IPv6 - struggling to configure for it.

Started by v81, September 18, 2025, 11:10:36 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
September 18, 2025, 11:10:36 AM
Have been running OPNsense for about 8 months.

Very keen to get onboard with IPv6

ISP is Superloop - Australia, Fibre To the Home (IPoE)
I believe they offer /56 or /60 networks.
Hardware is a generic Intel N150 unit with 4 x 2.5GbE interfaces.
LAN on ETH0, WAN on ETH3

OPNsense is at 10.0.10.1/24

Interfaces > WAN is enabled, IPv6 config = DHCPv6

DHCPv6 client configuration... picture attached
You cannot view this attachment.

Have tried variations of Request prefix only and Send prefix hint

Interfaces > LAN is enabled, IPv6 config = Track Interface
Track IPv6 Interface...
Parent interface = WAN
Assign prefix ID = 0
Optional interface ID = blank

Overview picture attached...
You cannot view this attachment.

Also Overview - WAN - Details...
"Dynamic IPv6 prefix received   2401:xxxx:2c11:d300::/56"

Services: ISC DHCPv6: [LAN]...
Enabled
Range 2401:****:2c11:d300::1000 - 2401:****:2c11:d300::2000
Leases = none

From the router shell i can ping-6 opnsense.org
Code Select
root@OPNsense:~ # ping -6 opnsense.org
PING(56=40+8+8 bytes) 2401:****:2c00::11d3 --> 2001:1af8:2050:a001:1::1
16 bytes from 2001:1af8:2050:a001:1::1, icmp_seq=0 hlim=55 time=246.099 ms
16 bytes from 2001:1af8:2050:a001:1::1, icmp_seq=1 hlim=55 time=246.149 ms
16 bytes from 2001:1af8:2050:a001:1::1, icmp_seq=2 hlim=55 time=246.054 ms
^C
--- opnsense.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 246.054/246.101/246.149/0.039 ms

Indeed going insane here...
Learned a thing about packet capture, my first time, hope this helps...
The following captured during and after a 'dhclient -r' and 'dhclient' on a Linux Mint notebook.
Code Select
LAN (removed for brevity following lines)
igc0 2025-09-18 (removed for brevity following lines)
18:58:49.805826 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2600:1901:0:38d7::, source address fe80::5a4e:3549:c55f:c81a, length 88

18:58:54.688015 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 86: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, neighbor solicitation, who has fe80::5a4e:3549:c55f:c81a, length 32

18:58:54.762335 80:30:49:a4:ca:c7 00:d0:b4:04:45:94 IPv6, length 78: fe80::5a4e:3549:c55f:c81a > fe80::2d0:b4ff:fe04:4594: ICMP6, neighbor advertisement, tgt is fe80::5a4e:3549:c55f:c81a, length 24

18:58:54.857481 80:30:49:a4:ca:c7 00:d0:b4:04:45:94 IPv6, length 86: fe80::5a4e:3549:c55f:c81a > fe80::2d0:b4ff:fe04:4594: ICMP6, neighbor solicitation, who has fe80::2d0:b4ff:fe04:4594, length 32

18:58:54.857542 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 78: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, neighbor advertisement, tgt is fe80::2d0:b4ff:fe04:4594, length 24

18:59:01.371127 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2a04:4e42::347, source address fe80::5a4e:3549:c55f:c81a, length 88

18:59:01.371460 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2a04:4e42::347, source address fe80::5a4e:3549:c55f:c81a, length 88

18:59:01.376861 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2a04:4e42:400::347, source address fe80::5a4e:3549:c55f:c81a, length 88

18:59:01.376914 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2a04:4e42:400::347, source address fe80::5a4e:3549:c55f:c81a, length 88

18:59:06.997556 00:d0:b4:04:45:94 33:33:00:00:00:01 IPv6, length 166: fe80::2d0:b4ff:fe04:4594 > ff02::1: ICMP6, router advertisement, length 112

18:59:08.046710 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2600:1901:0:38d7::, source address fe80::5a4e:3549:c55f:c81a, length 88

18:59:11.056660 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:802::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:11.056861 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:803::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:11.057074 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:800::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:11.057248 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:801::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:13.053724 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:802::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:13.053954 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:803::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:13.054224 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:800::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:13.054437 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:801::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:16.067026 00:11:32:41:3e:9b 00:d0:b4:04:45:94 IPv6, length 86: fe80::211:32ff:fe41:3e9b > fe80::2d0:b4ff:fe04:4594: ICMP6, neighbor solicitation, who has fe80::2d0:b4ff:fe04:4594, length 32

18:59:16.067150 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 78: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, neighbor advertisement, tgt is fe80::2d0:b4ff:fe04:4594, length 24

18:59:16.330020 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 86: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, neighbor solicitation, who has fe80::211:32ff:fe41:3e9b, length 32

18:59:16.330156 00:11:32:41:3e:9b 00:d0:b4:04:45:94 IPv6, length 78: fe80::211:32ff:fe41:3e9b > fe80::2d0:b4ff:fe04:4594: ICMP6, neighbor advertisement, tgt is fe80::211:32ff:fe41:3e9b, length 24

18:58:49.805826 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2600:1901:0:38d7::, source address fe80::5a4e:3549:c55f:c81a, length 88

18:58:54.688015 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 86: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, neighbor solicitation, who has fe80::5a4e:3549:c55f:c81a, length 32

18:58:54.762335 80:30:49:a4:ca:c7 00:d0:b4:04:45:94 IPv6, length 78: fe80::5a4e:3549:c55f:c81a > fe80::2d0:b4ff:fe04:4594: ICMP6, neighbor advertisement, tgt is fe80::5a4e:3549:c55f:c81a, length 24

18:58:54.857481 80:30:49:a4:ca:c7 00:d0:b4:04:45:94 IPv6, length 86: fe80::5a4e:3549:c55f:c81a > fe80::2d0:b4ff:fe04:4594: ICMP6, neighbor solicitation, who has fe80::2d0:b4ff:fe04:4594, length 32

18:58:54.857542 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 78: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, neighbor advertisement, tgt is fe80::2d0:b4ff:fe04:4594, length 24

18:59:01.371127 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2a04:4e42::347, source address fe80::5a4e:3549:c55f:c81a, length 88

18:59:01.371460 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2a04:4e42::347, source address fe80::5a4e:3549:c55f:c81a, length 88

18:59:01.376861 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2a04:4e42:400::347, source address fe80::5a4e:3549:c55f:c81a, length 88

18:59:01.376914 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2a04:4e42:400::347, source address fe80::5a4e:3549:c55f:c81a, length 88

18:59:06.997556 00:d0:b4:04:45:94 33:33:00:00:00:01 IPv6, length 166: fe80::2d0:b4ff:fe04:4594 > ff02::1: ICMP6, router advertisement, length 112

18:59:08.046710 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2600:1901:0:38d7::, source address fe80::5a4e:3549:c55f:c81a, length 88

18:59:11.056660 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:802::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:11.056861 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:803::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:11.057074 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:800::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:11.057248 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:801::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:13.053724 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:802::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:13.053954 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:803::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:13.054224 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:800::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:13.054437 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, destination unreachable, beyond scope 2404:6800:4015:801::200a, source address fe80::211:32ff:fe41:3e9b, length 88

18:59:16.067026 00:11:32:41:3e:9b 00:d0:b4:04:45:94 IPv6, length 86: fe80::211:32ff:fe41:3e9b > fe80::2d0:b4ff:fe04:4594: ICMP6, neighbor solicitation, who has fe80::2d0:b4ff:fe04:4594, length 32

18:59:16.067150 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 78: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, neighbor advertisement, tgt is fe80::2d0:b4ff:fe04:4594, length 24

18:59:16.330020 00:d0:b4:04:45:94 00:11:32:41:3e:9b IPv6, length 86: fe80::2d0:b4ff:fe04:4594 > fe80::211:32ff:fe41:3e9b: ICMP6, neighbor solicitation, who has fe80::211:32ff:fe41:3e9b, length 32

18:59:16.330156 00:11:32:41:3e:9b 00:d0:b4:04:45:94 IPv6, length 78: fe80::211:32ff:fe41:3e9b > fe80::2d0:b4ff:fe04:4594: ICMP6, neighbor advertisement, tgt is fe80::211:32ff:fe41:3e9b, length 24

18:59:30.751565 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 1294: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2606:4700:3035::ac43:91e7, source address fe80::5a4e:3549:c55f:c81a, length 1240

18:59:30.751599 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 1294: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2606:4700:3035::ac43:91e7, source address fe80::5a4e:3549:c55f:c81a, length 1240

18:59:30.800983 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2606:4700:3035::ac43:91e7, source address fe80::5a4e:3549:c55f:c81a, length 88

18:59:30.854475 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 1294: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2606:4700:3035::ac43:91e7, source address fe80::5a4e:3549:c55f:c81a, length 1240

18:59:30.751565 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 1294: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2606:4700:3035::ac43:91e7, source address fe80::5a4e:3549:c55f:c81a, length 1240

18:59:30.751599 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 1294: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2606:4700:3035::ac43:91e7, source address fe80::5a4e:3549:c55f:c81a, length 1240

18:59:30.800983 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 142: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2606:4700:3035::ac43:91e7, source address fe80::5a4e:3549:c55f:c81a, length 88

18:59:30.854475 00:d0:b4:04:45:94 80:30:49:a4:ca:c7 IPv6, length 1294: fe80::2d0:b4ff:fe04:4594 > fe80::5a4e:3549:c55f:c81a: ICMP6, destination unreachable, beyond scope 2606:4700:3035::ac43:91e7, source address fe80::5a4e:3549:c55f:c81a, length 1240
For a moment yesterday i thought i almost had it..
An ipconfig on girlfriends laptop showed an ipv6 address, ran a ping -6 google.com
Got a timeout, a reply and then 2 more timeouts.


On the same internet connection i have tried a GL.iNet Beryl router, enabled IPv6 and it worked right away.

I'm open to wiping / re-configuring the opnsense unit, but i do have a detailed AdGuard home config in it that i don't want to lose.
Aside from taking an image, I'm not sure i can back this up. Still a way to learn with this.
May virtualise it next time around, but I'm vaguely in the school of a router should be on bare metal.

I hope I've included enough detail.
Any assistance greatly appreciated.
September 18, 2025, 11:16:47 AM #1
1. Learn to discriminate between IA_NA (that is the /128 IPv6 your WAN can be assigned - in your case, it is) and IA_PD (that is the /56 prefix that gets delegated to your LAN(s) as /64 with a selectable 8-bit prefix ID).

2. You can actually use the IA_PD for your WAN as well by using a prefix ID that is different from all LAN prefix IDs by selecting "use prefix only" on the WAN IPv6 configuration.

3. I would refrain from using DHCPv6 on LAN and use SLAAC instead.

All of this is explained here. Remember: Try to use the tutorial section as often as possible - it has some very valuable information.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
September 18, 2025, 02:53:44 PM #2
I can't say i understand much of what you're saying.

I'm trying hard, really, but after a week of reading a significant amount of material I'm out of gas.

I think i can understand IA_NA(searched, got IANA, but i don't think you mean this) is like a public IPv6 address, and IA_PD (PD= prefix delegation?)
Ok, so how do i discriminate, what am i missing? Are you saying i have something configured wrong? Can you be more specific?

I have attempted to read the material you linked, but I'm just not grasping it.
Acronyms that have no meaning to me and slashes all over the place.. i get they're subnets.. but i barely know what a subnet is

I was really hoping for a checkbox called auto.. but clearly there isn't one.

I'm pushing against the edge of my ability and understanding here.
I came from a reddit post saying it was crazy how so many people were still not using IPv6 and that it's easier than IPv4 to configure.
I'd kick that dude in the ass if i could, they're clearly factually incorrect.
I can configure IPv4, maybe not terribly well, but i can do it. IPv6, after spending 2-6 hours a day on this for a week.. nothing.
I've learned to capture packets, have learned many other tricks.. but i just want damn IPv6.

I've looked at the tutorial you've described... followed it.. nothing.
I'm clearly missing something, I'd love for someone to actually take me through some REAL diagnostic steps. - reason i did the capture.

Really not trying come off as a prick, but Is there anyone that can actually help, instead of pointing to tutorials/guides that don't work for me.
Because... i have tried them, many of them. And now i have nothing left to try.
September 18, 2025, 03:18:05 PM #3
Your WAN interface looks good. You have a prefix of length /56 delegated - that means you can run up to 256 internal interfaces. You should put 56 instead of 60 in the WAN configuration.

Disable DHCPv6 on LAN - it's not necessary.

Now your LAN needs an IPv6 address. Did you configure that as "track interface" with WAN as the one to track? It looks like you did because it does have an address.

Now all you need to do is

- enable router advertisements on LAN
- add a firewall rule on LAN permitting IPv6 if not already present
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 18, 2025, 03:28:01 PM #4
First off, OpnSense ist not your average consumer appliance that "just works" - but you have discovered that already. It is a professional tool with many bells and whistles. Alas, some knobs have to be turned to achieve the desired results.

Second off, networking is hard and not for the faint of heart.

To make it somewhat easier, there are HOWTOs in the tutorial section (some of which I wrote). Alas, and I also do not want to sound condescending, but if you cannot follow those, you may really be pushing on the edge of your ability.

If you have specific questions, we can answer them here, but it is very hard to lead you to an installation that has undergone "many tutorials" already (and mixing them). I understand the impulse to follow Youtube tutorials that give the impression that this is "all easy" and more often than not, are outdated and made by people who want the clicks and do not have deep OpnSense knowledge.

Maybe it would help you to ask a friend with knowledge in the field to configure OpnSense for you.

And all I wanted to point you to is that the default of having OpnSense's WAN IPv6 assigned from a different range of IPv6 (namely a single IA_NA address) than the LAN(s) (namely IPv6 /64 subnets that are extracted out of a /56 IA_PD prefix) makes it harder to see what is going on, because the IPv6 that you use from OpnSense's WAN will be much different from the LAN subnet IPv6s.

Plus, you try to use DHCPv6 on the LAN side, which is suboptimal in most consumer-type internet access scenarios.

Also, IDK how you have set up your firewall rules for IPv6.

All of the why and how is explained in the HOWTO - that is why I wrote it, but, alas, I cannot explain it any better than that.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
September 19, 2025, 06:47:54 AM #5
Quote from: Patrick M. Hausen on September 18, 2025, 03:18:05 PMYour WAN interface looks good. You have a prefix of length /56 delegated - that means you can run up to 256 internal interfaces. You should put 56 instead of 60 in the WAN configuration.

Disable DHCPv6 on LAN - it's not necessary.
Do you mean Services - ISC DHCPv6 or the LAN IPv6 config type?
If the later I've never had DHCPv6 on the LAN interface
For Interfaces-LAN I've been trying both Track WAN and SLAAC
I'll set Track WAN now.
One thing i don't think I've tried is 56 in the wan config.
Much of the comment about the ISP is that they offer a /60, so was going with that.
I could be wrong here, but i was also under the impression that erring toward a smaller subnet would still work.

QuoteNow your LAN needs an IPv6 address. Did you configure that as "track interface" with WAN as the one to track? It looks like you did because it does have an address.
This is true for most of my attempts.
QuoteNow all you need to do is

- enable router advertisements on LAN
This is set to "Assisted"
Quote- add a firewall rule on LAN permitting IPv6 if not already present
There does appear to be a pass rule, looks healthy and enabled.

If it matters, in

    System: Gateways: Configuration
The IPv6 address on the gateway is an fe80 address.
I hear fe80 is link local, but on ipv6 that might be ok?
thought i'd mention it, wasn't sure if this was supposed to be like that.

This is the part when i pull the trigger and find that yet again it still doesn't work...

Code Select
v81@V81-notebook:~$ ping -6 opnsense.com
PING opnsense.com (2001:1af8:2050:a001:1::1) 56 data bytes
64 bytes from 2001:1af8:2050:a001:1::1: icmp_seq=1 ttl=54 time=312 ms
64 bytes from 2001:1af8:2050:a001:1::1: icmp_seq=2 ttl=54 time=301 ms
64 bytes from 2001:1af8:2050:a001:1::1: icmp_seq=3 ttl=54 time=426 ms
64 bytes from 2001:1af8:2050:a001:1::1: icmp_seq=4 ttl=54 time=421 ms
^C
--- opnsense.com ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4448ms
rtt min/avg/max/mdev = 300.995/364.978/426.259/58.785 ms
OK... the next hardest part is trying not to get too excited, and me mistaken for a teenager when i'm a middle aged man.
That's just fantastic. I'd love to know the exact part that made it work.
2 things i can think of...
1) Setting prefix delegation to /60 instead of the/56 it is now.
2) ISC DHCPv6 off (I was under the impression even though the ISP hands me a subnet i still needed a service to allocate it to my internal clients)
May be i toggled something else without knowing too.

I'm incredibly grateful for your assistance.
PS - That latency.. that's quite a bit.  Cloudflare.com was ~ 10ms
September 19, 2025, 07:58:32 AM #6
Set the router advertisements to unmanaged and you are good to go. IPv6 does not need DHCP, everything is configured automatically. All networks are the same size. That's why people claim it's simpler than IPv4.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 19, 2025, 09:23:56 AM #7
If both /60 and /56 are supported, both will work, so if you got a prefix with both, they all will be fine. You just have less subnets available (16 instead of 256).

You should use unmanaged mode - DHCPv6 should at the maximum be used for supplying DNS servers and then, it is still problematic with changing IPv6 prefixes. SLAAC tells clients to change IPs immediately, while DHCPv6 does not. Also, there is no definitive priority for DNSv4 vs. DNSv6, therefore I personally use DNSv4 only and then, you do not need DHCPv6 at all.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
September 19, 2025, 02:21:24 PM #8
Quote from: meyergru on September 18, 2025, 03:28:01 PMFirst off, OpnSense ist not your average consumer appliance that "just works" - but you have discovered that already. It is a professional tool with many bells and whistles. Alas, some knobs have to be turned to achieve the desired results.
Yep, appreciate all that.
I'm looking to challenge myself a little... maybe ended up a little too much.
I've come from Ubiquiti gear, some frustration combined with hardware failures had me sick of it.
QuoteSecond off, networking is hard and not for the faint of heart.
I honestly thought i had a decent understanding of the basic stuff, enough to at least push forward a little.
I've never considered myself any kind of guru, just decently competent at the basics.
QuoteTo make it somewhat easier, there are HOWTOs in the tutorial section (some of which I wrote). Alas, and I also do not want to sound condescending, but if you cannot follow those, you may really be pushing on the edge of your ability.
I understand where you're coming from here... plenty of people go begging for help without making an effort. You'll have to trust me on this.. I didn't just roll out of bed and post here to be spoon fed. I'm a week into trying this.
I've followed several guides, mostly the documentation, but i did follow the guide you posted and came out no better.
I doubt it's a bad guide, i did suspect the issue was more my end, something i was missing or not understanding.
After more reflection i think it might have been that I'd thought ISC DHCPv6 was supposed to be on by default. It's been on i think all through my attempts, I'd thought it was on by default, and i think my ultimate issue might be this.
I'd say there is a fair chance if I'd simply turned this off your guide would have worked.
But please, have no doubt i did follow your guide.
QuoteIf you have specific questions, we can answer them here, but it is very hard to lead you to an installation that has undergone "many tutorials" already (and mixing them). I understand the impulse to follow Youtube tutorials that give the impression that this is "all easy" and more often than not, are outdated and made by people who want the clicks and do not have deep OpnSense knowledge.

Maybe it would help you to ask a friend with knowledge in the field to configure OpnSense for you.

And all I wanted to point you to is that the default of having OpnSense's WAN IPv6 assigned from a different range of IPv6 (namely a single IA_NA address) than the LAN(s) (namely IPv6 /64 subnets that are extracted out of a /56 IA_PD prefix) makes it harder to see what is going on, because the IPv6 that you use from OpnSense's WAN will be much different from the LAN subnet IPv6s.
This part I'm still not grasping, and to do you the justice of what you've written i'm going to look into it more.
I'm pretty sure I'm in a scenario here where EVERYTHING you end up looking at to learn more just assumes you already know.
Literally searching for 'IA_NA IA_PD' and 'what does IA_NA and IA_PD mean' leave me with results using those terms over and over... but not answering what they're an acronym for.
QuotePlus, you try to use DHCPv6 on the LAN side, which is suboptimal in most consumer-type internet access scenarios.
Not sure if there is a mistake here, as far as I'm aware I've only ever use Track Interface (WAN) or SLAAC.
Are you referring to Services -> ISC DHCPv6?
If so then i'd agree, this might have been where i went wrong.
I'd thought it was always this way, and i could have been wrong about that.
Also thinking in IPv4... you need something to.... configure a host looking for a config... so i assumed it natural to need to run a DHCP server for v6. Clearly i was wrong, and i think several biases and.. yes, it is indeed fair to say previous tutorials might very much have polluted the process.
Lesson learned there.
QuoteAlso, IDK how you have set up your firewall rules for IPv6.

All of the why and how is explained in the HOWTO - that is why I wrote it, but, alas, I cannot explain it any better than that.
You've take time out of your day to help.. not a lot of people make time for that these days.
It's much appreciated.
Apologies for not replying earlier, i took too long on the last reply and made myself late for a docs appointment... lol.
September 19, 2025, 02:29:27 PM #9
Quote from: Patrick M. Hausen on September 19, 2025, 07:58:32 AMSet the router advertisements to unmanaged and you are good to go. IPv6 does not need DHCP, everything is configured automatically. All networks are the same size. That's why people claim it's simpler than IPv4.
Is that 'disabled' by chance?
Only 2 options are 'Assisted' and 'Disabled'
September 19, 2025, 02:51:38 PM #10
See screen shot.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Print
Go Up Pages1
User actions