Messages - frazzetta127

#1
24.1, 24.4 Legacy Series / Re: Kea DHCP IPv6?
February 18, 2024, 06:13:38 PM
Quote from: franco on February 01, 2024, 05:20:22 PM
Yes, maybe 24.7 if all goes well. We will discuss roadmap stuff in two weeks.


Cheers,
Franco

Anywhere that I can read more about this in the meantime? Will ISC still be supported in 24.7? I'd rather wait to migrate until there is full IPv6 support.
#2
I actually just found an article that explains this same issue that says it is a limitation of the software. Article is written mostly for pfSense. I'm wondering if anyone has heard of this being an issue with OPNsense as well?

https://teklager.se/en/knowledge-base/apu2-1-gigabit-throughput-pfsense/
#3
I have a 6gbit fiber connection to the home. However, on a per-connection basis, I can never seem to achieve speeds above 900mbits.

Here is a "multi connection" speed test result from just a few minutes ago


Here is a "single connection" speed test result done right after


This issue is not just limited to speed tests. Any service of any kind, be it FTP, SCP, HTTP/HTTPS (up or down), and others that I'm probably forgetting about. When I download a torrent (obviously something legal like a Linux distribution), it downloads significantly faster because it is downloading from multiple peers.

The problem happens regardless of whether the traffic is IPv4 or IPv6.

When I eliminate the router and directly connect Comcast's network to my desktop computer (via 10gbit network card), I am able to achieve full speeds. Furthermore, when I eliminate my entire local network and plug my computer directly into the "LAN" interface on the router, the problem returns. Ergo, this limitation is happening on the router.

I have been through a number of "routers" over the years (computers with either pfSense or OPNsense installed) and I have never been able to solve it with a hardware upgrade. During large file transmissions, none of the systems (RAM, CPU, etc.) are pegged. It's never under any kind of real load.

I'm currently running: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz (8 cores, 8 threads) w/ 16GB RAM

I also have in production at another location a similar build running: Intel(R) Pentium(R) CPU D1508 @ 2.20GHz (2 cores, 2 threads) w/ 16GB RAM

In fact, I actually have a second location with this exact same 6gbit internet service and I experience the problem at both places. I sort of ignored it for years, but now that I am trying to transfer files back and forth between the two locations, it's killing me.
#4
Quote from: Com_DAC on April 28, 2023, 01:44:33 PM
Which router advertisements mode should I be using to have it hand out the dns server information? All the settings I've tried so far haven't worked.

I've got another setup where I don't have the "Allow manual adjustment of DHCPv6 and Router Advertisements" checked and it is handing out itself as the dns server no problem. I just can't seem to get this other instance to hand out the dns servers I want.

IPv6 browsing is working on the network it just isn't handing out the dns servers I want.

Setup: my isp is handing out a /64 prefix via dhcp and I've got track interface enabled on my lan interface.

I just went through a big thing with Router Advertisements. The screenshots at the link below will work for your setup. Just make sure to use a /64 (sounds like you are already doing that).

https://forum.opnsense.org/index.php?topic=32433.0
#5
Ok this specific issue is solved now. Here is a recap of how to fix it if you have the same issue:

When using a /48 IPv6 subnet from your ISP (Comcast, in my case), you actually want to assign it as a /64 on your LAN interface.

Example: Comcast has assigned you 2001:543:c1e::/48

Set your router LAN IP as 2001:543:c1e::1 /64
This means your subnet will be "2001:543:c1e:0:" instead of just "2001:543:c1e:".

However, you can still use 2001:543:c1e::1 as the 0 is automatically interpreted when you use :: in the address.

Here's what you could use for a DHCP range: 2001:543:c1e:0:888::1 - 2001::543:c1e:0:888::ffff. Note that in this case you have to actually type the :0: because the :: comes later in the address.

As far as router advertisements go, you do not need to specify any range. Make sure that all fields under "Advertise Routes" are empty. Make sure that Router Advertisements are configured as "Assisted" and router priority is "Normal". Check the box for "Advertise Default Gateway".

Restart services for RA and DHCPv6.

Thanks to everyone that contributed to the answer here. I generally never ask for help on the internet because if I can't figure it out, the problem is too complex and I am too autistic to properly explain it. This was a situation where I had no other options than to turn to this community for help. Thanks again.
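The addressing recap in this post can be checked mechanically. The following Python sketch is an added example, not part of the original post or of OPNsense: it derives a /64 from the delegated /48 and verifies that the router address and DHCPv6 pool endpoints parse and fall inside it. The function names `lan_subnet` and `check_plan` are hypothetical; the prefix and addresses are the example values used in the post.

```python
import ipaddress


def lan_subnet(delegated, index=0):
    """Return the index-th /64 inside the prefix delegated by the ISP."""
    prefix = ipaddress.IPv6Network(delegated)
    if prefix.prefixlen > 64 or not 0 <= index < 2 ** (64 - prefix.prefixlen):
        raise ValueError(f"no /64 number {index} in {delegated}")
    # The subnet ID sits directly above the 64-bit interface identifier.
    base = int(prefix.network_address) + (index << 64)
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(base)}/64")


def check_plan(delegated, router, pool_start, pool_end, index=0):
    """Return a list of problems with a static LAN plan (empty list = OK)."""
    lan = lan_subnet(delegated, index)
    problems, parsed = [], {}
    fields = (("router", router), ("pool start", pool_start), ("pool end", pool_end))
    for name, text in fields:
        try:
            parsed[name] = ipaddress.IPv6Address(text)
        except ValueError as exc:  # e.g. more than one "::" in the address
            problems.append(f"{name}: not a valid IPv6 address ({exc})")
            continue
        if parsed[name] not in lan:
            problems.append(f"{name}: {text} is outside {lan}")
    start, end = parsed.get("pool start"), parsed.get("pool end")
    if start is not None and end is not None and start > end:
        problems.append("pool start is above pool end")
    return problems


if __name__ == "__main__":
    isp = "2001:543:c1e::/48"  # example prefix from the post
    print(lan_subnet(isp))     # subnet 0, the one "::1" falls into
    print(check_plan(isp, "2001:543:c1e::1",
                     "2001:543:c1e:0:888::1", "2001:543:c1e:0:888::ffff"))
```

Passing a different `index` selects another /64 from the same /48, which is how the delegation is meant to be split across further LAN interfaces.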
#6
Quote from: bimbar on March 29, 2023, 01:07:24 PM
Quote from: frazzetta127 on March 15, 2023, 01:04:34 PM
Quote from: bimbar on February 20, 2023, 09:52:29 AM
I don't think /48 for the LAN network mask can work. Please use /64.

This is incorrect. I am given a /48 by my ISP and it works fine on other router platforms, including the project OPN was forked from, pfSense.

You do get a /48 from your provider, but you are supposed to split that up into multiple /64 networks for the LAN interfaces. IPv6 autoconfiguration behaviour is not defined with networks that are not /64. Which is the reason the address type is called modified EUI-64 -> https://en.wikipedia.org/wiki/IPv6_address#Modified_EUI-64 .

I would argue that it works on pfSense because that doesn't even seem to let you choose the prefix length, probably forcing /64.


I apologize for the late reply. I had reverted to pfSense and had not had a chance to try reinstalling OPNsense to try some of the other suggestions out.

I assumed that having the SLAAC configuration set to /64 would be enough to meet the spec. I did not realize that I would also need to configure the LAN interface to /64. I will give that a shot. Unfortunately, it means reconfiguring all of my static IPv6 addresses to be longer. I'll report back either way.

I'll also check /var/etc/radvd.conf etc
#7
Quote from: wbk on February 19, 2023, 09:24:40 PM
Hi Frazzetta,

First of all, thank you for writing out your situation. I was reading your post thoroughly to see where it matches my situation, and did not skip forward to see the replies that were not there yet.

My configuration is quite a bit different, the only corresponding item being the lack of router advertisements. I was also depending on static IPv6 in the network, because I don't know enough about IPv6 to have it match DNS entries with SLAAC.

It worked till a couple of weeks (months, by now, I realize) back.

In case you solve your issue outside of the forum, would you mind posting the configuration you ended up with?

Sorry for not being of any help!

I stopped checking on this because no one got back to me. I am still on pfSense at the moment.

When you say configuration, what do you mean outside of the GUI screenshots? Is there a conf file I can pull from the shell? I am back here today because I plan to boot into OPNsense over the weekend again to run more tests with the goal of either bumping the thread here (already done) and opening a ticket on GitHub with more data in hand. I really want to make the switch to OPNsense as it solves some other issues I am having with pfSense.
#8
Quote from: bimbar on February 20, 2023, 09:52:29 AM
I don't think /48 for the LAN network mask can work. Please use /64.

This is incorrect. I am given a /48 by my ISP and it works fine on other router platforms, including the project OPN was forked from, pfSense.
#9
Update: This is solved below.

If you are configuring IPv6 for the first time on your device and would like to use this as a reference, please scroll down to "LAN Static IP Configuration" and follow the screenshots. You will also want to check the updates on the link below for the changes. (In short, you have to use a /64 instead of a /48.)

https://forum.opnsense.org/index.php?topic=32433.msg163504#msg163504


---

I want to preface this by saying that while I am pretty good with it, I do not consider myself an expert in IPv6. I have been using it for five years, and yet there are still some oddities with it that I do not fully comprehend.

---

I am trying to migrate from pfSense to OPNsense, but I am having trouble getting IPv6 RA to work. I am fairly certain that I've found a bug as I imagine it's rather difficult for the package maintainers to test in every single type of environment.

Here is a screenshot from my phone on my pfSense network. I get a local IPv4 address, link-local IPv6 address, and two IPv6 addresses (one temporary) from SLAAC with the correct prefix configured in RA.


Here is a screenshot from my phone on my OPNsense network with identical settings. I only get a local IPv4 address and link-local IPv6 address.


When my phone is connected, the OPNsense terminal fills up with errors: "cannot forward src fe80:..." showing the address of my phone and other phones on the network. If I try to run an IPv6 test from the phone, it obviously fails.

This doesn't just affect phones, of course. I can see that the SLAAC entries are missing on my Windows and Linux devices as well.

---

My environment is a home lab. My ISP provides me with a /30 IPv4 subnet and a /48 IPv6 subnet.

Because I have a few servers that require static IPv6 addresses (public addresses), I have assigned my IPv4 and IPv6 addresses statically on both WAN and LAN interfaces of the OPNsense router.

Example of static IP on a client device, note the field for gateway is the same as the static LAN Interface IPv6 address:


Because the limited OPNsense IPv6 guides I've found all use "track interface", it is my belief that there is some kind of a bug affecting environments running static IPv6 addresses. When I choose track interface, I do not seem to be able to set a static IPv6 on the LAN interface. I need a static IPv6 address on the OPNsense LAN interface to enter as my gateway when configuring static IPv6 on the clients.

Most newer Windows, Linux, and Apple computers will get their address from DHCPv6. However, DHCPv6 is not required on an IPv6 network. Many devices like iPhones, Android phones, Rokus, and other multimedia devices will only use SLAAC. So while I do not even need to run a DHCPv6 server, I do so anyways.

---

With all of that out of the way, here are side by side screenshots of my configuration on OPNsense vs my configuration on pfSense. I will always start with the OPNsense screenshot first. If the right edge of the photo is truncated, you may need to right click and open it in another window.


LAN Static IP configuration

OPNsense


pfSense



WAN Static IP configuration

OPNsense


pfSense



DHCPv6 Configuration

OPNsense


pfSense


---

Router Advertisements

These are probably the screenshots that matter the most. My annotations are truncated by the forum, please right click and open in a new window to see the full image.

OPNsense


pfSense




---

Additional information: Both my pfSense and OPNsense configs are pretty basic. I did a factory reset on pfSense and set it up from total scratch today to make sure there wasn't a step or setting I was missing. I documented every setting with screenshots and then reproduced the exact same settings on the OPNsense router. I've tried restarting the services, restarting OPNsense, etc.

The evidence seems to be pretty clear that something with OPNsense is not working correctly, but if I can figure out how to find Router Advertisements in Wireshark, my next step is to do a packet capture with OPNsense to see if there are any RA packets whatsoever.

Open to any advice you may have.