Can't make IPv6 work

[muchacha_grande]

Hi,
my ISP recently implemented IPv6. I have an optic fibre GPON terminal and an OPNSense box on a DMZ IP, so my network is nated twice and it works fine.
When I set the WAN interface to get an IPv6 via DHCPv6, I can ping the Internet from the WAN interface of the OPNSense box, but not from the LAN interface. I tested setting LAN as track interface and fixed IPv6, but nothing.
One thing I noted is that the IPv6 gateway is set as fe80::1.
May be someone can give me an idea.
Thanks..

[Greelan]

Is IPv6 allowed under Firewall>Settings>Advanced?

[muchacha_grande]

Thank you for your reply.

Is IPv6 allowed under Firewall>Settings>Advanced?

Yes it is. As it comes as default.

[Greelan]

Have you set the correct prefix delegation size on the WAN interface?

I'd also check that you've selected an appropriate Router Advertisement mode under Services>Router Advertisements (eg "Stateless" if you intend using SLAAC). You may need to enable "Allow manual adjustment of DHCPv6 and Router Advertisements" under the Interfaces menu for the relevant interface for this purpose.

[muchacha_grande]

I think that my ISP is assigning me a /64 network. I discovered that by accident when I connected my PC directly to the ISP router modem and I realize that I had IPv6 connectivity.
Then I analyzed the addresses assigned by the router and saw that they are composed of 64 bits of the assigned network and 64 bits taken from the local link IPv6 address of the PC.
So my conclusion is that the ISP is delegating me a 64 bit network. May be I'm a bit confused on the subject.
Also I saw that the default gateway was set to fe80::1.
After that, I enabled IPv6 on the WAN interface of OPNSense and it took the corresponding /64 address and the gateway.
I tried using DHCP, SLAAC, and fixed address. Only worked with DHCP and fixed address.
Then I enhabled IPv6 on the different VLAN interfaces I have. I tried using tracking, SLAAC and fixed address.
I didn't get IPv6 automatically so I set it manually but using /80 prefix, son each VLAN had a different IPv6 network, as I use with IPv4.
The problem is that I can't ping google from any VLAN interface, but I works from WAN.
It seems that OPNSense were not routing. But given my weak knowledge on IPv6 it's more likely that I'm doing something wrong.

[Greelan]

Sounds like what is happening is that the ISP router is taking the prefix, which means OPNsense can’t get anything. (The only thing it is getting is an address on its WAN address from the ISP router out of the prefix - ie the OPNsense box is treated like any other host on the LAN side of the network from the ISP router.)

I don’t have a double router setup like you but I think what you probably need to do is disable IPv6 on the ISP router so that it doesn’t get in the way. Not sure whether you then need to bridge it to OPNsense.

Unless your ISP is really stingy I reckon you are getting a larger prefix, like a /60 or even a /56. You are seeing a /64 on your PC when connecting likely because your router is configured to hand that out (either it has a prefix ID set for that interface or is simply handing out the lowest /64 out of the delegated prefix). Check with your ISP to find out what prefix size they give out or just google it.

You should be getting two things from your ISP - a /64 out of which a /128 is assigned to your WAN interface, and then a separate prefix (as I said, likely /60 or even /56) out of which /64s can be allocated on the LAN side (using prefix IDs of 0-F for a /60 prefix and 00-FF for a /56 prefix).

You really should be keeping your LAN side networks as /64. That’s the basic assumption for IPv6 (eg SLAAC does not work with smaller networks) and you are likely to encounter other issues with something like /80 networks.

[muchacha_grande]

Thank you for your very clear explanation.
In my experience, I can say that my ISP is not stingy in that sense, but it is very reserved in the way they provides the service. They don't allow me to set anything on the modem, so the only thing I can ask them to modify is the WiFi and a DMZ. Of course, I turned off the modem WiFi and set a DMZ to OPNSense box, so I can control my own WiFi inside my LAN.
Now, with the implementation of IPv6, I don't know how they will treat that service because they didn't even officially talked about this yet.
I searched for information on the web, but is too soon to find something.
I think in the future, we will find out how it works. That is the way that ISPs work here in Argentina.
They give a basic service and you don't ask questions.

With the information you gave me, I will make some more tests.

Thank you very much