IPv6 questions

Started by fgsfdgfds, March 09, 2021, 11:43:05 PM

Probably been done to death, but here goes:
I'm just considering whether to move to IPv6. We live in the UK (remote location) and broadband is about 1mb up, 10mb down.
This will probably never change as we live on a farm in the countryside.
But if I moved to IPv6, then maybe I could eventually use the Starlink sats for broadband?
I need fixed IP addresses since I need to OpenVPN to the farm to remotely control machinery (when I'm away).
Currently using Zen Internet and have 8 IPv4s.
If I had the network on IPv6 with Zen, and maybe Starlink offered fixed IPv6 IPs soon, I could test that and move over?

Some of the machinery PLCs use VNC and Modbus and are IPv4 only.  They do not need internet connectivity, but they must work internally on IPv4.  So presumably if I went to IPv6 for the PCs and phones to use Internet, the PLCs would still work (internally)?

If I used my phone to OpenVPN into the site on IPv6, could I get a local IPv4 address (as well as IPv6) to control the PLCs directly?
Or would I have to control a local PC to do it?

Also my knowledge of IPv6 isn't great (yet). On IPv6 do you not use private addressing anymore (like 192.168.0.0/24)? Is it all publicly addressed?
If/when we lose internet connectivity (bad broadband etc. etc.), can the internal IPv6 network still route around the site normally if it's been assigned public IPv6s and the internet connection is broken for hours/days?

If I'm running 2 WANs for a while for testing, Starlink and Zen on IPv6, the static addressing will change when 1 drops out. My servers will need static addresses and need to work normally locally, controlling the machinery. Could their IP addresses change and break the working network environment when WANs switch over and/or drop out completely?

Sorry for the long question.  But wondering whether eventually I'll have to go IPv6, been ignoring it for years...

You don't need IPv6 to use Starlink but you do need to get a plan that doesn't have CGNAT for a real public IP. This may involve a business package and/or a surcharge.

You don't need a fixed public IP to use OpenVPN since it works quite well with dynamic DNS. This will also work with dual WAN. You can configure OpenVPN clients with two public servers so they will fail over from Zen to Starlink and back again.

My OpenVPN tunnels have both IPv4 and IPv6 subnets.

Bart...

I was under the impression that before too long Starlink will be offering IPv6 static addresses.
If I was already on IPv6 with Zen, then switching between the 2 on a dual WAN might not be too difficult.

Just thinking about it some more:
I suppose the easiest way for me to use IPv6 is to change my router (Draytek ADSL) to IPv6 only with Zen.
Then make OPNsense IPv6 and IPv4.

Then I can use IPv6 for internet and IPv4 for internal LAN connections.  Those that are IPv4 only, won't reach the internet (no loss there) but will operate normally locally.

If the WAN goes offline, ALL nodes will have IPv4 addresses, so they then continue internally as normal (with no internet access).
Will all the dual IPv6/IPv4 PCs, TVs, phones, tablets etc. etc. realise they can only reach the internet over IPv6? Or will they try to poll OPNsense for internet connections on IPv4 and time out?

As Bart mentioned, you can always use IPv6 and IPv4 in the OpenVPN tunnel.

"Private" IPv6 addresses (ULAs) do exist, but you don't need them if you can get a static public prefix. You can use these public IPv6 addresses in the LAN even when the WAN is down. No need for IPv4 fallback.

Dual WAN is a bit tricky, but there are some options. If it's only temporary, I wouldn't focus on that too much.

If you make the WAN IPv6-only, you'll need to use an external NAT64 service because significant parts of the Internet are still IPv4-only. There are a few public ones listed on https://nat64.xyz/.

Most devices prefer IPv6 over IPv4, so they won't try IPv4 and time out. You can also disable default gateway assignment in the DHCPv4 server settings to make sure nothing ever tries to connect to the Internet using IPv4.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

The mechanism is called Happy Eyeballs (yes, really!)

https://en.wikipedia.org/wiki/Happy_Eyeballs

I would prefer dual-stack throughout since there are still resources that are IPv4 only and some new services may be IPv6 only once the v4 depletion starts to bite.

Bart...

Thanks for your input guys.
I think initially, I'll try running a dual stack on my LAN/OPNsense.
Then the IPv4 side of the LAN should need little/no messing with.
Then I can enable IPv6 as well, get some IPv6 subnets from ISP.  Nodes that want to go out on IPv6 do so, others can use IPv4.

What do you think? Any problems you can foresee with this?

Yes, going IPv4-only -> dual-stack -> IPv6-only is currently the most common migration path. Although going directly from IPv4-only to IPv6-only is slowly gaining popularity (with separate LANs for legacy IPv4-only devices).

Disadvantages of dual-stack are a more complex configuration (e.g. more firewall rules) and troubleshooting (issues with one protocol are harder to detect if the other one still works).

But if you have no experience with IPv6 and want to set it up yourself, going dual-stack first might indeed flatten the learning curve a bit.

OK, got my IPv6s from Zen, but it won't route. Zen gave me ND prefix /64, PD delegation prefix /48 (these only share the first 2a02 of the address, everything else is different).
I have a Draytek 2862 on the ADSL. It auths with Zen, then gets the IPv4 public subnet routed to the OPNsense IPv4 WAN so it has a public IPv4. This all works fine.
I then have the Draytek PPP the IPv6; after this the Draytek pings ipv6.google.com.
The Draytek is set to DHCPv6 to the OPNsense WAN. The Draytek IPv6 is 2a02:x:x:1:21d:aaff:fe12:2fe8/64.
So now I set WAN interface:
DHCPv6
BASIC
Prefix delegation size: 48
nothing else set

OPNsense WAN auto gets: 2a02:x:x:1:230:18ff:fec9:3a03/64

This auto creates a GW with an fe80: address
I now set LAN to static IPv6:
2A02:x:x:1000::1/64
DHCPv6 server LAN:
server range of: 2a02:x:x:1000::2000 - 2a02:x:x:1000::4000

OPNsense can ping ipv6.google.com
PCs on LAN can ping OPNsense LAN IPV6 ip
PCs can't ping ipv6.google.com or the actual google IP (in case of DNS issue)

Where did I go wrong?
I have tried a reboot a few times, but since I started with this the reboot seems to take a long time to complete, which didn't happen when I was IPv4 only. Maybe there is something bad going on?

Do I need to add any extra routing to the Draytek?
Thanks

First, make sure Router Advertisements are enabled on the OPNsense LAN.

Next, check whether OPNsense gets a prefix from the Draytek. In Interfaces / Overview / WAN, there should be a line "IPv6 delegated prefix". If no, the Draytek DHCPv6 server might not support PD (or not be configured correctly). Then you would indeed need to add a static route on the Draytek. Just route the entire /48 to the link-local address of the OPNsense WAN interface.

Or just configure everything statically. Might also improve startup times. With a static prefix, there is no real need to use DHCPv6 on the OPNsense WAN at all.

March 11, 2021, 02:34:53 PM #10 Last Edit: March 11, 2021, 02:36:58 PM by priller
There seems to be some misunderstanding of DHCPv6, Prefix Delegation and routing.

1) Setting OPNsense WAN to DHCPv6 and requesting a /48 isn't going to do anything productive if the draytek isn't capable of serving PD.  I suspect it is only able to provide host addresses.  Please verify.

2) The concept of setting the WAN to DHCPv6-PD then configuring a static address on the LAN makes no sense from a configuration perspective.  Bit of a contradiction.

3) The core connectivity problem is probably due to the draytek not having a route to the LAN 2A02:x:x:1000::1/64.  It would have to point to the OPNsense WAN interface (next hop route). If the draytek is not capable of IPv6 static routes, then there will be no return traffic.

4) Setting static IPv6 address with an ISP that provides addressing via PD --- If your address space never changes, then you can get away with it, but if it does you will forever be redoing everything.
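Added example, not from the thread or from OPNsense: a small Python check of the addressing plan discussed in the two replies above (is the static LAN /64 inside the delegated /48, does the DHCPv6 range fit the LAN, and what static route the upstream router needs when it cannot delegate the prefix). All addresses are constructed in the 2001:db8::/32 documentation range, standing in for the anonymised 2a02:x:x:... prefixes.

```python
import ipaddress

# Constructed sample values in the 2001:db8::/32 documentation range, standing in
# for the thread's anonymised 2a02:x:x:... prefixes. None of these is a real prefix.
ND_PREFIX = "2001:db8:1:1::/64"        # /64 the Draytek advertises on its link to the OPNsense WAN
PD_PREFIX = "2001:db8:ff00::/48"       # /48 the ISP delegates; shares only 2001:db8 with ND_PREFIX
OPNSENSE_WAN_LL = "fe80::230:18ff:fec9:3a03"   # link-local of the OPNsense WAN interface (next hop)
LAN_PREFIX = "2001:db8:ff00:1000::/64"  # static LAN /64 carved out of PD_PREFIX
DHCPV6_RANGE = ("2001:db8:ff00:1000::2000", "2001:db8:ff00:1000::4000")


def check_addressing(nd, pd, lan, dhcp_range):
    """Return a list of problems with the planned addressing; an empty list means it is consistent."""
    nd, pd, lan = (ipaddress.ip_network(p, strict=False) for p in (nd, pd, lan))
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_range)
    problems = []
    # A LAN outside the delegated /48 has no return route from the ISP side.
    if not lan.subnet_of(pd):
        problems.append(f"LAN {lan} is not inside the delegated {pd}; upstream has no return route to it")
    # The LAN must not reuse the WAN link prefix, or OPNsense would be on both sides of one /64.
    if lan.overlaps(nd):
        problems.append(f"LAN {lan} overlaps the WAN link prefix {nd}")
    # DHCPv6 leases must be addresses the LAN actually routes.
    if not (lo in lan and hi in lan and lo <= hi):
        problems.append(f"DHCPv6 range {lo}-{hi} is not inside LAN {lan}")
    return problems


def static_route(pd, next_hop_ll):
    """The route the upstream router needs when it cannot delegate the prefix itself:
    the whole /48 via the link-local address of the OPNsense WAN interface."""
    pd = ipaddress.ip_network(pd, strict=False)
    ll = ipaddress.ip_address(next_hop_ll)
    if ll.version != 6 or not ll.is_link_local:
        raise ValueError("next hop must be the IPv6 link-local address of the OPNsense WAN")
    return {"destination": str(pd), "gateway": str(ll)}


if __name__ == "__main__":
    print(check_addressing(ND_PREFIX, PD_PREFIX, LAN_PREFIX, DHCPV6_RANGE))   # [] when consistent
    # One easy mistake to catch: a LAN built from the ND /64's prefix instead of the delegated /48.
    print(check_addressing(ND_PREFIX, PD_PREFIX, "2001:db8:1:1000::/64",
                           ("2001:db8:1:1000::2000", "2001:db8:1:1000::4000")))
    print(static_route(PD_PREFIX, OPNSENSE_WAN_LL))
```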

I think delegation from the Draytek is the problem.... Would like to try and do that if I can, then fall back to other routing methods etc.
See below: web page pasted from the Draytek (sorry).
------------------
DHCPv6 Server
Authentication Protocol:   None
Prefix Delegation   Enable   Disable     
Prefix   2A02:x12:x34::/48     <this is just written on the page>

DHCPv6 Prefix Delegation

New Prefix:: <this is greyed out> :::/64
Suffix <only the last 3 boxes available>
New Prefix Length   (0~64)
Client Link Local Address   
Client DUID(option)   
--------------------

Do you understand this? No info on the internet....
The new prefix is completely greyed out;
the suffix only has the last 3 boxes fillable.

Quote from: priller on March 11, 2021, 02:34:53 PM
There seems to be some misunderstanding of DHCPv6, Prefix Delegation and routing.

1) Setting OPNsense WAN to DHCPv6 and requesting a /48 isn't going to do anything productive if the draytek isn't capable of serving PD.  I suspect it is only able to provide host addresses.  Please verify.

2) The concept of setting the WAN to DHCPv6-PD then configuring a static address on the LAN makes no sense from a configuration perspective.  Bit of a contradiction.
Point 2:
If I don't set an IP on the LAN for OPNsense and route PCs through it, how do I control who gets what from the internet?
Won't they just all get out with no rules?

@fgsfdgfds, again, I recommend a static configuration for this use case.

If you insist on PD, you'll not be able to delegate the entire /48 to OPNsense. You'll have to configure the Draytek with an appropriate PD size and range. I'll not investigate how to do that, sorry.

There are use cases where using PD on the WAN and statically configured LANs makes sense. This is not one of them.

OK, after looking on the Draytek closed forum, it sounds like PD isn't very well implemented or working.

So I adjusted the routing table in the Draytek and now can ping from PCs on the LAN side, but DNS is not working; still looking at why that is.
But in IPv6 how do you run firewall rules if the LAN doesn't have an IP on the LAN IP subnet?
In IPv4 you'd have the LAN subnet on 1 side (the firewall's LAN has an IP in the LAN subnet), the WAN subnet on the other side, and rules between.

Surely you'd have WAN IPv6 subnet on 1 side and LAN IPv6 (different subnet) on other with PCs on.  They would send requests to the LAN IP of the firewall and it would pass through the rules to the WAN IP to the other.
Is that not right?