WAN IPv6 can't be delegated and 'track interface' doesn't seem to work. Options?

[marjohn56]

Sorry typo... fingers are struggling to follow brain.

[Maurice]

No worries, happens to the best!

Well, in this particular case it wouldn't help, because @TheLinuxGuy doesn't even have a single /64 GUA prefix available, only the WAN address. So they can't use NPT at all.

But in general, yes, dynamically updating the NPT prefix would be very useful. This is just one aspect of the whole "firewall rules with dynamic prefixes" can of worms. There's an old open feature request for that: https://github.com/opnsense/core/issues/2544

[marjohn56]

Yes that thread... Not read it for a while. Interesting that last comment from bu7cher. Could be very useful. The script that I am referring to is here: https://github.com/gewuerzgurke84/pfSense-dynamicNptAddress

[tswalker]

My ISP (5G wireless home internet / T-mobile) gives us a dumb modem that does not allow 'bridge mode' the ISP themselves doesn't do IPv6 prefix delegation. Looking for help fixing issues with http://ipv6-test.com/ and http://test-ipv6.com/ as they fail....

/snip

same boat as you are, I tried to get this to work *without* going the static IPv6 on LAN and fell flat on my face...  I thought that perhaps instead of using DHCPv6 on LAN, to use relay instead, but nope... would not *relay* anything.. atleast it didn't seem to, and I have no clue what to put in as the destination server.. i used the Nokia access points' fbb.home IPv6 address, which seemed to sorta work.. but ya, no.

[Maurice]

This has nothing to do with DHCPv6 in the OPNsense LAN (which you don't even need). The issue is the 5G router being unable to "see" the hosts in the OPNsense LAN. You only have a single /64 which is used for the 5G router's LAN. The 5G router has no way of knowing that there are hosts using the same /64 in the OPNsense LAN. As mentioned, this would require an NDP proxy which OPNsense doesn't have.

There is no great solution here. Options are:
- Get a "better" Internet connection with more than just a single /64. I understand this is not available everywhere.
- Use a firewall with an integrated 5G modem. Still limits you to a single LAN and I don't know if T-Mobile allows "bring your own modem".
- Use a firewall which has an NDP proxy. Still limits you to a single LAN.
- Use a VPN tunnel. Might have a performance impact.
- Run OPNsense as a transparent filtering bridge. Severely limits its functionality and only allows a single LAN.
- Use ULAs and IPv6 NAT. Results in IPv6 almost never being used.

This is a common problem so if anyone has a better solution, I would be happy to hear about it.

[tswalker]

This has nothing to do with DHCPv6 in the OPNsense LAN (which you don't even need). The issue is the 5G router being unable to "see" the hosts in the OPNsense LAN. You only have a single /64 which is used for the 5G router's LAN. The 5G router has no way of knowing that there are hosts using the same /64 in the OPNsense LAN. As mentioned, this would require an NDP proxy which OPNsense doesn't have.

There is no great solution here. Options are:
- Get a "better" Internet connection with more than just a single /64. I understand this is not available everywhere.
- Use a firewall with an integrated 5G modem. Still limits you to a single LAN and I don't know if T-Mobile allows "bring your own modem".
- Use a firewall which has an NDP proxy. Still limits you to a single LAN.
- Use a VPN tunnel. Might have a performance impact.
- Run OPNsense as a transparent filtering bridge. Severely limits its functionality and only allows a single LAN.
- Use ULAs and IPv6 NAT. Results in IPv6 almost never being used.

This is a common problem so if anyone has a better solution, I would be happy to hear about it.

Is there a possibility to get lan segment DHCPv6 requests through the WAN to the modem?  If the modem is capable of providing them (which it does do, cause i get them if I connect say directly to the modem on wifi.. it has it's own segment and provides both ipv4 and ipv6 addressing)

[muchacha_grande]

- Use ULAs and IPv6 NAT. Results in IPv6 almost never being used.

I think I have a workaroud to the issue of "IPv6 never used" beause of ULAs
It is, I have to say, even more a monstruosity than the fact of using NAT.
Instead of using ULAs I used GUAs, I know, it is not fine, but I've been using this for a week and it's working very fine and stable.
I know that my ISP assigned me a /64 segment so I can use these addresses as I need.
I have some VLANs, so I choosed a /80 preffix changing the last 16 bits of the network address in each VLAN.

[Maurice]

@tswalker, that wouldn't help you. Assigning addresses is not the issue here, routing / Neighbor Discovery is.

@muchacha_grande, that's actually not the worst idea. The downside is that SLAAC doesn't work when using a /80, so you can't use devices which don't support DHCPv6 (like Android).

[muchacha_grande]

@Maurice, that's right. I believe that I'm thinking in IPv6 as it were IPv4.
Now, I have a question. How can be achieved an IPv6 configuration with more than one VLAN?
There should be some subnetting in the config

[Maurice]

I believe that I'm thinking in IPv6 as it were IPv4.

Yeah, a common mistake. We've all been there.

Now, I have a question. How can be achieved an IPv6 configuration with more than one VLAN?
There should be some subnetting in the config

You need a unique /64 for each VLAN. Most ISPs give you a /56 or /48, so you can create at least 256 /64 subnets. If you only have a single /64... Well, we're back at the beginning. Doesn't really work, no great solution available, only workarounds.

[muchacha_grande]

Ok, now I stated to see the bigger picture. My ISP wants me to have only one subnet. It is very stingy.

[almodovaris]

Asus routers have an IPv6 configuration called Passthrough. Maybe Opnsense should get something like that.

Those also have an option called FLET'S IPv6 Service.

If you know Asuswrt Merlin, you may ask Merlin how to do it, he develops third-party firmwares for Asus routers.

[tswalker]

Asus routers have an IPv6 configuration called Passthrough. Maybe Opnsense should get something like that.

Those also have an option called FLET'S IPv6 Service.

If you know Asuswrt Merlin, you may ask Merlin how to do it, he develops third-party firmwares for Asus routers.

Interesting, seems that OpenWRT has something similar:
https://www.reddit.com/r/tmobileisp/comments/luslbf/how_are_you_getting_around_the_lack_of_ipv6/gpuuim4/?utm_source=share&utm_medium=web2x&context=3

[Maurice]

OpenWrt does have the aforementioned NDP proxy.
Not sure what Asus is doing, probably the same.

[tswalker]

OpenWrt does have the aforementioned NDP proxy.
Not sure what Asus is doing, probably the same.

I noticed there is ndproxy(4) in freebsd?

https://www.freebsd.org/cgi/man.cgi?query=ndproxy&apropos=0&sektion=4&manpath=FreeBSD+11-current&format=html


This is getting beyond my capability to follow very easily...  but I'm willing to learn/figure out.