Messages - martymarty004

#1
Hello, I'm new to OPNsense and networking in general, and I'm facing some issues with the IPv6 configuration of my setup.
PPPoE is working, but I'm getting "Destination unreachable: Source address failed ingress/egress policy" when trying IPv6.
I'm attaching three files with the status of WAN, LAN and what a client receives as parameters, so you can check if anything is amiss.
Do you have any suggestions?

PING [PREFIX]:0::1 OK
PING fe80::1%enp42s0 OK
PING google.com KO > From _gateway (fe80::1%enp42s0) icmp_seq=1 Destination unreachable: Source address failed ingress/egress policy

Physical network>

Two identical Proxmox nodes (v9.1.1) with two NICs: one NIC in tagged VLAN 835, the other is untagged LAN.
Each NIC has a virtual bridge on top, connected to the OPNsense VM (v25.7.8) and other containers. Bridges are VLAN aware, virtual NICs are VIRTIO (queues enabled, Firewall OFF).

Everything is attached to a TL-SG3424, stock config except for ports 1-4 being assigned to VLAN 835 (TRUNK).

My ISP provides me with a public dynamic IPv4 (which never actually changes) as well as a static /48 IPv6 prefix.


OPNsense Environment>

- WAN : Block private, Block bogon
  IPv4 : PPPoE
  IPv6 : DHCPv6, Prefix delegation /48, request only prefix, send hint

- LAN
  IPv4 : 10.79.0.2/24 (static) - (10.79.0.2/24)
  IPv6 : [PREFIX]:0::2/64 (static) - ([PREFIX]:0::3/64)

- WAN_PARENT : assigned to vtnet1 just for CARP logic

CARP>
VHID 1 - LAN - 10.79.0.1/24
VHID 2 - LAN - fe80::1/64
VHID 3 - LAN - [PREFIX]:0::1/64
VHID 4 - OPT1 - 10.254.254.1/32 (brings down PPPoE when BACKUP)

One VM is MASTER, the other BACKUP. I can see the spoofed MACs from the switch's ARP table, so they should be fine.

KEA DHCPv6>
Subnet : [PREFIX]:0::/64
Range : [PREFIX]:0::1000 - [PREFIX]:0::ffff
DNS : [Pi-Hole1], [Pi-Hole2]
HA : Enabled

Router Advertisements>
Mode : Assisted
Priority : High
Source Address : fe80::1/64
Advertise Routes : [PREFIX]:0::/64
Advertise Default Gateway, Do not send any DNS configuration to clients


Dnsmasq, ISCDHCP, Unbound DNS> OFF

System : High Availability> Active and synchronized

For internet connectivity on BACKUP router>
- Firewall: NAT: Outbound : Hybrid
  Rule : WAN - Src: LAN - Dst: * - NAT: Interface addr
- Gateways
  Fallback_GW : Interface: LAN - IP: 10.79.0.1 (lower priority, FAR gateway)