IPv6 WAN works LAN doesent work | Packets get stuck in OPNSense in Proxmox

[frustknex]

Hello everbody, i tried setting up IPv6 for my LAN IPv4 works just fine but i can't seem to get IPv6 to Function.
I am using Proxmox as a Hypervisor and i have a OPNSense VM inside here are all the Settings:

Proxmox Config:

auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

auto eno3
iface eno3 inet manual
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up echo 1 > /proc/sys/net/ipv4/conf/eno3/proxy_arp

iface eno4 inet manual

auto vmbr0
iface vmbr0 inet static
        address 109.230.XXX.38/28
        gateway 109.230.XXX.33
        bridge-ports eno3
        bridge-stp off
        bridge-fd 0

iface vmbr0 inet6 static
        address 2a05:bec0:XXX::3/48
        gateway 2a05:bec0:XXX::1

auto vmbr1
iface vmbr1 inet static
        address 10.10.0.0/24
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0

iface vmbr1 inet6 static
        address 2a05:bec0:XXX:8::2/64

-----

OPNsense Interface Settings:

WAN:
Static IPv6: 2a05:bec0:XXX::2/48
GW: 2a05:bec0:53::1

LAN:
Static IPv6: 2a05:bec0:XXX:8::1/64
GW: Auto-detect

------

PING:

Proxmox Host to WAN Interface : Yes
Proxmox Host to LAN Interface : Yes
Proxmox Host to ISPv6 GW : Yes
Proxmox Host to 2606:4700:4700::1111 : Yes

OPNsense VM to WAN Interface: Yes
OPNsense VM to LAN Interface: Yes
OPNsense VM to Proxmox Host vmbr0: Yes
OPNsense VM to Proxmox Host vmbr1: Yes
OPNsense VM to ISPv6 GW : Yes
OPNsense VM to 2606:4700:4700::1111 : Yes

OPNsense LAN to OPNsense WAN Interface: Yes
OPNsense LAN to Proxmox Host vmbr0 : Yes
OPNsense LAN to Proxmox Host vmbr1 : Yes
OPNsense LAN to ISPv6 GW : No
OPNsense LAN to 2606:4700:4700::1111 : No

Debian VM (connected to LAN Interface)
( IP: 2a05:bec0:XXX:8::25/64 | GW: 2a05:bec0:XXX:8::1 )
VM to LAN Interface : Yes
VM to WAN Interface: Yes
VM to Proxmox Host vmbr0: Yes
VM to Proxmox Host vmbr1: No
VM to google.com: No
VM to ISPv6 GW : No
VM to 2606:4700:4700::1111 : No

( When pinging to 2606:4700:4700::1111 it gets displayed in the OPNsense firewall also when doing traceroute the last place is the OPNSense firewall )
----

ISP Info of my IPv6 Network:

2a05:bec0:XXX::/48   
GW: 2a05:bec0:XXX::1/48

----
Firewall Rules:

Lan & Wan allow from any side everything for IPv6

----

[Maurice]

Where does your ISP route the /48? To the link-local address of eno3? Then you'll have to create a static route on the Proxmox host, routing the /48 to the OPNsense WAN address.
Or did they give you a specific GUA which you should use as the WAN address? Then you'll have to use this as the OPNsense WAN address.

And don't use /48 on vmbr0 and OPNsense WAN, use /64 instead.

Cheers
Maurice

[frustknex]

I don't know where my ISP routes the /48 i have a Server in a colocation rack.
All the Info i got is my IPv6 GW and the starting IPv6 Adress and access to a control panel for "RDNs" Entrys.

I've Switched to a /64 for the WAN:
WAN Interface:
Static IPv6: 2a05:bec0:XXX:9::1/64
GW: 2a05:bec0:53::1

LAN: Interface
Static IPv6: 2a05:bec0:XXX:8::1/64
GW: Auto-detect

[Maurice]

Can you ping the ISP gateway from the Proxmox host when setting the source address to the vmbr1 address? If not, the /48 might actually be on-link on eno3, which would make ND spoofing on the Proxmox host necessary.

[frustknex]

No i cant how would i acomplish this so it works?

[Maurice]

First and foremost, ask your colo provider to route the /48 to your machine without requiring ND for every single address. Having an entire /48 on-link doesn't make a lot of sense to me (if that's actually the case).

If they won't, you'll have to configure the Proxmox host to respond to Neighbor Solicitations for all IPv6 addresses used in the OPNsense LAN(s). I can't provide Proxmox-specific step-by-step instructions, but looking into proxy_ndp and 'ip neigh add proxy' should get you there.

Unfortunately OPNsense itself doesn't provide this feature. That's a long standing limitation I thought about looking into... maybe.

[frustknex]

Looks like i need to configure Proxmox so it responds to "Neighbor Solicitations"