IPv6 downstream router (FritzBox) requires OPNsense to behave like ISP

[GerhardHeus]

Topology

Code Select Expand

ISP (DHCPv6-PD /48)
        │
        ▼
OPNsense (pppoe0, dhcp6c)
        │
Legacy Track Interface
(assign /64s via Prefix IDs)
        │
 ┌──────┼────────┐
 │      │        │
LAN   VLAN1    VLAN2
ID 0  ID 4     ID 6
 │
 ▼
    FritzBox
    ├─ non-guest (/64)
    └─ guest     (/64)
    (Fritz runs its own RA/DHCPv6/DNSv6)
Core requirement:
OPNsense must behave like an IPv6 ISP, so the downstream FritzBox can operate fully autonomously.
Working Setup (Stable)

• Legacy Track Interface on all internal interfaces
• ISC DHCPv6 enabled
• Router Advertisements enabled (basic / unmanaged)
• FritzBox internal DHCPv6 + DNSv6 enabled

Behavior:

• OPNsense slices the ISP /48 using Prefix IDs
• FritzBox successfully receives sub-delegated prefixes
• Guest and non-guest IPv6 work reliably
• Prefix renewals and reboots are handled cleanly

ISC DHCPv6 (Working, Anonymized)

Code Select Expand

option dhcp6.domain-search "internal";
option dhcp6.rapid-commit;
default-lease-time 7200;
max-lease-time 86400;
authoritative;
subnet6 2001:db8:abcd::/64 {
  range6 2001:db8:abcd::1000 2001:db8:abcd::2000;
  option dhcp6.name-servers 2001:db8:abcd::1;
  # Prefix delegation to downstream router (FritzBox)
  prefix6 2001:db8:abcd:8000:: 2001:db8:abcd:ff00::/60;
}
This configuration:

• Delegates prefixes cleanly
• Automatically installs kernel routes
• Aligns PD lifetimes with RA behavior
• Allows FritzBox to act as a real downstream ISP customer

Attempted Setup (Problematic)

• Identity Association (IA) addressing
• KEA DHCPv6
• Parameterized Router Advertisements

Despite many variations, this does not allow FritzBox to function autonomously.
Observed problems:

• Delegated prefixes not reliably routed
• Guest IPv6 disappears
• IPv6 breaks when KEA is stopped/restarted
• Removing PD pools breaks downstream IPv6 even though OPNsense still has global IPv6
• FritzBox internal DHCPv6/DNSv6 cannot be enabled reliably

KEA DHCPv6 (Attempted, Anonymized)

Code Select Expand

{
  "Dhcp6": {
    "interfaces-config": {
      "interfaces": [ "lan0" ]
    },
    "subnet6": [
      {
        "subnet": "2001:db8:abcd::/48",
        "pd-pools": [
          {
            "prefix": "2001:db8:abcd:ff00::",
            "prefix-len": 60,
            "delegated-len": 64
          }
        ],
        "reservations": [
          {
            "duid": "00:03:00:01:xx:xx:xx:xx:xx:xx",
            "ip-addresses": [ "2001:db8:abcd::2000" ]
          }
        ]
      }
    ]
  }
}
Even with variations:

• PD routing is fragile or missing
• RA behavior must be manually aligned
• Downstream router does not behave as with ISC DHCPv6

Key Observation
FritzBox internal DHCPv6/DNSv6 only works when upstream behaves exactly like an ISP.

• ✔ Track Interface + ISC DHCPv6 → Fritz autonomous
• ✖ IA + KEA + RA → Fritz breaks or degrades

This suggests that either:

• KEA lacks functionality needed for downstream routers, or
• OPNsense's current KEA + IA + RA integration does not fully model ISP-like behavior

Questions / Migration Path

• Is it currently possible to fully replace
   Track Interface + ISC DHCPv6 + basic RA
   with
   IA + KEA + RA
   while still supporting autonomous downstream routers?
• Are PD pools mandatory in KEA for downstream routers?
• Is the lack of automatic route installation for delegated prefixes a known limitation?
• Is ISC DHCPv6 expected to remain for this use case, or is there a recommended migration path?

Summary

• My setup is stable today
• I am not looking for workarounds
• I want to understand whether a clean KEA/IA migration path exists for "OPNsense as ISP" deployments

Any guidance from developers or users running downstream routers would be appreciated.

[franco]

For a static IPv6 prefix in Kea yes. For a dynamic one no. We'll be discussing some things related to Kea in the upcoming roadmap discussion for 26.7.


Cheers,
Franco