Messages - GSMartin

#1
I can't be sure about OPNsense WAN side GUA at the moment. While I was working on this problem last night, I started experiencing some bizarre behavior from the OPNsense firewall. It displayed weird pop-ups that said "Dangerous error" and then became non-responsive. Its boot process is now abnormal. Protectli support says they've never seen that behavior before and recommends reinstalling OPNsense. If I still have problems, they will replace the SSD. Anyway, I am currently using my previous firewall (Supermicro E200-9B/pfSense). I have the same issues here (this makes me think that I am missing something basic), though my pfSense WAN interface has the following IPv6 addresses:
IPv6 Link Local     fe80::ec4:7aff:fe7f:80f4%igb0
IPv6 Address        2607:9b00:620d:7b00:ec4:7aff:fe7f:80f4
I have only seen Link Local addresses on the LAN side (both in OPNsense and pfSense). Is this expected behavior?

The ONT is more than just a simple network terminal. Race provides a Calix u6xw/4227w ONT/"Residential Gateway" at the customer endpoints of its fiber network. I only use it as an ONT, since I normally use a Protectli Vault V1410/OPNsense as a router/firewall feeding two Ubiquiti WiFi access points and some GbE wired connections.

From the Calix GUI I can ping and traceroute, just like I can from the OPNsense GUI. From the OPNsense GUI I can ping and traceroute with IPv6 to arbitrary host FQDNs, as well as IPv6 addresses.
#2
BrandyWine, there aren't any "allow IPv6" toggles in WAN & LAN interface settings on the GUI.

meyergru, I changed the setup so that the WAN interface is now specifically set to prefix id 0 and the LAN interface is set to prefix id 1 and then rebooted everything. I still have the same symptoms from the LAN side: "Network is unreachable". I'm not seeing an IPv6 default route on my host.

netstat -r -f inet6   
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 eno3
192.168.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eno3
#3
My ISP (Race.com) delegates a /56 prefix. I can successfully ping and traceroute -6 from Race's ONT and from the OPNsense firewall, but ping -6 or traceroute -6 from this host on the LAN results in "Network is unreachable" errors.

This is my setup:
[WAN]
   [Generic configuration]
   IPv6 Configuration Type:   DHCPv6

   [DHCPv6 client configuration]
   Configuration Mode:        Basic
   Prefix delegation size:    56
   Request prefix only:       Checked

[LAN]
   [Generic configuration]
   IPv6 Configuration Type:   Tracking

   [Track IPv6 Interface]
   Parent interface:          WAN
   Assign prefix ID:          0

I get this from netstat on the firewall:
# netstat -nr6 | grep default
default                           fe80::1621:3ff:fe0e:d846%igc0 UG             igc0

from ifconfig on this host:
eno3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.20.1  netmask 255.255.0.0  broadcast 192.168.255.255
        inet6 fe80::8156:32f1:abe0:be2b  prefixlen 64  scopeid 0x20<link>

I am using DNSMASQ for DHCP service with its DNS disabled and Unbound for DNS. Tailscale is also running on the firewall, in case that matters. I can ping -6 my host with its IPv6 address. test-ipv6.com shows only my DNS server has IPv6 access. Any suggestions?