IPv6 works from the clients (aka LAN), but not from the router itself

Started by vldid, September 22, 2025, 08:34:17 AM

IPv4 works fine everywhere.

IPv6 works from the clients (aka LAN), but fails from the router itself. E.g., connectivity audit resolves, but fails to ping mirror.sfo12.us.leaseweb.net. Likewise, from the CLI:

# host google.com | grep -i ipv6
google.com has IPv6 address 2607:f8b0:4007:809::200e

# curl --connect-timeout 10 "http://[2607:f8b0:4007:809::200e]"
curl: (28) Connection timed out after 10045 milliseconds

IPv6 works fine from the router to clients. Only the WAN side is broken.

The router is connected to WebPass and gets a proper /56 - as evidenced by clients working fine.

I suspect I've overlooked an "allow" rule for "This Firewall" in addition to the "Automatically generated rules." Are there examples of relevant allow-rules somewhere I can compare to?

Per default, the firewall itself can do anything it pleases - i.e., if you did not block it.

Does your WAN have an IPv6 assigned (Interfaces->Overview)? You can get that via a single (/128) IA_NA address or, if you set "Request prefix only" and an otherwise unused prefix ID, via a /64 subnet of the /56 IA_PD prefix that the ISP gives you.

I assume an IPv6 route is in place, otherwise your clients would not be able to reach IPv6 targets.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
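
The check suggested in the reply above, as an added example that is not part of the original thread: it reports whether a WAN interface holds a global IPv6 address and computes which /64 a prefix ID selects inside a delegated prefix. The interface name `igc0`, the FreeBSD-style `ifconfig` text, the 2001:db8:: documentation addresses and the hex prefix ID are constructed assumptions.

```python
import ipaddress
import re

# Constructed FreeBSD-style `ifconfig` output for a WAN interface; the
# interface name and all addresses are made-up sample values.
WAN_LINK_LOCAL_ONLY = (
    "igc0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
    "\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255\n"
    "\tinet6 fe80::2e0:4cff:fe68:1%igc0 prefixlen 64 scopeid 0x1\n"
)
WAN_WITH_GLOBAL = (
    WAN_LINK_LOCAL_ONLY
    + "\tinet6 2001:db8:ab00:ff:2e0:4cff:fe68:1 prefixlen 64\n"
)

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def global_inet6(ifconfig_text):
    """Return the global unicast IPv6 addresses found in ifconfig output."""
    found = []
    for match in re.finditer(r"^\s*inet6\s+(\S+)", ifconfig_text, re.M):
        # Drop the %zone suffix that link-local addresses carry.
        addr = ipaddress.IPv6Address(match.group(1).split("%")[0])
        # 2000::/3 excludes link-local (fe80::/10) and ULA (fc00::/7).
        if addr in GLOBAL_UNICAST:
            found.append(addr)
    return found


def subnet_for_prefix_id(delegated, prefix_id_hex):
    """Return the /64 that a hex prefix ID selects inside a delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    prefix_id = int(prefix_id_hex, 16)
    # A /56 leaves 8 bits for the ID, so valid IDs are 0x00 through 0xff.
    if prefix_id >= 1 << (64 - net.prefixlen):
        raise ValueError("prefix ID does not fit in the delegated prefix")
    base = int(net.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


if __name__ == "__main__":
    print("link-local only:", global_inet6(WAN_LINK_LOCAL_ONLY))
    print("with global:    ", global_inet6(WAN_WITH_GLOBAL))
    print("ID ff in /56:   ", subnet_for_prefix_id("2001:db8:ab00::/56", "ff"))
```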

OK, I will check all you mentioned, thank you! But at a glance, all seems compliant. I also assume that the outgoing traffic from inside OPNsense is not subject to the "Default deny / state violation rule".

I also found this ticket, which sounds suspiciously similar. Will check it as well.

Thank you for checking it out!