PPPoE IPv6 Prefix Delegation with Static WAN Assignment

Started by netnut, November 05, 2021, 11:59:04 PM

For VPN etc, just use the address of the LAN(s). Unless it's for some really esoteric reason you do not need an address on the WAN. GUAs are just that, the GUAs on the LAN side are global addresses, not natted in any way.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.


Quote from: netnut on November 07, 2021, 06:52:06 AM
The root of the question is a way to configure publicly routable IPv6 addresses on the WAN...
That's all I'm trying to address.

Quote from: netnut on November 07, 2021, 06:52:06 AM
Complexity, latency, energy, manageability, security, space, bufferbloat (although the Fritz is one of the "better" CPEs). With an OPNsense box orders of magnitude more powerful than a Fritzbox there's no benefit.
There is likely some benefit to it operating as a bastion host. There could also be some benefit to it acting as a RG (Residential Gateway), and I am curious as to whether having it act as such would solve your problem (or at least assist with troubleshooting it) as I detail below.

Quote from: netnut on November 07, 2021, 06:52:06 AM
I took the Fritzbox example as a "proof of concept" as supported and implemented by my ISP with IPv6 PD, don't understand why you keep referring to it ;-). Besides the fact I don't use a Fritzbox, your suggestion is about a dhcp6c client configuration over PPPoE, that is going to my ISP (not to a Fritzbox) that _doesn't_ give anything else than an IPv6 prefix. So with or without IA-NAs, that address is not automagically created by dark matter or forces.
Even more important is that any override script breaks the excellent integration of the Track Interface configuration option in the OPNsense GUI, which I use for over 10 interfaces that are getting their /64 from the /48.
Firstly, the Track Interface configuration will not change (provided you are tracking the WAN). You would still need to do this. So you could consider this configuration item completed.

The dhcp6c override script exposes several advanced settings not otherwise in the GUI, including how solicit messages are packaged together. Depending on how the DHCPv6 request is crafted will likely determine how your ISP's BNG will respond.

In your OP, you mention your PoC with the Fritzbox works, i.e. it gets a routable IPv6 address and a PD. It is worth mentioning that your ISP's BNG will most likely treat a PPP request from your CPE - or more correctly, RG - differently depending on what your RG is. It will also treat requests from your subscriber network, i.e. behind the RG, differently too. If you have your Fritzbox set up as your RG doing the PPPoE, and your OPNsense box merely doing a DHCPv6 request via your Fritzbox (or PPPoE if that fails - which is unlikely), your OPNsense box will likely get an IA-NA IPv6 address for your WAN as well as the PD.

Having said all that, on your WAN interface, did you tick Request only an IPv6 prefix (in standard configuration view), or neglect to tick Non-Temporary Address Allocation for Identity Association (which is the IA-NA btw - in Advanced configuration view)...? If so, that would likely be the cause of your problem. I also presume your PPPoE is set up as a "dual-stack" with PPPoE via IPv4 and your IPv6 Configuration Type set as DHCPv6 (and not Static). Lastly, did you make sure that Prefer to use IPv4 even if IPv6 is available at System: Settings: General > Networking > Prefer IPv4 over IPv6 is not ticked (perhaps unrelated).

You could achieve something similar with the override script too. My previous posts were about hacking that up, but I now think that unnecessary. I think you could probably achieve what you want with a standard script setup, specifying your WAN interface in id-assoc na 0 only if necessary. I still think that could possibly work without your Fritzbox, but I think it is worthwhile checking with it in the mix in bridge or pass-through mode before adding the complexity of PPPoE/DHCP <--> RG <--> BNG interactions.

You could give some of this a go and share what you learn. I leave it up to you.

Quote from: marjohn56 on November 07, 2021, 10:05:10 AM
For VPN etc, just use the address of the LAN(s). Unless it's for some really esoteric reason you do not need an address on the WAN. GUAs are just that, the GUAs on the LAN side are global addresses, not natted in any way.

Yeah, that's exactly what I'm doing now. The wish is to have a single IPv6 tunnel with multiple v4 & v6 phase2's in it. Initiating that from one of the LAN interfaces makes that segment a little bit more special than the others. Besides the single IPv6 tunnel, there are more IPv4-only tunnels initiated from WAN. So doing everything (VPN-like) from WAN for both IPv4 & IPv6 makes it cleaner (and IPv4-like).
I could also create a separate IPv6 LAN interface/segment dedicated to VPN stuff and share that with all the other LAN segments so there's nothing special from a VPN perspective, but the WAN interface is there already and makes the most sense. That's why I want an IPv6 address there...

Quote from: benyamin on November 07, 2021, 01:31:18 PM
The dhcp6c override script exposes several advanced settings not otherwise in the GUI, including how solicit messages are packaged together. Depending on how the DHCPv6 request is crafted will likely determine how your ISP's BNG will respond.

I already quoted the ISP instructions in the first post; besides the prefix itself there is _no_ response. The WAN IP address assignment should be done by the CPE itself (hence OPNsense). Suggesting PPPoE configs (with or without Fritzboxes) doesn't help. The answer has already been given, using a VIP, but that creates funky IPsec routing (with IPv4 in IPv6) behaviour as mentioned in my previous post.

Quote from: netnut on November 07, 2021, 05:37:01 PM
I already quoted the ISP instructions in the first post; besides the prefix itself there is _no_ response. The WAN IP address assignment should be done by the CPE itself (hence OPNsense). Suggesting PPPoE configs (with or without Fritzboxes) doesn't help. The answer has already been given, using a VIP, but that creates funky IPsec routing (with IPv4 in IPv6) behaviour as mentioned in my previous post.

With respect, I disagree. IMHO, using a VIP is a poor solution. It appears you are getting some non-native IPv6 weirdness (6to4 tunnel maybe?).

I'm only suggesting the DHCP config - and perhaps topology - can likely resolve your issue. Address assignment is negotiated with the ISP: they are the one routing it for you. You cannot tell them the way it's going to be.

Maybe if I explain it a different way...

In your Fritzbox PoC, on the Fritzbox itself, did you need to use the Derive global address using the assigned prefix Connection Settings option in order to get an IP? If so, in the override script, couldn't you just assign PD 0 to WAN...? Just like the Fritzbox?

Did you even try it with the Fritzbox in front of OPNsense and have OPNsense as a pure DHCP client (no PPPoE)?

Did you check those options in my previous post? Namely:

Quote: [On] your WAN interface, did you tick Request only an IPv6 prefix (in standard configuration view), or neglect to tick Non-Temporary Address Allocation for Identity Association (which is the IA-NA btw - in Advanced configuration view)...? If so, that would likely be the cause of your problem. I also presume your PPPoE is set up as a "dual-stack" with PPPoE via IPv4 and your IPv6 Configuration Type set as DHCPv6 (and not Static). Lastly, did you make sure that Prefer to use IPv4 even if IPv6 is available at System: Settings: General > Networking > Prefer IPv4 over IPv6 is not ticked (perhaps unrelated).

If you're able to confirm the above, then I'll happily spend my time to help you create a working override script as I know it (my time) isn't being wasted. However, going around in circles won't get either of us anywhere.
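For readers following the override-script discussion above (requesting an IA-NA on the WAN, and "assigning PD 0 to WAN" so the WAN address is derived from the delegated prefix), here is a constructed dhcp6c.conf that shows both in wide-dhcpv6 syntax; it is an added illustration, not a config from this thread or from OPNsense, and the interface names pppoe0/lan0/lan1 and the script path are assumptions.

```conf
# Constructed example (not from the thread). Interface names and the
# script path are assumptions; adjust them to the system in question.
interface pppoe0 {
    send ia-na 0;          # ask the ISP's BNG for a non-temporary WAN address (IA-NA)
    send ia-pd 0;          # ask for the delegated prefix (IA-PD), e.g. the /48
    request domain-name-servers;
    script "/var/etc/dhcp6c_wan_script.sh";   # assumed path of the handler script
};

# IA-NA: if the BNG answers, the address is installed on pppoe0. If the ISP
# delegates only a prefix (as the OP reports), this association simply stays
# unfulfilled and the WAN still has no address from it.
id-assoc na 0 {
};

# IA-PD: carve /64s out of the delegated prefix. With a /48, sla-len 16
# yields /64s; sla-id selects which /64 each interface receives and must be
# unique per interface.
id-assoc pd 0 {
    # "Assign PD 0 to WAN": give pppoe0 its own /64 from the prefix, which is
    # what the Fritzbox "derive global address using the assigned prefix"
    # option does, and what the OP wants for terminating IPsec on WAN.
    prefix-interface pppoe0 {
        sla-id 0;
        sla-len 16;
    };
    # Downstream segments (the Track Interface /64s in the GUI).
    prefix-interface lan0 {
        sla-id 1;
        sla-len 16;
    };
    prefix-interface lan1 {
        sla-id 2;
        sla-len 16;
    };
};
```

Any address that lands on pppoe0 this way is a globally reachable GUA, not a NATed one, so the WAN rule set has to explicitly allow only the IPsec ports (and anything else intended) towards it. Note that OPNsense regenerates its own dhcp6c.conf from the GUI; a hand-written file like this is only used via the override mechanism discussed above.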