Problems with IPv6 subnetting

[XerXes]

Hi,

I'm having problems with setting up working IPv6 on my OPNsense installation running on Proxmox. I have a /56 assigned from Hetzner.

This is the /etc/network/interfaces of the host machine:

Code Select Expand

# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp4s0
iface enp4s0 inet static
        address x.x.1x.x/26
        gateway x.x.x.1
        up route add -net 94.130.161.0 netmask 255.255.255.192 gw 94.130.161.1 dev enp4s0
        post-up sysctl -w net.ipv4.ip_forward=1
        post-up sysctl -w net.ipv6.conf.all.forwarding=1
        post-up iptables -t nat -A PREROUTING -i enp4s0 -p tcp -m multiport ! --dport 22535,8006 -j DNAT --to 10.10.10.1
        post-up iptables -t nat -A PREROUTING -i enp4s0 -p udp -j DNAT --to 10.10.10.1
# route x.x.x.0/26 via 94.130.161.1

iface enp4s0 inet6 static
        address 2a01:xxxx:xxxx:f300::1/128
        gateway fe80::1

iface enp4s0 inet6 static
        address 2a01:xxxx:xxxx:2b1d::/64
        gateway fe80::1

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.10.10.0/31
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up iptables -t nat -A POSTROUTING -s '10.10.10.1/31' -o enp4s0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.1/31' -o enp4s0 -j MASQUERADE
#OPNSense WAN - Proxmox LAN

iface vmbr0 inet6 static
        address 2a01:xxxx:xxxx:f300::1336/127
        up ip -6 route add 2a01:xxxx:xxxx:f300::/56 via 2a01:xxxx:xxxx:f300::1337 dev vmbr0

auto vmbr1
iface vmbr1 inet manual
        ovs_type OVSBridge
#VM Net

I can ping both the host machine (f300::1336) and the OPNsense (f300::1337) from the internet.

WAN interface is setup like this:

Code Select Expand

IPv6  address: 2a01:xxxx:xxxx:f300::1337/127
Gateway: 2a01:xxxx:xxxx:f300::1336
Block bogon networks checked

The gateway shows up as online.

I have created a VLAN called DMZ, with the following setup:

Code Select Expand

IP address: 2a01:xxxx:xxxx:f301::1/64
Gatewaay: Auto-detect
Nothing else is checked

The situation is as follows, I can ping the internet from inside of the VM's assigned to this VLAN, IPv6 is working, HOWEVER I cannot access / ping these VM's from the outside, not from the host machine, not from the internet.

So if I ping 2a01:4f8:13b:f301::1234 (which is assigned to my mail server), I will get address unreachable. It is probably some stupid thing I'm not getting (I'm a beginner), so any help or poke in the right direction would be greatly appreciated.

Thanks in advance.

[Saarbremer]

Hi,

did you enable incoming traffic (e.g. ICMP) for IPv6 on WAN for your DMZ host(s)?

Firewall -> Rules -> WAN

[XerXes]

That is actually my first rule on the WAN interface:

Code Select Expand

Protocol Source Port Destination Port Gateway Schedule Description
IPv6 ICMP * * * * * * Allow ICMP

[Patrick M. Hausen]

Change:

IPv6 ICMP

to:

IPv6 IPV6-ICMP

[XerXes]

Changed. I'm posting whole IPv6, because it doesn't matter anyway:

When I ping the DMZ IP address now, this shows up:

Code Select Expand

PING 2a01:4f8:13b:f301::1337(2a01:4f8:13b:f301::1337) 56 data bytes
From 2a01:4f8:13b:2b1d:: icmp_seq=1 Destination unreachable: Address unreachable

It's showing completely different IP, not unknown actually, this IP is assigned to enp4s0 interface, but shouldn't have anything to do with OPNsense.

EDIT: If I remove the IP from /etc/network/interfaces on the host, it still shows up this:

ping -6 2a01:4f8:13b:f301::1
PING 2a01:4f8:13b:f301::1(2a01:4f8:13b:f301::1) 56 data bytes
From 2a01:4f8:13b:f300::1336 icmp_seq=1 Destination unreachable: Address unreachable

Could this line in /etc/network/interfaces be a problem?

up ip -6 route add 2a01:4f8:13b:f300::/56 via 2a01:4f8:13b:f300::1337 dev vmbr0

[Patrick M. Hausen]

What is /etc/network/interfaces? Doesn't look like OPNsense to me?

[XerXes]

OPNsense is running on Proxmox. So /etc/network/interfaces is Debian 12 running Proxmox. I'm trying to route IPv6 prefix /56 I have from Hetzner to OPNsense (I also have original /64 from them, haven't found use for it yet).

IPv4 is working fine, only with IPv6 I can ping f300::1337, which is OPNsense WAN from the internet, but can't ping f301::1 (VLAN DMZ), etc.

I think /etc/network/interfaces is somehow configured wrong.

[Patrick M. Hausen]

Sorry, no idea. I never used Proxmox.

[Saarbremer]

Hi,

first: The IP in a line "From $IP" is the IP of the device telling you that it can't reach the address.

Please check the routes in proxmox. Unfortunately, I have no experience with proxmox and cannot help you with this.

[Maurice]

Weird thing is that you're saying the host 2a01:4f8:13b:f301::1234 has working outbound IPv6 Internet connectivity via OPNsense, which makes a routing issue less likely. Did you double check this is actually the case? What does a traceroute from this host to the Internet tell you?

Not a Proxmox expert either and this doesn't look like an OPNsense issue.

Cheers
Maurice