How to do IPv6 with DHCPv6-PD?

[bimbar]

Scenario is 2 firewalls behind a router that hands out prefixes via DHCPv6-PD.
Since the firewalls are effectively standalone, they get different prefixes, which they in turn hand out to the LAN.

Now the problem is that each client gets the 2 prefixes, and gets 2 default routes but does not typically associate the prefix to the default router, so that for example clients are trying to communicate with the prefix from fw1 over the gateway fw2, which the firewall drops.
I can prioritize the default gateways, but then it still can happen that a client chooses the wrong prefix for the assigned gateway.

So, how can that be solved? I could go stateful with dhcpv6, but then each client only gets one IP and redundancy is lost.

[meschmesch]

Same problem here. I could work around that by allowing as last rule on the LAN interface all IPv6 traffic instead of allowing only traffict originating from LAN net.

Another problem: for IPv4 I can define a virtual IP which is "shared" between the two firewalls. What about IPv6? It appears that with prefix delegation each firewall has to use its own IPv6 adresses. So it's not possible to assign an IPv6 adress to a domain in order to reach a server behind the firewall. Either the domain points to the address of the first or to the address of the second firewall?

Where am I wrong here?

[bimbar]

As I run it now, I have internal ULA addresses and NAT on WAN. The internal side is done with CARP fe80::1 and this is advertised via RA (there is a PR in github that allows to select the RA SRC address).
I have one external service with dyndns, but that's not redundant.

There is a heap of RFCs I read that basically mean that in the end it's not possible because the end devices do not cleanly implement said RFCs (source and nexthop selection). They don't even respect the RA priorities.

So that's not perfect. Maybe best to stick to IPv4 or use something like cloudflare for internal services.

[meschmesch]

@bimbar, do I understand correctly that "internally" you only work with ULA addresses?

Regarding the external service, I also have no solution yet. But since sooner or later I may loose my public IPv4 access with IPv6 remaining as only access possibility from outside, I have rent a virtual server which has a public IPv4 address and forwards any request e.g. on port 443 via IPv6 to my firewall (using 6tunnel).

I consider that on this virtual server I may run a script which tests accessability of firewall 1 and firewall 2 using the IPv6 addresses of the firewalls each published via DynDNS to respective Domains. In case connection is lost to one of the Domains (i.e. firewalls), the script just instructs 6tunnel to use the other domain for forwarding requests.

[bimbar]

Explicit Routes should not be required.

If you want to do outgoing NAT, the Firewalls should also request an address, not only a prefix.

I do work with ULA addresses only on LAN.

[meschmesch]

ok, you write

(there is a PR in github that allows to select the RA SRC address)

. What are you referring to?

[bimbar]

https://github.com/opnsense/core/pull/5185

[bimbar]

I've given up on it. IPv6 NAT stops working intermittently (and who can blame it, it's not supposed to be used), and everything other scenario doesn't work either.

So, if you don't have a static prefix and want to have redundant firewalls, don't bother.

I have disabled IPv6 on one of the firewalls, created an interface group of my internal interfaces, and added a floating rule in the style of "allow ifgroup_internal -> IPv6 -> !ifgroup_internal, allow ifgroup_internal -> IPv6 ->This Firewall", which is the best I can come up with right now.

[meschmesch]

I would like to get rid of my frustration here and above all save a lot of people life time that they could waste with Opnsense, IPv6 and CARP. It is definitely the case that Opnsense does not run with Carp IPv6. It's a pity that this is not admitted officially.

Any attempt to implement Carp with IPv6 fails. For example, if you define a virtual interface fd00:..., it will be used instead of the additionally available global IPv6 address 2004:... . and the stupid system tries to transport all packets via fd00 out to the WAN. The solution is to manually change the order of the IPv6 addresses after each reboot. Disable Carp IPv6, apply, re-enable, reboot RA.

If you are lucky, NAT IPv6 to a fd00 address will work. This MAY work for a while. Eventually, however, it will stop working and Opnsese routes fd00 packets into nirvana. I'm really fed up with IPv6 and Opnsense. And I suspect more will have this problem here in Germany, as our providers are moving more and more to only allow accessibility from the WAN via IPv6.

[Patrick M. Hausen]

Sorry, but CARP as an isolated issue works as it should in 21.7.5.

We have a redundant setup with a static prefix and a global unicast CARP address for IPv6 on the WAN interface. On the LAN network we also have global unicast addresses for the individual firewalls, but a link local CARP address as the default gateway for all internal systems.

The internal link local CARP including correct router advertisments was introduced in 21.7.5.

Kind regards,
Patrick

[bimbar]

We discussed this via PM and I still think that opnsense works for that, if you have a static GUA.
I think your setup is still not quite right.

[meschmesch]

Sorry, but CARP as an isolated issue works as it should in 21.7.5.

...which means that besides CARP something like NAT for IPv6 to a link local address fd00... does not work? Correct? At least that is what I'm experiencing.

We have a redundant setup with [...] a link local CARP address as the default gateway for all internal systems.

In other words, you define an fe80... CARP address on e.g. the LAN interface and additionally (or instead?) of the normal fe80 gateway you define the fe80-Carp address as gateway for this interface (Gateway-Interface = LAN)? Correct?

[Patrick M. Hausen]

...which means that besides CARP something like NAT for IPv6 to a link local address fd00... does not work? Correct?

Possibly.

We have a redundant setup with [...] a link local CARP address as the default gateway for all internal systems.

In other words, you define an fe80... CARP address on e.g. the LAN interface and additionally (or instead?) of the normal fe80 gateway you define the fe80-Carp address as gateway for this interface (Gateway-Interface = LAN)? Correct?

Yes - if I understand you correctly

See screenshots for details.

[meschmesch]

And additionally you have to define a further Gateway (System-Gateways-Single) or do you keep the "normal" IPv6 Gateway there?

[Patrick M. Hausen]

Why would you define a gateway on LAN?

On WAN I have static GUA on both firewalls and another static GUA as CARP. This is used as the gateway to my network on the outside.

I don't NAT. I was just referring to the fact that CARP does work, IMHO.