Messages

Are you sure that you are talking about a "modem", not a "router"? This sounds more like a router-behind-router setup where OpnSense does not control its real WAN IP address.

Could still be a plugin or an antivirus engine.

The keyword is "webgui" here... as it seems, not even the time being off is present when using SSH.

When the problem occurs only on the web gui, it has to be the client, which means browser or some kind of plugin. I would try another browser first.

CG-NAT does not handle IPv6, which is the problem at hand if it can be fixed by using IPv4 only or by instructing the browser to disregard IPv6 in the first place.

Movistar in Spain is known to have issues with IPv6, there are lots of reports on this (also from this year, BTW).

The provider test is crap, for me, it shows "OPALTELECOM-AS TalkTalk Communications Limited, GB", while I am in Germany.

If you still use the parameter in Firefox, the test should probably fail, because that setting essentially disables IPv6.

There were several changes in 26.1.6 for IPv6. If you only did an 26.1.6 -> 26.1.6_2 upgrade, everything should work.

What do you mean by "the DNS server is the upstream router"? Do you use a router-behind-router setup, do you mean the ISP router or your OpnSense? If so, its IPv4 or IPv6 address? Please be more specific.

Read the change notes for the update(s) you did. I think there were changes for IPv6. Probably, you need a reboot, depending on what your update path was.

The name of the parameter should give you a hint about what is probably wrong with your setup: DNS resolution for IPv6 names or IPv6 reachability.

You should investigate what exactly goes wrong (and then, why).

For example:

1. When you resolve a name like "www.google.com", you will get both an IPv6 and an IPv4 address - that is, if DNS resolution does not fail in the first place, in case your client tries to resolve via IPv6 first. If that fails, which is the IPv6 address of your DNS server? Does it answer?

2. Can you reach the resolved IPv6 via ping? Probably not.

3. Does your client get a routeable IPv6?

4. Has it got an IPv6 gateway? Can it be reached?

5. Can you reach your upstream gateway? Or any IPv6, like "2600::", via ping?

You catch my drift. "websites are slow" means "cannot be reached via IPv6, which is the preferred way" in your case. There is about 0% chance that TLS is impacted. OpnSense does not even interfere with that, unless you use a proxy.

When IPv6 did work before, you should be able to fix it. If your ISP does not offer it, turn it off globally.

Thanks for the quick response.

Point 10. The CPU is sufficient because with Linux Mint on USB I reach 500 Mbps. Now, I don't know if OPNsense adds anything that makes performance more demanding.

Obviously, you did not read the full point and the link about RSS and others.

Point 22. I first tried it in a virtual machine with Proxmox. Then I installed OPNsense bare metal. I gained absolutely no speed.

Perhaps there's a difference between FreeBS and Linux that means the hardware isn't managed, I don't know?

There is a lot more in the linked article about OpnSense under PVE, like not using passthru, suggested tuneables and more.

What I meant by that is:

1. You did not state how you measure throughput (i.e. single-threaded vs. multi threaded). So, your testinmg methodology cannot be verified.
2. You tried the most advanced setup (i.e. under PVE) first, without using guidance about how that is to be done (hint: no, it does not work optimally from the get-go).
3. You probably did not apply some needed tuneables for using more than one of your CPU cores.

Start with this, points 10 and 13, if you use some kind of IPS and point 22.

Die DG scheint - zumindest an manchen Anschlüssen - erst nach einigen Minuten eine IPv6 zu vergeben. Warte mal 15 Minuten ab.

[completely unrelated]

When you read my explanation again closely, you will find that your problem is completely unrelated to the automatic discovery, thus any more complaining about that won't help you a bit.

What really helps to clean up the mess once is also given in my post.

The final solution to this is to use the newly created "delete lease" button in the Kea leases window, which should take care of cleaning out the old lease correctly.

FWIW: Ich habe eine (von drei) Installation bei DG, bei der nach einem Neustart die IPv6 erst nach ca. 10 Minuten vergeben wird.

Keine Ahnung, wieso.

Take a look at the Tutorial section - there is a HowTo for IPv6.

The business license that comes with Deciso boxes is valid for one year only, so it probably has expired.

I assume you want to set up a bridge with LAN and LAN2. Follow the Offizials docs, them it will work.