Lost ip6 connectivity in LAN

Started by GreenMatter, February 25, 2025, 01:42:44 PM

Hello,

I have had dual stack (with tunnel broker) working fine. Recently I've noticed that all devices in LAN can't communicate via IP6 in LAN (ip6 DNS, to ping gateway...) despite having assigned ip6 addresses (/64). At the same time I can connect to WAN ip6 services.
What may have happened and how to troubleshoot it? OPNsense is up to date: 25.1.1.
OPNsense on:
Intel(R) Xeon(R) E-2278G CPU @ 3.40GHz (4 cores)
8 GB RAM
50 GB HDD
and plenty of vlans ;-)

What does "I can connect to WAN ip6 services" mean? Are you saying that LAN hosts can reach the internet via IPv6, but can't get DNS from, or ping, your OPNsense firewall's LAN IP address? What do your firewall rules for LAN look like?

Quote from: dseven on February 25, 2025, 03:22:36 PM
What does "I can connect to WAN ip6 services" mean? Are you saying that LAN hosts can reach the internet via IPv6, but can't get DNS from, or ping, your OPNsense firewall's LAN IP address? What do your firewall rules for LAN look like?
I meant, in LAN:
 - I'm not able to connect to local services (tried "nc -vz...", mainly DNS) or ping them
in WAN:
- contrary to above, I can ping them or test with netcat

I followed the OPNsense how-to: https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html so I don't have very special firewall rules...

That document is just all kinds of wrong. How stuff like that gets into the official OPNsense docs is beyond my comprehension. smh...

If you want to be able to use IPv6 from your LAN, you will need at least one firewall rule to allow it - similar to the "Default allow LAN to any rule", but for IPv6.

Quote from: dseven on February 25, 2025, 09:12:12 PM
That document is just all kinds of wrong. How stuff like that gets into the official OPNsense docs is beyond my comprehension. smh...

If you want to be able to use IPv6 from your LAN, you will need at least one firewall rule to allow it - similar to the "Default allow LAN to any rule", but for IPv6.
Yes, I changed my config completely:
- disabled dhcpv6
- set RAD to "unmanaged" and in vlan where I manually assign ipv6 I set to "router only"
- removed those extra ipv6 fw rules and that's where I'm not so sure of it. Is it ok to rely only on automatic rules(?):
Now it works, but do I need to create a fw rule to be more on the safe side?