Messages - deadman

#1
Hi all, I have a dual-v6 WAN setup using NPTv6 that doesn't work properly. Here's how the network is set up:

(I use 2400::/64 and 2001::/48 addresses as placeholders in my post; obviously I use the proper prefixes assigned to me)

ISP -> WANv4 (DHCPv4)                -> OPNsense [2400::1234/64 | 2001::1/64] -> LAN Clients [2001::xx/64]
    -> WANv6 (DHCPv6) [2400::/64] ->
HE.net Tunnel (GIF)    [2001::/48] ->

I'm using NPTv6 as the LAN network was built using HE.net's prefix before the ISP started supporting v6. So NPTv6 is used to translate the LAN address to the ISP's prefix. The HE.net tunnel is kept around as a backup gateway. Router Advertisements is set to Assisted.

Everything works fine. v4 and v6 work in both directions. If I disable the ISP's v6 link, traffic automatically fails over to the he.net tunnel. I see that all LAN clients use the firewall's link-local address as the router.

The only thing that does not work is accessing OPNsense (the firewall) over its assigned [2001::1/64] v6 address. As such, it does not respond to DNS queries and LAN clients behave oddly while waiting for the v6 DNS query to time out.

I've verified that Unbound is working properly over v4. Unbound also properly responds to v6 queries done on the firewall itself (using the same v6 [2001::1/64] address).

Looking at the interface packet captures, I see the DNS query entering the firewall over the LAN interface, then leaving out of the GIF interface of the he.net tunnel. Nothing seems to be recorded in the firewall logs.

I believe this is likely a configuration error on my part, but where do I start?
#2
I realized I had to use an older kernel (14.1-RELEASE-p3 FreeBSD 14.1-RELEASE-p3 stable/24.7-n267778-bb2c86773c1b SMP amd64) for OPNsense to be able to boot up; otherwise the entire machine, including the parent ESXi hypervisor, loses networking.

I chose to stick with the older kernel for now since I can't think of a way to debug the kernel version issue (there is no way to look into the machine since ESXi loses all network connectivity).

Could this be somewhat related?

Edit: I updated to 24.7.10 with kernel 24.7-n267981-8375762712f and things boot up fine. However clients are still unable to use v6 but the router itself is able to.
#3
I have a V6 Multi-WAN setup that was working fine on 24.1 but stopped working when I recently upgraded to 24.7.

Technically there is only one WAN, but I was running IPv6 via the HE.net tunnel before my ISP started supporting v6 using 6rd. To minimize any network address changes, I set up NPTv6 to translate HE.net prefixes to my ISP's and configured a gateway group prioritizing my ISP's connection.

WAN 6rd prefix: 2400:xxxx:xxxx:xxxx::/64
WAN HE.net prefix: 2001:yyyy:yyyy::/48

LAN prefix: 2001:yyyy:yyyy:zzzz::/64

NPTv6
Internal: 2001:yyyy:yyyy:zzzz::/64
External: 2400:xxxx:xxxx:xxxx::/64
After upgrading to 24.7, IPv6 works fine on OPNsense itself. I can ping both local and global IPv6 addresses no problem. Local machines can ping OPNsense and other local machines, but global addresses receive no reply.

I did a packet capture and I see the ping response reaching OPNsense via the WAN interface, but there is no response emitted from OPNsense (address translated or not) via LAN (or any interface for that matter).


E.g. Pinging 2606:4700:4700::1111

Ping:
Local Machine (2001:yyyy:yyyy:zzzz::4) --(LAN)--> OPNsense (2001:yyyy:yyyy:zzzz::1)
OPNsense (2400:xxxx:xxxx:xxxx::4) --(WAN)--> Target (2606:4700:4700::1111)

Reply:
Target (2606:4700:4700::1111) --(WAN)--> OPNsense (2400:xxxx:xxxx:xxxx::4)
(Nothing thereafter)
I thought it might be a firewall rule, but searching through the firewall logs, nothing is blocked. So the packet has just... disappeared?

Can anyone point me to where I should look to figure out where the packet is dropped?
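Both post #1 and post #3 hinge on what NPTv6 does to an address on its way out and back in. The following is an added example, not code from this thread or from OPNsense: a pure-Python model of the RFC 6296 translation, including the checksum-neutral adjustment that lets the mapping be reversed without rewriting TCP/UDP checksums. The prefixes 2001:db8:aaaa:bbbb::/64 and 2001:db8:cccc:dddd::/64 are constructed documentation-range stand-ins for the post's 2001:yyyy:yyyy:zzzz::/64 (internal) and 2400:xxxx:xxxx:xxxx::/64 (external); the function names are my own.

```python
# Added example (not from the forum thread or OPNsense): NPTv6 address
# translation as specified in RFC 6296, modelled in pure Python.
# All addresses used below are constructed documentation-range placeholders.
import ipaddress


def ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(words) -> int:
    """One's complement sum of a sequence of 16-bit words."""
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def to_words(addr: ipaddress.IPv6Address) -> list:
    """Split a 128-bit address into its eight 16-bit words, most significant first."""
    raw = int(addr)
    return [(raw >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def from_words(words) -> ipaddress.IPv6Address:
    raw = 0
    for w in words:
        raw = (raw << 16) | w
    return ipaddress.IPv6Address(raw)


def nptv6_translate(addr, inside_prefix, outside_prefix) -> ipaddress.IPv6Address:
    """Map addr from inside_prefix into outside_prefix, checksum-neutrally.

    Call with the prefixes swapped to map a reply back (RFC 6296 is symmetric).
    """
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(inside_prefix)
    dst = ipaddress.IPv6Network(outside_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("NPTv6 needs equal-length prefixes no longer than /64")
    if addr not in src:
        raise ValueError(f"{addr} is outside {src}")

    # Step 1: swap the prefix bits, keep everything below the prefix as-is.
    all_ones = (1 << 128) - 1
    mask = int(src.netmask)
    swapped = (int(dst.network_address) & mask) | (int(addr) & ~mask & all_ones)
    old = to_words(addr)
    new = to_words(ipaddress.IPv6Address(swapped))

    # Step 2: the adjustment is (sum of inside prefix words) - (sum of outside
    # prefix words) in one's complement arithmetic. RFC 6296 sums three words
    # for /48 and shorter prefixes, four words for /49 to /64.
    n = 3 if src.prefixlen <= 48 else 4
    adjust = ones_add(ones_sum(old[:n]), (~ones_sum(new[:n])) & 0xFFFF)

    # Step 3: add it to word 3 (the subnet word) for /48 and shorter prefixes,
    # otherwise to the first interface-identifier word that is not 0xFFFF.
    if src.prefixlen <= 48:
        slot = 3
    else:
        candidates = [i for i in range(4, 8) if new[i] != 0xFFFF]
        if not candidates:
            raise ValueError("IID is all 0xFFFF words; RFC 6296 says drop the packet")
        slot = candidates[0]
    new[slot] = ones_add(new[slot], adjust)
    if new[slot] == 0xFFFF:
        new[slot] = 0x0000  # one's complement zero is written as 0x0000
    return from_words(new)


def address_checksum(addr) -> int:
    """Canonical one's complement sum of an address, i.e. its contribution to
    a TCP/UDP pseudo-header checksum. Equal before and after NPTv6."""
    s = ones_sum(to_words(ipaddress.IPv6Address(addr)))
    return 0 if s == 0xFFFF else s


if __name__ == "__main__":
    inside, outside = "2001:db8:aaaa:bbbb::/64", "2001:db8:cccc:dddd::/64"
    lan_client = "2001:db8:aaaa:bbbb::4"        # stands in for the post's ::4 client
    on_wan = nptv6_translate(lan_client, inside, outside)
    back = nptv6_translate(on_wan, outside, inside)
    print(f"LAN {lan_client} -> WAN {on_wan} -> LAN {back}")
    print("checksum neutral:", address_checksum(lan_client) == address_checksum(on_wan))
```

Two things worth noticing when comparing this with a packet capture. For a /64-to-/64 mapping the adjustment lands in the first word of the interface identifier, so the address seen on the WAN side is generally not just "same host bits, new prefix" unless the two prefixes happen to have equal word sums. And a reply is only mapped back if its destination matches the adjusted external address exactly; a reply addressed to the unadjusted form will never be reverse-translated and will look, in a capture, like the packet simply vanishes after arriving on WAN.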