Topic: [SOLVED] Getting public IPv6 addresses to LAN (Read 23098 times)
mike8971267
Newbie
Posts: 9
Karma: 0
[SOLVED] Getting public IPv6 addresses to LAN
« on: July 25, 2022, 04:10:48 am »
Hello friends!
I'm brand new to opnsense and happy to have my first install up and running (sorta). All IPv4 seems to work (opnsense public WAN address, LAN private addresses via DHCP, DNS options, NAT, etc). I'm having issues getting public IPv6 addresses out to the LAN clients. Opnsense gets an IPv6 WAN address from my ISP, and can itself ping remote servers with IPv4 and IPv6. It is also able to send ULA addresses to LAN clients via DHCPv6 with my private static prefix, allowing all LAN machines to ping/connect each other via IPv6.
However, none of the LAN machines get public IPv6 addresses, or can ping/connect remote servers via IPv6; only opnsense seems to have IPv6 WAN connectivity. I'm sure I'm making some very simple newbie mistake and it feels great+awful to be just one step away.
Potentially relevant settings follow (private prefixstuffs altered):
Services: DHCPv6: [LAN]:
Range is set to my private ULA range: fd00:0000:0000:0000:0000:0000:0001:0000 to fd00:0000:0000:0000:ffff:ffff:ffff:ffff. I started with the 0001:0000 offset so I could leave the very last 16-bits for static address assignments handed out via DHCPv6. So far those seem to be working.
Prefix Delegation Range is left empty, because I'm not sure I understand what to do.
DNS Servers is set to two local DNS servers on the LAN
Domain search list is just "home", because that's the domain I've been using the last few years
The rest of the settings left blank
Services: Router Advertisements: [LAN]:
Router Advertisements: Assisted
Router Priority: Normal
Source Address: Auto
Advertise Default Gateway: Checked
All remaining settings left default/blank
According to "Interfaces Overview", my ISP has given me a WAN IP address with a /56 assignment.
In summary, I'm just one requirement away from success:
Public WAN IPv6 for opnsense
Static private ULA IPv6 for opnsense
Static ULA IPv6 leases for all LAN clients
WAN IPv6 for all LAN clients + WAN connectivity
Also potentially relevant: I had all this working last week on OpenWRT, before making the switch to opnsense.
Thank you so much for reading this far. Any help, advice, insight, is appreciated.
« Last Edit: July 27, 2022, 08:58:47 pm by mike8971267 »
Logged
BoodahsFever
Newbie
Posts: 30
Karma: 1
Re: Getting public IPv6 addresses to LAN
« Reply #1 on: July 25, 2022, 01:13:35 pm »
On the LAN interface(s) make sure the:
"IPv6 Configuration Type" is set to track interface.
After that a config item at the bottom appears and should be configured as:
Track IPv6 Interface
"IPv6 Interface": WAN
"IPv6 Prefix ID": Whatever subnet prefix you want.
"Manual configuration": enable checkbox if you want to adjust things like DNS server or domain name.
It will probably work after these tiny adjustments.
Logged
mike8971267
Newbie
Posts: 9
Karma: 0
Re: Getting public IPv6 addresses to LAN
« Reply #2 on: July 26, 2022, 12:02:17 am »
Hey thank you for your advice. I might be one step closer now.
So first, I noticed I may have had the wrong "Prefix delegation size" selected in the WAN DHCPv6 client config. After looking at my "overview" for WAN, it said /56, and I think matching that in my config suddenly showed more information over in the DHCP server area.
After that I changed the IPv6 type to "Track Interface" per your suggestion. It would not allow me to enter a ULA prefix in the "IPv6 Prefix ID" so I left it at 0 (?).
With this change, my LAN machines now get IPv6 addresses (!). They just don't have connectivity for some reason so I may still be a step away. Firewall "live view" doesn't show anything being denied on IPv6 during some tests (pings, wgets). I am also using ProxMox but have disabled the firewall there for both interfaces (LAN and WAN), which I feel wouldn't be an issue because the router itself still has both IPv4 and IPv6 connectivity to the internet.
Also now in the DHCPv6 server area, the "Available range" shows my public IP block rather than the previous ULA block, and none of the LAN clients get private IPs on my ULA range. I think I could give that up to get IPv6 WAN working though, and just statically configure the extra private addresses (sad as that may be).
« Last Edit: July 26, 2022, 12:27:09 am by mike8971267 »
Logged
BoodahsFever
Newbie
Posts: 30
Karma: 1
Re: Getting public IPv6 addresses to LAN
« Reply #3 on: July 26, 2022, 11:58:40 am »
I would not bother with private IPv6 addresses if I were you. It's not worth the trouble. With a /56 prefix you should have plenty of normal (public) addresses. No need for NAT or PAT, and that is the best thing about IPv6.
All clients with IPv6 enabled will have a local link address anyway which they can use to chat with each other if they are on the same network.
For the IPv6 Prefix ID I use different numbers for different LAN interfaces. A subnet per interface if you will. On my LAN the value is three and that makes xxxx:xxxx:xxxx:xx03:xxxx:xxxx:xxxx:xxxx. On my /57 prefix I can play with the last two digits (03); in case of a /56 you should be able to use the four digits (:xx33: or :3333:) as IPv6 Prefix ID, which would result in: xxxx:xxxx:xxxx:3333:xxxx:xxxx:xxxx:xxxx.
To be clear, to get the :3333: value the Prefix ID should have 3333 as a value.
I don't use the DHCPv6 Server (again not worth the hassle); instead I use Router Advertisement in unmanaged mode. My clients get /64 IPv6 addresses via SLAAC that way with prefix:prefix id the 3333 value:suffix{MAC-Address and two extra bits}. I also advertise the DNS server my clients should use, which is in my case the Unbound Service of OPNSense. But you could advertise any DNS server of your liking of course.
Make sure that your /56 is the right prefix. I have Ziggo in the Netherlands and they have two networks. One area gets a /56 and another (mine sadly) gets a /57. When I use /56 as a prefix hint then I do get an address but it's all wrong and routing won't work.
Make sure you get a working IPv6 gateway with a local link address (router of the ISP). See if you can ping it or set the gateway monitoring to enabled.
Check that OPNSense passes IPv6 traffic (outbound) as a firewall rule and log that rule if you want to use live view.
In -> Firewall -> Settings -> Advanced. Make sure the checkbox "Allow IPv6" is enabled for obvious reasons.
« Last Edit: July 26, 2022, 12:02:30 pm by BoodahsFever »
Logged
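The Prefix ID arithmetic from the reply above, as an added example that is not part of the original thread. It assumes the Prefix ID is read as hexadecimal and fills the bits between the delegated prefix length and /64 (8 bits for a /56, 7 bits for a /57); the function names are hypothetical and the prefixes are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress

def lan_subnet(delegated, prefix_id_hex):
    """Return the /64 a tracked LAN gets from `delegated` for this Prefix ID.

    Assumption: the Prefix ID is hexadecimal and occupies the bits between
    the delegated prefix length and /64.
    """
    net = ipaddress.IPv6Network(delegated)   # raises if host bits are set
    room = 64 - net.prefixlen                # bits left for the subnet ID
    if room < 0:
        raise ValueError(f"{net} is longer than /64")
    pid = int(prefix_id_hex, 16)
    if pid >= 1 << room:
        raise ValueError(
            f"Prefix ID {prefix_id_hex} does not fit in {room} bits "
            f"(max {(1 << room) - 1:x})")
    # The subnet ID sits directly above the 64-bit interface identifier.
    return ipaddress.IPv6Network((int(net.network_address) | (pid << 64), 64))

def is_routed(lan, delegated):
    """True if the LAN /64 lies inside the prefix the ISP actually delegated."""
    return ipaddress.IPv6Network(lan).subnet_of(ipaddress.IPv6Network(delegated))

if __name__ == "__main__":
    # Constructed sample delegations and Prefix IDs.
    samples = [("2001:db8:aa00:cc00::/56", "33"),
               ("2001:db8:aa00:cc00::/57", "3"),
               ("2001:db8:aa00:cc00::/57", "80"),
               ("2001:db8:aa00:cc00::/56", "3333")]
    for pd, pid in samples:
        try:
            print(f"{pd} id {pid} -> {lan_subnet(pd, pid)}")
        except ValueError as err:
            print(f"{pd} id {pid} -> rejected: {err}")
    # A LAN /64 built as if the delegation were a /56 while the ISP only
    # routes the /57: the subnet falls outside what is actually delegated.
    lan = lan_subnet("2001:db8:aa00:cc00::/56", "b3")
    print(lan, "routed:", is_routed(lan, "2001:db8:aa00:cc00::/57"))
```

The last check mirrors the wrong prefix hint case: the LAN still gets an address, but its /64 is not inside the delegated range, so return traffic is not routed to it.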
mike8971267
Newbie
Posts: 9
Karma: 0
Re: Getting public IPv6 addresses to LAN
« Reply #4 on: July 27, 2022, 08:58:20 pm »
Thank you again for your help! Everything seems to be working now on my end.
Yeah agreed about getting the prefix right, according to the ISP. That was definitely my first biggest issue. After that, I may have been messing things up by setting the LAN::DHCP range to my desired ULA range. Once I set it to simply "::" to "::ffff", I believe that helped a lot.
I then gave the router a ULA address using the Virtual IP feature, as I've seen recommended in various places. Setting Router Advertisements to "Assisted" did seem to allow LAN clients to get their own IPs (both public and from my ULA prefix), and after rebooting my modem and staring off into space awhile, routing started to work as well.
At that point I kinda gave up on having the DHCP server set up static private IPs and just added them statically to all my machines as an extra address. So now all machines get internet, can reach each other through their private static ULAs, and use advertised DNS servers (I have a couple here).
Thank you again!
Also if anyone in the future would like to ask about specific settings, and I'm still using them, I can share.
Logged
Juuze
Newbie
Posts: 3
Karma: 0
Re: [SOLVED] Getting public IPv6 addresses to LAN
« Reply #5 on: October 20, 2022, 04:27:14 pm »
Hello mike8971267,
if I understood correctly, you disabled the DHCPv6 Server for your LAN network and only enabled "Assisted"-Mode in the Router Advertisements?
With Router Advertisements set to "Assisted"-Mode, the DHCPv6 Server is required, in my understanding, because you set those M and O flags.
Anyway I followed all of your steps but still it's impossible for me to get working IPv6 on my LAN interface. My clients get an external IPv6-Address but I can't reach anything. I've checked if my IPv6-Prefix is set correctly.
The thing that is confusing to me is that my IPv6-Address on my WAN interface says something like "xxxx:yyyy:4b00:x::yyyy" and my LAN interface gets the IPv6-Address of something like xxxx:yyy:4b47:zzzz::. Is that a problem with a /57 size? Could that be the problem why my routing doesn't work?
Logged
almodovaris
Sr. Member
Posts: 318
Karma: 15
Re: [SOLVED] Getting public IPv6 addresses to LAN
« Reply #6 on: May 18, 2023, 08:57:55 pm »
AFAIK former UPC region was /57 and supposed to go /56 (I don't know if it already happened), while the rest of Ziggo is /56.
My setup is as follows:
WAN IPv4: DHCP
WAN IPv6: SLAAC
SLAAC gives something like 2001:aaaa:bbbb:cc00:dddd:eeee:ffff:fff1
My LAN IPv6 is static, namely 2001:aaaa:bbbb:cc10:dddd:eeee:ffff:fff0.
You just have to choose hybrid for Firewall: NAT: Outbound and add a rule to it:
Interface: WAN
Protocol: IPv6
pass from any to any
Yes, that means your LAN IPv6 subnet will be routed through 2001:aaaa:bbbb:cc00:dddd:eeee:ffff:fff1, which will be your public IPv6 address. But it will still work, e.g. IPv6 pings from a laptop from LAN work okay.
After you have checked that IPv6 works, save the OPNsense configuration and back it up to the cloud, you will need it later.
I have tested it with DHCPv6 instead of SLAAC: also works okay.
« Last Edit: May 19, 2023, 08:41:02 am by almodovaris »
Logged
OPNsense HW:
Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD