WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?

Started by TheLinuxGuy, February 28, 2021, 01:13:33 AM

My ISP (5G wireless home internet / T-mobile) gives us a dumb modem that does not allow 'bridge mode', and the ISP itself doesn't do IPv6 prefix delegation. Looking for help fixing issues with http://ipv6-test.com/ and http://test-ipv6.com/ as they fail.

I'm not sure what my options are here other than NAT IPv6? I'm not familiar with IPv6 much, but I can connect directly to the modem, obtain a V6 address, and all dual-stack tests pass.

When opnsense connects to the modem, it obtains a unique IPv6 address (non-link-local), the WAN settings are set for DHCPv6 and my LAN is set to "Track interface".

I have been struggling with this for a few weeks - to make sure nothing advanced (vlan, complex rules, vpn settings etc) was interfering, I ended up spinning up a fresh install of opnsense - straight out of the box with default settings, one WAN and one LAN, to see if it would work. I did this with both opnsense and pfsense - my luck has been that IPv6 dual stack doesn't work in either pfsense or opnsense behind this modem.

Perhaps I am missing something to try here? Open to suggestions.

In the alternative - any steps or quick guide on using NAT IPv6 on the LAN and then using outbound NAT to share the single IPv6 address I am getting from WAN? Or I wonder if pfsense can bind multiple IPv6 addresses to the WAN interface and manage them somehow intelligently by itself and without NAT?

Without Prefix Delegation, track interface requires a point-to-point WAN interface with SLAAC. If your modem supports this (some do), you can "pass through" the WAN-side /64 to a single LAN.

Otherwise, you would indeed need to bind multiple IPv6 addresses to the WAN interface in order to make them available to hosts in the LAN. But this would require an NDP proxy which as far as I know OPNsense does not currently have.

So if the modem doesn't support PPP, IPv6 NAT would be the only option. Quite awful, but should work. It's configured pretty much the same way as IPv4 NAT: Configure the LAN interface with a static address, switch outbound NAT rule creation to hybrid or manual and create an outbound NAT rule.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Or use Hurricane Electric. Yes, it's tunnelled over v4, but you do get a static /48 and it works.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

As far as I remember from my HE tunneling days, 6in4 does not work through CGNAT. Which is what 4G / 5G mostly uses.

But a tunnel is indeed an option - when using a different protocol. There are a few providers which give you a static prefix through e. g. WireGuard. ungleich.ch is one I occasionally use on the road and it works quite well.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on February 28, 2021, 06:05:36 AM

So if the modem doesn't support PPP, IPv6 NAT would be the only option. Quite awful, but should work. It's configured pretty much the same way as IPv4 NAT: Configure the LAN interface with a static address, switch outbound NAT rule creation to hybrid or manual and create an outbound NAT rule.


will try this thank you

Quote from: marjohn56 on February 28, 2021, 11:37:55 AM
Or use Hurricane Electric. Yes, it's tunnelled over v4, but you do get a static /48 and it works.

I can give this a try, but I think the he.net IPv6 tunnel-brokered netblock is blacklisted by Netflix, so it may break my smart devices at home. Are there any other 'free' V6 tunnel brokers?

To circumvent CGNAT, I purchased a VPS (dual-stack IPv6+IPv4), but unfortunately the VPS provider does not give me a /48 or anything larger than a single /64.

My plan to circumvent CGNAT on T-mobile is to tunnel the IPv4 address via wireguard to opnsense and do port forwarding to open ports to: Plex media server and SSH for emergency access to opnsense (unfortunate that this has a SPOF on the VPS/wireguard).

I'm unsure if there's anything I could do on the VPS for IPv6 on this setup to do my own tunnel of the assigned /64 block, but IPv6 NAT may be the easiest way out :/

I would only use IPv6 NAT as the very last resort. It has severe limitations and hardly anyone uses it. So if (or rather: when) you encounter issues you'll be pretty much on your own.

Netflix blocks HE tunnels, that's correct.

Since you're going to use a WireGuard tunnel to a VPS anyway, I'd recommend getting one with more than a /64. There are plenty. That'll make your life much easier.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on February 28, 2021, 06:05:36 AM

So if the modem doesn't support PPP, IPv6 NAT would be the only option. Quite awful, but should work. It's configured pretty much the same way as IPv4 NAT: Configure the LAN interface with a static address, switch outbound NAT rule creation to hybrid or manual and create an outbound NAT rule.

I may be missing a step?
My LAN hosts are unable to ping 2001:4860:4860::8888 (google dns)

Here's what I have done to try to set up LAN IPv6 'NAT' (this is on a fresh opnsense):

Interfaces config : LAN
- Static IPv6
- IPv6 address: "fdde:5453:540e:ff12::" and 64
click save

Services : DHCPv6 LAN
- Range start
fdde:5453:540e:ff12::
- Range end
fdde:5453:540e:ff12:ffff:ffff:ffff:ffff
save & restart service

Firewall: NAT : outbound
- Set Hybrid outbound
- Add manual rule
interface WAN
TCP/IP version 6
protocol any
source any
destination any
translation target WAN address
log enabled
save

My Windows 10 client now obtains an IPv6 address from opnsense. But can't ping or pass external ipv6 tests.

There was mention that I may need multiple IPv6 addresses on the system to map 1:1? Is this what I am missing? Any quick tips on exactly how to set this up? Is this a VIP?

Quote from: Maurice on February 28, 2021, 07:15:18 PM
Since you're going to use a WireGuard tunnel to a VPS anyway, I'd recommend getting one with more than a /64. There are plenty. That'll make your life much easier.

I just asked my VPS provider if they can do anything for me - if I were to get a block larger than /64, is there perhaps some guidance on what 'service' needs to be running on the VPS itself to delegate the block, and on how to configure opnsense to use it?

The problem with 5G cellular home internet from T-mobile is UDP packet deprioritization during congestion. TCP/HTTP does not suffer from this, but TCP VPN tunnels are horrible speed-wise and almost unusable.

My home network is a bit complex, so while I do have a VPS to tunnel traffic that I want to have a static IP - not all of my home network would be able to use the wireguard tunnel due to the above reliability. Direct-connect to T-mobile using their CGNAT is what some of my vlans will use and the VPS is primarily to allow streaming and roadwarrior connections coming into my home. Most outbound traffic would need to go via T-mobile IPv6 only network.

Using native IPv6 with multiple LANs and without an available prefix larger than /64 is indeed impossible without NAT.

The LAN interface identifier should not be zero, that's a reserved anycast address. Better use fdde:5453:540e:ff12::1.
How did you configure Router Advertisements?
Is there a firewall rule on the LAN interface passing IPv6?
Also, be aware that clients will always prefer IPv4 over IPv6 when using ULAs. Just one of the limitations of IPv6 NAT.

1:1 would be NPT, but you can't use that either without an available prefix.

Regarding the VPS: No particular services required, just the VPN and some static routes. With a static prefix there is no need for DHCPv6 Prefix Delegation, interface tracking and such.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on February 28, 2021, 07:46:44 PM
Using native IPv6 with multiple LANs and without an available prefix larger than /64 is indeed impossible without NAT.


ACK. I noticed this in other threads that I was reading on the subject - this is why I was thinking of maybe only having 1 VLAN with IPv6 enabled.

Right now all my VLANs have IPv4 only - I am trying to sort out what I need to do to get IPv6 to work on this opnsense blank slate/testbox before I touch my production opnsense install, which is working perfectly with just IPv4.

Quote from: Maurice on February 28, 2021, 07:46:44 PM
The LAN interface identifier should not be zero, that's a reserved anycast address. Better use fdde:5453:540e:ff12::1.

Thanks for this - LAN IPv6 set to fdde:5453:540e:ff12::1 - adjusted DHCP scope to account for start range ::2

Quote from: Maurice on February 28, 2021, 07:46:44 PM
How did you configure Router Advertisements?
Is there a firewall rule on the LAN interface passing IPv6?
Also, be aware that clients will always prefer IPv4 over IPv6 when using ULAs. Just one of the limitations of IPv6 NAT.

Router advertisements are 'disabled' on LAN by default; are settings on it needed to make this work?

Presuming a setting here is needed - would "Assisted" for Stateful DHCPv6 and SLAAC (M+O+A flags) be ideal? Any hints on other settings are appreciated.

LAN firewall rules (recall this is a fresh install test box) do have an IPv6 rule that allows any.

Router Advertisements are required. "Assisted" is a good default choice. If it works you can optimise later.

Also, you might want to limit the source in the NAT rule to LAN net.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on February 28, 2021, 08:33:20 PM
Router Advertisements are required. "Assisted" is a good default choice. If it works you can optimise later.

Also, you might want to limit the source in the NAT rule to LAN net.

Thanks so much for the tips and help here, it works!

On a simple opnsense WAN+LAN setup, in order to get IPv6 from the ISP to work on the LAN, follow these steps:

Quote from: TheLinuxGuy on February 28, 2021, 07:37:19 PM

Interfaces config : LAN
- Static IPv6
- IPv6 address: "fdde:5453:540e:ff12::" and 64
click save

Services : DHCPv6 LAN
- Range start
fdde:5453:540e:ff12::
- Range end
fdde:5453:540e:ff12:ffff:ffff:ffff:ffff
save & restart service

Firewall: NAT : outbound
- Set Hybrid outbound
- Add manual rule
interface WAN
TCP/IP version 6
protocol any
source LAN
destination any
translation target WAN address
log enabled
save


Enabling Router Advertisements on LAN, set to "Assisted", solved it.
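Two points in this thread are easy to get wrong when planning the ULA NAT setup above: the LAN address must not use an interface identifier of zero (the subnet-router anycast address), and dual-stack clients will prefer IPv4 over a ULA-sourced IPv6 path. This added script (not from the thread or from OPNsense) checks a planned LAN address and DHCPv6 range with Python's ipaddress module, and models the RFC 6724 destination ordering (rules 5 and 6 only) to show why a ULA source loses to IPv4; the 192.0.2.10 / 198.51.100.53 / 2001:db8::1 values are constructed documentation addresses.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
POLICY = [(ipaddress.IPv6Network(p), prec, lab) for p, prec, lab in [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12)]]


def policy(addr):
    """(precedence, label) of addr by longest-prefix match; IPv4 is looked up as ::ffff:a.b.c.d."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        a = ipaddress.IPv6Address("::ffff:" + str(a))
    _, prec, lab = max((e for e in POLICY if a in e[0]), key=lambda e: e[0].prefixlen)
    return prec, lab


def rank_destinations(dests, source_for):
    """Order candidate destinations as a dual-stack host does under RFC 6724
    rule 5 (prefer matching label) and then rule 6 (prefer higher precedence).
    Simplified model: scope, reachability and other rules are omitted.
    source_for(dest) returns the source address the host would use for dest."""
    def key(d):
        dprec, dlab = policy(d)
        _, slab = policy(source_for(d))
        return (dlab == slab, dprec)
    return sorted(dests, key=key, reverse=True)


def check_lan_plan(iface, prefixlen, dhcp_start, dhcp_end):
    """Problems (list of strings) with a planned static LAN IPv6 address and DHCPv6 range."""
    addr = ipaddress.IPv6Address(iface)
    net = ipaddress.IPv6Network(f"{iface}/{prefixlen}", strict=False)
    start, end = ipaddress.IPv6Address(dhcp_start), ipaddress.IPv6Address(dhcp_end)
    problems = []
    if addr not in ipaddress.IPv6Network("fc00::/7"):
        problems.append("LAN address is not a ULA (fc00::/7)")
    if addr == net.network_address:
        problems.append("interface identifier is zero (subnet-router anycast, reserved)")
    if start not in net or end not in net or start > end:
        problems.append("DHCPv6 range is not inside the LAN prefix")
    elif start <= addr <= end:
        problems.append("DHCPv6 range includes the router's own address")
    return problems


if __name__ == "__main__":
    # Constructed host: ULA source on this thread's LAN plus an RFC 5737 IPv4 address.
    src = lambda d: "192.0.2.10" if ":" not in d else "fdde:5453:540e:ff12::100"
    print(rank_destinations(["2001:4860:4860::8888", "198.51.100.53"], src))  # IPv4 first
    print(check_lan_plan("fdde:5453:540e:ff12::", 64, "fdde:5453:540e:ff12::",
                         "fdde:5453:540e:ff12:ffff:ffff:ffff:ffff"))  # two problems
```

With the corrected plan from later in the thread (LAN ::1, range starting at ::2) check_lan_plan returns no problems, and with a global unicast source the same destinations sort IPv6 first.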

Glad it works, although I feel a little dirty for assisting in the creation of such a monstrosity... ;)

To anyone finding this thread later: Don't do this unless you absolutely have to. I plead not guilty!

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Reading through the forum across the road I see a nice script someone has created that dynamically updates NPT if the prefix changes, as we know a lot of ISPs do that sort of thing. Would it be useful to see if we can do similar? I have no experience of NPT at all... as I don't need it, using a sensible ISP as I do.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

"Dynamically updates NDP"? I don't think I understand... Do you mean NPT? Dynamically update the NPT prefix?
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).