a totally different prefix within the /56 subnet?

I have tried ULA and NPT -- that was a spooktacular fail. (de rigueur pun, because Halloween). Perhaps I'm not configuring things properly, after all I am a newbie at using OPNsense.

What should I do, how should I proceed, to have IPv6 working as good theory says it should?

Thanks in advance.
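
Added example (not part of the original posts): a Python check of the addressing described in post #2, showing that the WAN and LAN addresses as posted fall in the same /64 and that the upper bound of the DHCPv6 pool equals the LAN address. It assumes the delegated /56 is the one containing the posted addresses; the function names are illustrative.

```python
import ipaddress

# Addresses exactly as posted. Assumption: the ISP's /56 is the one containing them.
WAN_IF = ipaddress.ip_interface("2001:818:d9d9:ba00:ffff:ffff:ffff:fffe/64")
LAN_IF = ipaddress.ip_interface("2001:818:d9d9:ba00::ffff/64")
DELEGATED = ipaddress.ip_network(f"{WAN_IF.ip}/56", strict=False)

# DHCPv6 pool as posted: ::10 to ::ffff inside the LAN /64.
POOL_FIRST = LAN_IF.network[0x10]
POOL_LAST = LAN_IF.network[0xFFFF]


def overlapping(interfaces):
    """Return pairs of interface names whose on-link networks overlap."""
    names = list(interfaces)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if interfaces[a].network.overlaps(interfaces[b].network)
    ]


def free_subnets(delegated, used, count=3):
    """First `count` /64s of the delegated prefix that overlap none of `used`."""
    found = []
    for net in delegated.subnets(new_prefix=64):
        if not any(net.overlaps(u) for u in used):
            found.append(net)
            if len(found) == count:
                break
    return found


def in_pool(addr, first, last):
    """True when addr lies inside the inclusive range first..last."""
    return int(first) <= int(addr) <= int(last)


if __name__ == "__main__":
    print("delegated prefix:", DELEGATED)
    print("overlapping interfaces:", overlapping({"wan": WAN_IF, "lan": LAN_IF}))
    print("unused /64s:", [str(n) for n in free_subnets(DELEGATED, [WAN_IF.network])])
    print("LAN address inside DHCPv6 pool:", in_pool(LAN_IF.ip, POOL_FIRST, POOL_LAST))
```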

#3
18.7 Legacy Series / Re: IPv6 weirdness
December 06, 2018, 03:14:59 PM
Remembering what I know about IPv6, it is an address made up of 8 4-number blocks separated by colons, so an fe80 (link-local) address is also valid for IPv6 routing, unlike IPv4 addresses. That said, the correct syntax should be, for instance, fe80:dead:beef:0c0b:fefe:bada:babe:ff00/64, that or a numerical, xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 (for instance 2606:4700:4700::1111/64). The special prefix, fe80::1, translates into fe80:0000:0000:0000:0000:0000:0000:0001 and is a so-called "well known" address that is used for shorthand to designate the default router. That being said, and keeping in mind the (admittedly oversimplified) explanation above, it's obvious that fe80::1:1 is not a valid IPv6 link-local address, so there must be a bug in the code somewhere. Apart from all the technical mumbo jumbo, how did you get IPv6 working? I'd like to try what you did in my setup when I get home.
#4
18.7 Legacy Series / IPv6 weirdness
December 06, 2018, 12:28:27 PM
Recently installed OPNsense and I am happy with it overall, except for a couple of things that have me stumped.

a) When I use fe80::1 as my gateway, OPNsense broadcasts it as fe80::1:1. I have tried configuring a 2001 but the gateway address remains reported as fe80::1:1. This breaks IPv6 traffic towards the Internet (obviously, since fe80::1:1 is not a valid link-local IPv6 address). Yes, I have tried using the bug typing fe80: as my gateway, but no joy :P

b) Using a tunnel broker like HE, everything configures well, I get a good gateway and DNS resolvers, but no traffic to the Internet. OPNsense is behind a router that has a DMZ set up for OPNsense's IP address. I must also add that the router has a fairly limited web interface and some of the possibly more interesting configuration options are not available to me, either because they are not installed in the router or because they are locked out / disabled. Therefore, I don't know whether ICMP 41 is being filtered or not. In theory it shouldn't be, since the IP address for OPNsense is a DMZ, but I am out of ideas. I spent the whole night trying to figure this out and I am exhausted. Therefore, I would appreciate any assistance in this matter.