NPTv6 not working as expected

Started by Mechanix, February 16, 2025, 03:01:34 PM

February 16, 2025, 03:01:34 PM Last Edit: February 16, 2025, 03:17:45 PM by Mechanix
So here is a little background:
My OPNsense is configured behind a FritzBox (doing PPPoE Passthrough). From my ISP I get a /56 prefix, so plenty of room to delegate to VLANs. The FritzBox is configured to assign IPv6 prefixes (IA_PD).
So far, the OPNsense gets the prefix:

cat /tmp/pppoe0_prefixv6
2001:xxx:xxx:9300::/56

The LAN interfaces, which track the PPPoE interface, all get a /64 address assigned. Since I'm using many Android devices in my network, I configured the Router Advertisements to "Assisted" to have both DHCPv6 and SLAAC.
So far everything works as expected with the IPv6 connectivity (all IPv6 online tests pass).

Now here comes the rub. I'm also using WireGuard in dual stack. Since the ISP changes the prefix pretty often, I decided to use ULA.
For the IPv6 server address I've assigned an additional ULA address, let's say fd00:1234:5678:10:1/64, and the clients start with fd00:1234:5678:10:2/128.
I've also configured NPTv6 for the ULA like this:

Interface: PPPoE
Internal IPv6 Prefix (source): fd00:1234:5678:10::/64
External IPv6 Prefix (target): empty
Track interface: LAN

I can ping6 the WireGuard server interfaces as well as all internal IPv6 interfaces, but the internet connectivity fails.

From the logs I can see the ipv6-icmp going from the WG1 to the PPPoE interface, but the source address is not correctly NAT-ed:

PPPoE 2025-02-16T14:58:44 fd00:1234:5678::3 2001:4860:4860::8888 ipv6-icmp let out anything from firewall host itself
PPPoE 2025-02-16T14:58:44 fd00:1234:5678:10::3 2001:4860:4860::8888 ipv6-icmp binat rule
WG1 2025-02-16T14:58:44 fd00:1234:5678:10::3 2001:4860:4860::8888 ipv6-icmp WireGuard LAN Access

I recently upgraded to 25.1.1.

Is this issue known, or am I missing something in my configuration?

Thanks
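To make the expected behaviour concrete, here is an added example (my own code, not OPNsense's or pf's) of what NPTv6 is supposed to do with the addresses in this post: the ULA /64 is rewritten to the delegated /64 using the checksum-neutral mapping from RFC 6296, and a small check is run over the three log lines quoted above. With a working translation, no packet leaving the PPPoE interface should still carry a ULA source; the check flags exactly the two PPPoE lines the poster saw. The external prefix 2001:db8:0:9310::/64 is a constructed stand-in for the masked delegated prefix, and whether a particular firewall implements the checksum-neutral variant or simply recomputes transport checksums is outside what this thread shows.

```python
"""NPTv6 (RFC 6296-style) prefix mapping plus a check over firewall log lines.

Added example for this thread, not OPNsense or pf code. EXTERNAL is a
constructed documentation prefix standing in for the poster's masked /64;
the log lines are the ones quoted in the post.
"""
import ipaddress
import re

IPv6 = ipaddress.IPv6Address
Net6 = ipaddress.IPv6Network

INTERNAL = Net6("fd00:1234:5678:10::/64")   # ULA prefix from the post
EXTERNAL = Net6("2001:db8:0:9310::/64")     # hypothetical tracked LAN /64
ULA = Net6("fc00::/7")                      # any ULA source on WAN is untranslated


def _words(addr: IPv6) -> list:
    """Eight 16-bit words of the address, most significant first."""
    n = int(addr)
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def _from_words(words: list) -> IPv6:
    n = 0
    for w in words:
        n = (n << 16) | w
    return IPv6(n)


def _ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _ones_sum(values) -> int:
    s = 0
    for v in values:
        s = _ones_add(s, v)
    return s


def ones_sum_mod(addr: IPv6) -> int:
    """One's complement sum of the address words, with the two encodings of
    zero (0x0000 and 0xFFFF) merged so sums of two addresses can be compared."""
    return _ones_sum(_words(addr)) % 0xFFFF


def nptv6_map(addr: IPv6, src_prefix: Net6, dst_prefix: Net6) -> IPv6:
    """Rewrite addr from src_prefix to dst_prefix: swap the prefix bits, then
    add (src_sum - dst_sum) to one 16-bit host word so the one's complement
    sum of the whole address, and hence any transport checksum, is unchanged.
    Calling it with the prefixes swapped undoes the mapping."""
    if src_prefix.prefixlen != dst_prefix.prefixlen:
        raise ValueError("NPTv6 prefixes must have equal length")
    if addr not in src_prefix:
        raise ValueError(f"{addr} is not inside {src_prefix}")
    plen = src_prefix.prefixlen
    nwords = (plen + 15) // 16  # prefix words, zero-padded past plen
    src_sum = _ones_sum(_words(src_prefix.network_address)[:nwords])
    dst_sum = _ones_sum(_words(dst_prefix.network_address)[:nwords])
    adjust = _ones_add(src_sum, 0xFFFF - dst_sum)  # src_sum - dst_sum

    host_mask = int(src_prefix.hostmask)
    words = _words(IPv6(int(dst_prefix.network_address) | (int(addr) & host_mask)))

    # /48 or shorter: adjust the subnet-ID word (bits 48-63). Longer prefixes
    # (the /64 case here): adjust the first IID word that is not 0xFFFF.
    if plen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("no adjustable IID word; such a packet is dropped")
    w = _ones_add(words[idx], adjust)
    words[idx] = 0 if w == 0xFFFF else w  # both are zero; 0x0000 keeps it reversible
    return _from_words(words)


LOG_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+(?P<src>[0-9a-fA-F:]+)\s+"
    r"(?P<dst>[0-9a-fA-F:]+)\s+(?P<proto>\S+)\s+(?P<label>.+)$")

# The three log lines quoted in the post.
LOG_LINES = [
    "PPPoE 2025-02-16T14:58:44 fd00:1234:5678::3 2001:4860:4860::8888 ipv6-icmp let out anything from firewall host itself",
    "PPPoE 2025-02-16T14:58:44 fd00:1234:5678:10::3 2001:4860:4860::8888 ipv6-icmp binat rule",
    "WG1 2025-02-16T14:58:44 fd00:1234:5678:10::3 2001:4860:4860::8888 ipv6-icmp WireGuard LAN Access",
]


def untranslated_egress(lines, wan_iface: str = "PPPoE") -> list:
    """Return (src, dst, rule label) for packets logged on the WAN interface
    whose source is still a ULA. With NPTv6 working, the list is empty."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["iface"] != wan_iface:
            continue
        if IPv6(m["src"]) in ULA:
            hits.append((m["src"], m["dst"], m["label"]))
    return hits


if __name__ == "__main__":
    inside = IPv6("fd00:1234:5678:10::3")
    outside = nptv6_map(inside, INTERNAL, EXTERNAL)
    print(f"{inside} -> {outside} (back: {nptv6_map(outside, EXTERNAL, INTERNAL)})")
    for hit in untranslated_egress(LOG_LINES):
        print("untranslated ULA source on WAN:", hit)
```

Run stand-alone it prints the forward and reverse mapping for the WireGuard client address and then the two PPPoE log entries whose source was never rewritten. The word chosen for the checksum adjustment lands in the interface identifier, which is why an NPTv6-translated /64 host address does not keep its original IID verbatim.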

What's that bi-nat rule about? Have you configured bi-nat?

I set up something similar to what you have for a test, and it's working. Instead of tracking LAN, I created a loopback interface which tracks my WAN interface, and used that for NPTv6...

February 16, 2025, 04:42:29 PM #2 Last Edit: February 16, 2025, 04:52:54 PM by Mechanix
Thanks for your reply. That bi-nat log entry comes because I've enabled logging on the NPTv4 sequence.
How did you configure the loopback to track your WAN?

Edit: I've found it and it's working! Thanks for the hint.

Wonder why this has changed from 25.1 to 25.1.1, though.

BTW, if you do use a loopback interface for this, be sure to use the "Allow manual adjustment of DHCPv6 and Router Advertisements" option, because otherwise ISC DHCPv6 will try to use that interface, fail, roll over, and die (completely - not just for the new interface) - https://forum.opnsense.org/index.php?topic=43053.0 (guess who just noticed that his DHCPv6 hosts were offline since yesterday? sigh...)