Need a bit help on IPv6 routing

Started by deajan, September 15, 2025, 03:44:43 PM

Hello,

I've been an OPNsense user for almost 10 years now, and use it at home & work.
I've set up a couple of home IPv6 networks, where I had to use NPTv6 since the ISP wouldn't hand out a prefix delegation bigger than /64, so I have basic IPv6 knowledge.

My problem today is quite different.
I've set up BGP routers which have IPv4 and IPv6 sessions.
My BGP routers are bridged to my OPNsense, which has a DMZ VLAN interface on which I have a couple of servers.

So far, my setup looks like:

```
(BGP-Router(s))--------[bridge]----------(OPNSense WAN_________OPNSense DMZ)----------[bridge]-------------[VM]
2001:X:Y:0::254/48 (VRRP)               2001:X:Y:0:1/48        2001:X:Y:FF:254/64                          2001:X:Y:FF::1/64
2001:X:Y:0::253/48 (RTR1)               GW 2001:X:Y:0:254                                                  GW 2001:X:Y:FF:254
2001:X:Y:0::252/48 (RTR2)
```

I've set up the WAN address as static since I don't plan on running a DHCP server on the BGP routers.
I've set up the DMZ address as static too, as well as the VM.

I can't ping the BGP routers from the VM (traceroute shows that it stops at OPNsense). Ping to OPNsense works.
I can ping both the BGP routers and the VM from OPNsense.
I can ping OPNsense from the BGP routers.

I came to the conclusion that OPNsense doesn't route IPv6 from the DMZ to the WAN interface.
I did of course set up an IPv4/IPv6 any-to-any rule on the DMZ interface for my tests.
I've also checked that IPv6 forwarding is enabled via:
```
# sysctl net.inet6.ip6.forwarding
net.inet6.ip6.forwarding: 1
```

My IPv6 routing table looks sane to me:
```
netstat -nr

[ipv4...]

Internet6:
Destination                       Gateway                       Flags         Netif Expire
default                           2001:X:Y:0::254   UGS          vtnet4
::1                               link#6                        UHS             lo0
2001:X:Y::/48                 link#5                        U            vtnet4
2001:X:Y:0::1         link#6                        UHS             lo0
2001:X:Y:FF::/64            link#25                       U            vlan04
2001:X:Y:FF::254            link#6                        UHS             lo0
fe80::%vtnet4/64                  link#5                        U            vtnet4
fe80::5054:ff:feb9:2fc7%lo0       link#6                        UHS             lo0
fe80::%lo0/64                     link#6                        U               lo0
fe80::1%lo0                       link#6                        UHS             lo0
fe80::%vlan04/64                  link#25                       U            vlan04
fe80::5054:ff:fe32:b0eb%lo0       link#6                        UHS             lo0
```

All my IPv4 networking works, so my problem really looks IPv6-only.
Since I've set up a /48 on WAN and a /64 on DMZ, is there anything else I should have configured besides the firewall rule?

Also, a side question: since my VM on the DMZ interface will be publicly accessible and have an AAAA record, I configured it with a static IPv6 address.
Is that "good practice", or should I go the SLAAC / DHCPv6 way? If so, doesn't that make things more complicated when trying to find its IP to set up AAAA records?

Thanks for any insight.

You must not set up a /48 on an interface. All interfaces are /64 in IPv6.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks for the reply.
I guess that means that if I set up a /64 on WAN, I will definitely need prefix delegation in order to get multiple /64 subnets, hence configure a DHCPv6 server on the BGP routers?

Is there perhaps a "simpler" way to tell OPNsense that it's allowed to use the whole /48 net?

You could set a static route on the BGP routers and then statically configure OPNsense interfaces with /64 each. Prefix delegation only automates part of that - the end result is the same.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
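An added illustration, not part of the thread, of why the reply's advice fixes the return path: a small longest-prefix-match model of what a BGP router does with a packet for the DMZ VM when the whole /48 is on its bridge interface versus a /64 on the bridge plus a static route for the /48 via OPNsense. Addresses use the 2001:db8::/32 documentation prefix in place of 2001:X:Y::/48, and the set of neighbours on the bridge is assumed.

```python
import ipaddress
from typing import Optional

IPv6 = ipaddress.IPv6Address
Net = ipaddress.IPv6Network
# (prefix, next_hop): next_hop None means "directly connected", so the router
# resolves the destination with neighbour discovery (ND) on that link instead
# of forwarding it to a gateway.
Route = tuple[Net, Optional[IPv6]]

# Constructed addresses (documentation prefix standing in for 2001:X:Y::/48).
SITE = Net("2001:db8::/48")
BRIDGE_NET = Net("2001:db8::/64")        # WAN segment shared with the BGP routers
OPNSENSE_WAN = IPv6("2001:db8::1")
VM = IPv6("2001:db8:0:ff::1")            # behind OPNsense in the DMZ /64
# Assumed neighbours that actually answer ND on the bridge: OPNsense WAN + routers.
ON_BRIDGE = {OPNSENSE_WAN, IPv6("2001:db8::254"), IPv6("2001:db8::253")}

def longest_match(table: list[Route], dst: IPv6) -> Optional[Route]:
    """Pick the most specific route covering dst, as any IPv6 forwarder does."""
    hits = [r for r in table if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def reply_path(table: list[Route], dst: IPv6) -> str:
    """Describe what a BGP router does with a packet destined to dst."""
    route = longest_match(table, dst)
    if route is None:
        return "no route"
    prefix, gw = route
    if gw is not None:
        return f"forward via {gw}"
    # Connected route: ND has to find dst on the bridge itself, and the DMZ VM
    # is not there, so replies to it never leave the router.
    return "delivered on-link" if dst in ON_BRIDGE else "ND fails: dropped"

# Thread's configuration: the whole /48 sits on the bridge interface.
BROKEN = [(SITE, None)]
# The fix from the reply: /64 on the bridge, rest of the /48 statically routed.
FIXED = [(BRIDGE_NET, None), (SITE, OPNSENSE_WAN)]

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: reply to {VM} -> {reply_path(table, VM)}")
```

Forward traffic from the VM still reaches the routers in both cases; it is the reply that is lost with the /48 on-link, which matches a traceroute that stops at OPNsense.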