IPv6 troubles, cannot make routing work.

[SeeJayEmm]

I've recently switched to OpnSense and am trying to utilize the IPv6 prefixes provided to me by my ISP (Spectrum) but I cannot get LAN traffic to consistently route outside of my network.  IPv4 is working fine.

My WAN interface is configured for DHCP & DHCPv6. DHCPv6 Config:

• Prefix Delegation: 60
• Send IPv6 Prefix Hint: Checked

Interfaces > Overview > WAN shows both an IPv6 address and an IPv6 prefix which is a /60 as requested. Both GUA.

On my VLAN I'm testing this with I have a Static IPv4 that works fine and I have IPv6 set to track the WAN interface. Currently manual configuration is unchecked. I have tried checking it and several variations of settings in RA but right now I'm just trying to make this work as "out of the box" before I go tweaking.

Checking the VLAN in Interfaces > Overview shows IPv6 addressing. A link-local address as well as a GUA that out of the Prefix assigned to this interface and it has the correct mask (/64).

On my test system, it has a link-local fe80 and 2 GUAs with the correct prefix. One is a /64 and one is a /128. I can ping both of these from the OpnSense router and I can ping the OpnSense router from the test system.

When I try to ping a public address (i.e. google.com) from the test system it times out.  Traceroutes stop after the 1st hop.

When I try to ping a public address from OpnSense it works.
When I try to ping a public address from OpnSense, and source from the vlan interfaces (ping 6 -I vlan0.xxx) it also works fine and indicates it's sourcing using the GUA of that interface.

I could use some help trying to figure out where to go next to troubleshoot this issue. I've been digging through forum and reddit posts for a couple days now and nothing has worked.

Edit:
I left out that I do have an IPv6 rule in the firewall to allow traffic out from that network.

[Patrick M. Hausen]

Does your end system have a default gateway for IPv6? Either the GUA or the LL address of OPNsense in that particular LAN.

[SeeJayEmm]

Yes, there's a ::/0 route with the next-hop of the fe80 of the router's vlan interface.

Also, if I run a packet capture I can see the outbound traffic but no return.

IPv6, length 118: 2603:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:3f80 > 2607:f8b0:4009:81c::200e: ICMP6, echo request, seq 16, length 64

Thanks for replying. I'm learning as I go with IPv6 so if I'm missing something obvious please let me know.  I'm starting to think this is an ISP issue.

[SeeJayEmm]

So, I do think it's OpnSense but i can't figure out what I'm doing wrong.

When I reboot, or reload services, there's a window where pings from one of my inside machines to google will work and once the services are done reloading they stop working again.  That leads me to believe there's something in the pf I'm missing but I don't know what. My rules are pretty basic.

But then again that doesn't explain why I see the outbound packets on the WAN interface during my testing.

I could really use some help on how to troubleshoot this further.

[SeeJayEmm]

Going to keep adding my troubleshooting in hopes someone sees this and can help me out.

I saw a post online suggesting to check "Request only an IPv6 prefix".  I did this. Surprisingly pings from my test system out started working. Wanted to see if this was a reproducible solution I unchecked the box and saved, ping briefly dropped and then came back again. Once more I checked it and same thing, pings dropped briefly and came back.

I'm at a complete loss.  Checking the box, in and of itself, doesn't seem to be the solution just the fact that I toggled it.  I'm not in a position to reboot but tomorrow I plan on rebooting to see if a) the pings continue to work and if not, if b) toggling that checkbox fixes it again.

[opnfwb]

I've had Spectrum cable internet service in the past and one thing that did then was to associate their IPV6 PD with the MAC of the device on the modem.

For instance, say you had your router plugged in to the modem, and then you swap in your laptop directly to the modem. If the modem wasn't power cycled, it would not issue any IPv6 addresses to the "new" MAC on the laptop.

I'm not sure if this is your exact scenario but, if you spoofed a WAN MAC address on the OPNsense box, or if you changed interfaces (new MAC on a different interface), I've seen this trip up IPV6 PD on Spectrum without also power cycling the modem.

[SeeJayEmm]

Definitely familiar with that issue. Yesterday I did power cycle the CM and then OpnSense in hopes that was part of the issue and it didn't immediately fix anything.

The toggle mentioned in my previous post came after that.

To be clear, IPv4 has been working flawlessly this whole time.

[opnfwb]

One thing I forgot to mention, I've also had to change the IPV6 DUID in some cases to get a new PD issued.

Basically what I think is happening is the ISP is issuing a PD and then won't "release" another one to you until some pre-defined time limit on their end. Usually 24-72 hours. This can make getting an IPv6 PD really frustrating because it looks like an OPNsense issue but in my experience with Spectrum, ATT Fiber, and Google Fiber, they all do the same thing. Also, in the case of Google fiber it takes 5 minutes after a reboot to get an IPv6 PD. The firewall won't immediately come up with a prefix. If I reboot sometimes I'll have to manually go in and restart radvd and my wan6 gateway pinger to get the monitor to start tracking the interface again.

So, after all that, this is what I would try and see if you can consistently get a prefix assigned.

1. Turn off the cable modem
2. In the OPNsense web interface, go to your WAN assigned NIC and change the spoofed MAC address, save your changes (it will take a while because OPNsense will try to renew the WAN interface and we unplugged the modem in step 1)
3. Go to Interfaces/Settings and generate a new IPv6 DHCP DUID. In my experience it doesn't matter which one you use, just generate a new one and click "save". Again it may take a while to save because OPNsense will go through a WAN renew script and we still have the cable modem offline.
4. Shutdown the OPNsense box.
5. Plug the cable modem in and let it come up and initialize the link.
6. Start OPNsense after the cable modem is fully online

The above steps should get you a new IPv4 and IPv6 PD every time. I realize you aren't having an issue with IPv4 but that's the nature of changing the MAC and DUID. Most ISPs seem to base their IPv6 PD on some combo of MAC/DUID, that's why I change both if I'm trying to get a new PD.

Sorry for the long post, I hope this helps.