Issues with static IPv6 configurations from /56

[EmmyOcelot]

Hey everyone, I was given from my cloud provider OVH a /56 so I wanted to get IPv6 setup for my servers hosted on a proxmox instance I have. OPNsense is virtualized in proxmox and acts as my router for my servers to the internet.

From reading the documentation on OVH's end they statically assigned me a /56 with a gateway, so I cannot use SLAAC or DHCPv6. I can break the /56 into /64's but the way they connect back to the main gateway is by use of the first ip of the first /64 which for this example, would make the gateway ip 4a00::1/64. Each subnet gets a next hop using that first subnet. The first ip of each subnet cant be used either as thats reserved to hop back to the root subnet. The way I plan to break these is as follows:

• 4a02::/64 via a next hop of 4a00::3/64 (This will be used as my primary LAN)
• 4a01::/64 via a next hop of 4a00::2/64 (This would become another VLAN in the future)

My end goal is to use all public static IPv6 addresses for my servers behind the LAN with the ability to segment additional VLANs in the future using the other subnets.

On proxmox's end I gave it one of the root ip's 4a00:2/64 for seperate web access.

Now on OPNsense's end, I gave the WAN an ip of 4a00::5/64 with the gateway being 4a00::1. On the LAN side, I gave it an ip of 4a02::1/64. I gave my test vm inside of proxmox an ip of 4a02::11/64 with the gateway of 4a02::1/64.

The current behavior I have right now is as follows on each machine:

• OPNsense VM: It can ping itself internally and externally. It can ping the vm on the LAN. It can ping the OVH gateway and ipv6.google.com
• Test VM: It can ping the LAN gateway but not the internet. It can ping, however, the proxmox hypervisor and the WAN ip of the OPNsense vm
• Proxmox: I can ping both the WAN ip of the OPNsense box and the ip of the test vm. I can even ssh into the test vm from proxmox's shell and vice versa

My main challenge is figuring out how to get the test vm to have internet access using the public subnet. Since I know that OPNsense box can talk to the internet and the test vm can talk to the LAN gateway, I think i've narrowed it down to some configuration inside of OPNsense.

Some solutions I have tried:

• Creating firewall rules on both the LAN and the WAN to allow traffic outbound and inbound for the test VM
• Double checked that IPv6 was up and ensured that 4a00::1/64 is my gateway from OVH
• Adding a outbound NAT rule to allow traffic to the lan to talk externally over the single wan ip

Any ideas on what I should try next or more info would really be appreciated.

[dseven]

I'm not sure if it's just a bad example, but 4a00:: and 4a02:: wouldn't be part of the same /56 !

That aside, for what you're trying to do, there would need to be some way to tell OVH to route prefixes to the WAN address of your OPNsense instance. I'm not sure if OVH offer that. Google finds some people asking for it, but I haven't found any successful reports from a quick look.

You might be able to do something with NAT, but v6 NAT doesn't really seem to work well, though never really tried it myself...

[EmmyOcelot]

I should have been more clear in my example that the subnets im describing are the fourth hexadecimal in. So, my /56 is XXXX:XXXX:XXXX:4a00::/56 and the /64 subnets are modifications to that 4th hexadecimal. (ie XXXX:XXXX:XXXX:4a00::/64 XXXX:XXXX:XXXX:4a02::/64). From my understanding of IPv6, these would be different subnets and should still be apart of the same /56, but correct me if I'm wrong.

As for the current situation, I have yet to see anyone on that uses OVH do this from my google searching. In terms of NAT, I did get NAT66 to work once, but as a test only and that kinda defeats the whole point as to why I want to use IPv6.

[dseven]

Yeah, so I think it's an OVH limitation ... unless there's some way to route prefixes that has not yet come to light......

[EmmyOcelot]

Yeah, there is nothing like that I am aware of. I put a support ticket in with them but wanted to sanity check if it was a simple misconfiguration on my part. If anyone has any ideas or thoughts, I am all ears to give them a listen.

[EmmyOcelot]

Update: solved

After going back and forth with OVH, which told me that:

• The first /64 doesn't work the way I thought it did (i.e., daisy-chaining back to the main subnet)
• They'd get back to me...still waiting on the networking team to get back to me.

I decided to go back and retrace my steps through the OVH control panel for my IPv6 /56 where I could break the subnets into /64's. I looked at the XXXX:XXXX:XXXX:4a02::/64 subnet I made and thought about the fields that were populated for it.

Subnet: XXXX:XXXX:XXXX:4a02::/64
Next-hop address: XXXX:XXXX:XXXX:4a00::3/64

I decided out of curiosity to make this next-hop address my WAN IP in OPNsense, and lo' and behold, it finally worked. OVH was wrong about the root subnet's functionality. My LAN clients can ping the other subnets still, and they can reach the internet just fine; I can even see the traffic in the firewall logs as well getting passed through.
So in order for OPNsense to pass in a subnet from OVH's IPv6 blocks, you have to make the next-hop address for the root subnet the WAN IP in OPNsense. Think this is a small, but very crucial detail OVH should have laid out in their documentation to avoid confusion.

Thanks again, y'all, for the help. Hopefully someone else can use this to avoid the same troubles I did. :/

[dseven]

Nice! That's what I meant by "there would need to be some way to tell OVH to route prefixes to the WAN address of your OPNsense instance" in my original response. Glad you found it!