Messages - GerhardHeus

#1
Quote from: Monviech (Cedrik) on Today at 01:44:27 PM
Okay so the routing from OPNsense to Fritzbox should be okay now.

Are you having Router Advertisements set up on OPNsense, so that the Fritzbox gets a default gateway advertised on the link it's connected on (igc0)?

I have it activated without specific settings per (V)LAN interface; I added a specific configuration for LAN and disabled it, so for LAN it should now be disabled. I did not notice any difference in behaviour in any of the systems.
#2
Quote from: Monviech (Cedrik) on Today at 11:47:19 AM
Yeah oops, there was a typo in the link (commits instead of commit)

https://github.com/opnsense/core/commit/e4cc9e7f4d55f63f6669dcb2a81d21b53fa1117a

Try this link; if it opens in your browser it will also work as a patch.

The error disappeared, see log below. OPNsense seems to be OK, but Fritz does not work with the usual settings.

root@OPNsense:~ # netstat -rn -f inet6 | grep fd39
fd39:e72c:9f6::1                  link#3                        UHS             lo0
fd39:e72c:9f6:8000::/56           fe80::e72:74ff:fefc:7914%igc0 UGS            igc0
fd39:e72c:9f6:ff00::/60           fe80::e72:74ff:fefc:7914%igc0 UGS            igc0

The 8000 entry is from an earlier, now stale and expired entry in the leases. Maybe I need to wait until this disappears; have rebooted everything several times, but still there.

Fritz reports:
Internet, IPv6   verbonden sinds 12-02-2026, 12:46 uur,
IPv6-adres: fd39:e72c:9f6:ff00:e72:74ff:fefc:7914/64, geldigheid: 2901/1401s
IPv6-prefix: fd39:e72c:9f6:ff00::/60, geldigheid: 2901/1401s

But in the IPv6 page it shows:
Gebruikte IPv6-prefixen:
Thuisnetwerk         ::/0
Netwerk voor gasten  ::/0
WAN                  fd39:e72c:9f6:ff00::/64


A Linux client behind the Fritz shows:
root@pluto:~# ip -6 route show
fd39:e72c:9f6:ff01::/64 dev eth0 proto ra metric 100 expires 6276sec mtu 1500 hoplimit 255 pref medium
fda9:2c7a:3760::/64 dev eth0 proto ra metric 100 expires 6656sec mtu 1500 hoplimit 255 pref medium
fda9:2c7a:3760::/64 via fe80::e72:74ff:fefc:7917 dev eth0 proto ra metric 100 expires 1256sec mtu 1500 hoplimit 255 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium

Log after restart of KEA:
2026-02-12T13:18:55   Notice   kea-dhcp6    add route fd39:e72c:9f6:ff00::/60 -> fe80::e72:74ff:fefc:7914%igc0
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x30a0b085c008] DHCP6_STARTED Kea DHCPv6 server version 3.0.2 started
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x30a0b085c008] DHCP6_MULTI_THREADING_INFO enabled: yes, number of threads: 4, queue size: 64
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_CFGMGR_USE_ALLOCATOR using the iterative allocator for IA_PD leases in subnet fd39:e72c:9f6::/48
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_CFGMGR_USE_ALLOCATOR using the iterative allocator for IA_TA leases in subnet fd39:e72c:9f6::/48
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_CFGMGR_USE_ALLOCATOR using the iterative allocator for IA_NA leases in subnet fd39:e72c:9f6::/48
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x30a0b085c008] DHCP6_USING_SERVERID server is using server-id 00:01:00:87:31:1b:94:d4:64:62:66:2f:50:f0 and stores in the file /var/db/kea/kea-dhcp6-serverid
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_MEMFILE_LFC_SETUP setting up the Lease File Cleanup interval to 3600 sec
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_MEMFILE_BUILD_EXTENDED_INFO_TABLES6 building extended info tables saw 1 leases, extended info sanity checks modified 0 leases and 0 leases were entered into tables
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file /var/db/kea/kea-leases6.csv
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file /var/db/kea/kea-leases6.csv.2
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_MEMFILE_DB opening memory file lease database: persist=true type=memfile universe=6
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x30a0b085c008] DHCP6_CONFIG_COMPLETE DHCPv6 server has completed configuration: added IPv6 subnets: 1; DDNS: disabled
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.database.0x30a0b085c008] CONFIG_BACKENDS_REGISTERED the following config backend types are available:
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_FORENSIC_BACKENDS_REGISTERED the following forensic backend types are available:
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.hosts.0x30a0b085c008] HOSTS_BACKENDS_REGISTERED the following host backend types are available:
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_LEASE_MGR_BACKENDS_REGISTERED the following lease backend types are available: memfile
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.commands.0x30a0b085c008] COMMAND_ACCEPTOR_START Starting to accept connections via unix domain socket bound to /var/run/kea/kea6-ctrl-socket
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_CFGMGR_ADD_IFACE listening on interface igc0
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_CFGMGR_SOCKET_TYPE_SELECT using socket type raw
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_CFGMGR_NEW_SUBNET6 a new subnet has been added to configuration: fd39:e72c:9f6::/48 with params: valid-lifetime=4000, rapid-commit is false
2026-02-12T13:18:55   Warning   kea-dhcp6    WARN  [kea-dhcp6.dhcp6.0x30a0b085c008] DHCP6_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
2026-02-12T13:18:55   Warning   kea-dhcp6    WARN  [kea-dhcp6.dhcpsrv.0x30a0b085c008] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
2026-02-12T13:18:55   Notice   kea-dhcp6    startup kea prefix watcher
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x3ba6ee25c008] DHCP6_SHUTDOWN server shutdown
2026-02-12T13:18:55   Informational   kea-dhcp6    INFO  [kea-dhcp6.commands.0x3ba6ee25c008] COMMAND_RECEIVED Received command 'shutdown'
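As an added example (it is not from this thread, from OPNsense or from Kea), here is a small Python check for the two symptoms in this post: a route-install message whose link-local next hop carries no interface scope (the `%igc0` zone that the patched run shows), and a kernel route inside the delegation space that no active lease accounts for (the stale `8000::/56` entry). The log and netstat lines are constructed from what is quoted above; the list of active delegated prefixes is an assumption, in practice it would come from the Kea lease file.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the kea-dhcp6 entries quoted in this post:
# one from the failing run, one from after the patch.
SAMPLE_LOG = """\
2026-02-12T08:50:27   Error   kea-dhcp6    failed adding route fd39:e72c:9f6:ff00::/60 -> fe80::e72:74ff:fefc:7914
2026-02-12T13:18:55   Notice   kea-dhcp6    add route fd39:e72c:9f6:ff00::/60 -> fe80::e72:74ff:fefc:7914%igc0
"""

# Constructed sample of `netstat -rn -f inet6 | grep fd39`, as quoted in this post.
SAMPLE_NETSTAT = """\
fd39:e72c:9f6::1                  link#3                        UHS             lo0
fd39:e72c:9f6:8000::/56           fe80::e72:74ff:fefc:7914%igc0 UGS            igc0
fd39:e72c:9f6:ff00::/60           fe80::e72:74ff:fefc:7914%igc0 UGS            igc0
"""

ROUTE_RE = re.compile(
    r"(?P<verb>failed adding route|add route)\s+(?P<prefix>\S+)\s+->\s+(?P<gw>\S+)"
)


def parse_route_events(log_text):
    """One dict per route-install message: prefix, gateway, zone (None if absent), ok flag."""
    events = []
    for line in log_text.splitlines():
        m = ROUTE_RE.search(line)
        if not m:
            continue
        gw, _, zone = m.group("gw").partition("%")
        events.append({
            "prefix": ipaddress.ip_network(m.group("prefix")),
            "gateway": ipaddress.ip_address(gw),
            "zone": zone or None,
            "ok": m.group("verb") == "add route",
        })
    return events


def missing_scope(events):
    """A link-local next hop is ambiguous without an interface scope; return those events."""
    return [e for e in events if e["gateway"].is_link_local and e["zone"] is None]


def parse_netstat6(text):
    """Parse `netstat -rn -f inet6` rows into (network, gateway, flags) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gw, flags = parts[0], parts[1], parts[2]
        try:
            net = ipaddress.ip_network(dest if "/" in dest else dest + "/128")
        except ValueError:
            continue  # header or non-address row
        routes.append((net, gw, flags))
    return routes


def stale_pd_routes(netstat_text, active_prefixes, delegation_space):
    """Gateway routes inside the PD space that no active delegated prefix explains."""
    space = ipaddress.ip_network(delegation_space)
    active = {ipaddress.ip_network(p) for p in active_prefixes}
    return [
        net for net, _gw, flags in parse_netstat6(netstat_text)
        if "G" in flags and net.subnet_of(space) and net != space and net not in active
    ]


if __name__ == "__main__":
    for e in missing_scope(parse_route_events(SAMPLE_LOG)):
        print(f"route {e['prefix']} -> {e['gateway']} installed without interface scope")
    # Assumed active lease set: only the /60 currently held by the Fritzbox.
    for net in stale_pd_routes(SAMPLE_NETSTAT, ["fd39:e72c:9f6:ff00::/60"], "fd39:e72c:9f6::/48"):
        print(f"stale delegated-prefix route in kernel table: {net}")
```

Run it against the real `/var/log` export and `netstat` output; the scope check is what the linked commit addresses, and the stale-route check tells you whether a leftover route will disappear on its own or needs the lease file cleaned.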

#3
Quote from: Monviech (Cedrik) on Today at 10:51:53 AM
Hello, thank you, could you test the above patch on 26.1.1?

Go into the OPNsense root shell (same spot where you e.g. executed netstat on OPNsense) and execute the following patch:

opnsense-patch https://github.com/opnsense/core/commits/e4cc9e7f4d55f63f6669dcb2a81d21b53fa1117a
Afterwards try to restart KEA, or reboot, and check if the route is added now.

I get:

root@OPNsense:~ # opnsense-patch https://github.com/opnsense/core/commits/e4cc9e7f4d55f63f6669dcb2a81d21b53fa1117a
fetch: /var/cache/opnsense-patch/~core-core/commits/e4cc9e7f4d55f63f6669dcb2a81d21b53fa1117a: open(): No such file or directory
#4
Quote from: Monviech (Cedrik) on Today at 09:53:00 AM
Hello, which OPNsense version are you using right now?

I feel like the scope ID is missing here when adding the route, but I want to double check on which script version you run (since it changed recently)

If it's 26.1.1, I think this could be the issue: https://github.com/opnsense/core/pull/9778

Thank you for your reply. This I copied from the Dashboard:

System Information
Name
OPNsense.internal
Versions
OPNsense 26.1.1-amd64
FreeBSD 14.3-RELEASE-p8
OpenSSL 3.0.19

#5
Dear all, I decided to test KEA based on a static prefix and a ULA prefix. I set up LAN as Static IPv6 and created a KEA configuration following the documentation. Fritz basically needs a /60. Subnet: fd39:e72c:09f6::/48; Pools: fd39:e72c:09f6::100-fd39:e72c:09f6::199; Prefix: fd39:e72c:09f6:ff00::; Prefix length: 56; Delegated length: 60. I tried some variations, also with Prefix/Delegated exactly as in the documentation (52/56), all with the same result.

I rebooted both OPNsense and Fritz and saw initially some old reservations still being logged, so I let the system settle for a night and then again rebooted both OPNsense and Fritz. Fritz reports the IPv6 connection and /60 reservations properly, but fails to assign the /64 prefixes (ff00 and ff01) to the guest and non-guest networks as it would do in the ISC DHCPv6 case.

In OPNsense, I see a valid lease for fd39:e72c:9f6:ff00:: pointing at the Fritz. However, in the KEA log I see an error when restarting the service:

The "failed adding route" also appeared in my previous attempts:

2026-02-12T09:06:11   Error   kea-dhcp6    failed adding route fd39:e72c:9f6:ff00::/60 -> fe80::e72:74ff:fefc:7914
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x3613cc25c008] DHCP6_STARTED Kea DHCPv6 server version 3.0.2 started
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x3613cc25c008] DHCP6_MULTI_THREADING_INFO enabled: yes, number of threads: 4, queue size: 64
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_CFGMGR_USE_ALLOCATOR using the iterative allocator for IA_PD leases in subnet fd39:e72c:9f6::/48
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_CFGMGR_USE_ALLOCATOR using the iterative allocator for IA_TA leases in subnet fd39:e72c:9f6::/48
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_CFGMGR_USE_ALLOCATOR using the iterative allocator for IA_NA leases in subnet fd39:e72c:9f6::/48
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x3613cc25c008] DHCP6_USING_SERVERID server is using server-id 00:01:00:87:31:1b:94:d4:64:62:66:2f:50:f0 and stores in the file /var/db/kea/kea-dhcp6-serverid
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_MEMFILE_LFC_SETUP setting up the Lease File Cleanup interval to 3600 sec
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_MEMFILE_BUILD_EXTENDED_INFO_TABLES6 building extended info tables saw 1 leases, extended info sanity checks modified 0 leases and 0 leases were entered into tables
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file /var/db/kea/kea-leases6.csv
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file /var/db/kea/kea-leases6.csv.2
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_MEMFILE_DB opening memory file lease database: persist=true type=memfile universe=6
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x3613cc25c008] DHCP6_CONFIG_COMPLETE DHCPv6 server has completed configuration: added IPv6 subnets: 1; DDNS: disabled
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.database.0x3613cc25c008] CONFIG_BACKENDS_REGISTERED the following config backend types are available:
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_FORENSIC_BACKENDS_REGISTERED the following forensic backend types are available:
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.hosts.0x3613cc25c008] HOSTS_BACKENDS_REGISTERED the following host backend types are available:
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_LEASE_MGR_BACKENDS_REGISTERED the following lease backend types are available: memfile
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.commands.0x3613cc25c008] COMMAND_ACCEPTOR_START Starting to accept connections via unix domain socket bound to /var/run/kea/kea6-ctrl-socket
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_CFGMGR_ADD_IFACE listening on interface igc0
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_CFGMGR_SOCKET_TYPE_SELECT using socket type raw
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_CFGMGR_NEW_SUBNET6 a new subnet has been added to configuration: fd39:e72c:9f6::/48 with params: valid-lifetime=4000, rapid-commit is false
2026-02-12T09:06:11   Warning   kea-dhcp6    WARN  [kea-dhcp6.dhcp6.0x3613cc25c008] DHCP6_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
2026-02-12T09:06:11   Warning   kea-dhcp6    WARN  [kea-dhcp6.dhcpsrv.0x3613cc25c008] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
2026-02-12T09:06:11   Notice   kea-dhcp6    startup kea prefix watcher
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x1d62b965c008] DHCP6_SHUTDOWN server shutdown
2026-02-12T09:06:11   Informational   kea-dhcp6    INFO  [kea-dhcp6.commands.0x1d62b965c008] COMMAND_RECEIVED Received command 'shutdown'
2026-02-12T08:50:27   Error   kea-dhcp6    failed adding route fd39:e72c:9f6:ff00::/60 -> fe80::e72:74ff:fefc:7914
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x1d62b965c008] DHCP6_STARTED Kea DHCPv6 server version 3.0.2 started
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x1d62b965c008] DHCP6_MULTI_THREADING_INFO enabled: yes, number of threads: 4, queue size: 64
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_CFGMGR_USE_ALLOCATOR using the iterative allocator for IA_PD leases in subnet fd39:e72c:9f6::/48
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_CFGMGR_USE_ALLOCATOR using the iterative allocator for IA_TA leases in subnet fd39:e72c:9f6::/48
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_CFGMGR_USE_ALLOCATOR using the iterative allocator for IA_NA leases in subnet fd39:e72c:9f6::/48
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x1d62b965c008] DHCP6_USING_SERVERID server is using server-id 00:01:00:87:31:1b:94:d4:64:62:66:2f:50:f0 and stores in the file /var/db/kea/kea-dhcp6-serverid
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_MEMFILE_LFC_SETUP setting up the Lease File Cleanup interval to 3600 sec
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_MEMFILE_BUILD_EXTENDED_INFO_TABLES6 building extended info tables saw 1 leases, extended info sanity checks modified 0 leases and 0 leases were entered into tables
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file /var/db/kea/kea-leases6.csv
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_MEMFILE_LEASE_FILE_LOAD loading leases from file /var/db/kea/kea-leases6.csv.2
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_MEMFILE_DB opening memory file lease database: persist=true type=memfile universe=6
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x1d62b965c008] DHCP6_CONFIG_COMPLETE DHCPv6 server has completed configuration: added IPv6 subnets: 1; DDNS: disabled
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.database.0x1d62b965c008] CONFIG_BACKENDS_REGISTERED the following config backend types are available:
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_FORENSIC_BACKENDS_REGISTERED the following forensic backend types are available:
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.hosts.0x1d62b965c008] HOSTS_BACKENDS_REGISTERED the following host backend types are available:
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_LEASE_MGR_BACKENDS_REGISTERED the following lease backend types are available: memfile
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.commands.0x1d62b965c008] COMMAND_ACCEPTOR_START Starting to accept connections via unix domain socket bound to /var/run/kea/kea6-ctrl-socket
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_CFGMGR_ADD_IFACE listening on interface igc0
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_CFGMGR_SOCKET_TYPE_SELECT using socket type raw
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_CFGMGR_NEW_SUBNET6 a new subnet has been added to configuration: fd39:e72c:9f6::/48 with params: valid-lifetime=4000, rapid-commit is false
2026-02-12T08:50:27   Warning   kea-dhcp6    WARN  [kea-dhcp6.dhcp6.0x1d62b965c008] DHCP6_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
2026-02-12T08:50:27   Warning   kea-dhcp6    WARN  [kea-dhcp6.dhcpsrv.0x1d62b965c008] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
2026-02-12T08:50:27   Notice   kea-dhcp6    startup kea prefix watcher
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.dhcp6.0x3d5ad3a5c008] DHCP6_SHUTDOWN server shutdown
2026-02-12T08:50:27   Informational   kea-dhcp6    INFO  [kea-dhcp6.commands.0x3d5ad3a5c008] COMMAND_RECEIVED Received command 'shutdown'

A Linux client (also rebooted) in the Fritz non-guest network fails to set up a default route:

In OPNsense, I see:
netstat -rn -f inet6 | grep fd39
fd39:e72c:9f6::1                  link#3                        UHS             lo0

Please let me know if you need additional information.
#6
Thanks everyone for the detailed explanations and for pointing me to the KEA static PD documentation.

After working through the feedback and testing different approaches, my conclusion is that there are two valid and clean solutions for my use case with a downstream FritzBox:

1. Stay entirely within the ISP-provided global prefix and configure everything statically
In this model, OPNsense acts as a classic border router. The /48 is subnetted manually into /64s for LAN, VLANs, and a routed /64 toward the FritzBox. Router Advertisements are sufficient; no internal DHCPv6 server is required. This is very robust and avoids all PD lifecycle issues.

2. Use a locally generated ULA prefix for the FritzBox side and KEA DHCPv6
Here, the FritzBox receives IA_NA and IA_PD from KEA exactly as described in the documentation, but using ULAs instead of the ISP prefix. This cleanly avoids any dependency on the ISP PD lifecycle and keeps everything manageable through the OPNsense GUI.

For now, I'll keep my working legacy setup, but this gives me a clear migration path once ISC DHCPv6 is retired. Thanks again for the insights — especially around prefix ownership and lifecycle, which turned out to be the key point.
#7
Thanks for all the discussion so far — it helped clarify a lot. I wanted to summarize my situation and share some observations for others who might have similar setups:

Current Setup

My ISP provides a fixed /48 IPv6 prefix, anonymized: (2001:db8:abcd::/48) that has been assigned to me for years.

On the OPNsense WAN (PPPoE), this prefix is delivered via DHCPv6-PD, and OPNsense relies on it to configure the global IPv6 address, default route, and delegated prefixes.

Internally, I run Track Interface + ISC DHCPv6 + RA on LAN and VLANs. Downstream devices (including a FritzBox managing its own guest and non-guest subnets) receive IPv6 addresses properly, and IPv6 routing works.

Why KEA / IA_PD did not work

KEA requires full static ownership of the prefix to assign delegated prefixes and manage routes.

Even though my /48 is "fixed" at the ISP level, it is still delivered dynamically via DHCPv6-PD. IA_PD with KEA cannot safely manage this prefix without risk of breaking downstream connectivity.

This is why earlier attempts to migrate to KEA with Identity Association and RA parameterization failed.

IPv4 vs IPv6 distinction

Fixed IPv4 works fine; OPNsense can assign it manually.

Fixed IPv6 is technically possible to test, but OPNsense may not route properly without DHCPv6-PD. The WAN address, default route, and RA to downstream networks may fail if the ISP expects dynamic PD delivery.

Future Considerations

For now, I will keep the current working setup (Track Interface + ISC DHCPv6 + RA).

Once ISC DHCPv6 is retired in OPNsense, I will need to explore:

Whether Static IPv6 can be safely used with a fixed /48 from my ISP.

Whether KEA could be configured to support this type of "fixed but delivered via DHCPv6-PD" scenario.
#8
Thanks for the explanation — there is one important detail in my setup that may change the assessment.

I do not receive a changing IPv6 prefix. My ISP (Freedom Internet NL) has assigned me a fixed (anonymized) 2001:db8:abcd::/48 for years, which is also visible in their customer configuration, and I additionally have a static IPv4 address.

From an architectural perspective, this places my OPNsense much closer to an "ISP edge" than a typical residential dynamic-PD setup.

Given this, I would expect IA + KEA + RA with downstream PD (e.g. to a FritzBox) to work in principle. However, in practice only legacy Track Interface + ISC DHCPv6 behaves correctly.

This leads me to suspect interoperability gaps between KEA, RA, and downstream routers rather than a fundamental IPv6 design issue.
#9
Thanks for the insight! To give some context, my home setup is designed primarily to segregate IoT devices and other traffic that I don't want in my home network into separate VLANs, so that all non‑trusted devices are kept outside of the main home network. This allows me to apply more granular firewalling, intrusion detection, logging and overall network management, which dictated the current topology.

Beyond this, there is an ambition to get IPv6 running as cleanly and reliably as possible. One might argue "if IPv4 works, why bother with IPv6?" — but for my use case, I want a consistent and future-proof setup, including autonomous operation of downstream routers like FritzBox.

My observation is that:

Using Track Interface + ISC DHCPv6 + basic RA, the FritzBox operates autonomously and reliably, with PD sub-delegation working for both guest and non-guest networks.

Attempts to replicate the same behavior with IA + KEA + parameterized RA have so far been fragile; small misconfigurations can break downstream IPv6 connectivity.

I'm sharing this to highlight that there are real-world home/own-built domotica scenarios where OPNsense essentially behaves like an ISP, even with dynamic PD. It would be useful if future KEA/IA guidance explicitly addressed such use cases, so that advanced setups can migrate cleanly when ISC DHCPv6 is eventually deprecated.
#10
Topology

ISP (DHCPv6-PD /48)
        │
        ▼
OPNsense (pppoe0, dhcp6c)
        │
Legacy Track Interface
(assign /64s via Prefix IDs)
        │
 ┌──────┼────────┐
 │      │        │
LAN   VLAN1    VLAN2
ID 0  ID 4     ID 6
 │
 ▼
    FritzBox
    ├─ non-guest (/64)
    └─ guest     (/64)
    (Fritz runs its own RA/DHCPv6/DNSv6)

Core requirement:
OPNsense must behave like an IPv6 ISP, so the downstream FritzBox can operate fully autonomously.

Working Setup (Stable)
  • Legacy Track Interface on all internal interfaces
  • ISC DHCPv6 enabled
  • Router Advertisements enabled (basic / unmanaged)
  • FritzBox internal DHCPv6 + DNSv6 enabled
Behavior:
  • OPNsense slices the ISP /48 using Prefix IDs
  • FritzBox successfully receives sub-delegated prefixes
  • Guest and non-guest IPv6 work reliably
  • Prefix renewals and reboots are handled cleanly

ISC DHCPv6 (Working, Anonymized)

option dhcp6.domain-search "internal";
option dhcp6.rapid-commit;
default-lease-time 7200;
max-lease-time 86400;
authoritative;
subnet6 2001:db8:abcd::/64 {
  range6 2001:db8:abcd::1000 2001:db8:abcd::2000;
  option dhcp6.name-servers 2001:db8:abcd::1;
  # Prefix delegation to downstream router (FritzBox)
  prefix6 2001:db8:abcd:8000:: 2001:db8:abcd:ff00::/60;
}

This configuration:
  • Delegates prefixes cleanly
  • Automatically installs kernel routes
  • Aligns PD lifetimes with RA behavior
  • Allows FritzBox to act as a real downstream ISP customer

Attempted Setup (Problematic)
  • Identity Association (IA) addressing
  • KEA DHCPv6
  • Parameterized Router Advertisements
Despite many variations, this does not allow FritzBox to function autonomously.
Observed problems:
  • Delegated prefixes not reliably routed
  • Guest IPv6 disappears
  • IPv6 breaks when KEA is stopped/restarted
  • Removing PD pools breaks downstream IPv6 even though OPNsense still has global IPv6
  • FritzBox internal DHCPv6/DNSv6 cannot be enabled reliably

KEA DHCPv6 (Attempted, Anonymized)

{
  "Dhcp6": {
    "interfaces-config": {
      "interfaces": [ "lan0" ]
    },
    "subnet6": [
      {
        "subnet": "2001:db8:abcd::/48",
        "pd-pools": [
          {
            "prefix": "2001:db8:abcd:ff00::",
            "prefix-len": 60,
            "delegated-len": 64
          }
        ],
        "reservations": [
          {
            "duid": "00:03:00:01:xx:xx:xx:xx:xx:xx",
            "ip-addresses": [ "2001:db8:abcd::2000" ]
          }
        ]
      }
    ]
  }
}

Even with variations:
  • PD routing is fragile or missing
  • RA behavior must be manually aligned
  • Downstream router does not behave as with ISC DHCPv6

Key Observation
FritzBox internal DHCPv6/DNSv6 only works when upstream behaves exactly like an ISP.
  • ✔ Track Interface + ISC DHCPv6 → Fritz autonomous
  • ✖ IA + KEA + RA → Fritz breaks or degrades
This suggests that either:
  • KEA lacks functionality needed for downstream routers, or
  • OPNsense's current KEA + IA + RA integration does not fully model ISP-like behavior

Questions / Migration Path
  • Is it currently possible to fully replace
     Track Interface + ISC DHCPv6 + basic RA
     with
     IA + KEA + RA
     while still supporting autonomous downstream routers?
  • Are PD pools mandatory in KEA for downstream routers?
  • Is the lack of automatic route installation for delegated prefixes a known limitation?
  • Is ISC DHCPv6 expected to remain for this use case, or is there a recommended migration path?

Summary
  • My setup is stable today
  • I am not looking for workarounds
  • I want to understand whether a clean KEA/IA migration path exists for "OPNsense as ISP" deployments
Any guidance from developers or users running downstream routers would be appreciated.
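As an added example, not from this thread and not OPNsense, ISC or Kea code, the following Python script sanity-checks the prefix arithmetic behind both the ULA attempt in post #5 (pd-pool ff00::/56 with delegated length 60) and the anonymized ISC and KEA configurations in this post: which /64s the Track Interface Prefix IDs 0, 4 and 6 select, whether a Kea pd-pool fits inside its subnet and avoids those /64s, how many delegations each pool yields, and how many /60s the ISC `prefix6` range covers. Two assumptions are labelled in the code: that a Track Interface Prefix ID fills the subnet bits immediately after the delegated prefix, and that the ISC `prefix6 low high/bits` range is inclusive.

```python
import ipaddress


def track_interface_subnet(isp_prefix, prefix_id, length=64):
    """Return the /64 a Track Interface Prefix ID selects inside the delegated prefix.

    Assumption (not verified against OPNsense source here): the hex Prefix ID fills the
    subnet bits directly after the delegated prefix, so ID 4 in 2001:db8:abcd::/48
    selects 2001:db8:abcd:4::/64.
    """
    base = ipaddress.ip_network(isp_prefix)
    free_bits = length - base.prefixlen
    if free_bits <= 0 or prefix_id >= 1 << free_bits:
        raise ValueError(f"prefix id {prefix_id:#x} does not fit in {free_bits} subnet bits")
    addr = int(base.network_address) | (prefix_id << (128 - length))
    return ipaddress.ip_network(f"{ipaddress.IPv6Address(addr)}/{length}")


def check_pd_pool(subnet, prefix, prefix_len, delegated_len, static_subnets=()):
    """Sanity-check a Kea pd-pool before deploying it.

    Reports whether the pool lies inside the subnet, whether delegated-len is at least
    prefix-len, whether the pool collides with /64s already in use on other interfaces,
    and how many delegations the pool can hand out.
    """
    sub = ipaddress.ip_network(subnet)
    pool = ipaddress.ip_network(f"{prefix}/{prefix_len}")
    problems = []
    if not pool.subnet_of(sub):
        problems.append(f"pd-pool {pool} lies outside subnet {sub}")
    if delegated_len < prefix_len:
        problems.append(f"delegated-len {delegated_len} is shorter than prefix-len {prefix_len}")
    for s in map(ipaddress.ip_network, static_subnets):
        if pool.overlaps(s):
            problems.append(f"pd-pool {pool} overlaps statically assigned {s}")
    delegations = (1 << (delegated_len - prefix_len)) if delegated_len >= prefix_len else 0
    return {"pool": pool, "delegations": delegations, "problems": problems}


def isc_prefix6_count(low, high, bits):
    """Number of /bits prefixes an ISC `prefix6 low high/bits;` range covers.

    Assumption: the range is inclusive of both ends, and both ends are aligned to /bits.
    """
    step = 1 << (128 - bits)
    lo = int(ipaddress.IPv6Address(low))
    hi = int(ipaddress.IPv6Address(high))
    if hi < lo or lo % step or hi % step:
        raise ValueError("prefix6 range not aligned to the delegated length")
    return (hi - lo) // step + 1


if __name__ == "__main__":
    # Track Interface /64s from this post (Prefix IDs 0, 4, 6 on the anonymized /48).
    statics = [track_interface_subnet("2001:db8:abcd::/48", i) for i in (0, 4, 6)]
    print("Track Interface /64s:", [str(s) for s in statics])
    # Kea pd-pool from this post: ff00::/60 split into /64s, checked against those /64s.
    print(check_pd_pool("2001:db8:abcd::/48", "2001:db8:abcd:ff00::", 60, 64, statics))
    # Kea pd-pool from post #5: ff00::/56 split into /60s for the FritzBox.
    print(check_pd_pool("fd39:e72c:09f6::/48", "fd39:e72c:09f6:ff00::", 56, 60))
    # ISC prefix6 range from this post.
    print("ISC /60 delegations:",
          isc_prefix6_count("2001:db8:abcd:8000::", "2001:db8:abcd:ff00::", 60))
```

The overlap check is the one worth keeping in a pre-flight script: a pd-pool that covers a /64 already advertised by RA on another interface is exactly the kind of small misconfiguration that silently breaks downstream IPv6, and neither daemon warns about it.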