IPv6 ping fails on LAN

[neerdoc]

Hi,

I am new to both OPNsense and IPv6, so this might be a silly question/problem.

I have an ISP that supports IPv6 (in Sweden). I have a brand new installation of OPNsense (19.1.7). I have selected DHCPv6 as configuration for my WAN and there I have selected:

• Send IPv6 prefix hint
• SOLICIT
• Prevent Release

I can now see in my Dashboard that I get an 2001:<lots of hex>:2d16 address for my WAN. So far I think I'm good. I can also go to the Console in OPNsense and ping 'ipv6.google.com' successfully.

Now the trouble starts... Only way I managed to enable the DHCPv6 service for my LAN was to set a static IP for the LAN nic. So I took the next one 2001:<lots of hex>:2d17. Now the DHCPv6 service was enabled and prefilled with "Available range". So I set the range from 2001:<lots of hex>:2d20 to 2001:<lots of hex>:2dff just to test. I still did not get an IPv6 address for any of my computers on the LAN, but searching this forum I found a post stating that I needed "Router Advertisment" enabled. Enabled it with:

• Managed
• Normal
• Advertise Default Gateway

and suddenly all my computers had IPv6 addresses! Yay!

So, next step was to test connectivity:

• Tried "ping6 ipv6.google.com" from LAN computer. Nothing. Why?
• Tried pinging within the LAN, works!
• Tried pinging the LAN interface on the firewall, works!
• Tried pinging the WAN interface on the firewall, failed.
• Started the console in OpnSense again. Ping from Default, works.
• Ping from WAN, works.
• Ping from LAN, fails!

I'm stumped. I have been searching for what I'm doing wrong for hours now and I got nothing... The best suggestion I could find was that the firewall somehow blocks it even though the rules indicated it should not. But looking in the firewall logs I only get "PASS" for the ICMP pings going to the firewall, but no one is answering...
Any help is appreciated!

[marjohn56]

Try these settings. If you have enabled the dhcpv6 server then you'll need to disable it first.


Also when using manual settings for dhcpv6 you need to set to assisted, android devices will not play nicely on a managed dhcpv6 system.


WAN Settings for dhcp6c




LAN Settings for Auto dhcpv6 - remember to disable the dhcpv6 server if you have enabled it.

[hbc]

You cannot set the lan address to just one number higher than wan. That would.be in ipv4 like 192.168.1.1 for wan and 192.168.1.2 for lan - both interfaces in same subnet. Are you running opnsense bridged?

Set your lan ipv6 to tracked wan.

[neerdoc]

Awesome!

Now it works perfectly!

I do have new questions though...

If I look at my computer I now have 3 IPv6 addresses on my interface. Why?

• One that starts with fe80:: which I understand is the local-link-address
• One that starts with 2001:9b1:ef8: and says "autoconf secured"
• One that starts with 2001:9b1:ef8: and says "autoconf temporary"

Next question is this: With the "track" setup, all my units gets their IPv6 address from my ISP, correct? If possible, I would like to assign the IPs myself. How would I do that? Would it have worked if I only had used a different subnet for the LAN than what the WAN has?

[marjohn56]

Your LAN gets a prefix delegation. Your WAN may or may not get an IPv6 global address, it's not strictly necessary and often all that is seen on the WAN is the link local fe:: address.


Your clients may get multiple IPv6 global addresses as well as a link-local address. Multiple global addresses are used to enhance privacy and security and the only time you should bypass that is when using a server where it needs a static IPv6 address. In that case you should set up the LAN dhcpv6 server manually and disable privacy extensions on the clients, this is easy to do with Linux type systems, not so easy with Windows but it can be done.


Firstly you need to know if your ISP is supplying a static PD range or whether it is likely to change.