Topics - TrustedComputer

#1
Configuration details below. As in the title, the IPv6 delegated prefix is never getting updated for LAN devices. I'm not using DHCPv6 on the LAN, I only want SLAAC addresses. This works for the most part. But for some reason, when the delegated prefix changes (thanks, Starlink), the prefix is updated on the (tracking) LAN interfaces but RADVD never gets updated.

If on Interfaces/Overview/WAN I click reload for DHCPv4/v6, then it immediately updates and the devices are all happy with correct IPv6 addresses. Is there something wrong in the config below, or is this a known issue? I checked GitHub for issues, and some of them seem like they could apply, but I am not sure.

OPNsense 22.7.11_1-amd64
ISP: Starlink with CGNAT and IPv6: WAN Address stays the same, but delegated prefix changes every few days
WAN IPv6 Configuration Type: DHCPv6
Request only an IPv6 prefix: Checked
Prefix delegation size: 56
Send IPv6 prefix hint: Not Checked
Use IPv4 connectivity: Not Checked
Use VLAN priority: Not Checked
LAN IPv6 Configuration Type: Track Interface
Track IPv6 Interface: WAN
IPv6 Prefix ID: 0x0
Manual configuration: Allow manual adjustment of DHCPv6 and Router Advertisements : Checked
Enable DHCPv6 server on LAN interface: Not Checked
Available prefix delegation size: 57 bits (informational only field)
Router Advertisements: Unmanaged
Router Priority: Normal
#2
19.7 Legacy Series / I like it!
July 30, 2019, 05:30:42 AM
I just upgraded from 19.1 to 19.7 Jazzy Jaguar. I was reviewing the upgrade log and noticed this:

Message from opnsense-19.7.1:

Roar!


Nice easter egg! 8)
#3
Deciso DEC600 A10 Dual Core
OPNsense 19.1.4-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
OpenSSL 1.0.2r 26 Feb 2019

Scratching my head on this one. What is the proper combination of settings to enable hardware assisted crypto in OpenVPN?

Is this help still valid under Miscellaneous: Settings: Cryptography settings: Hardware acceleration (Current setting: AES-NI CPU-based Acceleration (aesni))

"... OpenVPN should be set for AES-128-CBC and have cryptodev enabled for hardware acceleration."

VPN: OpenVPN: Servers: Hardware Crypto shows "No Hardware Crypto Acceleration" and no other options can be selected for that field.

From the hardware documentation:

"Hardware acceleration:    SoC has integrated AESNI instructionset including support for GCM"
"Hardware Assisted Encryption: 600Mbps IPsec (AES256GCM16)"
#4
I have Comcast Business as my ISP and have a Cisco 3941B Business Gateway. I am running OPNsense 18.7.9 behind it and have recently got IPv6 running (mostly) but I'm having trouble with getting Router Advertisements working with the "Track Interface" setting on the LAN interface of OPNsense.

I did a lot of searching, but none of the guides out there worked for me. Through trial and error, the combination of settings I used to get basic routing functionality was this: Comcast Business Gateway set to Stateful (Use DHCP Server), along with using DHCPv6 on the WAN interface of my OPNsense appliance with 64 bits for the prefix delegation size, which is confusing since the Comcast Business Gateway says I have a delegated /56, but this is the only way I can get it to work. Then I used WAN interface Tracking on the LAN Interface with Prefix ID 0.

With all this set, under Interfaces---Overview, I have a modified EUI-64 auto-configured IPv6 address with a /64 prefix length on my OPNsense WAN interface (not a DHCP IPv6 address). My OPNsense LAN address gets auto-configured with a modified EUI-64 IPv6 address and a /59 prefix, which seems strange (once again) since my Comcast Business Gateway says I have a delegated /56.

Then, if I manually configure my hosts sitting behind the OPNsense appliance with appropriate IPv6 addresses in the same subnet as the OPNsense LAN interface and use its address as the default gateway, then routing works and I am able to get IPv6 internet access with my hosts. So this is a big success!

However, I can't figure out how to get my router advertisements working properly with the above configuration, which would allow me to use automatic configuration for my LAN hosts. SLAAC only seems to work if I manually configure my OPNsense LAN interface's IPv6 address with the one it would have gotten from "Track Interface" and to use a /64 prefix length. My Router Advertisement settings are set to "Stateless", "Normal" router priority, "Advertise Default Gateway" checked, and "RA Sending" checked.

How can I get SLAAC for LAN hosts working along with "Track Interface" on the LAN interface of my OPNsense appliance?