Messages - reinob

#1
It's been a while, and I have to say I didn't get to test the ndp-proxy.
But I can report that with my current workaround, things seem to be stable.

It's a python script which runs every minute which detects the GUAs associated with the MAC address of my phone and sets them to "permanent", while deleting/expiring any other GUA that is not currently associated with the phone.

By running this often enough, the ndp table is always accurate, as long as the phone doesn't randomly decide to change its IID — this has actually happened once, I don't know why/how (according to the documentation the IID should be stable for a given SSID, unless you activate the "randomize MAC" option, which I haven't).

I see that not only Motorola but also Fairphone has this issue (https://forum.fairphone.com/t/dns-over-tls-ipv6-issues-apps-dont-load-data-over-wifi/130519), so I'm hoping that the issue will gain some traction and be solved quickly.

BTW apparently Android, even if it doesn't support DHCPv6, does support getting a whole prefix (https://android-developers.googleblog.com/2025/09/simplifying-advanced-networking-with.html, https://mailarchive.ietf.org/arch/msg/v6ops/Sq5TadeSsMQ-0uEWrdem3A1wDh0/#) which is weird but could be a solution. Unfortunately, this doesn't seem to be supported (yet) by RADVD or DNSMASQ.


#2
Patrick,

Yes, thank you. I did that when I set up the bridge initially (I know it's kinda weird nowadays, but I do RTFM before doing stuff, I even read the instructions of things like vacuum cleaners :)

I hope to test the ndp-relay this weekend. In principle my workaround of ensuring that the two GUAs of my phone are always present in the ndp cache should be enough, but of course Android seems to be always a step ahead: DHCPv6 is not supported, but they ignore RAs in their sleep, don't care about reconfiguring when waking up, and even if you can (thank $DEITY) have a "stable-privacy" IPv6 for a given SSID, they still randomly generate a temporary IPv6, which changes (apparently, but I will know later today) every 24th — and, to add insult to injury, it is *that* GUA that they prefer for outgoing connections.

It's like a bad joke, and yet we all have to live with that (or with iOS, but that'd be even worse).
But enough ranting (for now :)
#3
Thanks for the additional info. I may be able to test a few things during the weekend (can't afford to disturb the network while $FAMILY is busy).

Originally I thought that having 6 ports directly on the firewall mini-PC (the brand is "sharedvi" and has 6x i226) would be cool, but now I see that the Unix philosophy always wins, and I should have bought a 2-port thing and a proper switch (though I have to say that aside from this weird problem with the Motorola everything is working great).

For now I've set up a cron job (had to learn the (to me) weird — but elegant :) — way of defining cron jobs in Opnsense) which runs a shell script which generates the (expected/assumed) GUAs of the phone and adds them to NDP (and removes unexpected GUAs).

It seems to work OK, but I still have to check it for longer periods. The phone has Tailscale always on, which I hope is not affecting things. The good thing is that if I set my opnsense router (which also has tailscale) as exit node, everything works perfectly, both at home and away (5G, other WLANs, etc.).

But I'd prefer not being dependent on this (at the expense of being dependent on a workaround in Opnsense, but hey).

Ideally (even though it's also a workaround) it would be nice to disable IPv6 for this specific client, but Android doesn't allow that, and I don't think radvd/dnsmasq (or the whole RA concept) allows for that.

But just to ask: can RA work with unicast instead of multicast?

(I know, many questions, all dumped into a single thread, but I hope that's OK)
#4
Thanks, Monviech.

I'll have to read up on your ndp-proxy, but I'm not sure if I can use it.

My WAN interface ("WAN_VLAN7") is pppoe1, using an ethernet port connected to the Deutsche Telekom modem.
My LAN interface ("LAN") is bridge0, which bridges 5x Ethernet ports (I'm using a weird PC-like computer with 6 ethernet ports).

There is this big fat warning
"If you receive a single /64 prefix via DHCPv6-PD on a PPPoE link, it must be terminated on a router before the proxy. This could be another OPNsense, or a device like a Fritzbox. The proxy does not listen and learn a prefix from DHCPv6. To use PPPoE as upstream, IPv6 configuration must be set to SLAAC."

which applies to my case (receive /64 prefix via DHCPv6-PD over PPPoE).

I wonder if I could set up the NDP proxy in a separate box (upstream would be the current opnsense router and downstream would be a switch where I would connect the APs, which are currently connected to the router).

But I'm still confused, so I'll read the whole thing and see if I can make sense of it and (sensibly) make use of it ¯\_(ツ)_/¯

Thanks in any case!
#5
Thanks! Yes, that seems to point in the right direction, especially the "Static Assignments".

I will test that to see if that can replace my /usr/local/etc/rc.syshook.d/start script, but I guess the issue of how to deal with prefix changes still remains.
#6
25.7, 25.10 Legacy Series / Android 16 and NDP cache
April 14, 2026, 05:31:45 PM
Context: Opnsense 25.7.11_9-amd64. IPv6 works perfectly well with computers (Linux desktop, Windows laptop, Android 16 smartphone (Nothing 2a), various Raspberry Pi's and many VMs running in a Proxmox computer).

Original problem: my new phone (Motorola Edge 70, with Android 16) appeared to lose IPv6 connectivity after some time (could be seconds, minutes or even hours). After lots of debugging and trying different workarounds, I have finally verified that when the phone is in that weird state, it can still send ECHO REQUESTS to a remote (linux) server (phone → router → server). This is clearly visible in the server logs (I added logging to the nftables rule to make sure).

However, the ECHO REPLY from the server reaches the router (opnsense), but it gets stuck there, because the IPv6 addresses of the smartphone expire from the NDP cache and don't appear again (apparently when Android sleeps it ignores Neighbor Solicitation messages).

The phone itself has its link-local address and two GUAs, like

    inet6 2003:c9:XXXX:db00:2c6:fd40:fe92:44a9/64 scope global temporary dynamic
       valid_lft 86090sec preferred_lft 14090sec
    inet6 2003:c9:XXXX:db00:d484:d675:64b6:5235/64 scope global dynamic mngtmpaddr stable-privacy
       valid_lft 86090sec preferred_lft 14090sec
    inet6 fe80::4db0:84b2:c5ac:2aeb/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

Watching (with ndp -an | grep $MAC in a loop) I can see "live" how the two addresses disappear and never appear again in the NDP table.

I've tested that by adding the two GUAs as permanent entries in the NDP cache (with ndp -s $GUA1 $MAC and ndp -s $GUA2 $MAC) everything works again, and continues to work (because the entries never expire).

Given that the Interface IDs of the phone should remain constant (the "random" MAC is fixed for a given SSID, so it's stable), I want to make sure that whenever the IPv6 prefix of the LAN (bridge0) changes, the two GUAs are calculated (I have made a shell script that does that, correctly :) and added to the NDP cache. Maybe it should also delete the previous ones, if/as they become invalid (this should be easy enough, though).

Currently I have put a script in /usr/local/etc/rc.syshook.d/start which calculates the GUAs and does "ndp -s" for them.
It also (just in case) does "ndp -i bridge0 -- reachable 3600000"

Question 1: is there an easier way (set once and forget) to make sure that the IPv6 addresses of (all, or this one) devices get a permanent status in NDP and are updated automatically if/when the IPv6 prefix changes?

Question 2: how can I trigger running a script whenever the IPv6 prefix of LAN (bridge0, in particular) changes? (it is configured as a "tracked interface").

I hope I didn't write too much, and I hope the questions are clear enough (I'm by no means an expert in IPv6, and a complete newbie in Opnsense and FreeBSD).

Thanks in advance for any help/ideas.
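Added example (not the poster's own script) of the workaround described in #1 and #6: parse `ndp -an`, compute the phone's expected GUAs from the current LAN prefix and its two known interface IDs, and emit the `ndp -s` / `ndp -d` calls that pin the current entries and expire stale ones. The MAC, the prefixes and the sample table are constructed; on a real box the prefix would be read from bridge0.

```python
import ipaddress
import subprocess

# Constructed sample of `ndp -an` output in FreeBSD/OPNsense column layout (not a real capture).
# 2003:c9:1234:db00::/64 is the current prefix; 2003:c9:fff:db00::/64 is a stale one.
SAMPLE_NDP = """\
Neighbor                              Linklayer Address  Netif   Expire    S Flags
2003:c9:1234:db00:2c6:fd40:fe92:44a9  02:11:22:33:44:55  bridge0 23h58m37s S R
2003:c9:1234:db00:d484:d675:64b6:5235 02:11:22:33:44:55  bridge0 permanent R
2003:c9:fff:db00:d484:d675:64b6:5235  02:11:22:33:44:55  bridge0 permanent R
fe80::4db0:84b2:c5ac:2aeb%bridge0     02:11:22:33:44:55  bridge0 permanent R
2003:c9:1234:db00::1                  00:aa:bb:cc:dd:ee  bridge0 permanent R
"""

PHONE_MAC = "02:11:22:33:44:55"                              # constructed
PHONE_IIDS = ("2c6:fd40:fe92:44a9", "d484:d675:64b6:5235")   # the phone's two stable IIDs


def parse_ndp(output):
    """Return (address, mac, expire) tuples from `ndp -an` output, skipping the header."""
    entries = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        addr = ipaddress.IPv6Address(fields[0].split("%")[0])  # drop the %ifname zone id
        entries.append((addr, fields[1].lower(), fields[3]))
    return entries


def build_ndp_commands(output, mac, prefix, iids):
    """Plan the ndp(8) calls: delete the phone's GUAs from old prefixes, pin the current ones."""
    net = ipaddress.IPv6Network(prefix)
    mac = mac.lower()
    already_permanent = set()
    commands = []
    for addr, entry_mac, expire in parse_ndp(output):
        if entry_mac != mac or addr.is_link_local:
            continue
        if addr not in net:
            commands.append(f"ndp -d {addr}")          # GUA under a prefix we no longer have
        elif expire == "permanent":
            already_permanent.add(addr)
    for iid in iids:
        gua = ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv6Address("::" + iid)))
        if gua not in already_permanent:               # missing or still expiring: pin it
            commands.append(f"ndp -s {gua} {mac}")
    return commands


if __name__ == "__main__":
    # On the router: read the live table and run the planned commands (needs root).
    live = subprocess.run(["ndp", "-an"], capture_output=True, text=True, check=True).stdout
    for cmd in build_ndp_commands(live, PHONE_MAC, "2003:c9:1234:db00::/64", PHONE_IIDS):
        subprocess.run(cmd.split(), check=True)
```

Run from cron every minute, as in #1, the table converges to exactly the two permanent entries for the current prefix; the `-d` branch handles leftovers after a prefix change.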
#7
I'm not sure if the issue(s) reported here are the same or related to the issue I had, but just in case: I bought a Motorola Edge 70 (in case the model matters), which runs Android 16. I quickly noticed that after a few minutes (sometimes longer) IPv6 connectivity stopped working (like visiting ipv6-test.com, or ping6 www.google.com from termux). This would work after rebooting, or switching airplane mode off/on, or turning WLAN off for a while and then back on.

I'm still on Opnsense 25.7 (need to find the time to upgrade w/o causing disturbance at home..), and was using the standard RA daemon (and DNSMASQ for DHCP). I tried all sorts of combinations of RA lifetimes, etc. but couldn't get it to work reliably. I then switched to dnsmasq (defined an IPv6 range and enabled "ra-stateless", tried also with "ra-names" and with "slaac") and it still didn't work reliably.

Out of desperation I then enabled ra-advrouter (and only that mode), and suddenly (OK, I restarted the phone yet again, just to make sure I started with a clean state) IPv6 has been working reliably for about 24h, including short and long sleep/doze periods.

I'm by no means an IPv6 expert, and I still have to read RFC 3775 sections 7.2 and 7.3, but maybe this can serve as a workaround to other users of Android 16 affected by this, and (maybe) some expert might be able to explain why this works.

Thanks.

[EDIT] Nope. It didn't work. I wrote too soon, because minutes after posting this IPv6 stopped working again. I leave it here in case it can (somehow) help and/or somebody has suggestions.
#8
For the intended use-case unbound allows you to configure "views", so that you can effectively "tag" certain hosts with specific views, and then have e.g. different blocklists, etc.

cf. e.g. https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/tags-views.html

I used to have such a set-up in the past. Now I'm using OPNSense built-in unbound (and am still learning my way around OPNSense), and the web interface doesn't have any means to configure views. You can probably do it by directly editing/adding config files, etc. but I don't know enough to know whether the UI would overwrite/break such config.