Gateway monitoring with IPv6 prefix only

Started by edz, March 27, 2021, 05:36:45 AM

My IPv6 setup with my ISP is by prefix only.  I have all my VLANs correctly set up and clients are receiving an IPv6 address.  Gateway monitoring is enabled on the IPv6 gateway and, despite it showing as Offline, I have full IPv6 connectivity, confirmed with IPv6 test websites and ping6 to Google.

As my ISP is not providing an IPv6 address, dpinger does not start:

/system_gateways.php: The WAN_DHCP6 IPv6 gateway address is invalid, skipping.

If I disable Gateway monitoring, my IPv6 connection stops working, until I re-enable Gateway monitoring.  Can anyone explain what is happening here?
On my gateway monitoring, I see a link-local IPv6 address of an ISP router. I.e. it does not show a routable IPv6 address in 2000::/3.

What do you get when you open a shell on OPNsense and run this?

netstat -r | grep default

Bart...

With IPv6 working (and the IPv6 gateway showing Offline)

root@opnsense:~ # ping6 www.google.com
PING6(56=40+8+8 bytes) 2001:8003:2810:****:**:***:***:2a11 --> 2404:6800:4006:810::2004
16 bytes from 2404:6800:4006:810::2004, icmp_seq=0 hlim=118 time=12.587 ms
16 bytes from 2404:6800:4006:810::2004, icmp_seq=1 hlim=118 time=12.412 ms
16 bytes from 2404:6800:4006:810::2004, icmp_seq=2 hlim=118 time=12.173 ms


root@opnsense:~ # netstat -r | grep default
default            cpe-121-209-127-25 UGS        igb0
default            fe80::3e94:d5ff:fe UG         igb0

Sometimes I get issues with this; most of the time I can resolve it by going to Firewall -> Settings -> Advanced, static route filtering, and enabling and applying "Bypass firewall rules for traffic on the same interface". I save it, go to the gateway and resave the v6 gateway. If it's then working, I go back to the firewall and disable the rule; that usually fixes it, but not always. However, as using the ISP gateway as a ping target tends to give me a longer RTT than pinging a Google DNS server, I tend to use Google as a target.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.


March 27, 2021, 11:00:59 PM #4 Last Edit: March 27, 2021, 11:22:27 PM by edz
Unfortunately that has not worked for me.

Just to recap what I'm seeing:

  • My ISP does not provide an IPv6 address, only a /56 delegated prefix.
  • Because I do not have an IPv6 address, dpinger does not start (address is invalid).  I am using Cloudflare's IPv6 address as the monitor address.
  • My IPv6 gateway is showing as down, but I have full IPv6 functionality as shown by the ping6 and netstat -r | grep default commands above. A gateway IP is not shown on the gateway screen although visible from the command line
  • If I disable gateway monitoring, the gateway shows as Online however IPv6 routing stops and it is no longer a default route even though the gateway screen shows it as 'active'

Should I raise a bug for this?

Edit: I've put the gateway monitor address to the ISP link local. 20 minutes later, IPv6 functionality began to work and the Gateway is showing as Online.  Strange!

Not really strange, as your WAN interface will have a link-local address and is able to communicate with the ISP gateway over the local link. You just won't be able to use a public IP as the monitor address. Of course, the issue is that if your ISP loses public internet connectivity, your gateway will still show as up even though you won't be able to get to the internet over IPv6.

Not entirely strange, but what is strange is that it took up to 20 min for the firewall to realise there was an IPv6 gateway and to add a route.

I do understand the issue with the ISP losing IPv6 connectivity and my firewall not knowing any different, but glad it is working now.

The 20 minutes probably reflects the dhcp6c cycle? If you had done a release/renew of the WAN interface when you changed the gateway monitor IP, it probably would have come up straight away.
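The monitor-address behaviour discussed in this thread, as an added example that is not part of any post here and not OPNsense's own code: a POSIX shell script that reads the IPv6 default route the way the `netstat -r | grep default` output above does, turns a link-local next hop into the `%interface`-scoped target that ping6 (and dpinger) needs, and, when run live, probes both that next hop and an upstream address so that the case the reply above warns about (link to the ISP router up, ISP's own IPv6 upstream down) is reported as its own verdict instead of "Online". The routing-table text is constructed; the interface name igb0 is taken from the posted output, and the Cloudflare anycast address 2606:4700:4700::1111 is an assumption standing in for the poster's unspecified Cloudflare monitor address.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: inspect the IPv6 default
# route, derive a usable monitor target for a link-local next hop, and (live
# mode only) probe next hop and upstream separately.

# Constructed sample of `netstat -rn -f inet6` output on FreeBSD/OPNsense.
# Addresses are documentation/placeholder values; igb0 is the interface name
# from the thread.  With -n the kernel prints the %scope on link-local hops.
SAMPLE_ROUTES='Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           fe80::3e94:d5ff:fe19:5f2c%igb0 UG       igb0
::1                               link#3                        UHS         lo0
2001:db8:100::/64                 link#2                        U          igb1
fe80::%igb0/64                    link#1                        U          igb0'

# default6_next_hop ROUTES -> prints "<gateway> <interface>" for the IPv6
# default route (the ':' test skips an IPv4 default line if one is present).
default6_next_hop() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 ~ /:/ { print $2, $4; exit }'
}

# is_link_local ADDR -> success if ADDR is in fe80::/10.
is_link_local() {
    case $1 in fe[89abAB]?:*) return 0 ;; *) return 1 ;; esac
}

# monitor_target GATEWAY INTERFACE -> the address ping6/dpinger must be given.
# A link-local next hop is ambiguous without an interface scope, so %IFACE is
# appended unless the route already carries one; global addresses pass through.
monitor_target() {
    gw=$1; ifc=$2
    case $gw in
        *%*) printf '%s\n' "$gw" ;;
        *)   if is_link_local "$gw"; then printf '%s%%%s\n' "$gw" "$ifc"
             else printf '%s\n' "$gw"; fi ;;
    esac
}

# verdict NEXTHOP_OK UPSTREAM_OK (each 0 or 1) -> one-word state.
# A reachable link-local next hop only proves the local link to the ISP router
# is up; "upstream-down" is the case a link-local-only monitor cannot see.
verdict() {
    case "$1$2" in
        11) echo "ok" ;;
        10) echo "upstream-down" ;;
        01) echo "inconsistent" ;;   # upstream answers, next hop does not: investigate
        *)  echo "link-down" ;;
    esac
}

# Live probe, only when explicitly requested:  RUN_LIVE=1 UPSTREAM=<addr> sh gw6check.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    routes=$(netstat -rn -f inet6)
    set -- $(default6_next_hop "$routes")            # $1=gateway $2=interface
    [ -n "${1:-}" ] || { echo "no IPv6 default route"; exit 2; }
    target=$(monitor_target "$1" "$2")
    upstream=${UPSTREAM:-2606:4700:4700::1111}       # assumed Cloudflare target
    ping6 -c 3 -q "$target"   >/dev/null 2>&1 && hop=1 || hop=0
    ping6 -c 3 -q "$upstream" >/dev/null 2>&1 && up=1  || up=0
    echo "next hop $target reachable=$hop, upstream $upstream reachable=$up: $(verdict "$hop" "$up")"
fi
```

Run it without RUN_LIVE and it only defines the helpers; with RUN_LIVE=1 on the firewall itself it needs no root. Note that ping6 to the scoped link-local target uses the interface's own fe80:: source, which is why it works on a prefix-only WAN, while the upstream probe needs a global source address on an interface the default route points out of.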