Messages - CJ

#1
Quote from: Patrick M. Hausen on May 25, 2026, 07:07:48 PM
See? Then please show all your rules and aliases you tried and @Monviech will probably be able to help with the details. I have no experience with the NDP proxy in production but the fact that LAN net would not work is obvious from basic principles.

I wasn't arguing with you, just providing what the manual said.

Do you run any multi-WAN IPv6?  That's my next hurdle for dual stack.
#2
Quote from: Patrick M. Hausen on May 25, 2026, 06:54:55 PM
Change LAN net to any just for a test and try again, please.

That does work.  test-ipv6.com now shows the client global IPv6.

ETA: The ndp aliases are now populated as well.
#3
Quote from: Patrick M. Hausen on May 25, 2026, 06:41:19 PM
Please show the rule. They are matched for static or "track interface" configuration, not for NDP proxy. I don't have a firewall with the defaults still active so I cannot look.

The default LAN allow rule is source = LAN net.  I added the ndp proxy alias and rule settings from the manual but they don't appear to be getting populated.
#4
Quote from: Patrick M. Hausen on May 25, 2026, 05:53:53 PM
What does your allow all rule for IPv6 on LAN look like exactly? If you have source = LAN net instead of source = any, and you are using the NDP proxy, that would explain the traffic being denied because there is no LAN net. The firewall doesn't have an IPv6 address in that single /64 you use with the proxy on LAN (!).

I'm speaking of the default rules that are configured on install.  I have not made any modifications.  The manual implies it should just work.
#5
I installed the ndp-proxy-go plugin and configured it according to the manual.  I unchecked RA under Dnsmasq General.

My client now gets global and unique local addresses that match the WAN prefix.  Client default route now shows LAN IPv4 and IPv6.  Client DNS shows WAN gateway for IPv6 and OPNsense for IPv4.

I still have no IPv6 connectivity on the client.  All pings time out.  Looking at the Firewall Live View I see the client global address being blocked by the default deny rule despite the default LAN allow all rules.
#6
Quote from: Monviech (Cedrik) on May 25, 2026, 02:50:07 PM
Check /tmp if you find a file that contains "prefix" for your WAN interface.

(eg igb1_prefix6...) out of my head right now.

I reset to defaults and confirmed that my WAN was set to DHCPv6.  I don't see anything prefix in /tmp.
#7
Quote from: Monviech (Cedrik) on May 25, 2026, 03:07:23 PM
On WAN you need DHCPv6 configured in order for that file to show.

For the ndp proxy, it has an example configuration to follow inside the manual. If you configure it exactly like that, IPv6 will most likely "just work" without any NAT66.

I'll give that a try.  There do seem to be some typos/errors in the manual.  There's no "or" option to the "either" clause:

Go to Interfaces ‣ LAN and choose either a link-local IPv6 configuration.
#8
Quote from: Monviech (Cedrik) on May 25, 2026, 02:50:07 PM
Check /tmp if you find a file that contains "prefix" for your WAN interface.

(eg igb1_prefix6...) out of my head right now.

I'll take a look.  Do the WAN IPv6 defaults need to be changed in order for this to show?
#9
Quote from: Monviech (Cedrik) on May 25, 2026, 02:42:07 PM
Your ISP router should offer something the like of IPv6 prefix delegation (IA_PD).

Unfortunately, it really does have zero configuration options.  I can't even change the IPv4 subnet.

Quote from: Monviech (Cedrik) on May 25, 2026, 02:42:07 PM
It has to delegate a prefix via DHCPv6 that the OPNsense can use. The WAN interface would be configured with DHCPv6, and internal networks like LAN with Identity Association mode.

Then you need a Router Advertisement Daemon like Dnsmasq or Radvd to offer the prefixes (/64) that were subnetted from the delegated ISP prefix (>/64) to internal clients.

From what I can tell, that is how the OPNsense defaults are configured for IPv6.  I wasn't able to get it to work, I assume because I'm not getting a prefix from the ISP.

Quote from: Monviech (Cedrik) on May 25, 2026, 02:42:07 PM
If (and only if) your ISP router has no prefix delegation mode, a workaround could be an NDP proxy.
https://docs.opnsense.org/manual/ndp-proxy-go.html

How would I configure the interfaces?

From what I read online, it appeared that IPv6 NAT was my only solution.  How does the proxy compare to that?
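As an added example (not from the thread or from the OPNsense project): the subnetting step Monviech describes, carving per-interface /64s out of a delegated prefix. It assumes that an interface's prefix ID is simply an index into those /64s (ID 0 is the first, ID 1 the second, and so on), and it also shows why a bare /64, or no delegation at all as in this thread, leaves nothing to subnet.

```python
import ipaddress


def subnet_for_prefix_id(delegated_prefix, prefix_id):
    """Return the /64 that a given prefix ID selects inside a delegated prefix.

    Assumption (not stated in the thread): the prefix ID indexes the /64s
    carved out of the delegation, so a delegated /64 yields exactly one
    usable subnet and anything shorter than /64 yields several.
    """
    net = ipaddress.IPv6Network(delegated_prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter to carve /64s")
    available = 1 << (64 - net.prefixlen)  # number of /64s in the delegation
    if not 0 <= prefix_id < available:
        raise ValueError(
            f"prefix ID {prefix_id:#x} out of range, only {available} /64(s) delegated"
        )
    # The delegation's network address has zero low 64 bits, so shifting the
    # prefix ID into the high half lands exactly on a /64 boundary.
    base = int(net.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def address_belongs_to(addr, delegated_prefix, prefix_id):
    """True if a client's global address sits in the /64 the prefix ID selects."""
    return ipaddress.IPv6Address(addr) in subnet_for_prefix_id(delegated_prefix, prefix_id)


if __name__ == "__main__":
    # Constructed example: the ISP delegates a documentation /56 and LAN uses
    # prefix ID 0x1; a client on LAN should then land in 2001:db8:abcd:101::/64.
    delegated = "2001:db8:abcd:100::/56"
    for pid in (0x0, 0x1, 0xFF):
        print(f"prefix ID {pid:#x} -> {subnet_for_prefix_id(delegated, pid)}")
    print(address_belongs_to("2001:db8:abcd:101::1234", delegated, 0x1))
    # A delegated /64 (or none at all) cannot be split further:
    try:
        subnet_for_prefix_id("2001:db8:1::/64", 0x1)
    except ValueError as exc:
        print("cannot subnet:", exc)
```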
#10
I'm attempting to stand up a dual stack deployment and I can't get IPv6 working.  While I'm familiar with OPNsense and IPv4, this is my first real foray into the world of IPv6.

ISP Router --> OPNsense --> Client

I'm stuck with the ISP router and it has zero configuration options.  OPNsense is an up to date install and reset to defaults.  It receives an IPv6 address from the ISP router and can connect to IPv6 hosts.  The client is unable to connect to anything IPv6.  If I connect the client directly to the ISP router then IPv6 just works.

How do I get IPv6 working on LAN?
#11
Hardware and Performance / Re: SDD fast wear ?
April 29, 2025, 04:01:11 PM
Quote from: meyergru on April 29, 2025, 01:39:45 PM
While I second that ZFS is preferable in principle, there are two caveats:

1. The ZFS defaults were different with older versions of OpnSense, such that writes occurred more often.
2. There are applications that - if not moved to RAM disk - eat through SSDs quite visibly. Among those are RRD and Netflow.

With my first OpnSense installation (DEC750 on 23.x) and no RAM disk, I consumed half of my enterprise-grade's lifetime in one year.
That's impressive.  I was going to recommend the OP switch to an enterprise SSD for a larger endurance.
#12
25.1, 25.4 Legacy Series / Re: Weird DNS behavior.
April 28, 2025, 04:21:25 PM
Quote from: Siarap on April 16, 2025, 06:16:40 PM
Exactly because I've set 853 TLS for DNS, and blocking outgoing port 53 connections from WAN.

Outgoing firewall rules are almost never what you want.  You'd have to explain your setup and rules more for us to know what you're running into.

In the meantime, I wrote about this some time ago so you may find the posts helpful.

https://www.cjross.net/dns-security-and-adblock-with-opnsense-part-1/

https://www.cjross.net/dns-security-and-adblock-with-opnsense-part-2/
#13
You can use the gpu slot for a nic in a Dell.  I'm using a pair of them with 25g mellanox cards for VM hosts.

The problem is that you need to disable pins on the nic.  The hardest part about it is getting the kapton tape just on the pins and not their neighbors.  See here:  https://www.dell.com/community/en/conversations/optiplex-desktops/optiplex-7060-dimm-slot-4-and-pcie-network-card/647f911bf4ccf8a8de2830b8?commentId=67a7ab9967c2593db3dbab73

That said, you're probably better off using a managed switch instead of multiple 10g ports on OPNsense.
#14
What are your LAN speeds?  Often ISPs over-provision their plans, so you can get over 1g speeds on a 1g plan if your connection has a 2.5g or faster port.  IIRC, I went from results similar to yours to 1.2g speeds by doing so.

I doubt you'd notice the difference, but it's fun nerd cred. :)
#15
Quote from: ProximusAl on March 24, 2025, 01:49:14 PM
You may wish to have a read of my post from a few years ago.

https://forum.opnsense.org/index.php?topic=31705.msg153860#msg153860

The TLDR is the mlx4en doesn't play nicely with QNAP.
I ended up moving to a Netgear 10G switch instead and the mlx4en's have been solid since....

My upgrade plans got sped up due to the tariffs and I now have a Mikrotik replacing the QNAP.  Initial testing has been positive with no link problems during boot.

OPNsense was plugged into a non-combo port on the QNAP via DAC so I'm not sure why my results were different from yours.  But I appreciate the tip and glad I could finally resolve this issue.