Messages - sukerman

#1
Thank you all, I'll try everything and update this with any solutions I find.
#2
Thank you for your replies.   I'll pipe everything over WireGuard from the VPS until I get the ISP modem bridged.

I would be interested if someone can confirm that what I was trying to do here is indeed impossible? - https://forum.opnsense.org/index.php?topic=45442.0

I have to say my first venture into IPv6 has been disappointing. I thought all my devices could have their own address and goodbye to problems with NAT and forwarding.    Having to rent a server somewhere else so you can have a homelab is not a great advert for it, and I know it's because I'm behind the ISP modem, but surely a lot of others will be as well.

Thanks,
#3
Hola all,

I've recently changed ISP to DIGI in Spain.  It's great, it's 10G up/down and EUR 25.00 a month.

But I noticed Plex has stopped working outside the house, because of CGNAT.

So I thought no problem, get IPv6 working, I've got a VPS at Hetzner ready to forward people without IPv6 etc.

But after a week of headbanging, I think I can't get it to work because (I think) I am behind the DIGI router and the delegation cannot be passed to OPNsense.   From what I can establish the delegation should be /56, but OPNsense just gets /128, or /64 if I use SLAAC.

So I got to here:

DIGI Router (all clients on WLAN / LAN having working IPv6)

Opnsense, gets IPv6 on WAN (SLAAC) and LAN (tracking) but can't route.
All clients on the LAN appear to have a valid IPv6.   Maybe there's some routing setting I'm missing but... I give up.
See here - https://forum.opnsense.org/index.php?topic=45442.0

My conclusion is, the DIGI router is not offering DHCP-PD, so OPNsense doesn't know what prefixes are available, gives me an address, but I have nothing I can then offer to the LAN. This is as far as I can make out (with my confusion) the issue.  I've tried pfSense, same issue.

So how can I defeat CGNAT so I can host my own services, without relying on relays etc that will ruin my bandwidth?

How can I achieve this?

1) Some routing hack to get things working as is.
2) Ask DIGI to make their router work in bridge mode, hopefully then I get the IPv6 delegations to Opnsense.
3) Spend EUR 250 on a SFP+ ONT transceiver that I can use to plug in the fibre directly to Opnsense and put in the PPPoE credentials.
4) Some other magic. IPv6 works in OPNsense, but not on LAN. Maybe some IPv6 -> 4 translation, reverse proxies...
5) Give up, run another box outside of Opnsense plugging directly into the DIGI modem.  This would work, but suck.

Sigh.

Any ideas please?
#4
Hi All,

----------------
EDIT: My opnsense router is behind my ISP router.  Could it be that it is not passing the IPv6 delegation to opnsense and this is causing the routing problem?  I'm confused because all my LAN devices have an address and the gateway assigned.   It all looks good, but LAN devices cannot ping the gateway.
----------------

I've been banging my head against the wall on this for days, tried to do the reading etc, YouTube etc..... lol I have tried.

For anyone searching this is a setup for DIGI Spain.   I am using the supplied router, firewall off, DMZ set to my opnsense box.

In Opnsense, I have enabled link local on the bridge so I get IPv6 assigned.

This ONLY works as far as I can tell if I put the WAN interface to DHCP4 and SLAAC for IPv6.

Note, you then have to go to LAN interface settings and click save after any changes before changes to the WAN interface are carried through.

If I set WAN interface to DHCP4 and DHCP6 I do not get IPv6 addresses assigned to the bridge, I have tried DHCPv6 and changing the prefix to 48 / 56 / 60 / 64, I never get an address on the bridge without setting it to SLAAC.

Opnsense seems happy with this setup, I have added a floating IPv6 firewall rule to allow all IPv6 in and out for testing purposes.


 DEBUG (igc2)    ->
 LAN (bridge0)   -> v4: 10.2.1.1/16
                    v6/t6: 2a0c:5a87:xxxx:xxxx:xxxx:xxxx:fe10:6075/64
 Nord_UK (ovpnc1) -> v4: 10.100.0.2/16
 OFFICE (igc3)   ->
 WAN (ix2)       -> v4/DHCP4: 10.1.1.2/24
                    v6/SLAAC: 2a0c:5a87:xxxx:xxxx:xxxx:xxxx:fef4:33c3/64
 WAPS (igc4)     ->

root@OPNsense:~ # ping -6 heise.de

PING(56=40+8+8 bytes) 2a0c:5a87:xxxx:xxxx:xxxx:xxxx:fef4:33c3 --> 2a02:2e0:3fe:1001:302::
16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=0 hlim=54 time=44.149 ms
16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=1 hlim=54 time=44.283 ms
16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=2 hlim=54 time=43.910 ms
^C
--- heise.de ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 43.910/44.114/44.283/0.155 ms
root@OPNsense:~ #

Machines on the LAN are issued with IPv6 addresses:

➜  ~ ip -6 addr show en0
14: en0: <UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500 status UP
    link/ether 3e:5e:xx:xx:xx:6c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::4d3:xxxx:xxxx:1361/64
    inet6 2a0c:xxxx:xxxx:xxxx:xxxx:5e38:aa50:a1aa/64
    inet6 2a0c:xxxx:xxxx:xxxx:xxxx:c303:87d2/64
    inet6 2a0c:xxxx:xxxx:xxxx::1b1c/64

Ping just hangs:

~ ping6 heise.de
PING6(56=40+8+8 bytes) 2a0c:xxxx:xxxx:xxxx:xxxx:a29:c303:87d2 --> 2a02:2e0:3fe:1001:302::
....

~ ip -6 route
default via fe80::5a9c:xxxx:xxxx:6075%en0 dev en0
default via fe80::%utun0 dev utun0
::1 via ::1 dev lo0
2a0c:xxxx:xxxx:2800::/64 dev en0 scope link

I cannot ping the default route either, this is the same address shown against the LAN bridge in Opnsense, which has 2a0c:xxxx:xxxx:xxxx:xxxx:fcff:fe10:6075/64 and fe80::5a9c:xxxx:xxxx:6075/64.  I cannot ping either address.

~ ping6 fe80::5a9c:xxxx:xxxx:6075
PING6(56=40+8+8 bytes) fe80::4d3:xxxx:xxxx:1361%en0 --> fe80::5a9c:xxxx:xxxx:6075
ping6: sendmsg: No route to host
ping6: wrote fe80::xxxx:xxxx:xxxx:6075 16 chars, ret=-1

IPv4, no problem, IPv6 not working, this is a wired connection to the opnsense box.

~ ping 10.2.1.1
PING 10.2.1.1 (10.2.1.1): 56 data bytes
64 bytes from 10.2.1.1: icmp_seq=0 ttl=64 time=2.626 ms
64 bytes from 10.2.1.1: icmp_seq=1 ttl=64 time=0.822 ms
^C
--- 10.2.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.822/1.724/2.626/0.902 ms

➜  ~ ping6 fe80::5a9c:fcff:fe10:6075
PING6(56=40+8+8 bytes) fe80::xxxx:xxxx:xxxx:26df%en8 --> fe80::xxxx:xxxx:xxxx:6075
ping6: sendmsg: No route to host
ping6: wrote fe80::xxxx:xxxx:xxxx:6075 16 chars, ret=-1

I don't think it's a firewall issue, I've allowed all IPv6 both ways with a floating rule.

I'm no expert on this, could someone point me in the right direction please?

EDIT: tried with clean install and minimal configuration no bridge etc, same result.

Thanks,
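The floating "allow all IPv6 in and out" test rule mentioned in the post, next to the narrower rule set a practitioner would switch to once testing is done, written as pf.conf rules. This is an added example, not the poster's configuration and not OPNsense's generated ruleset (OPNsense builds pf rules from the GUI; this is the underlying pf syntax for comparison). The interface names ix2 (WAN) and bridge0 (LAN) are taken from the interface list in the post; the macros and rule layout are assumed.

```pf
# Added example, not from the post: pf.conf view of the IPv6 filter rules.
# Interface names come from the post's interface list; the rest is assumed.
wan = "ix2"
lan = "bridge0"

# --- what the post's floating test rule amounts to ----------------------
# "allow all IPv6 in and out": every LAN host holding a global address is
# reachable from the internet on every protocol and port. Left commented
# out here because, being "quick", it would short-circuit everything below.
# pass quick inet6 all

# --- narrower replacement once testing is over --------------------------
# Default deny inbound for IPv6; replies to outbound traffic pass via state.
block in log inet6
pass out quick inet6 keep state

# ICMPv6 that IPv6 needs to work at all: router advertisements from the
# upstream router (SLAAC on WAN), neighbour discovery on both sides,
# path-MTU and error messages, and echo for diagnostics.
pass in quick on $wan inet6 proto ipv6-icmp \
    icmp6-type { routeradv, neighbrsol, neighbradv, unreach, toobig, timex, paramprob, echoreq }
pass in quick on $lan inet6 proto ipv6-icmp \
    icmp6-type { routersol, neighbrsol, neighbradv, unreach, toobig, timex, paramprob, echoreq }

# LAN hosts may initiate anything outbound through the firewall.
pass in quick on $lan inet6 from $lan:network to any keep state
```

Blocking ICMPv6 wholesale is the classic way to break IPv6 (no neighbour discovery, no router advertisements, no path-MTU discovery), which is why the narrow rule set lists those types explicitly rather than dropping ICMPv6 along with everything else. In OPNsense terms the equivalent is a floating pass rule for protocol IPv6-ICMP with those types, rather than a pass-all rule in both directions.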
#5
I've just been through this, there's no need to forward ports or change NAT reflection options, just add an alias: select Host and enter the static IP of the PS4.  Then set Settings -> Outbound to hybrid and add a rule, select source as your PS4 alias and tick Static Port, that's all that's needed.
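The outbound NAT change described in this post, rendered as the pf.conf rules OPNsense would generate for it. This is an added example, not the poster's configuration and not OPNsense's own generated output. The console address 10.2.1.50, the alias name PS4 and the LAN network 10.2.0.0/16 are assumed; ix2 is the WAN interface from the earlier post.

```pf
# Added example, not from the post: pf.conf view of the outbound NAT change.
# Alias contents, LAN network and WAN interface name are assumed.
wan = "ix2"
table <PS4> { 10.2.1.50 }          # host alias for the console (assumed address)

# nat rules are first-match, so the console's rule must come before the
# general one. static-port keeps the original source port instead of
# choosing a random one, which is what the console's NAT-type check wants.
nat on $wan inet from <PS4> to any -> ($wan) static-port

# The automatic catch-all outbound rule (hybrid mode keeps this one):
# source ports are still rewritten for everything else on the LAN.
nat on $wan inet from 10.2.0.0/16 to any -> ($wan)
```

Note that static-port only changes what this firewall does to the source port. If the ISP applies CGNAT upstream (as in the DIGI thread above), the ISP's translation still rewrites ports and the NAT type reported by the console may not improve; the rule is also worth limiting to that one host, since disabling source-port randomisation for the whole LAN makes every client's connections easier to track and spoof.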