[SOLVED] My OPNSense can't route IPv6

Started by muchacha_grande, March 12, 2021, 11:08:03 PM

So from your PC you cannot ping the gateway LAN GUA ?
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member


What rules are set in the firewall for LAN, have you allowed IPv6?

I'm allowing everything, IPv4 and 6

Can you ping the client from the LAN interface in Interfaces->Diagnostics? Make sure to select the LAN interface and IPv6.


Didn't work with GUA addresses... the only thing that worked was selecting LAN and IPv6 Link-Local.

That makes no sense. If they both have a GUA and it's in the same subnet and they are both /64 masks, it has to work unless the firewall is blocking, and you say it isn't. Can you PM me the addresses of both the LAN and the PC you are trying to ping from?

Better still, do an ifconfig from the shell and send me that, along with the output of ifconfig from the client if it's Linux, or ipconfig /all if it's a PC.

This from OPNSense:

em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=810098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether 00:0c:29:72:00:ee
        inet6 fe80::20c:29ff:fe72:ee%em0 prefixlen 64 scopeid 0x1
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=810098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether 00:0c:29:72:00:f8
        inet 192.168.100.254 netmask 0xffffff00 broadcast 192.168.100.255
        inet6 fe80::20c:29ff:fe72:f8%em1 prefixlen 64 scopeid 0x2
        inet6 2803:xxxx:xxxx:xxxx:20c:29ff:fe72:f8 prefixlen 64 autoconf
        inet6 2803:xxxx:xxxx:xxxx::1 prefixlen 128
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
        groups: enc
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=100<PROMISC> metric 0 mtu 33160
        groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
        syncpeer: 0.0.0.0 maxupd: 128 defer: off
        groups: pfsync
em0_vlan2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0c:29:72:00:ee
        inet6 fe80::20c:29ff:fe72:ee%em0_vlan2 prefixlen 64 scopeid 0x7
        inet6 2803:xxxx:xxxx:xxxx:20c:29ff:fe72:ee prefixlen 64
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        groups: vlan
        vlan: 2 vlanpcp: 0 parent interface: em0
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


I cut off the rest of the vlans because they only have IPv4, for now.

And this is from my Windows 8 box:

Adaptador de Ethernet Ethernet:

   Sufijo DNS específico para la conexión. . : muchachagrande.com.ar
   Descripción . . . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller #3
   Dirección física. . . . . . . . . . . . . : 70-54-D2-CB-70-86
   DHCP habilitado . . . . . . . . . . . . . : sí
   Configuración automática habilitada . . . : sí
   Dirección IPv6 . . . . . . . . . . : 2803:xxxx:xxxx:xxxx:a57e:5d63:f83b:9e0d(Preferido)
   Dirección IPv6 temporal. . . . . . : 2803:xxxx:xxxx:xxxx:b1ab:fe5b:4ec4:e288(Preferido)
   Vínculo: dirección IPv6 local. . . : fe80::a57e:5d63:f83b:9e0d%41(Preferido)
   Dirección IPv4. . . . . . . . . . . . . . : 192.168.2.10(Preferido)
   Máscara de subred . . . . . . . . . . . . : 255.255.255.0
   Concesión obtenida. . . . . . . . . . . . : sábado, 13 de marzo de 2021 11:06:45 a.m.
   La concesión expira . . . . . . . . . . . : sábado, 13 de marzo de 2021 11:13:13 p.m.
   Puerta de enlace predeterminada . . . . . : fe80::20c:29ff:fe72:ee%41
                                       192.168.2.1
   Servidor DHCP . . . . . . . . . . . . . . : 192.168.2.1
   IAID DHCPv6 . . . . . . . . . . . . . . . : 779113682
   DUID de cliente DHCPv6. . . . . . . . . . : 00-01-00-01-18-C7-EF-5A-70-54-D2-CB-70-86
   Servidores DNS. . . . . . . . . . . . . . : 192.168.2.1
   NetBIOS sobre TCP/IP. . . . . . . . . . . : habilitado


I did a packet capture on Windows side while making a ping. I captured only ICMPv6 packets.
For some reason, the PC does a network solicitation to find out the MAC of the destination IP, but OPNSense doesn't respond.

No. Source                                                Destination
1   2803:xxxx:xxxx:xxxx:b1ab:fe5b:4ec4:e288  ff02::1:ff72:ee
Neighbor Solicitation for 2803:xxxx:xxxx:xxxx:20c:29ff:fe72:ee from 70:54:d2:cb:70:86
2   2803:xxxx:xxxx:xxxx:b1ab:fe5b:4ec4:e288  ff02::1:ff72:ee
Neighbor Solicitation for 2803:xxxx:xxxx:xxxx:20c:29ff:fe72:ee from 70:54:d2:cb:70:86
3   2803:xxxx:xxxx:xxxx:b1ab:fe5b:4ec4:e288  ff02::1:ff72:ee
Neighbor Solicitation for 2803:xxxx:xxxx:xxxx:20c:29ff:fe72:ee from 70:54:d2:cb:70:86
4   2803:xxxx:xxxx:xxxx:b1ab:fe5b:4ec4:e288  ff02::1:ff72:ee
Neighbor Solicitation for 2803:xxxx:xxxx:xxxx:20c:29ff:fe72:ee from 70:54:d2:cb:70:86
5   2803:xxxx:xxxx:xxxx:b1ab:fe5b:4ec4:e288  ff02::1:ff72:ee
Neighbor Solicitation for 2803:xxxx:xxxx:xxxx:20c:29ff:fe72:ee from 70:54:d2:cb:70:86
6   2803:xxxx:xxxx:xxxx:b1ab:fe5b:4ec4:e288  ff02::1:ff72:ee
Neighbor Solicitation for 2803:xxxx:xxxx:xxxx:20c:29ff:fe72:ee from 70:54:d2:cb:70:86
7   2803:xxxx:xxxx:xxxx:b1ab:fe5b:4ec4:e288  ff02::1:ff72:ee
Neighbor Solicitation for 2803:xxxx:xxxx:xxxx:20c:29ff:fe72:ee from 70:54:d2:cb:70:86
8   2803:xxxx:xxxx:xxxx:b1ab:fe5b:4ec4:e288  ff02::1:ff72:ee
Neighbor Solicitation for 2803:xxxx:xxxx:xxxx:20c:29ff:fe72:ee from 70:54:d2:cb:70:86
9   2803:xxxx:xxxx:xxxx:b1ab:fe5b:4ec4:e288  ff02::1:ff72:ee
Neighbor Solicitation for 2803:xxxx:xxxx:xxxx:20c:29ff:fe72:ee from 70:54:d2:cb:70:86
10  2803:xxxx:xxxx:xxxx:b1ab:fe5b:4ec4:e288  ff02::1:ff72:ee
Neighbor Solicitation for 2803:xxxx:xxxx:xxxx:20c:29ff:fe72:ee from 70:54:d2:cb:70:86


Sorry for interrupting, but I have to ask the obvious question: Is the 2803:xxxx:xxxx:xxxx part on em1 different from the 2803:xxxx:xxxx:xxxx part on em0_vlan2? The obfuscation makes it impossible to tell.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

How come there is a vlan on em0, that's the WAN interface isn't it? If it's not, and it's just named wrong, you cannot have two interfaces with the same /64 on them. Not even sure how you've managed that...


So tell us, what is the parent interface for that vlan?

em0 is an IPv4-only LAN (untagged), em0_vlan2 is the dual-stack LAN, em1 is the WAN. All good. But the question is indeed: Do WAN and LAN have the same prefix? I very much suspect so...

That's right @Maurice.
em0 is the original LAN interface.
After a while I've got a managed switch and I separated the net in different vlans.
em0_vlan2 is the new working vlan. em0 is the untagged vlan.

Quote from: Maurice on March 14, 2021, 02:46:34 AM
Sorry for interrupting, but I have to ask the obvious question: Is the 2803:xxxx:xxxx:xxxx part on em1 different from the 2803:xxxx:xxxx:xxxx part on em0_vlan2? The obfuscation makes it impossible to tell.

No, they are the same. It is a /64 prefix... I have to manage using the 64 bits that my ISP left me.

To start from scratch I temporarily connected to em0, so I'm not on a vlan anymore, for now.
When I set IPv6 to tracking WAN on em0, the results were the same as with em0_vlan2.
Then, I set a manual IPv6 2803:xxxx:xxxx:xxxx:1::1/80 on em0 and configured radvd and dhcp6.
Now, my PC receives a /80 address and can ping router LAN IP and WAN IP, but still can't ping outside.
Doing a packet inspection on WAN/ICMPv6, I realized that the same thing happens as when sending a ping from the router LAN. When the ISP router does a Neighbor Solicitation to know where to send the ping response, OPNSense doesn't respond with the Neighbor Advertisement.
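A check for the collision Maurice suspected and muchacha_grande has just confirmed, written as an added example that is not from the thread or from OPNsense: it parses ifconfig-style output, reports any on-link IPv6 prefix configured on more than one interface (the router then has no way to know which interface a neighbor in that prefix is behind, which is why the solicitations above go unanswered), and derives the solicited-node group an NS for a target is sent to, so the capture's ff02::1:ff72:ee destination can be checked against the LAN GUA. The sample input is constructed from the thread's output with the 2001:db8 documentation prefix in place of the obfuscated one.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the thread's ifconfig output; the real prefix is
# obfuscated there, so the documentation prefix 2001:db8:0:1::/64 stands in.
SAMPLE_IFCONFIG = """\
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 2001:db8:0:1:20c:29ff:fe72:f8 prefixlen 64 autoconf
        inet6 2001:db8:0:1::1 prefixlen 128
em0_vlan2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::20c:29ff:fe72:ee%em0_vlan2 prefixlen 64 scopeid 0x7
        inet6 2001:db8:0:1:20c:29ff:fe72:ee prefixlen 64
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET6_RE = re.compile(r"^\s+inet6 (\S+) prefixlen (\d+)")

def onlink_prefixes(ifconfig_text):
    """Map each interface to its on-link IPv6 prefixes. Link-local, loopback and
    /128 host addresses are skipped; only on-link prefixes decide where an NS belongs."""
    prefixes = defaultdict(set)
    iface = None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET6_RE.match(line)
        if not m or iface is None:
            continue
        addr = ipaddress.IPv6Address(m.group(1).split("%")[0])
        plen = int(m.group(2))
        if addr.is_link_local or addr.is_loopback or plen == 128:
            continue
        prefixes[iface].add(ipaddress.IPv6Network((addr, plen), strict=False))
    return dict(prefixes)

def overlapping_prefixes(prefixes):
    """Return {prefix: [interfaces]} for every prefix present on more than one interface."""
    by_net = defaultdict(list)
    for iface, nets in prefixes.items():
        for net in nets:
            by_net[net].append(iface)
    return {net: sorted(ifaces) for net, ifaces in by_net.items() if len(ifaces) > 1}

def solicited_node(target):
    """Solicited-node multicast group an NS for target goes to (RFC 4291 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)
```

Feed it the output of `ifconfig` from the OPNsense shell; a non-empty result from `overlapping_prefixes` is the WAN/LAN same-/64 situation this thread ends up in.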

Not sure what's going on because of the obfuscation, but

2021-03-13T14:55:14   dhcp6c[661]   add an address 2803:xxxx:xxxx:xxxx::1/128 on em1
2021-03-13T14:55:14   dhcp6c[661]   create an address 2803:xxxx:xxxx:xxxx::1 pltime=1209600, vltime=3498554121644045568
2021-03-13T14:55:14   dhcp6c[661]   make an IA: NA-0
2021-03-13T14:55:14   dhcp6c[661]   add an address 2803:xxxx:xxxx:xxxx:20c:29ff:fe72:ee/64 on em0_vlan2
2021-03-13T14:55:14   dhcp6c[661]   create a prefix 2803:xxxx:xxxx:xxxx::/64 pltime=1209600, vltime=1209600


Try turning on request prefix only.