Topic: NPTv6 for Multi-WAN (Read 4013 times)
mrancier (Newbie, Posts: 34, Karma: 4), on: February 08, 2021, 04:06:53 pm
I am not well versed in IPv6 and am trying to configure load balancing and failover for UVERSE and XFINITY, which are both dual-stack ISPs with PDs. Is there an example configuration for NPTv6 and Multi-WAN IPv6 configuration? The default documentation is written from the POV of previous understanding of the underlying issue.
Thanks in advance.
mrancier (Newbie, Posts: 34, Karma: 4), Reply #1 on: February 10, 2021, 03:00:47 pm
I realize this is not a normal setup by any means, and I do appreciate any help you all can give.
I've done the following, which seems to be working, but I am unsure if it is correct:
I configured the IPv6 gateway group the same as the IPv4 one: weighted 5/4 (WAN1/WAN2).
Created an NPT rule for my XFINITY connection with the source prefix being the UVERSE IPv6 prefix, and the destination being the XFINITY prefix.
Modified the default LAN IPv6 gateway to the IPv6 GW group.
I tested a few times and did see addresses in the XFINITY prefix identified.
Does that seem correct? Is there any additional config needed?
Thanks.
UPDATE:
Forgot to mention that LAN is Tracking UVERSE, so all my clients are getting v6 Addresses on that prefix which is why I only have the one NPT rule.
Last Edit: February 10, 2021, 03:02:30 pm by mrancier
mrancier (Newbie, Posts: 34, Karma: 4), Reply #2 on: February 11, 2021, 12:59:35 am
I've made a small change to the config. I grabbed a ULA prefix from the ultratools ULA generator and set it up as my DHCPv6 range. Configured the LAN IPv6 as a static in the ULA range. Added NPT rules for both GUA prefixes from XFINITY and UVERSE, and configured my RA as assisted. Everything appears to work as desired with the exception of IPv4 fallback. It seems too slow and the IPv6 test sites tend to fail the test about 80% of the time. Does anybody have any ideas as to how to resolve that?
Thanks.
mrancier (Newbie, Posts: 34, Karma: 4), Reply #3 on: February 11, 2021, 01:49:26 am
It seems that devices will prefer an IPv4 address when presented with a ULA IPv6 address.
Is there a way for the LAN interface to track 2 WAN IPv6 prefixes and forgo NPT completely?
Last Edit: February 11, 2021, 04:53:53 am by mrancier
mrancier (Newbie, Posts: 34, Karma: 4), Reply #4 on: February 11, 2021, 03:48:44 pm
In the interest of relaying a complete documented account, here are my findings:
Configuring the IPv6 load balancing with NPT worked as follows:
1. Generate a unique ULA subnet prefix
2. Configure the LAN interface with a static ULA IP on said prefix
3. Configure gateway groups for IPv6 for the GUA of the providers
4. Configure NPT rules corresponding to each of the GUA prefixes from the providers
5. Configure DHCPv6 for the ULA prefix on LAN
6. Configure RA to your convenience, in my case Assisted
Caveats:
So far the only issue is that some clients, Windows clients in particular, tend to prefer connecting on IPv4 when getting a ULA address. There are workarounds (netsh command, GPO(!), etc.), but it might not be convenient for folks with lots of problematic clients. This does not hinder most functionality, but underutilizes IPv6?
If anyone has any feedback on this I would very much appreciate it.
Update:
So, for posterity, the best way to implement NPTv6, if you are fortunate enough to have consistent prefixes, is to track the one interface with set prefix (or set LAN static on it + DHCPv6 + RA) and have a single NPTv6 rule for the prefix on the failover/second WAN. This will give a GUA address for your clients and should mitigate ICMPv6 and IPsec issues. Works quite well, and failover to IPv4 is flawless (seemingly).
Last Edit: February 12, 2021, 03:10:18 am by mrancier
Maurice (Hero Member, Posts: 1213, Karma: 158), Reply #5 on: February 12, 2021, 05:32:43 am
Thanks for documenting this!
GUAs are indeed required to make clients prefer IPv6 over IPv4. You could split one of the PD prefixes into an internal and an external part. If you get 2001:db8::/56 from ISP1, use 2001:db8::/57 as the NPTv6 source (for both rules) and 2001:db8:0:80::/57 as the NPTv6 destination (for the WAN1 rule). Then, use 2001:db8:0:1::/64 for LAN1, 2001:db8:0:2::/64 for LAN2 and so on. I haven't tried that, but see no reason why it shouldn't work.
That being said, I've so far always avoided NPTv6 and instead used a "load distribution" approach for dual WAN setups:
1. Advertise prefixes from both WANs in the same LAN and / or
2. advertise prefixes from WAN1 in some LANs and prefixes from WAN2 in other LANs.
3. Mix and match 1. and 2. until the average traffic distribution is as desired.
This doesn't give you true load balancing, especially not in peak load situations. But it's good enough for many use cases.
[Update]
Didn't see your update. Interesting. So you're doing load balancing with normal routing on one WAN and NPTv6 on the other? Good to know that this actually works.
[/Update]
Cheers
Maurice
Last Edit: February 12, 2021, 05:41:18 am by Maurice
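Added example, not part of the thread and not OPNsense code: a Python sketch of the prefix plan suggested in Reply #5 (one PD split into an internal NPTv6 source and an external destination), which also covers the ULA-to-GUA rules from Reply #4. It models NPTv6 as a plain prefix swap that keeps the remaining bits, without the RFC 6296 checksum-neutral adjustment; `ISP2_PD`, the host address and the function names are constructed for illustration.

```python
import ipaddress

def split_pd(delegated):
    """Split a delegated prefix into (internal, external) halves, one bit longer."""
    internal, external = ipaddress.ip_network(delegated).subnets(prefixlen_diff=1)
    return internal, external

def npt_translate(addr, source, destination):
    """Swap the prefix bits of addr from source to destination, keeping the rest.

    Assumption of this sketch: a stateless 1:1 prefix mapping only; the
    checksum-neutral adjustment described in RFC 6296 is not modelled.
    """
    addr = ipaddress.ip_address(addr)
    source = ipaddress.ip_network(source)
    destination = ipaddress.ip_network(destination)
    if source.prefixlen != destination.prefixlen:
        raise ValueError("NPTv6 source and destination must have the same length")
    if addr not in source:
        raise ValueError(f"{addr} is outside the NPTv6 source prefix {source}")
    host_bits = int(addr) & int(source.hostmask)
    return ipaddress.ip_address(int(destination.network_address) | host_bits)

def check_lans(lans, internal):
    """Return LAN prefixes that fall outside the internal (source) half."""
    nets = [ipaddress.ip_network(lan) for lan in lans]
    return [net for net in nets if not net.subnet_of(internal)]

# ISP1_PD is the documentation prefix used in the post; ISP2_PD is constructed.
ISP1_PD = "2001:db8::/56"
ISP2_PD = "2001:db8:ff00::/56"

if __name__ == "__main__":
    internal, external = split_pd(ISP1_PD)
    wan2_dest = split_pd(ISP2_PD)[0]   # assumed: any /57 from the second PD
    host = "2001:db8:0:1::42"          # constructed client address in LAN1
    print("NPTv6 source:", internal)
    print("WAN1 rule   :", external, "->", npt_translate(host, internal, external))
    print("WAN2 rule   :", wan2_dest, "->", npt_translate(host, internal, wan2_dest))
    # A LAN numbered out of the external half would collide with translated traffic.
    print("bad LANs    :", check_lans(["2001:db8:0:1::/64", "2001:db8:0:80::/64"], internal))
```

The same `npt_translate` call with a ULA source prefix and a provider prefix of equal length gives the mapping used by the rules in Reply #4.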
mrancier (Newbie, Posts: 34, Karma: 4), Reply #6 on: February 12, 2021, 02:38:21 pm
Indeed. It seems this is the preferred method, followed by the ULA assignments. There are no obvious shortcomings and the LB setup is, so far, working as advertised (60/40 in my case).