[SOLVED] My OPNsense can't route IPv6

Started by muchacha_grande, March 12, 2021, 11:08:03 PM

March 14, 2021, 01:37:51 PM #30 Last Edit: March 14, 2021, 01:39:40 PM by Maurice
See, that's the issue. You can't have the same prefix on the WAN and the LAN. This is caused by the GPON router delegating the same /64 as the one that it uses for its own LAN. This kind of broken Prefix Delegation is not uncommon with crappy ISP-provided routers. I can dig out the link to a discussion with someone whose router provided by their Swiss ISP did exactly the same thing, but I think it was in the German forum.

Unfortunately, unless you can switch the GPON router to bridged mode or replace it with your own ONT, there is not a lot you can do. Your ISP would have to fix this. And I understand that this is unlikely.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

That's why I am hoping that turning on request prefix only will make dhcp6c not apply an address to the WAN, but only the LAN. Then it should use link-local to the ISP, that's the thought, whether that actually happens I'm not certain, but I can go and test it.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

March 14, 2021, 02:35:37 PM #32 Last Edit: March 14, 2021, 02:37:09 PM by Maurice
OPNsense will still autoconfigure a WAN address and prefix using SLAAC. You can't disable that, can you (I seriously don't know)?
Even if you can: Since the GPON router uses this prefix for its own LAN, it will do Neighbor Discovery for these destination addresses and not route them to OPNsense. This would require an NDP proxy which OPNsense doesn't have.

But giving it a try doesn't hurt, you're right. :)

Certainly on my test router selecting prefix only does stop a GUA being set on the WAN, but no route to the primary router.

Ah.. missed the blindingly obvious... the ISP supplied device will be in the same subnet... sorry, completely passed me by, I'm tired, going back to sleep. :-[

Thank you marjohn56 and Maurice. I will try "request prefix only". Now I understand the problem a little more.
I'm used to this kind of trouble with flawed services here in Argentina.

Well, after testing "request prefix only" I can say that it didn't work.
Now I will be on IPv4 until I decide what to do with this service. It is possible that I change to another ISP.

Thank you again to both of you and regards...

March 15, 2021, 01:52:00 AM #37 Last Edit: March 15, 2021, 02:15:51 AM by priller
Quote from: Maurice on March 14, 2021, 02:35:37 PM
OPNsense will still autoconfigure a WAN address and prefix using SLAAC. You can't disable that, can you (I seriously don't know)?

OPNsense should only autoconfigure if the A-flag is set in the Router Advertisement from the ISP router.

To fix this problem of the same prefix appearing on the WAN via SLAAC, and on the LAN from DHCP-PD, you need to unset the RA's A-flag on the ISP router. Then on OPNsense set the WAN to "Request only an IPv6 prefix".

So, what config settings are available on the ISP router.  It may appear as a "Managed" option like OPNsense does.

This sound logical?

Ramblings: Not sure if the RA on-link L-flag would confuse OPNsense as it would be informed that the prefix was "on the wire" (WAN), but see if the above is available and it may just work. Also, if the prefix still existed on the ISP router interface, I don't think it would route properly to OPNsense. Got'a be some piece of the ISP router configuration we're not seeing.
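The A-flag, the L-flag and the WAN/delegated prefix clash discussed in the posts above can be checked from a captured Router Advertisement. The following is an added example, not code from any poster or from OPNsense: it parses the Prefix Information option (RFC 4861 layout) and compares it with a delegated prefix. The function names, the sample bytes and the 2001:db8::/32 documentation prefixes are constructed for illustration.

```python
import ipaddress
import struct

L_FLAG, A_FLAG = 0x80, 0x40  # on-link and autonomous (SLAAC) bits, RFC 4861

def parse_prefix_info(options: bytes) -> list:
    """Return every Prefix Information option (type 3) found in RA options."""
    found, i = [], 0
    while i + 2 <= len(options):
        opt_type, opt_len = options[i], options[i + 1] * 8  # length in 8-byte units
        if opt_len == 0 or i + opt_len > len(options):
            raise ValueError("malformed RA option")
        if opt_type == 3 and opt_len == 32:
            # prefix length, flags, valid lifetime, preferred lifetime
            plen, flags, _valid, _pref = struct.unpack_from("!BBII", options, i + 2)
            addr = ipaddress.IPv6Address(options[i + 16:i + 32])
            found.append({
                "prefix": ipaddress.IPv6Network((addr, plen), strict=False),
                "on_link": bool(flags & L_FLAG),
                "autonomous": bool(flags & A_FLAG),
            })
        i += opt_len
    return found

def diagnose(ra_options: bytes, delegated: str) -> list:
    """List conflicts between RA-advertised WAN prefixes and a delegated prefix."""
    pd = ipaddress.IPv6Network(delegated)
    issues = []
    for pio in parse_prefix_info(ra_options):
        if not pio["prefix"].overlaps(pd):
            continue
        issues.append(f"delegated {pd} overlaps WAN prefix {pio['prefix']}")
        if pio["autonomous"]:
            issues.append("A-flag set: WAN may autoconfigure an address from this prefix")
        if pio["on_link"]:
            issues.append("L-flag set: prefix is advertised as on-link on the WAN segment")
    return issues

# Constructed sample: a source link-layer option, then a PIO with L and A set.
SAMPLE_RA_OPTIONS = (
    bytes([1, 1, 0x02, 0x00, 0x5E, 0x00, 0x53, 0x01])
    + struct.pack("!BBBBIII", 3, 4, 64, L_FLAG | A_FLAG, 86400, 14400, 0)
    + ipaddress.IPv6Address("2001:db8:1:2::").packed
)

if __name__ == "__main__":
    for line in diagnose(SAMPLE_RA_OPTIONS, "2001:db8:1:2::/64"):
        print(line)
```

An empty result from `diagnose` means the delegated prefix is distinct from what the upstream router advertises on the WAN segment.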

Quote from: priller on March 15, 2021, 01:52:00 AM
Got'a be some piece of the ISP router configuration we're not seeing.

Hi priller. The problem is that my ISP doesn't even allow me to enter the GPON and see what's inside.

Maybe, if I ask the ISP to upgrade the service bandwidth, they will bring me a newer device, and just maybe that device works better with IPv6.

@Maurice, there are no coincidences in life. Today I found this https://forum.opnsense.org/index.php?topic=21795.0.
It is a solution to my problem too. I read that you called this a "monstrosity", but it works and now I have dual stack :)
Thank you again and cheers

Hehe... Yes, if nothing else works, IPv6 NAT is probably better than nothing™.

As it is working very well right now, I made a test box with an old motherboard, just to experiment without messing up my system.
I tested NPTv6, but I'm not sure if I did it right. It didn't work.

NPTv6 won't work for the same reason that "native" IPv6 doesn't work: No usable prefix available.

Yes... I thought that it was for the same reason.
I needed to give it a try because NPT is a better solution than NAT.
My ISP left me with NAT as the only option.

But it works great!!!!
It passes all IPv6 tests.