IPv6 NAT driving me nuts

Started by raspberryswirl2, April 06, 2022, 08:41:37 PM

Hi,

I am behind a cable router which is not handing me down prefixes, so my OPNsense needs to NAT the IPv6. This is possible, and I know it is not the optimal solution, but please no discussion about that :(
I have already looked through several pieces of documentation, and since I upgraded OPNsense I am really thinking of reinstalling from scratch, because it's driving me crazy: I had success, but only for a short time.
I am doing something wrong, or have misconfigured something.

Here are the details:
Cable Router - Opensense - WLAN ROUTER - CLIENTS

System is on 21.7.8. I have enabled DHCPv6 and also, in Services, Router Advertisements set to Assisted, so it is doing SLAAC.
Behind OPNsense is a DD-WRT wifi router, configured with radvd and nothing else, firewall disabled.
The Linux and the Windows systems get an IPv6 address from OPNsense, also a lease, and now know their DNS server.
From those systems I can ping each other and also OPNsense (!),
but although the Firewall Outbound NAT is configured with my source addresses (like fd42:4242:4242:4242:ffff:ffff:ffff:8 and the WAN address) it's not going out:

on windows:
tracert -6 google.com

Tracing route to google.com [2a00:1450:4016:809::200e]
over a maximum of 30 hops:

  1     *        *        1 ms  OPNsense.localdomain [fd42:4242:4242:4242::]
  2     *        *        *     Request timed out.


From the OPNsense shell I can ping google successfully.
In the FW:
LAN: LAN TO ANY - all traffic IPv6 allowed
WAN:
WAN TO ANY -  TCP/IP V6 allowed
WAN TO ANY -  ICMP V6 allowed

thanks
jon

Fun fact: I played around with restarting the DHCP and also configured the WLAN router with DD-WRT and I had some successes, but they are not reproducible. So really, some assistance would be very much appreciated.

April 07, 2022, 10:25:53 AM #1 Last Edit: April 07, 2022, 10:27:29 AM by bimbar
Maybe https://github.com/opnsense/core/issues/5325 ?

In my opinion that functionality should be removed - it doesn't seem to work well, and it shouldn't be done in the first place.

The solution in your case should be to complain to your internet provider since he doesn't follow documented standards. (little consolation, I know)

While technically correct, there may be circumstances when one still has got to use NAT66 - I for one do it with my WireGuard VPN terminating in a DigitalOcean droplet. Since they won't route a /64 - even if you threaten them with money - but insist on using 10 statically assigned IPv6 addresses, I need to NAT the VPN client.

And this works perfectly well with pf on FreeBSD. So if this is an issue with the OPNsense UI or middleware, it should be fixed, IMHO.

My rules for example:
# IPv4: translate the VPN client subnet to the droplet's public address
nat on vtnet0 from 192.168.254.0/24 to any -> 134.209.x.y
# IPv6 (NAT66): translate the WireGuard /64 to one of the statically assigned droplet addresses
nat on vtnet0 from 2003:a:u:v::/64 to any -> 2604:a880:w:x::y:z
pass all no state


The global unicast prefix I use for WireGuard and then NAT outbound is from my own static assignment at home, so I know there will be no conflicts.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I should add that with static IPs this does work, but if you do a dynamic NAT66 on an out interface, it seemingly doesn't always.
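As an added illustration, not code from the thread or from OPNsense, here is a small Python planner for the kind of outbound NAT66 rule discussed above. It classifies the addresses involved (ULA such as the fd42:4242:4242:4242::/64 prefix from the first post, link-local, global unicast), refuses to translate to anything but a global unicast address on the WAN side, and emits a pf `nat` rule in the same shape as the rules posted above. The function names, the WAN address list and the 2001:db8:: target are constructed for the example; the interface name vtnet0 is taken from the posted rules.

```python
"""NAT66 rule planner (added example; not from the thread or from OPNsense).

Given the LAN's IPv6 source prefix and the addresses present on the WAN
interface, pick a usable translation target and render a pf 'nat' rule.
The point it makes: a ULA prefix behind the firewall only gets out if the
translation target is a global unicast address, never a link-local or
another ULA. All address values below are constructed for illustration.
"""
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")          # unique local addresses (RFC 4193)
GUA = ipaddress.ip_network("2000::/3")          # global unicast
LINK_LOCAL = ipaddress.ip_network("fe80::/10")  # link-local, never routable


def classify(addr: str) -> str:
    """Return 'ipv4', 'link-local', 'ula', 'gua' or 'other' for an address."""
    a = ipaddress.ip_address(addr)
    if a.version != 6:
        return "ipv4"
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "ula"
    if a in GUA:
        return "gua"
    return "other"


def pick_translation_address(wan_addrs):
    """Return the first global unicast address on the WAN side, or None."""
    for a in wan_addrs:
        if classify(a) == "gua":
            return a
    return None


def nat66_rule(wan_if: str, src_prefix: str, wan_addrs):
    """Render 'nat on <if> from <prefix> to any -> <target>' or None.

    Returns None when the WAN has no global unicast address, which is the
    situation where outbound IPv6 NAT cannot work regardless of the rule.
    """
    net = ipaddress.ip_network(src_prefix, strict=False)
    if net.version != 6:
        raise ValueError("source prefix must be IPv6")
    target = pick_translation_address(wan_addrs)
    if target is None:
        return None
    return f"nat on {wan_if} from {net} to any -> {target}"


if __name__ == "__main__":
    # Constructed WAN address set: link-local plus a documentation-range GUA.
    wan = ["fe80::1", "2001:db8::1"]
    print(nat66_rule("vtnet0", "fd42:4242:4242:4242::/64", wan))
    # A WAN with only link-local and ULA addresses yields no usable rule.
    print(nat66_rule("vtnet0", "fd42:4242:4242:4242::/64", ["fe80::1", "fd00::1"]))
```

Running it prints the rendered rule for the first case and `None` for the second, which is the check worth doing before touching the Outbound NAT page: if the WAN interface itself has nothing in 2000::/3, no NAT66 rule will get traffic out.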