Default ipv6 configuration does not work

Started by IsaacFL, February 12, 2021, 08:27:23 PM

On the interface, Track IPv6 interface, if I do not check: "Allow manual adjustment of DHCPv6 and Router Advertisements" then I do not get a working ipv6 configuration.

Clients receive an ipv6 address, and can access local ipv6 hosts, but external ipv6 is broken:
ping -6 www.google.com

Pinging www.google.com [2607:f8b0:4007:801::2004] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.




Manually setting, Router Advertisements, and selecting LAN (static) is required to get a working configuration.  Dynamic does not work.

Looking at the radvd.conf, the difference between working and non-working interface setups is that working has:
route ::/0 {
    RemoveRoute off;
};


Non-working interfaces are missing the above entirely.

In my mind, default configuration should result in a working setup.



February 12, 2021, 11:52:36 PM #1 Last Edit: February 13, 2021, 12:30:36 AM by Greelan
Agreed that the significance of the "manual adjustment" checkbox is a little obscure/not well explained

FWIW, with DHCPv6 on WAN, Track Interface on LAN, and Unmanaged (ie SLAAC) under Router Advertisements, "dynamic" works fine for me. But there are a number of possible configurations for IPv6, so YMMV

Are there other devices (routers) on your network which might send Router Advertisements?

In the non-working case, when you perform a traceroute -6, what is the first hop?
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

There are no other routers.

From my LAN interface, which I have the manual setup unchecked, so default.

tracert -6 www.google.com

Tracing route to www.google.com [2607:f8b0:4007:80e::2004]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  OPNsense.XXXXXXX.com [2603:8001:abcd:ef10:215:5dff:fe7e:5814]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.

I can use the firewall diagnostic ping, and using default interface, goes thru fine, picking LAN, no response.

As a matter of interest, what is the "default"? I can't recall. Does it assume that a DHCPv6 server will be configured?

default, sets it up as assisted, configures dhcpv6
default radvd.conf is:
# Generated config for dhcp6 delegation from wan on lan
interface hn1 {
    AdvSendAdvert on;
    AdvLinkMTU 1500;
    AdvManagedFlag on;
    AdvOtherConfigFlag on;
    prefix 2603:8001:abcd:ef10::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
    RDNSS 2603:8001:abcd:ef10:215:5dff:fe7e:5814 { };
    DNSSL iznmort.com { };
};


obfuscated my prefix and rdnss

The only configuration I can get to reliably work is where radvd.conf has:
route ::/0 {
    RemoveRoute off;
};


The clients get ipv6 addresses and can communicate to local resources but going external stops working.

This was a new install of opnsense 21.1 when it came out (moved from pfsense) and now updated to 21.1.1
It had the problem at initial install, also, but I just immediately went to manual config and got working with trial and error.  Now I am trying to figure out what the issue is.

When I first installed OPNsense a number of months ago I think I remember reading in a third party setup guide that manual adjustment needed to be checked. So I am not sure whether it is an "issue" as such or just a configuration requirement. But if the latter, again it could be made clearer

It doesn't seem to be anything to do with "manual" or not.

I can duplicate manually the setting in Router Advertisements and it is just as broken as the default setting.

Something is not right with the Radvd setup. Unmanaged vs Assisted vs Stateless DHCP doesn't make a difference either.  But I have to select RA Interface to (static) or it stops working to external.

It should work in automatic as well as "manual dynamic" mode and does so for most, so something seems special about your setup.

This can't really be an RA issue if even a ping originating from OPNsense itself doesn't work (Interfaces: Diagnostics: Ping, Source Address LAN). That's what you're saying, right? And this works when you switch RA Interface to "static"?

What does a traceroute using the OPNsense diagnostics tool (Source Address LAN) show for RA Interface "dynamic" as well as "static"?

You mention switching from pfSense. Did you by any chance try to import anything from an old config?

No, ping from opnsense itself works on "default" interface which I believe is WAN. But if I choose another interface it doesn't. Ping to an ipv6 address on another sub-net works. Just not leaving the router.

There is really nothing special about my setup. I have been using pfsense with ipv6 for many years and have even used opnsense in the past.

I did switch from pfsense but I built the opnsense up from clean install.  As I mentioned from the very beginning, new install, the ipv6 did not work at all.  To get it to work I switched ipv6 to manual configuration, "unmanaged", and trying dynamic, then static to get it to work.

It has been working like that for several weeks, until I decided to test it a bit to see what the issue was. First I switched to "Stateless" on the RA since that never really worked on pfsense, and set up DHCPv6. This worked, but Windows 10 seemed to ignore DHCPv6 with DNS only, so I decided to try out "Assisted".

This also worked, so I thought I would go back to the interface and uncheck the Manual override for one of the interfaces.  This is when everything stopped working.  My testing seemed to show that the thing that broke it was switching on the RA from interface (static) to interface(dynamic).

The thing to note was that the clients were still getting ipv6 addresses, and seemed OK for local traffic even to other sub-nets.  But nothing could go to the internet via ipv6. I could even see in my firewall logs traffic being passed as expected, but something was happening after that.

In the meantime I have switched everything back to "Assisted" and using static and it is working now, but I think there is an issue with the radvd.conf.

Firstly, checking "Advertise Default Gateway" doesn't seem to do anything that I can tell. Secondly, I don't understand why that picking LAN(static) vs LAN(dynamic) should be turning off or on the "route ::/0".  I would have expected the "Advertise Default Gateway" would have maybe controlled that?

It is definitely an RA issue, as I have taken DHCPv6 in and out of the configuration.

Here is tracert with my current working configuration from the LAN (with altered addresses abcd:ef):
# /usr/sbin/traceroute6 -w 2 -n  -m '18' -s '2603:8001:abcd:ef10:215:5dff:fe7e:5814'   'dns.google'
traceroute6: Warning: dns.google has multiple addresses; using 2001:4860:4860::8888
traceroute6 to dns.google (2001:4860:4860::8888) from 2603:8001:abcd:ef10:215:5dff:fe7e:5814, 18 hops max, 20 byte packets
1  2605:e000:400:3a::1  14.039 ms  10.872 ms  10.758 ms
2  2605:e000:0:4::a:8449  16.740 ms  21.569 ms  12.390 ms
3  2605:e000:0:4::a:849c  16.002 ms  14.527 ms  15.983 ms
4  * * *
5  2001:1998:0:8::5c  20.476 ms *
    2001:1998:0:4::366  32.801 ms
6  2001:4860:1:1::844  18.655 ms
    2001:4860:1:1::c20  19.100 ms
    2001:4860:1:1::c24  26.818 ms
7  *
    2001:4860:0:1110::1  17.873 ms
    2607:f8b0:80e1::1  26.505 ms
8  2001:4860:4860::8888  25.908 ms  17.279 ms  18.034 ms


With (dynamic) it is just time outs.

For this, I went from working configuration.

going to interface LAN - unchecking Manual ..., had to first go and disable DHCPv6 on LAN.
after Apply, here is trace route after:

# /usr/sbin/traceroute6 -w 2 -n  -m '18' -s '2603:8001:abcd:ef10:215:5dff:fe7e:5814'   'dns.google'
traceroute6: Warning: dns.google has multiple addresses; using 2001:4860:4860::8888
traceroute6 to dns.google (2001:4860:4860::8888) from 2603:8001:abcd:ef10:215:5dff:fe7e:5814, 18 hops max, 20 byte packets
1  * * *
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *

I am not sure if I mentioned it but the other subnets were still working fine, while I did this break of the LAN interface by removing the manual control on the LAN interface.

I went ahead and set it back to manual configuration, rebooted the router, and LAN(dynamic) works fine now, so it could have been something messed up during setup.

the route ::/0 is not in the configuration now and it works fine on every interface. So I don't know what it could have been.

Maybe another time I will try switching back to interface / unchecked manual and test again but for now I am just happy it works.




I've just checked this on my test router and all is good, works as it should, sounds like a bit of junk in your config that needed clearing. However I did discover one thing, totally unrelated to OPNsense, and that is my 'newish' spare motherboard's built-in LAN ports don't appear to support VLAN ID tagging from that advanced tab, and I was getting four different V6 subnet addresses on my test LAN port! (multiple VLANs on my test router). Had to re-configure my switch to make it play nicely. After a bit of web surfing it appears I have to set the VLAN using powershell... well you learn something new every day!
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member