OPNsense as IPv6 router?

Started by martijnk, May 14, 2020, 02:06:49 PM

Hi all,

My ISP gave me an IPv6 subnet, a /48. Now I need to split that into /64s so I can give out subnets to my customers.

So my ISP sent me this (numbers are fake for privacy reasons):

My range : 3A03:6970:C131::/48
Our Router: 3A03:6970:C131:1::1/64
Your Router Gateway: 3A03:6970:C131:1::2/64 : range is routed to 2.
You can connect multiple routers but your range is routed to 2.

Sure enough, when I configure that ::2 address and ::1 as the gateway, IPv6 works and I can ping, browse etc.

However, the question is how do I set up my OPNsense appliance to act as router/gateway for the IPv6 range?

And second question: when I want to use an address like 3A03:6970:C131:54::1, this falls outside the subnet where my gateway is located. Do I need to route this through OPNsense as well?

IPv6 has always been very confusing to me, but it's probably me lacking the knowledge about it :)

Thanks!


Set the OPNsense WAN address to 3A03:6970:C131:1::2/64.
Create the gateway 3A03:6970:C131:1::1 and enable "Upstream Gateway".
Configure the OPNsense LAN interfaces with addresses from within your /48 (but NOT from 3A03:6970:C131:1::/64). For example, LAN1 3A03:6970:C131:A::1/64, LAN2 3A03:6970:C131:B::1/64, etc.
Create firewall rules to allow inbound IPv6 on the LAN interfaces (if not already there).
Set up Router Advertisements and optionally DHCPv6.

That should be it for a basic setup.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Ah right, so I need a separate LAN interface for every /64 subnet, which will then act as the gateway for that subnet, right? That makes sense. I will test this, thanks!

May 14, 2020, 09:33:56 PM #3 Last Edit: May 14, 2020, 09:36:12 PM by martijnk
Ok so I got it half working.

I added the LAN IPv6 address 3A03:6970:C131:A::1/64.

Then I added a VM with IP: 3A03:6970:C131:A::2/64 and gateway 3A03:6970:C131:A::1/64.

I can ping the gateway, I can ping the WAN IPv6 address of OPNsense. I can resolve IPv6 DNS, but I can't access the internet; I get no ping replies.

Any idea?

Btw, I do have the firewall rules allowing IPv6 to any in on the LAN interface (they were auto-created).

Try ping and traceroute directly from OPNsense, with the source address set to WAN and LAN. What works, what doesn't?

Quote from: Maurice on May 15, 2020, 02:13:32 AM
Try ping and traceroute directly from OPNsense, with the source address set to WAN and LAN. What works, what doesn't?

It works fine from WAN, but if I use LAN as the source interface I get 'no route to host'.

?

I would need more info. Interface configurations, gateway configuration, routing table, output of traceroute.

Could also be an ISP issue. You might want to try a traceroute to your LAN address from the Internet.

May 15, 2020, 09:06:21 PM #7 Last Edit: May 15, 2020, 09:09:22 PM by martijnk
Quote from: Maurice on May 15, 2020, 03:19:16 PM
?

I would need more info. Interface configurations, gateway configuration, routing table, output of traceroute.

Could also be an ISP issue. You might want to try a traceroute to your LAN address from the Internet.

Thanks for your help so far!

I'm thinking more and more it's an ISP issue, but to summarize:

ISP router: 2A01:5340:D000:1::1/64
My router: 2A01:5340:D000:1::2/64 (Prefix is routed to this IP)
My prefix: 2A01:5340:D001::/48

I've added IPv6 to the WAN interface with IP 2A01:5340:D000:1::2/64 and upstream gateway 2A01:5340:D000:1::1/64. Enabled gateway monitoring and it's online. I can ping IPv6 over the internet (from the OPNsense firewall/shell).

For the LAN interface I've added the IPv6 address 2A01:5340:D001::1/64 with no gateway specified. Then for the firewall, IPv6 is already allowed so nothing to do there, but to make sure I've set ICMPv6 to allow on the WAN side. Next I've enabled router advertisements in "router only" mode, but I did try unmanaged and assisted as well.

I then booted up a Windows machine and gave it IP 2A01:5340:D001:1::1337/64 with gateway 2A01:5340:D001::1.

- I can ping the gateway just fine but I can't access the internet.
- I can resolve DNS names.
- I can't ping the WAN side of OPNsense and I can't ping the ISP router.
- When I do a ping from the LAN side of OPNsense I get no route to host.


Routes (a little hard to read):

Proto  Destination                       Gateway               Flags  Use   MTU    Netif   Netif (name)
ipv4   default                           193.122.39.1          UGS    347   1500   vtnet1  wan
ipv4   127.0.0.1                         link#3                UH     754   16384  lo0
ipv4   192.168.0.0/16                    link#1                U      1389  1500   vtnet0  lan
ipv4   192.168.0.1                       link#1                UHS    0     16384  lo0
ipv4   193.122.39.0/24                   link#2                U      1180  1500   vtnet1  wan
ipv4   193.122.39.254                    link#2                UHS    0     16384  lo0
ipv6   default                           2A01:5340:D000:1::1   UGS    89    1500   vtnet1  wan
ipv6   ::1                               link#3                UH     0     16384  lo0
ipv6   2A01:5340:D000:1::/64             link#2                U      194   1500   vtnet1  wan
ipv6   2A01:5340:D000:1::2               link#2                UHS    0     16384  lo0
ipv6   2A01:5340:D001::/64               link#1                U      11    1500   vtnet0  lan
ipv6   2A01:5340:D001::1                 link#1                UHS    0     16384  lo0
ipv6   fe80::%vtnet0/64                  link#1                U      59    1500   vtnet0  lan
ipv6   fe80::bc65:faff:fe29:399f%vtnet0  link#1                UHS    0     16384  lo0
ipv6   fe80::%vtnet1/64                  link#2                U      54    1500   vtnet1  wan
ipv6   fe80::54c6:e7ff:fe1c:231%vtnet1   link#2                UHS    0     16384  lo0
ipv6   fe80::%lo0/64                     link#3                U      0     16384  lo0
ipv6   fe80::1%lo0                       link#3                UHS    0     16384  lo0


Traceroute from the internet shows nothing special, just timeouts.

I also did a reinstall, doing everything from scratch, but same result :(

Thanks again!

Quote from: martijnk on May 15, 2020, 09:06:21 PM
ISP router: 2A01:5340:D000:1::1/64
My router: 2A01:5340:D000:1::2/64 (Prefix is routed to this IP)
My prefix: 2A01:5340:D001::/48
This differs from your original post where the router addresses were within your routed /48. Now it seems they are not.

Quote from: martijnk on May 15, 2020, 09:06:21 PM
I then booted up a Windows machine gave it IP 2A01:5340:D001:1::1337/64 with gateway 2A01:5340:D001::1.
Unlike the VM you previously mentioned, this machine's address is not in your LAN subnet. Should be 2A01:5340:D001::1337/64.

The routing table seems okay.

Quote from: Maurice on May 15, 2020, 10:32:54 PM
Quote from: martijnk on May 15, 2020, 09:06:21 PM
ISP router: 2A01:5340:D000:1::1/64
My router: 2A01:5340:D000:1::2/64 (Prefix is routed to this IP)
My prefix: 2A01:5340:D001::/48
This differs from your original post where the router addresses were within your routed /48. Now it seems they are not.

Quote from: martijnk on May 15, 2020, 09:06:21 PM
I then booted up a Windows machine gave it IP 2A01:5340:D001:1::1337/64 with gateway 2A01:5340:D001::1.
Unlike the VM you previously mentioned, this machine's address is not in your LAN subnet. Should be 2A01:5340:D001::1337/64.

The routing table seems okay.

Ah yes, it's a typo, my bad. I have it now on 2a01:5340:D001::1234, but it gives the exact same result.

About the first one: the provider says the router is in D000 and the prefix is in D001. Anyway, let me give you the original IPs I got from my provider:

Your range : xxxx:5940:C001::/48
Our Router: xxxx:5940:C000:1::1/64
Your Router Gateway: xxxx:5940:C000:1::2/64 : Prefix is routed to 2.
You can connect multiple routers but prefix is routed to 2.

That's weird indeed, right? So yeah, their router is outside my subnet?

That's not weird; the WAN subnet may be inside or outside of the routed prefix. Both cases are common.

I'd again recommend doing a traceroute from the Internet to the OPNsense LAN address (2A01:5340:D001::1) and see at which hop this fails. For example, lg.he.net allows you to do that.
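As an added example (not code from the forum posts and not part of OPNsense), the Python script below applies the addressing rules from Maurice's setup steps and from the later diagnosis to the figures quoted in the thread: it checks that the upstream gateway is on-link for the WAN address, reports whether the WAN /64 lies inside the routed /48 (both layouts are fine, as the last reply says), carves LAN /64s out of the routed prefix while skipping the WAN /64 when it happens to be inside it, and flags a host whose /64 does not match the router's LAN subnet (the ...:D001:1::1337 typo). The function names and module layout are this example's own; the addresses are the ones posted in the thread.

```python
"""Address-plan checks for a routed IPv6 prefix behind an OPNsense router.

Added example, not code from the forum thread or from OPNsense itself.
Function names are this example's own; the addresses in main() are the
figures quoted in the thread.
"""
from ipaddress import IPv6Interface, IPv6Network
from typing import Dict, List


def check_wan(wan: str, upstream: str, routed: str) -> Dict[str, bool]:
    """Check the WAN side: the upstream gateway must be on-link, and report
    whether the WAN /64 sits inside the routed prefix (informational only:
    the first post had it inside, the later posts outside; both are normal)."""
    wan_if, up_if, routed_net = IPv6Interface(wan), IPv6Interface(upstream), IPv6Network(routed)
    return {
        "upstream_on_link": up_if.ip in wan_if.network,
        "wan_inside_routed_prefix": wan_if.network.subnet_of(routed_net),
    }


def plan_lan_subnets(routed: str, wan: str, count: int) -> List[str]:
    """Carve `count` /64s out of the routed prefix for LAN interfaces.

    If the WAN /64 lies inside the routed prefix it is skipped: it is already
    in use on the link to the ISP and must not be reused on a LAN."""
    wan_net = IPv6Interface(wan).network
    chosen: List[str] = []
    for subnet in IPv6Network(routed).subnets(new_prefix=64):  # lazy generator
        if subnet == wan_net:
            continue
        chosen.append(str(subnet))
        if len(chosen) == count:
            break
    return chosen


def router_address(subnet: str) -> str:
    """Conventional router address for a /64: the ::1 of the subnet."""
    net = IPv6Network(subnet)
    return f"{net.network_address + 1}/{net.prefixlen}"


def check_host(host: str, lan: str, routed: str) -> Dict[str, bool]:
    """Check a LAN host's static configuration against the router's LAN address."""
    host_if, lan_if, routed_net = IPv6Interface(host), IPv6Interface(lan), IPv6Network(routed)
    return {
        # A host configured with a different /64 than the router's LAN address
        # (the thread's ...:D001:1::1337/64 typo) is not in the LAN subnet at all...
        "same_subnet": host_if.network == lan_if.network,
        # ...and therefore cannot reach its default gateway as an on-link neighbour.
        "gateway_on_link": lan_if.ip in host_if.network,
        # A /64 outside the routed prefix never receives return traffic from the ISP.
        "inside_routed_prefix": host_if.network.subnet_of(routed_net),
    }


def main() -> None:
    # Figures from the later posts in the thread (ISP router, WAN address, routed /48).
    routed = "2a01:5340:d001::/48"
    isp_router, wan = "2a01:5340:d000:1::1/64", "2a01:5340:d000:1::2/64"
    print("WAN:", check_wan(wan, isp_router, routed))
    for subnet in plan_lan_subnets(routed, wan, 3):
        print("LAN", subnet, "router", router_address(subnet))
    lan = router_address(plan_lan_subnets(routed, wan, 1)[0])
    for host in ("2a01:5340:d001:1::1337/64", "2a01:5340:d001::1234/64"):
        print("host", host, check_host(host, lan, routed))


if __name__ == "__main__":
    main()
```

Running it with the first post's figures instead (routed 3a03:6970:c131::/48, WAN 3a03:6970:c131:1::2/64) reports the WAN /64 as inside the routed prefix and skips it when planning LAN subnets, which is exactly the "but NOT 3A03:6970:C131:1::/64" caveat from the setup steps.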