standard setup, no route on IPv6

Started by LoneGumMan, July 03, 2022, 09:03:52 AM

July 03, 2022, 09:03:52 AM Last Edit: July 03, 2022, 11:00:39 AM by LoneGumMan
I am new to OPNsense. Running the setup with two NICs for WAN and LAN.

IPv6 did work previously (test-ipv6.com passes, as did ipv6test.google.com) when the network was on a Mikrotik router with pretty much OOTB setup, so I know the ISP side is not an issue.

edit: this is a home setup, no VLAN, just beefier hardware to consolidate other server-like duties on one box.

The setup:
* IPv4 is DHCP on WAN side, typical setup
* ISP supports IPv6 with both SLAAC and DHCPv6. Both give a valid /64 prefix, and I am using SLAAC. LAN side tracks the WAN interface.
* "Allow manual adjustment of DHCPv6 and Router Advertisements" is unchecked in the LAN interface.
* System DNS (system-> settings -> general) is using Google and Cloudflare public DNS (1.1.1.1/8.8.8.8/2001:4860:4860::8888/2606:4700:4700::1111)
* Unbound for DNS, set to use system DNS ("Use System Nameservers" in query forwarding), I can resolve AAAA records if I point nslookup to the router's port 53

What's working:
* IPv4 front to back; DHCP on the LAN side, no problem
* ALL clients, Windows, Linux and Android phones, can all set up a GUA with the correct prefix.

Problem:
* Clients seemingly don't have a route on IPv6.

Other than setting system DNS and changing unbound, I pretty much have a bog standard setup. Not sure what else I need to do. Any advice is welcomed.

Below is radvdump output on OPNsense. "igc1" is the LAN interface
root@OPNsense:~ # radvdump
#
# radvd configuration generated by radvdump 2.19
# based on Router Advertisement from fe80::62be:b4ff:fe03:9cf3 <-- the LAN interface
# received by interface igc1
#

interface igc1
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag on;
        AdvOtherConfigFlag on;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvLinkMTU 1500;
        AdvSourceLLAddress on;

        prefix 2404:c800:dead:beef::/64
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 14400;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition


        DNSSL myhome
        {
                AdvDNSSLLifetime 600;
        }; # End of DNSSL definition

}; # End of interface definition


And here is my Windows "ipconfig /all"; the address ending "fe0c:9cf3" is the LAN interface on the router.
Ethernet adapter vEthernet (Virtual Switch Wifi):

   Connection-specific DNS Suffix  . : myhome
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
   Physical Address. . . . . . . . . : 9C-B6-D0-8F-E4-81
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2404:c800:dead:beef:8494:910:1e7:7485(Preferred)
   Link-local IPv6 Address . . . . . : fe80::8494:910:1e7:7485%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.20.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, July 3, 2022 2:21:02 PM
   Lease Expires . . . . . . . . . . : Sunday, July 3, 2022 2:55:26 PM
   Default Gateway . . . . . . . . . : fe80::62be:b4ff:fe03:9cf3%11
                                       192.168.20.1
   DHCP Server . . . . . . . . . . . : 192.168.20.1
   DHCPv6 IAID . . . . . . . . . . . : 949794512
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-79-51-59-9C-B6-D0-8F-E4-81
   DNS Servers . . . . . . . . . . . : 2404:c800:dead:beef:62be:b4ff:fe03:9cf3
                                       192.168.20.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       myhome


And the adapter is on a "private" network, so there should not be too much Windows firewall shenanigans.

what happens if you try setting dhcpv6 to dhcpv6 and set router advertisements to assisted.



Quote from: walkerx on July 03, 2022, 03:34:14 PM
what happens if you try setting dhcpv6 to dhcpv6 and set router advertisements to assisted.
Yea, tried that too before posting here, but things get a bit weird. Hence I went with SLAAC.

Changing WAN to DHCPv6
* WAN DHCPv6 with the option "Send IPv6 prefix hint" checked (this gives me more consistent behavior)
* LAN DHCPv6 adding the LAN interface's link local address as DNS does not do anything; Windows gets a 2404 address for DNS server, probably my ISP's
* RA set to "assisted", and adding my LAN link local address gets it to publish my local DNS server in RA, but Windows still gets the same 2404 DNS address for some magical reason.

The whole DHCP delegate thing is still new to me, so I am not sure if I am reading this right.

Several observations:
* WAN side looks fine, still get the same /64 prefix
* LAN side, RA is publishing a /56 prefix of a slightly different prefix; I thought it'd use the same prefix as the WAN interface?
* Windows does not seem to get a GUA at all, and the DNS server address is, for some reason, not in my address range. I am guessing it's from the ISP, but I have my LAN link-local address added to both DHCPv6 and RA already.

I don't have the time to do a tcpdump yet to capture the DHCP messages, nor am I that proficient, to be frank.

Below are the radvdump.

From WAN side
interface igc0
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag off;
        AdvOtherConfigFlag on;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 0;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvSourceLLAddress on;
        AdvLinkMTU 1500;

        prefix 2404:c800:dead:beef::/64
        {
                AdvValidLifetime 1800;
                AdvPreferredLifetime 1800;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition

}; # End of interface definition


And from my LAN
interface igc1
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag on;
        AdvOtherConfigFlag on;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference high;
        AdvLinkMTU 1500;
        AdvSourceLLAddress on;

        prefix 2404:c805:1bad:ba00::/56
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 14400;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition


        RDNSS fe80::62be:b4ff:fe03:9cf3
        {
                AdvRDNSSLifetime 600;
        }; # End of RDNSS definition


        DNSSL myhome
        {
                AdvDNSSLLifetime 600;
        }; # End of DNSSL definition

}; # End of interface definition


Windows "ipconfig /all"
Ethernet adapter vEthernet (Virtual Switch):

   Connection-specific DNS Suffix  . : myhome
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
   Physical Address. . . . . . . . . : 00-E0-4C-A1-C9-D9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8b6:e9f5:6fc5:5fab%34(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.20.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, July 3, 2022 10:53:38 PM
   Lease Expires . . . . . . . . . . : Sunday, July 3, 2022 11:05:54 PM
   Default Gateway . . . . . . . . . : fe80::62be:b4ff:fe03:9cf3%34
                                       192.168.20.1
   DHCP Server . . . . . . . . . . . : 192.168.20.1
   DHCPv6 IAID . . . . . . . . . . . : 570482764
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-79-51-59-9C-B6-D0-8F-E4-81
   DNS Servers . . . . . . . . . . . : 2404:c800:dead:babe:62be:b4ff:fe03:9cf3
                                       192.168.20.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       myhome




Going back to SLAAC on the WAN side, a bit of new observation that didn't jump out before.

If I uncheck the "Allow manual adjustment of DHCPv6 and Router Advertisements" on the LAN interface, then RA publishes the expected /64 prefix , but there is no RDNSS, so there is no DNS for IPv6 for Windows to pick up.

If I set "Allow manual adjustment of DHCPv6 and Router Advertisements", and go and reload all config, then RA publishes RDNSS, but there is no prefix if I use stateless / assisted mode.

Something is always missing, and if I go DHCPv6, then RA publishes both, but Windows does not seem to pick up a path.

There's always something missing  :-\
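
Added example, not part of the thread and not OPNsense code: a small checker that parses radvdump output and flags the RA conditions the posts run into. Per RFC 4862, hosts only autoconfigure an address from a /64 prefix, so the /56 advertised in the DHCPv6 attempt is ignored for SLAAC, and the SLAAC attempt carries no RDNSS. The dumps are trimmed from the thread's LAN-side output, and the finding labels and function names are this example's own.

```python
import ipaddress

# Constructed input: the thread's two LAN-side (igc1) radvdump outputs, trimmed.
TEMPLATE = """interface igc1
{
        AdvDefaultLifetime 1800;
        prefix %s
        {
                AdvAutonomous on;
        }; # End of prefix definition
%s
}; # End of interface definition
"""
RDNSS = "        RDNSS fe80::62be:b4ff:fe03:9cf3\n        {\n        };"
SLAAC_DUMP = TEMPLATE % ("2404:c800:dead:beef::/64", "")
DHCPV6_DUMP = TEMPLATE % ("2404:c805:1bad:ba00::/56", RDNSS)
BLOCKS = ("prefix", "RDNSS", "DNSSL", "route")  # radvd sub-block keywords

def parse_radvdump(text):
    """Parse radvdump output into {iface: {"opts": {...}, "prefix": {...}, ...}}."""
    ifaces, iface, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        key, _, val = line.partition(" ")
        if line in ("", "{") or (iface is None and key != "interface"):
            continue
        if line == "}":                  # closes a sub-block, else the interface
            iface, sub = (iface if sub is not None else None), None
        elif key == "interface":
            iface = ifaces.setdefault(val, {k: {} for k in ("opts",) + BLOCKS})
        elif key in BLOCKS:
            sub = iface[key].setdefault(val, {})
        else:
            (iface["opts"] if sub is None else sub)[key] = val
    return ifaces

def audit(text):
    """Return sorted (interface, finding) pairs; labels are this example's own."""
    found = []
    for name, cfg in parse_radvdump(text).items():
        for pfx, opts in cfg["prefix"].items():
            plen = ipaddress.ip_network(pfx, strict=False).prefixlen
            if opts.get("AdvAutonomous") == "on" and plen != 64:
                found.append((name, "slaac-prefix-not-/64 " + pfx))
        if not cfg["RDNSS"]:
            found.append((name, "no-rdnss"))
        if cfg["opts"].get("AdvDefaultLifetime") == "0":
            found.append((name, "not-a-default-router"))
    return sorted(found)
```

Neither dump trips the default-router check: both advertise AdvDefaultLifetime 1800, which matches the fe80:: default gateway shown in the ipconfig output.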