IPv6 Tunnelbroker + ubiquiti switch

[GreenMatter]

I use opnsense as my router which is connected to IPv6 provider via tunnel (tunnelbroker) - all is set as per manual in opnsense docs. Router itself has ipv6 connectivity but none of clients behind US16 switch do. LAN consists of vlans, each of interfaces has its own /64 prefix address (/48 tunnel). I can do ping6 from interface address to outside world. In opnsense dhcpv6 and RA are enabled. Lan clients get ipv6 address assigned but when trying to establish IPv6 communication I receive message "network unreachable". Is there anything else I need to do?

[Maurice]

I can do ping6 from interface address to outside world.

So the tunnel works and you probably have a LAN issue.

"Allow IPv6 to any" firewall rules exist on VLAN interfaces? 'Advertise Default Gateway' is enabled in RA settings?

Cheers
Maurice

[GreenMatter]

I've set floating rules to block ipv6 inbound traffic to local interfaces and to allow all outbound traffic.
DHCPv6 is enabled.
RA is set as "Assisted", Priority - "Normal", Source - "Automatic" and Advertise Default Gateway is enabled...

[Maurice]

I've set floating rules to block ipv6 inbound traffic to local interfaces and to allow all outbound traffic.

Why oh why?

all is set as per manual in opnsense docs

I very much doubt the manual says to create such rules. How is this supposed to work if you block inbound traffic from the (V)LANs?

[GreenMatter]

Hi, You were right, I had floating rules wrongly set. Now I have 2 inbound rules of different directions. And these are the only ipv6 manually created rules. But now is even more strange - within one vlan, 3 (1 windows, 1 debian, 1 Synology) out of 4 (another debian doesn't work) clients were able to establish ipv6 communication. All of them are dhcp6 clients but only those 3 got default route set. And in other 2 vlans, none of clients work - mainly wifi clients - phones and windows desktops. Could this have been related to freeradius being in charge?
EDIT:
That 4th not working debian client upon reloading iface shows: "no link-local IPv6 address for ens256"... It seems like default gateway is not reachable for them as on working clients is set in local address.
EDIT2:
After having manually added to aforementioned 4th client (debian server) gateway (gateway's link-local) all works fine.
So, question is why most of clients in other vlans don't receive default gateway address or don't configure their interfaces upon receiving it?

[GreenMatter]

After having manually added to aforementioned 4th client (debian server) gateway (gateway's link-local) all works fine.
So, question is why most of clients in other vlans don't receive default gateway address or don't configure their interfaces upon receiving it?

Anybody, anything?  :D

[GreenMatter]

Issue in one of clients (above) was caused by its internal routing; that's solved.
But I can't overcome another issue: I've set ipv6 on 4 interfaces and 3 out of them work fine. I can't get it working in that one particular vlan. Clients get ipv6 addresses but no ipv6 DNS (they are set in dhcpv6, radvd is same for all applicable vlans), gateway (link-local) is assigned but not reachable. I've disabled all firewall rules for that vlan leaving only ipv6 floating rules applied and still nothing.
What else may block ipv6 connectivity?

[GreenMatter]

So, I will keep writing my diary to myself  ;)
In vLAN where I can't get ipv6 to work properly, dhcpv6 assigns clients ipv6 from other vlans ranges. I really don't get it as interface, dhcpv6 and radvd settings are the same with exception of vlan bits/numbers for respective networks addresses