Setup IPV6 LAN

Started by Sky22019, September 27, 2020, 09:26:31 PM

Hello to the community.

I am still running opnsense 20.1.9 since I am waiting for a cable in order to connect via the com port of my dedicated firewall box and update afterwards.
My current setup is as follows: VDSL line -> Modem -> Opnsense (dhcp, routing & firewall) -> lan (switches, devices etc) and a pihole in my lan blocking ads. The (static) ip of the pihole is set in opnsense at the DHCPv4 Service page. And the (static) IP of opnsense is set in pihole as the only upstream ipv4 dns server. Finally, in opnsense I have set dns servers from quad9 and cloudflare in Systems->Settings->General page. Everything is working swell as it is but this is just a typical IPV4 lan.
My ISP is handing out dynamic IPV4 and IPV6 addresses. So I figured I can try to setup an IPV6 local network as well.

Well, since I am writing this post you can imagine that this endeavor did not go as planned. The only method by which my personal computer can access IPV6 is with the setup described in the official documentation:
https://docs.opnsense.org/manual/how-tos/ipv6_dsl.html?highlight=ipv6
AND having my NIC (Windows 10) setup with manual settings pointing to specific IPV6 address of opnsense as gateway and DNS Server.

The problem is that with this method, I cannot setup pihole to act as my DNS IPV6 server the same way it works with IPV4. And that is because when my dynamic IPV6 public address changes the same happens with my local IPV6 pool which means I can't use a static IPV6 address for any of my devices. And anyway, all my attempts to setup static IPV6 address in opnsense went to waste as I was losing connectivity altogether!

So long story short, is there a known configuration that accommodates opnsense and pihole working together with IPV6?

And something else: how do you specify IPV4 and IPV6 DNS servers together? You just put them in Systems->Settings->General page? How does this work? When a device requests an IPV6 page the dns are asked sequentially (one after the other)?

Thanks in advance for any input.

Cheers!

Quote:
And something else: how do you specify IPV4 and IPV6 DNS servers together? You just put them in Systems->Settings->General page?

You are not supposed to put a local DNS server in the General page, it should be a DNS upstream, it is for the router to access updates.

Have you configured your dhcpv6? You can specify your pihole in the DHCP6 settings.

As I said,
Quote from: Sky22019 on September 27, 2020, 09:26:31 PM
...in opnsense I have set dns servers from quad9 and cloudflare in Systems->Settings->General page

Still, when doing a traceroute from cmd in windows, the first hop after my opnsense box appears to be my ISP ???
What gives?

How should I specify my pihole in dhcpv6 service? Just put its ipv4 address to the dns server field? Will that remain the same after say, a reboot of opnsense?

You very rarely need DHCPv6 since IPv6 clients craft their own IP from their MAC, often with a sprinkling of randomness for security. There are after all billions of billions of available IP addresses.

What is your ISP delegation size? It needs to be larger than a /64 since that is the size of an IPv6 subnet. Pick a /64 subnet from the delegation for your LAN and assign a fixed IP for the OPNsense LAN interface.

Set up RADVD on OPNsense to advertise the route to the internet. You can also advertise the IPv6 address of your Pi-Hole for DNS. Services -> Router Advertisements -> LAN. Set it to unmanaged, high.

Remember to allow ICMPv6 just about everywhere since it's needed to join multicast groups and such like.

Bart...
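The subnet arithmetic from the post above, as an added example that is not part of the original thread: it carves a /64 out of a delegated prefix and derives the address a host would build from its MAC (modified EUI-64, one of the schemes clients use; many prefer randomised identifiers instead). The prefix is from the 2001:db8::/32 documentation range and the MAC is made up.

```python
import ipaddress

# Constructed sample values (documentation prefix, made-up MAC address).
DELEGATION = ipaddress.ip_network("2001:db8:1234:ab00::/56")
PIHOLE_MAC = "b8:27:eb:12:34:56"


def lan_subnet(delegation, index):
    """Return the index-th /64 inside a delegated prefix."""
    if delegation.prefixlen > 64:
        raise ValueError("delegation is smaller than a /64, nothing to carve out")
    count = 2 ** (64 - delegation.prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"only {count} /64 subnet(s) in {delegation}")
    base = int(delegation.network_address) + (index << 64)
    return ipaddress.ip_network((base, 64))


def eui64_address(subnet, mac):
    """Address a host autoconfigures from its MAC (modified EUI-64, RFC 4291)."""
    if subnet.prefixlen != 64:
        raise ValueError("autoconfiguration needs a /64 prefix")
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    octets[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return subnet[int.from_bytes(iid, "big")]


if __name__ == "__main__":
    lan = lan_subnet(DELEGATION, 1)
    print("LAN subnet:        ", lan)
    print("fixed router addr: ", lan[1])
    print("Pi-hole via EUI-64:", eui64_address(lan, PIHOLE_MAC))
```

A /56 holds 256 such subnets; a delegation of exactly /64 holds one, so there is nothing left to split between several LANs.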

Hello and thanks for the response.

I guess I am missing something(s) here. I am trying to have any IPV6 connectivity pass through my pihole just as with ipv4 so as to block any(?) ads.

Apart from that, how can I find out my
Quote from: bartjsmit on September 30, 2020, 10:19:54 AM
ISP delegation size
?
I am guessing 'bigger' than /64 is /58 ???
Thing is, the only way my wan gets an IP (v6) address is when having delegation size =64 and "Request the IPv6 information through the IPv4 PPP connectivity link." checked.
So, having the above, I selected static ipv6 on lan interface, set delegation size to 120 and chose an ip.
Then, I set up RADVD as you said.
So far my pihole has not yet acquired an IPV6 address and hence I cannot advertise its address as a dns server in DHCPv6. I will wait for it to reboot overnight (default behaviour) and try again tomorrow.
Apart from (all) that, how do I go about allowing ICMPv6?

Thanks again.
Cheers!

You should contact your ISP and ask for a delegated range. See if their competitors have more generous allocations.

You can try setting the LAN interface to track the WAN interface but it is much easier to set up your internal network with a fixed /56 or /48.

Quote from: Sky22019 on October 01, 2020, 12:03:14 AM
Apart from (all) that, how do I go about allowing ICMPv6?

Firewall, rules, floating. Add a rule for IPv6, ICMP, allow any.

Open a shell prompt on the firewall console, run radvdump and wait a few minutes. Confirm that the router advertisements are being sent out.

Bart...
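One way to read the radvdump output mentioned above, as an added example that is not part of the original thread: it checks a dumped router advertisement for a /64 autonomous prefix, the managed flag, and the expected DNS server in the RDNSS option. The dump is a constructed, trimmed sample (documentation prefix, made-up interface name), and treating "unmanaged" as managed flag off with autonomous on is an assumption.

```python
import ipaddress
import re

# Constructed, trimmed radvdump output (documentation prefix, made-up interface).
SAMPLE = """\
interface igb1
{
	AdvSendAdvert on;
	AdvManagedFlag off;
	AdvOtherConfigFlag off;
	AdvDefaultPreference high;

	prefix 2001:db8:1234:ab01::/64
	{
		AdvOnLink on;
		AdvAutonomous on;
	}; # End of prefix definition

	RDNSS 2001:db8:1234:ab01:ba27:ebff:fe12:3456
	{
		AdvRDNSSLifetime 300;
	}; # End of RDNSS definition
}; # End of interface definition
"""


def check_ra(dump, expected_dns):
    """Return a list of problems found in one dumped router advertisement."""
    problems = []
    flags = dict(re.findall(r"^\s*(Adv\w+)\s+(\S+);", dump, re.M))
    if flags.get("AdvManagedFlag") != "off":
        problems.append("managed flag is on: clients are sent to DHCPv6 for addresses")
    prefixes = re.findall(r"^\s*prefix\s+(\S+)", dump, re.M)
    if not prefixes:
        problems.append("no prefix advertised")
    for text in prefixes:
        net = ipaddress.ip_network(text, strict=False)
        if net.prefixlen != 64:
            problems.append(f"{net} is not a /64, so hosts cannot autoconfigure from it")
    if "off" in re.findall(r"AdvAutonomous\s+(\w+);", dump):
        problems.append("a prefix has AdvAutonomous off")
    dns = {ipaddress.ip_address(addr)
           for line in re.findall(r"^\s*RDNSS\s+([^\n{]+)", dump, re.M)
           for addr in line.split()}
    if ipaddress.ip_address(expected_dns) not in dns:
        problems.append(f"{expected_dns} is not advertised as RDNSS")
    return problems
```

An empty list means hosts on the LAN can build their own address from the advertised prefix and learn the DNS server from the same advertisement.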

Some progress here...

With my dhcpv6 service enabled, I have set up my ipv6 address pool (/120) and there appear to be some leases already handed out!

My problem now is that despite the fact that my pihole's mac address is appearing in the list of ipv6 leases normally (online), when asking the raspberry pi itself for its ipv6 address it only shows the local ipv6 link (eg fe80:: etc). Is this normal? Should I manually set the said ipv6 address on the pi and also reserve it in my opnsense's ipv6 reservations?

With regard to radvdump it seems that the router advertisements are being sent out ok.

And concerning firewall I attached a screenshot of a rule I found out had already been set automatically.