Messages - sifrmoja

#1
How do I go about adding this "accept_rtadv" flag?
#2
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
November 04, 2025, 05:54:11 AM
Is the second one the privacy address? They both appear to be on the same /64.

Edit: it appears you are using DHCPv6 to send out client IPs as well as SLAAC. You should only use DHCPv6 for prefix delegation and maybe DNS server information.
#3
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
November 04, 2025, 05:32:53 AM
The official guide for IPv6 goes through setting up exactly what you are doing. What exactly are you struggling with?
#4
I have 2 downstream servers (Linux) that have a /64 network each on a bridge for VMs/LXC containers. I have configured them to advertise the route to the /64 and the servers add each other as a route to their respective /64. I know the RAs are working.

My OPNsense router can see those Route Advertisements but is not adding a route into its routing table. I am still learning IPv6 but have a solid understanding of routing. I can manually add these routes but I was hoping to have it working automatically.

The radvd.conf on each of the servers is as follows.

interface eth0
{
    AdvSendAdvert on;
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    AdvReachableTime 0;
    AdvRetransTimer 0;
    AdvCurHopLimit 64;
    AdvDefaultLifetime 0;
    AdvHomeAgentFlag off;
    AdvDefaultPreference medium;
    AdvSourceLLAddress on;

    route 2001:db8:0:b33f::1/64
    {
        AdvRoutePreference medium;
        AdvRouteLifetime 3600;
    }; # End of route definition

}; # End of interface definition

On the router I can see this RA is received on the LAN interface using radvdump.

interface igc0
{
    AdvSendAdvert on;
    # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    AdvReachableTime 0;
    AdvRetransTimer 0;
    AdvCurHopLimit 64;
    AdvDefaultLifetime 0;
    AdvHomeAgentFlag off;
    AdvDefaultPreference medium;
    AdvSourceLLAddress on;

    route 2001:db8:0:b33f::1/64
    {
        AdvRoutePreference medium;
        AdvRouteLifetime 3600;
    }; # End of route definition

}; # End of interface definition

Why is OPNsense not adding a route based on this RA?
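
What the RA shown in the radvdump output above carries on the wire, as an added example that is not part of the original post: a decoder for the Router Advertisement and its RFC 4191 Route Information Option, plus a check that flags advertised routes outside an expected supernet. The sample bytes, the MAC address and the `2001:db8::/48` supernet are constructed for illustration.

```python
import ipaddress
import struct

PREF = {0: "medium", 1: "high", 2: "reserved", 3: "low"}  # RFC 4191 Prf bits

def parse_ra(icmp: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement and its Route Information
    Options (RFC 4191, option type 24). The checksum is not verified."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    hop, flags, router_lifetime = struct.unpack_from("!BBH", icmp, 4)
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": router_lifetime,
          "routes": []}
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option length")
        if opt_type == 24:
            plen, rflags, lifetime = struct.unpack_from("!BBI", icmp, off + 2)
            if plen > 128 or plen > (opt_len - 8) * 8:
                raise ValueError("prefix length exceeds option size")
            raw = icmp[off + 8:off + min(opt_len, 24)].ljust(16, b"\0")
            net = ipaddress.IPv6Network((raw, plen), strict=False)
            ra["routes"].append({"prefix": str(net), "lifetime": lifetime,
                                 "preference": PREF[(rflags >> 3) & 3]})
        off += opt_len
    return ra

def unexpected_routes(ra: dict, allowed: str) -> list:
    """Routes an RA tries to install that fall outside the allowed supernet."""
    supernet = ipaddress.IPv6Network(allowed)
    return [r["prefix"] for r in ra["routes"]
            if not ipaddress.IPv6Network(r["prefix"]).subnet_of(supernet)]

# Constructed sample RA mirroring the radvdump output in the post: hop limit 64,
# M/O off, router lifetime 0, source link-layer option (made-up MAC), one RIO.
SAMPLE_RA = (
    bytes([134, 0, 0, 0, 64, 0x00]) + struct.pack("!HII", 0, 0, 0)
    + bytes([1, 1]) + bytes.fromhex("020000000001")
    + bytes([24, 2, 64, 0x00]) + struct.pack("!I", 3600)
    + ipaddress.IPv6Address("2001:db8:0:b33f::").packed[:8]
)

if __name__ == "__main__":
    ra = parse_ra(SAMPLE_RA)
    print(ra)
    print(unexpected_routes(ra, "2001:db8::/48"))  # /48 is an assumed value
```

A router lifetime of 0 together with a route option means the sender is not offering itself as a default router but is still asking receivers to install a more-specific route through it.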
#5
25.7, 25.10 Series / Re: HAProxy - what did i do?
November 03, 2025, 11:14:25 PM
Can you share your config?
#6
All sorted out now. The problem I had was misconfiguration of radvd on my servers (I did prefix instead of route) and some devices had stale IPv6 records and routes. Cleaned everything up and now it is all working.
#7
My brain finally caught up. The link-local address of the server is added to the NDP table. My bad. I wonder why RouterOS didn't see this as an issue.
#8
The servers have no direct connection to the bridges on each other. The only way they know how to get to each other's bridge is through the OPNsense. I had this working on Mikrotik RouterOS by configuring the routes as shown in my write-up of it. Any device on my LAN network can only access the bridges through the OPNsense.

I may have a misunderstanding of how the Layer 2 traffic is functioning here. If I am not seeing a neighbour, from the bridge subnet, in the NDP table on any device in the LAN network, wouldn't that mean it isn't being sent there on L2?
#9
I am lost about what is happening here.

LAN receives an IPv6 /64 using Track Interface. Devices on the network receive their IPv6 with SLAAC.

I have some servers hosting Linux Containers. The containers' network bridge has a static IPv6 /64 subnet configured from the /48 I receive from my ISP.

I have created a gateway on OPNsense for each server's IPv6 address. I then add a route to the static IPv6 /64 subnet specified on the network bridge with the matching gateway.

At this point everything appears to be working but...

The problem I am seeing is that connections from a device on the LAN network are not stable to a container via IPv6. I connect to a Minecraft server and then it drops after around 30 seconds and the firewall log is flooded with "Default deny / state violation rule" relating to that connection.
#10
I seem to have it all working now but it is weird how I have had to make it work considering how basic it is to set up on RouterOS.

On each of my servers I have installed radvd. They then learn about each other and add a route. OPNsense does not learn about these routes. I still have to manually add gateways and routes.
#11
For clarification: I previously used a Mikrotik Router with this configuration and everything worked perfectly.

I am having bizarre issues with routing IPv6 to downstream routers from my OPNsense router. It works to a point and then causes all sorts of problems. It seems almost random.

Here is a guide I wrote about how it was all configured with my Mikrotik setup.

I have a couple of servers downstream from my OPNsense that are running Incus for containers and VMs. I manually set an IPv6 /64 network on the Linux bridges on those servers. In OPNsense I have created a disabled gateway with the IP of the server and then a route to the IPv6 subnet assigned to the Linux bridge.
This gives access to the servers but then I have all kinds of issues with delays and I'm unable to traceroute between containers/VMs on the servers. The containers on one server have no issues with accessing everything sometimes and then it starts to fail.

I was hoping someone might have instructions on how they have configured this type of setup and I might see where I have gone wrong.