IPv6: neighbor solicitations not answered by opnsense

Started by meiser, April 03, 2023, 08:55:24 PM

Hi,

I installed opnsense in a proxmox VM with two interfaces, one WAN connected to a 5G router, the other LAN.

On WAN side, I get a public IPv4 address and an IPv6 address via SLAAC (no DHCPv6 possible). The LAN interface is static IPv4 and "track WAN" for IPv6. Therefore, I get a /64 on the LAN side. The LAN clients receive a /64 via SLAAC and can ping each other via IPv4/IPv6. But I cannot ping the opnsense VM or any host in the Internet via IPv6.

The neighbor solicitations are not answered by opnsense.

19:59:42.743631 IP6 xxxx:xxxx:xxxx:xxxx:5054:ff:fe21:d971 > ff02::1:ff21:d976: ICMP6, neighbor solicitation, who has xxxx:xxxx:xxxx:xxxx:5054:ff:fe21:d976, length 32


The client is xxxx:xxxx:xxxx:xxxx:5054:ff:fe21:d971, the opnsense WAN interface is xxxx:xxxx:xxxx:xxxx:5054:ff:fe21:d976

BTW, I can ping any host in the Internet via IPv6 from opnsense.

Could you give me some advice on what I could check?

Thanks a lot for your help.
Regards,
meiser
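A small checker for the symptom described in this post, added here as an example (it is not code from the original post or from the OPNsense project). It parses tcpdump ICMPv6 lines, confirms that each neighbor solicitation was sent to the correct solicited-node multicast group for its target (RFC 4291, ff02::1:ffXX:XXXX from the low 24 bits of the address), and reports targets for which no neighbor advertisement followed within a short window. The sample capture is constructed: the "xxxx" prefix from the post is replaced by the documentation prefix 2001:db8:0:1::/64, and a second, answered solicitation is added for contrast.

```python
"""Find neighbor solicitations in tcpdump output that never received a
neighbor advertisement, and verify the solicited-node multicast mapping."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample (not from the post): two unanswered NS for ...fe21:d976,
# then one NS for ...fe21:aabb that is answered 0.7 ms later.
SAMPLE_TCPDUMP = """\
19:59:42.743631 IP6 2001:db8:0:1:5054:ff:fe21:d971 > ff02::1:ff21:d976: ICMP6, neighbor solicitation, who has 2001:db8:0:1:5054:ff:fe21:d976, length 32
19:59:43.748102 IP6 2001:db8:0:1:5054:ff:fe21:d971 > ff02::1:ff21:d976: ICMP6, neighbor solicitation, who has 2001:db8:0:1:5054:ff:fe21:d976, length 32
19:59:45.001200 IP6 2001:db8:0:1:5054:ff:fe21:d971 > ff02::1:ff21:aabb: ICMP6, neighbor solicitation, who has 2001:db8:0:1:5054:ff:fe21:aabb, length 32
19:59:45.001900 IP6 2001:db8:0:1:5054:ff:fe21:aabb > 2001:db8:0:1:5054:ff:fe21:d971: ICMP6, neighbor advertisement, tgt is 2001:db8:0:1:5054:ff:fe21:aabb, length 32
"""

# tcpdump's default ICMPv6 line formats for NS and NA (with -n, as in the post).
NS_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
    r"neighbor solicitation, who has (?P<target>\S+), length"
)
NA_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
    r"neighbor advertisement, tgt is (?P<target>\S+), length"
)


@dataclass
class NdpMsg:
    ts: float
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    target: ipaddress.IPv6Address


def _seconds(ts: str) -> float:
    """HH:MM:SS.ffffff -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """RFC 4291 section 2.7.1: ff02::1:ffXX:XXXX, XX:XXXX = low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def parse(dump: str):
    """Split a tcpdump text capture into (solicitations, advertisements)."""
    sols, advs = [], []
    for line in dump.splitlines():
        for regex, bucket in ((NS_RE, sols), (NA_RE, advs)):
            m = regex.match(line)
            if m:
                bucket.append(NdpMsg(_seconds(m["ts"]),
                                     ipaddress.IPv6Address(m["src"]),
                                     ipaddress.IPv6Address(m["dst"]),
                                     ipaddress.IPv6Address(m["target"])))
    return sols, advs


def analyze(dump: str, reply_window: float = 1.0) -> dict:
    """Per solicited target: NS count, whether any NA for it arrived within
    reply_window seconds, and whether an NS went to a wrong destination
    (valid destinations are the solicited-node group or, for NUD probes, the
    unicast target itself)."""
    sols, advs = parse(dump)
    report = {}
    for s in sols:
        entry = report.setdefault(str(s.target), {"solicitations": 0,
                                                 "answered": False,
                                                 "wrong_destination": False})
        entry["solicitations"] += 1
        if s.dst not in (s.target, solicited_node_multicast(s.target)):
            entry["wrong_destination"] = True
        if any(a.target == s.target and s.ts <= a.ts <= s.ts + reply_window
               for a in advs):
            entry["answered"] = True
    return report


def unanswered_targets(dump: str, reply_window: float = 1.0) -> list:
    """Targets that were solicited but never advertised within the window."""
    return sorted(t for t, e in analyze(dump, reply_window).items()
                  if not e["answered"])


if __name__ == "__main__":
    for target, e in analyze(SAMPLE_TCPDUMP).items():
        state = "answered" if e["answered"] else "NO ANSWER"
        flag = " (bad multicast destination)" if e["wrong_destination"] else ""
        print(f"{target}: {e['solicitations']} NS, {state}{flag}")
```

Feed it the output of `tcpdump -n -i <lan-if> icmp6` captured on the client or on the OPNsense LAN interface. If the multicast destination is correct and the target still never answers, the problem is on the responding side (the firewall not owning or not proxying the address), not in the client's solicitation.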

Are you allowing the necessary ICMPv6 traffic from WAN?

https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

I allow all ICMPv6 because I wish anybody the very best of luck in scoping out my IPv6 address range with ping, since it will take them longer than the half life of a proton (the subatomic particle, not the car)

Bart...

Hi,

If I understand it correctly, ICMPv6 is allowed by default via the auto-generated firewall rules on WAN and LAN side.

Regards,
meiser

Maybe you only get one IPv6 /64 prefix from your ISP? Then you would have to use NAT66 with ULAs fc00:: in your LAN segment.

For more than one /64 prefix to work you need at least a /56 from your ISP, and a transfer net with a static route to the IPv6 address of your WAN interface.
Hardware:
DEC740

Yes, it's only one /64. But why does it work with the residential CPE which I "reverse-engineered"? It also runs an NDP proxy.
Isn't it possible to support this scenario? I read multiple times that this is not a good IPv6 design, but it's reality.

ULA won't work because desktop operating systems boycott it. macOS at least assumes "no IPv6" if it does not have a GUA.

You could borrow a GUA /64 from someone - most people with a static assignment have quite enough - configure that statically and use NPT6.

I get a /56 with my German Telekom business DSL line, that's 256 different /64. I use some of them in cloud environments I run for the reason that ULA alone does not quite work. As long as I do not use any of these /64s on the public Internet, everything is fine.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I found out that it's "RFC 7278: Extending an IPv6 /64 Prefix from a Third Generation Partnership Project (3GPP) Mobile Interface to a LAN Link" which has to be supported.