Messages - meschmesch

121
High availability / Re: How to do IPv6 with DHCPv6-PD?
« on: November 19, 2021, 12:18:43 pm »
Quote
use statically configured ULA on LAN (or a "known available" GUA
This means that for the LAN interface IPv6 is set to static, e.g. fd00::100?
Quote
use NAT on WAN or possibly NPT (I have not tried this, yet, but if NPT works, that would be a next-to-perfect solution
I assume that NPT requires an external IPv6 Prefix, which however in the present case is not static. So, NPT should not work.

Regarding NAT on WAN - in case this works at all, which is questionable (see discussion above), what would be correct here? Just WAN NAT IPv6 with Source address "LAN" and Translation / target "Interface address"?

122
High availability / Re: How to do IPv6 with DHCPv6-PD?
« on: November 19, 2021, 09:50:05 am »
Indeed, the prefixes are different. I use track interface on both systems, either both with IPv6 Prefix ID 0x0 or (I also tried) one with 0x0 and the other with 0x1.

Quote
And please permit me to question the business case - you have a dynamic/changing prefix from your provider and want to run a HA pair? Why not get a static /56 or similar?

The provider does not guarantee that the assigned prefix is static. Even though it appears to be static, they may change it from one day to the next. So this is nothing I can rely on.

As far as I understand, each client can get multiple GUA addresses. In case the goal is firstly to maintain IPv6 connectivity (even with interruption of connections in case of a failure of one firewall), is there some easier approach to ensure that the clients use the IPv6 connectivity (and existing GUA) of the other firewall?

123
High availability / Re: How to do IPv6 with DHCPv6-PD?
« on: November 18, 2021, 10:32:31 pm »
Windows GUA and ULA seem to be correct. I did a ping -6 google.de on Windows, which resulted in a timeout. tcpdump results in:

GUA_LAN_Opnsense: 2a02:810b:....
Opnsense LAN fe80 address: fe80::2e0:4cff:fe68:337c
Windows GUA: 2a02:810b:c03f:..f27f

Code:
Interface  Capture output
WAN  igb0 21:29:04.489739 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 8) 2a02:810b:... > 2a03:4000:2:ee9:68bb:31ff:fecd:dd60: [icmp6 sum ok] ICMP6, echo request, seq 156
WAN  igb0 21:29:04.504490 IP6 (flowlabel 0x244af, hlim 55, next-header ICMPv6 (58) payload length: 8) 2a03:4000:2:ee9:68bb:31ff:fecd:dd60 > 2a02:810b:...: [icmp6 sum ok] ICMP6, echo reply, seq 156
WAN  igb0 21:29:05.490666 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 8) 2a02:810b:... > 2a03:4000:2:ee9:68bb:31ff:fecd:dd60: [icmp6 sum ok] ICMP6, echo request, seq 157
WAN  igb0 21:29:05.506616 IP6 (flowlabel 0x244af, hlim 55, next-header ICMPv6 (58) payload length: 8) 2a03:4000:2:ee9:68bb:31ff:fecd:dd60 > 2a02:810b:...: [icmp6 sum ok] ICMP6, echo reply, seq 157
WAN  igb0 21:29:06.491739 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 8) 2a02:810b:... > 2a03:4000:2:ee9:68bb:31ff:fecd:dd60: [icmp6 sum ok] ICMP6, echo request, seq 158

LAN  igb1 21:29:06.772091 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40) 2a02:810b:c03f:..f27f > 2a00:1450:4001:811::2003: [icmp6 sum ok] ICMP6, echo request, seq 1779
LAN  igb1 21:29:06.791941 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::2e0:4cff:fe68:337c > ff02::1:fff6:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:810b:c03f:..f27f
LAN  igb1   source link-address option (1), length 8 (1): 00:e0:4c:68:33:7c
LAN  igb1 21:29:07.791570 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::2e0:4cff:fe68:337c > ff02::1:fff6:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:810b:c03f:..f27f
LAN  igb1   source link-address option (1), length 8 (1): 00:e0:4c:68:33:7c
LAN  igb1 21:29:08.806593 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::2e0:4cff:fe68:337c > ff02::1:fff6:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:810b:c03f:..f27f
LAN  igb1   source link-address option (1), length 8 (1): 00:e0:4c:68:33:7c
LAN  igb1 21:29:10.103587 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::dcdf:3597:709c:b416 > fe80::2:2: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::2:2
LAN  igb1   source link-address option (1), length 8 (1): 34:2e:b7:a8:4a:6c

First, I have no idea what 2a03:4000:2:ee9:68bb:31ff:fecd:dd60 is. This is not on my system. Second, OPNsense does not report the used fe80::2e0:4cff:fe68:337c in its overview of the interfaces. However, I can see it in the OPNsense terminal window with ifconfig. Third, while playing around, the gateway pointing from WAN to the fe80 address of my Fritzbox router got disabled. And voila, packets passed to my Windows computer. ::) Toggling the gateway on/off did not make any difference. However, after a reboot no IPv6 ping was possible any more, even with the IPv6 gateway enabled or disabled. So this was only a single occurrence for whatever reason.

Finally, after a few minutes of doing nothing, ping6 suddenly started to work again on one LAN computer, while on the other LAN computer it didn't work. Completely unpredictable.
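As an added example (not from the post and not OPNsense code), the script below runs over the LAN lines of the capture quoted above and pairs each neighbor solicitation ("who has X") with a later neighbor advertisement ("tgt is X") for the same target. In the quoted capture the firewall's link-local address solicits the Windows GUA three times in two seconds and no advertisement appears, which is exactly what the script flags; whether that is the root cause is not something the script decides, it only makes the pattern visible in a longer capture. The two lines for 2001:db8::10 are constructed to show what an answered solicitation looks like; the elided address 2a02:810b:c03f:..f27f is kept as it appears in the post.

```python
"""Pair IPv6 neighbor solicitations with neighbor advertisements in a capture.

Added example, not part of the forum post. Input is tcpdump -v style output
as shown by the OPNsense packet-capture page (interface name first, an
optional WAN/LAN column before it is tolerated).
"""
import re
from collections import OrderedDict

# NS: "... src > dst: ... neighbor solicitation, length N, who has TARGET"
NS_RE = re.compile(
    r"^(?:\S+\s+)?(?P<iface>\S+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+IP6 .*? (?P<src>\S+) > (?P<dst>\S+): "
    r".*neighbor solicitation, length \d+, who has (?P<target>\S+)$"
)
# NA: "... src > dst: ... neighbor advertisement, length N, tgt is TARGET, Flags [...]"
NA_RE = re.compile(
    r"^(?:\S+\s+)?(?P<iface>\S+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+IP6 .*? (?P<src>\S+) > (?P<dst>\S+): "
    r".*neighbor advertisement, length \d+, tgt is (?P<target>[^,\s]+)"
)

# Sample input: the LAN lines quoted in the post, plus two constructed lines
# (target 2001:db8::10) that show a solicitation which does get answered.
SAMPLE_CAPTURE = """\
igb1 21:29:06.772091 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40) 2a02:810b:c03f:..f27f > 2a00:1450:4001:811::2003: [icmp6 sum ok] ICMP6, echo request, seq 1779
igb1 21:29:06.791941 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::2e0:4cff:fe68:337c > ff02::1:fff6:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:810b:c03f:..f27f
igb1   source link-address option (1), length 8 (1): 00:e0:4c:68:33:7c
igb1 21:29:07.791570 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::2e0:4cff:fe68:337c > ff02::1:fff6:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:810b:c03f:..f27f
igb1   source link-address option (1), length 8 (1): 00:e0:4c:68:33:7c
igb1 21:29:08.806593 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::2e0:4cff:fe68:337c > ff02::1:fff6:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:810b:c03f:..f27f
igb1   source link-address option (1), length 8 (1): 00:e0:4c:68:33:7c
igb1 21:29:10.103587 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::dcdf:3597:709c:b416 > fe80::2:2: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::2:2
igb1   source link-address option (1), length 8 (1): 34:2e:b7:a8:4a:6c
igb1 21:29:10.900000 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::2e0:4cff:fe68:337c > ff02::1:ff00:10: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8::10
igb1 21:29:10.901000 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:db8::10 > fe80::2e0:4cff:fe68:337c: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2001:db8::10, Flags [solicited]
""".splitlines()


def neighbor_discovery_report(lines):
    """Map each solicited target to how often it was asked for, by whom,
    and whether any neighbor advertisement for it showed up later."""
    report = OrderedDict()
    for line in lines:
        m = NS_RE.match(line.strip())
        if m:
            entry = report.setdefault(
                m["target"],
                {"solicited": 0, "answered": False, "first_seen": m["ts"], "by": m["src"]},
            )
            entry["solicited"] += 1
            continue
        m = NA_RE.match(line.strip())
        if m and m["target"] in report:
            report[m["target"]]["answered"] = True
    return report


def unanswered_targets(lines, min_solicitations=2):
    """(target, count, soliciting address) for targets never advertised;
    repeated solicitations are the interesting ones, so single ones are
    skipped unless min_solicitations is lowered."""
    report = neighbor_discovery_report(lines)
    return [
        (target, e["solicited"], e["by"])
        for target, e in report.items()
        if not e["answered"] and e["solicited"] >= min_solicitations
    ]


if __name__ == "__main__":
    for target, count, by in unanswered_targets(SAMPLE_CAPTURE):
        print(f"{target}: {count} solicitations from {by}, no neighbor advertisement seen")
```

Feed it a longer capture (copy the text from the OPNsense capture page, or `tcpdump -vni igb1 icmp6`) rather than the few seconds in the post: a target that is still unanswered over a minute points at the host not responding to the firewall's solicitations on that link, a target answered late points at a timing problem.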

124
High availability / Re: How to do IPv6 with DHCPv6-PD?
« on: November 18, 2021, 08:08:22 pm »
OPNsense 21.7.5-amd64
Windows reports fe80::2:2%8 as the gateway, whereas in the interface overview of OPNsense the address is fe80::2:2/64.

125
High availability / Re: How to do IPv6 with DHCPv6-PD?
« on: November 18, 2021, 08:02:24 pm »
Does not work - I have no IPv6 internet connection on computers in the LAN in case the following is used:
  • Virtual IP Carp LAN fe80::2:2/64
  • Router Advertisements LAN unmanaged, Priority High, RA Interface LAN_VIP6 (fe80::2:2)
  • WAN_DHCP6 Gateway with address of the Fritzbox (router) on the WAN side

Screenshots attached. As soon as I deactivate the virtual CARP and use RA Interface "LAN dynamic", IPv6 connection to WAN is possible.

126
High availability / Re: How to do IPv6 with DHCPv6-PD?
« on: November 18, 2021, 03:02:51 pm »
And additionally, do you have to define a further gateway (System > Gateways > Single), or do you keep the "normal" IPv6 gateway there?

127
High availability / Re: How to do IPv6 with DHCPv6-PD?
« on: November 18, 2021, 12:53:01 pm »
Quote from: pmhausen on November 17, 2021, 10:10:20 pm
Sorry, but CARP as an isolated issue works as it should in 21.7.5.

...which means that besides CARP something like NAT for IPv6 to a link local address fd00... does not work? Correct? At least that is what I'm experiencing.

Quote
We have a redundant setup with [...] a link local CARP address as the default gateway for all internal systems.

In other words, you define an fe80... CARP address on e.g. the LAN interface and additionally (or instead?) of the normal fe80 gateway you define the fe80-Carp address as gateway for this interface (Gateway-Interface = LAN)? Correct?

128
High availability / Re: How to do IPv6 with DHCPv6-PD?
« on: November 17, 2021, 09:08:50 pm »
I would like to get rid of my frustration here and above all save a lot of people the lifetime they could waste with OPNsense, IPv6 and CARP. It is definitely the case that OPNsense does not run with CARP IPv6. It's a pity that this is not admitted officially.

Any attempt to implement CARP with IPv6 fails. For example, if you define a virtual interface fd00:..., it will be used instead of the additionally available global IPv6 address 2004:..., and the stupid system tries to transport all packets via fd00 out to the WAN. The solution is to manually change the order of the IPv6 addresses after each reboot: disable CARP IPv6, apply, re-enable, reboot RA.

If you are lucky, NAT IPv6 to an fd00 address will work. This MAY work for a while. Eventually, however, it will stop working and OPNsense routes fd00 packets into nirvana. I'm really fed up with IPv6 and OPNsense. And I suspect more will have this problem here in Germany, as our providers are moving more and more to only allowing accessibility from the WAN via IPv6.

129
General Discussion / Re: DNS Hairpin Rule for Pi-Hole
« on: November 08, 2021, 01:00:52 pm »
Hello,
IPv6 is really strange. I have tracked the issue down to some problem in OPNsense.
Code:
nslookup google.com 2001:4860:4860::8844
successfully leads to a request originating from OPNsense (fd00::1) at the local Pi-hole DNS server (fd00::2:115). The firewall log on OPNsense reports the redirect, and tcpdump at the DNS server correctly reports:
Code:
12:13:57.142437 IP6 fd00::1.49895 > pi.hole.domain: 18686+ A? google.com. (28)
12:13:57.142994 IP6 pi.hole.domain > fd00::1.49895: 18686 1/0/0 A 142.250.185.206 (44)

The problem is that somehow OPNsense does not forward this response to the requesting device. Unfortunately I have no idea how to track that issue. By the way, the forward works fine for IPv4:
Code:
nslookup google.de 9.9.9.9
results at the DNS server in
Code:
12:58:45.175356 IP 192.168.2.2.11493 > pi.hole.domain: 53828+ AAAA? google.de. (27)
12:58:45.252237 IP pi.hole.domain > 192.168.2.2.11493: 53828 1/0/0 AAAA 2a00:1450:4001:82f::2003 (55)
and the DNS response is immediately provided at the requesting device.

130
General Discussion / Re: Is it possible to advertise ULA prefix only to IPv6 client?
« on: November 05, 2021, 12:40:09 pm »
Any modifications to router advertisements? At the moment it is unmanaged. DHCPv6?

Is there a reason to construct IPv6 subnets for different interfaces?

131
General Discussion / Re: Is it possible to advertise ULA prefix only to IPv6 client?
« on: November 05, 2021, 11:51:30 am »
What would a NAT rule for ULA look like? E.g. fd00::

132
General Discussion / Re: DNS Hairpin Rule for Pi-Hole
« on: November 05, 2021, 11:00:48 am »
Hello,
I have implemented this hairpin approach for DNS requests successfully for IPv4. The problem is that it does not work for IPv6. The setup for IPv6 is identical to that for IPv4. The Pi-hole address is a ULA address, fd00::2:115, which is working like a charm. So nslookup google.com fd00::2:115 works fine. However, as soon as I want to get around Pi-hole with nslookup google.com 2001:4860:4860::8844 I receive a timeout. In the log I can see that the request was redirected to Pi-hole, but I receive no response.

Does anyone have an idea how to solve this issue? In the firewall log I can see no blocks or anything.
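The two Pi-hole hairpin posts above (this one and the one dated November 08) describe a redirect that is logged by the firewall and answered by Pi-hole while the client still times out. The following is an added example, not from the posts and not OPNsense or Pi-hole code: a small resolver probe that builds a raw DNS query, waits on an unconnected UDP socket and reports which address the reply actually came from. Most stub resolvers (nslookup included) use a connected socket and silently discard a reply whose source is not the address they queried, so if the redirect's reverse translation is missing, a reply sourced from fd00::2:115 instead of 2001:4860:4860::8844 is dropped and looks like a timeout; this probe shows it. The addresses and names are the ones from the posts; the parser handles A and AAAA answers and name compression, and the query it builds is the same 28/27-byte packet the tcpdump lines in the posts show.

```python
"""Probe a DNS resolver and report where the reply really came from.

Added example, not from the forum posts. Builds a minimal DNS query with the
standard library only, sends it over UDP (IPv4 or IPv6 chosen from the
resolver address) and decodes the answer section of whatever comes back.
"""
import random
import socket
import struct

QTYPES = {"A": 1, "AAAA": 28}


def build_query(name, qtype="A", txid=None):
    """Standard recursive query, one question, no EDNS."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:            # compression pointer, 14-bit offset
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(data):
    """Return txid, rcode and the answer RRs as (name, type, value)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = _read_name(data, off)
        off += 4                             # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            answers.append((name, "A", socket.inet_ntop(socket.AF_INET, rdata)))
        elif rtype == 28:
            answers.append((name, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata)))
        else:
            answers.append((name, str(rtype), rdata.hex()))
    return {"txid": txid, "rcode": flags & 0x0F, "answers": answers}


def probe(resolver, name, qtype="A", timeout=2.0):
    """Send one query; say whether a reply arrived and from which address.
    The socket is deliberately not connected so a reply from the wrong
    source (reverse NAT missing) is reported instead of being dropped."""
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    txid = random.randrange(65536)
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qtype, txid), (resolver, 53))
            data, peer = sock.recvfrom(4096)
        except OSError:                      # timeout or unreachable
            return {"resolver": resolver, "replied": False}
    parsed = parse_response(data)
    return {
        "resolver": resolver,
        "replied": True,
        "reply_from": peer[0],               # differs from resolver -> redirect not reversed
        "txid_ok": parsed["txid"] == txid,
        "rcode": parsed["rcode"],
        "answers": parsed["answers"],
    }


if __name__ == "__main__":
    for resolver in ("fd00::2:115", "2001:4860:4860::8844", "9.9.9.9"):
        print(probe(resolver, "google.com"))
```

Run it on a LAN client: `reply_from` equal to the queried resolver means the hairpin is complete; `reply_from` equal to the Pi-hole address means the forward redirect works but the reply is not translated back; `replied: False` together with the firewall log showing the redirect means the reply never reaches the client at all, which is the case the tcpdump on the Pi-hole side in the posts points at.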

133
High availability / Re: How to do IPv6 with DHCPv6-PD?
« on: November 04, 2021, 07:40:35 pm »
OK, you write
Quote
(there is a PR in github that allows to select the RA SRC address)
What are you referring to?

134
High availability / Re: How to do IPv6 with DHCPv6-PD?
« on: November 04, 2021, 02:12:59 pm »
@bimbar, do I understand correctly that "internally" you only work with ULA addresses?

Regarding the external service, I also have no solution yet. But since sooner or later I may lose my public IPv4 access with IPv6 remaining as the only access possibility from outside, I have rented a virtual server which has a public IPv4 address and forwards any request e.g. on port 443 via IPv6 to my firewall (using 6tunnel).

I consider that on this virtual server I may run a script which tests the accessibility of firewall 1 and firewall 2 using the IPv6 addresses of the firewalls, each published via DynDNS to a respective domain. In case the connection to one of the domains (i.e. firewalls) is lost, the script just instructs 6tunnel to use the other domain for forwarding requests.
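The failover script sketched above, as an added example that is not the poster's script and not part of 6tunnel or OPNsense. Assumptions: 6tunnel (https://github.com/wojtekka/6tunnel) is installed on the VPS and its `-d` flag keeps it in the foreground so the supervisor can watch it (assumed flag; check `6tunnel -h` on your build); the two firewalls publish their current IPv6 addresses under the hypothetical DynDNS names fw1.dyndns.example and fw2.dyndns.example; "healthy" means a TCP handshake to port 443 over IPv6 completes. The relay is started with the resolved address rather than the name, so a changed delegated prefix is handled the same way as a dead firewall: the relay is restarted when the address it should point at changes.

```python
"""Health-checked failover for a 6tunnel relay on a VPS.

Added example, not the poster's own script. Listens on IPv4 :443 via 6tunnel
and forwards to whichever firewall currently answers on IPv6 :443.
"""
import socket
import subprocess
import time

LISTEN_PORT = 443
TARGETS = ["fw1.dyndns.example", "fw2.dyndns.example"]   # hypothetical DynDNS names


def resolve_v6(host):
    """First IPv6 address published for host, or None if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None


def tcp_reachable(addr, port, timeout=3.0):
    """True if a TCP handshake to addr:port completes within timeout."""
    if addr is None:
        return False
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_target(health, current):
    """Sticky policy: keep the current firewall while it is healthy, otherwise
    take the first healthy one in TARGETS order; None if nothing answers.
    Sticky on purpose: switching kills every client connection, so we do not
    flap back to fw1 the moment it recovers."""
    if current is not None and health.get(current, False):
        return current
    for host, ok in health.items():
        if ok:
            return host
    return None


def tunnel_command(port, addr):
    """6tunnel listens on IPv4 :port and connects to [addr]:port over IPv6
    (its default direction). '-d' = stay in foreground (assumed flag)."""
    return ["6tunnel", "-d", str(port), addr, str(port)]


def supervise(interval=30):
    """Re-check both firewalls every `interval` seconds and (re)start the
    relay when the chosen firewall, its address, or the relay process changes."""
    proc, current, current_addr = None, None, None
    while True:
        addrs = {h: resolve_v6(h) for h in TARGETS}
        health = {h: tcp_reachable(a, LISTEN_PORT) for h, a in addrs.items()}
        wanted = choose_target(health, current)
        died = proc is not None and proc.poll() is not None
        if wanted != current or addrs.get(wanted) != current_addr or died:
            if proc is not None and proc.poll() is None:
                proc.terminate()
                proc.wait(timeout=5)
            proc = subprocess.Popen(tunnel_command(LISTEN_PORT, addrs[wanted])) if wanted else None
            current, current_addr = wanted, addrs.get(wanted)
            print(f"relay -> {wanted} ({current_addr})", flush=True)
        time.sleep(interval)


if __name__ == "__main__":
    supervise()
```

Two things to keep in mind with any such relay: the firewall sees every forwarded connection with the VPS's IPv6 address as source, so rate limiting, GeoIP or logging on the firewall no longer see the real client; and the VPS becomes a public entry point that is outside the firewall's control, so it should expose nothing but the relayed port.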

135
German - Deutsch / Re: Best practice, last rule "allow all"
« on: November 04, 2021, 01:55:06 pm »
Thanks for the feedback. I first blocked everything I don't want (e.g. Guest net to LAN net), and the last two rules are then Allow LAN net and Allow LAN address to everything.
