IPv6 Setup questions

[Steve28]

Long time pfSense user setting up OPNSense for the first time...

- My IPS gives me a /56 which I use for two LANs 
- WAN interface gets an IPv6 address from the ISP via DHCPv6
- My LAN interfaces are set to track the WAN

With this, everything works.  Computers on the LANs get IPv6 address and it's good.

With this setup - it appears DHCPv6 is active on the LANs as well and the interface doesn't appear under Services->DHCPv6.  That surprised me, as in pfSense, you would have to manually set that up if you wanted it.  How does this work with SLAAC?  IS this a "normal" setup?  I thought one of main features of IPv6 is that it is more setup to "just work" without the need to DHCP.  Essentially I am asking what the default setup is for IPv6 on LAN when "Track Interface" is used and all other settings are left default.

With regard to firewall rules.  I know that ICMP is heavily used in DHCP - do I need to setup WAN rules to allow that traffic or is that automagically configured somewhere?  I don't see that in the automatic rules list.

[marjohn56]

By default when using track interface dhcpdv6 is auto configured along with RADVD and runs in managed mode. If you wish to change any of it to manual configuration then select 'Allow manual configuration..'  located in the Track Interface section of the LAN interface page. When ticked you will see that menu options appear for your LAN(s) under Services->DHCPv6 and Router Advertisements is also visible. You must manually enter the address ranges you wish to use.

If you wish to use no dhcpdv6, you may disable the dhcpdv6 option in the dhcpv6 ->LAN set up page. Also setting change  the settings of the Router Advertisements to suit your preference in the Services->Router Advirtisements->*** page.


If you look in the Rules you'll see that the there are 'Automatically generated rules', these can be expanded by clicking the expand button to the right of that text.

[Steve28]

Thanks for the info.  I guess my question is what is a "Standard" IPv6 deployment... is it Managed?  What is a disadvantage of going SLAAC only on the LAN.

If you look in the Rules you'll see that the there are 'Automatically generated rules', these can be expanded by clicking the expand button to the right of that text.

Right - however, there are no rules allowing ICMP traffic in the WAN appearing in the automatically generated list.  My question is: does ICMPv6 get auto-allowed on the WAN when Firewall->Settings->Advanced "Allow IPv6" is checked?  Should I add one?  My understanding is this is required for proper functioning of IPv6.

[marjohn56]

how longs a piece of string?

The default automatic mode is judged to be the optimal for a simple setup, but that's only in the opinion of whoever designed it that way. You can tailor it to your needs, but as only you know what your needs are .....😊


But default ICPM6 is blocked, RFC says ICMP6 should be open - but then people complain that it should be closed. Easy just to add a WAN rule to pass all ICMP6.

[Steve28]

how longs a piece of string?

long enough  8)

The default automatic mode is judged to be the optimal for a simple setup, but that's only in the opinion of whoever designed it that way. You can tailor it to your needs, but as only you know what your needs are .....😊

Is the default mode "Managed" or "Assisted"?

[marjohn56]

Assisted, otherwise Android stuff would not work.

[Steve28]

Thanks much, @marjohn56 !