"
I'm trying to understand the current ability of OPNSense (25.1 as of this post) to handle dynamic NPTv6 rulesets for IPv6 routing. My setup is (I would think) pretty typical of any multihomed arrangement for a small/home network with redundant ISP connections, much as described in RFC 7157 scenario 2.
My particular intent is to use WAN1 as my primary connection and WAN2 only for failover. I want to assign PD /64 #0 from WAN1 to my LAN network (notably I do not want to assign a ULA prefix, for the same reason identified in this thread—Windows hosts expect GUA addressing, not ULA, for global routing, and that seems reasonable to me as well).
So for my network, I want/have:
WAN1:
WAN2:
LAN:
What's working:
What's not working:
Can anyone verify that I'm understanding the current state of things correctly? I'd be happy to help any way I can, raising issues if needed, testing, coding (may be a bridge too far, but maybe)!
Thanks!
My particular intent is to use WAN1 as my primary connection and WAN2 only for failover. I want to assign PD /64 #0 from WAN1 to my LAN network (notably I do not want to assign a ULA prefix, for the same reason identified in this thread—Windows hosts expect GUA addressing, not ULA, for global routing, and that seems reasonable to me as well).
So for my network, I want/have:
WAN1:
- is my primary upstream egress route
- receives PD /60 from upstream
- receives NA /128 on a different prefix than the assigned PD
WAN2:
- failover egress route
- receives PD /64 from upstream
- receives NA /128 on a different prefix than the assigned PD
LAN:
- dynamically assigned GUA /64 prefix #0 from WAN1 PD
- optionally, would be nice to additionally assign a static ULA /64, and the second dynamic delegated prefix from WAN2, but not necessary
What's working:
- OPNSense seems to be able to dynamically assign PD #0 from WAN1 -> LAN (this is opaquely called "track interface" on the LAN interface configuration, "dynamic external delegated prefix" would be much clearer wording in my mind), so this part is working nicely already.
- Failover from WAN1 -> WAN2, triggered on dropped or latent packets over WAN1, can be configured, and seems to be working.
- I can set up a manual/static NPTv6 rule on WAN2 to route IPv6 traffic LAN <-> WAN2 in a failover situation, but this relies on me manually digging in to find the delegated WAN1 and WAN2 prefixes and then configuring the rule with those static prefixes. If either of my ISPs change delegated prefixes, my rule breaks.
What's not working:
- OPNSense doesn't allow configuring multiple IPv6 prefixes on the LAN, as far as I can tell. Hardly critical for me, but still it seems like it would be a useful feature.
- I really need to be able to configure NPTv6 rules that have dynamic source and target prefixes based on delegated prefixes from WAN1 and WAN2, but this doesn't seem supported at all. I see some chatter about dynamic NPTv6 rules in the forum and Github but I'm having trouble making sense of it, and at the end of the day it seems not to be implemented as far as I can tell.
- There is a "track interface" option in the NPTv6 rule dialog, but this seems to be for the target prefix only and, bewilderingly, seems to require that the interface the rule tracks, in turn tracks the NPTv6 interface (why would you ever want to do that??).
Can anyone verify that I'm understanding the current state of things correctly? I'd be happy to help any way I can, raising issues if needed, testing, coding (may be a bridge too far, but maybe)!
Thanks!
