How to do IPv6 with DHCPv6-PD?

Started by bimbar, August 24, 2021, 09:43:04 AM

November 18, 2021, 08:02:24 PM #15 Last Edit: November 18, 2021, 08:07:50 PM by meschmesch
Does not work - I have no IPv6 internet connection on computers in the LAN in case the following is used:

  • Virtual IP Carp LAN fe80::2:2/64
  • Router Advertisements LAN unmanaged, Priority High, RA Interface LAN_VIP6 (fe80::2:2)
  • WAN_DHCP6 Gateway with address of the Fritzbox (router) on the WAN side

Screenshots attached. As soon as I deactivate the virtual CARP and use RA Interface "LAN dynamic", IPv6 connection to WAN is possible.

Running 21.7.5? This is a new feature.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 18, 2021, 08:08:22 PM #17 Last Edit: November 18, 2021, 08:37:51 PM by meschmesch
OPNsense 21.7.5-amd64
Windows reports fe80::2:2%8 as the gateway, whereas in the interface overview of OPNsense the address is fe80::2:2/64.

fe80::2:2%8 is correct. There is no prefix length on a gateway. The "%8" is the scope ID, because link local addresses are all the same across all interfaces.

It should be the interface number 8 of your Windows, whatever that means. Here in my home network the entry of e.g. my Nextcloud jail which uses SLAAC is:

fe80::3eec:efff:fe00:5430%epair0b

So the scope is the "epair0b" interface.

So at least the gateway advertisements seem to be correct. Now check the GUA or ULA address of your Windows, and use e.g. tcpdump on the OPNsense to check what happens to outbound packets.

November 18, 2021, 10:32:31 PM #19 Last Edit: November 18, 2021, 10:38:15 PM by meschmesch
Windows GUA and ULA seem to be correct. I did a ping -6 google.de on Windows, which resulted in a timeout. tcpdump results in:

GUA_LAN_Opnsense: 2a02:810b:....
Opnsense LAN fe80 address: fe80::2e0:4cff:fe68:337c
Windows GUA: 2a02:810b:c03f:..f27f

Interface  Capture output
WAN  igb0  21:29:04.489739 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 8) 2a02:810b:... > 2a03:4000:2:ee9:68bb:31ff:fecd:dd60: [icmp6 sum ok] ICMP6, echo request, seq 156
WAN  igb0  21:29:04.504490 IP6 (flowlabel 0x244af, hlim 55, next-header ICMPv6 (58) payload length: 8) 2a03:4000:2:ee9:68bb:31ff:fecd:dd60 > 2a02:810b:...: [icmp6 sum ok] ICMP6, echo reply, seq 156
WAN  igb0  21:29:05.490666 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 8) 2a02:810b:... > 2a03:4000:2:ee9:68bb:31ff:fecd:dd60: [icmp6 sum ok] ICMP6, echo request, seq 157
WAN  igb0  21:29:05.506616 IP6 (flowlabel 0x244af, hlim 55, next-header ICMPv6 (58) payload length: 8) 2a03:4000:2:ee9:68bb:31ff:fecd:dd60 > 2a02:810b:...: [icmp6 sum ok] ICMP6, echo reply, seq 157
WAN  igb0  21:29:06.491739 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 8) 2a02:810b:... > 2a03:4000:2:ee9:68bb:31ff:fecd:dd60: [icmp6 sum ok] ICMP6, echo request, seq 158

LAN  igb1  21:29:06.772091 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40) 2a02:810b:c03f:..f27f > 2a00:1450:4001:811::2003: [icmp6 sum ok] ICMP6, echo request, seq 1779
LAN  igb1  21:29:06.791941 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::2e0:4cff:fe68:337c > ff02::1:fff6:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:810b:c03f:..f27f
LAN  igb1      source link-address option (1), length 8 (1): 00:e0:4c:68:33:7c
LAN  igb1  21:29:07.791570 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::2e0:4cff:fe68:337c > ff02::1:fff6:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:810b:c03f:..f27f
LAN  igb1      source link-address option (1), length 8 (1): 00:e0:4c:68:33:7c
LAN  igb1  21:29:08.806593 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::2e0:4cff:fe68:337c > ff02::1:fff6:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:810b:c03f:..f27f
LAN  igb1      source link-address option (1), length 8 (1): 00:e0:4c:68:33:7c
LAN  igb1  21:29:10.103587 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::dcdf:3597:709c:b416 > fe80::2:2: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::2:2
LAN  igb1      source link-address option (1), length 8 (1): 34:2e:b7:a8:4a:6c

First, I have no idea what 2a03:4000:2:ee9:68bb:31ff:fecd:dd60 is. This is not on my system. Second, OPNsense does not report the used fe80::2e0:4cff:fe68:337c in its overview of the interfaces. However, I can see it in the OPNsense terminal window with ifconfig. Third, while playing around, the gateway pointing from WAN to the fe80 address of my Fritzbox router got disabled. And voilà, packets passed to my Windows computer. ::) Toggling the gateway on/off did not make any difference. However, after a reboot no IPv6 ping was possible any more, with the IPv6 gateway either enabled or disabled. So this was only a single occurrence for whatever reason.

Finally, after a few minutes of doing nothing, ping6 suddenly started to work again on one LAN computer, while on the other LAN computer it didn't work. Completely unpredictable.
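The failure pattern in a capture like the one above (neighbor solicitations that never get an advertisement, echo requests that never get a reply) is easier to see when the lines are paired up mechanically. This is an added Python example, not from the thread; it parses the tcpdump -v line format shown in the post, and the sample capture and all addresses in it are constructed from the 2001:db8::/32 documentation prefix.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump -v format the capture above uses; addresses are
# made up from the 2001:db8::/32 documentation prefix, not the poster's real capture.
SAMPLE = """\
igb0 21:29:04.489739 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 8) 2001:db8:1::1 > 2001:db8:ffff::53: [icmp6 sum ok] ICMP6, echo request, seq 156
igb0 21:29:04.504490 IP6 (flowlabel 0x244af, hlim 55, next-header ICMPv6 (58) payload length: 8) 2001:db8:ffff::53 > 2001:db8:1::1: [icmp6 sum ok] ICMP6, echo reply, seq 156
igb1 21:29:06.772091 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40) 2001:db8:1:1::f27f > 2001:db8:ffff::2003: [icmp6 sum ok] ICMP6, echo request, seq 1779
igb1 21:29:06.791941 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::1 > ff02::1:ff00:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8:1:1::f27f
igb1 21:29:07.791570 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::1 > ff02::1:ff00:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8:1:1::f27f
igb1 21:29:10.103587 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::dead:beef > fe80::2:2: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::2:2
igb1 21:29:10.104000 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::abcd > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
igb1 21:29:10.104500 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::1 > fe80::abcd: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::1, Flags [solicited]
"""

# One regex for the IPv6 header part, one per ICMPv6 message type of interest.
HDR = re.compile(r"length: \d+\) (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): .*?ICMP6, (?P<msg>.*)$")
ECHO = re.compile(r"echo (request|reply), seq (\d+)")
NS = re.compile(r"neighbor solicitation, .*who has ([0-9a-f:]+)")
NA = re.compile(r"neighbor advertisement, .*tgt is ([0-9a-f:]+)")


def analyze(capture: str) -> dict:
    """Pair echo requests with replies and NS with NA; report what never got an answer."""
    pending_echo = {}                      # (src, dst, seq) kept until a reply is seen
    ns_count, na_targets = Counter(), set()
    for line in capture.splitlines():
        m = HDR.search(line)
        if not m:
            continue                       # continuation lines (e.g. link-address option)
        src, dst, msg = m.group("src"), m.group("dst"), m.group("msg")
        if e := ECHO.match(msg):
            kind, seq = e.group(1), int(e.group(2))
            if kind == "request":
                pending_echo[(src, dst, seq)] = True
            else:
                pending_echo.pop((dst, src, seq), None)   # a reply swaps src and dst
        elif ns := NS.match(msg):
            ns_count[ns.group(1)] += 1     # how often the target was solicited
        elif na := NA.match(msg):
            na_targets.add(na.group(1))    # targets that did answer
    return {
        "unanswered_echo": list(pending_echo),
        "unanswered_ns": {t: n for t, n in ns_count.items() if t not in na_targets},
    }
```

On the sample, the LAN host's echo request and the repeated solicitations for the host's GUA and for the CARP link-local fe80::2:2 show up as unanswered, while the firewall's own ping and the solicitation for fe80::1 pair up cleanly.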

Do both OPNsense systems have the same GUA prefix on LAN? If not I guess that is the problem here. Can't you set a static prefix and use NAT in that case?

And please permit me to question the business case - you have a dynamic/changing prefix from your provider and want to run a HA pair? Why not get a static /56 or similar?

Indeed, the prefixes are different. I use track interface on both systems, both either with IPv6 Prefix ID 0x0 or (I also tried) one with 0x0 and the other one with 0x1.

Quote: And please permit me to question the business case - you have a dynamic/changing prefix from your provider and want to run a HA pair? Why not get a static /56 or similar?

The provider does not guarantee that the assigned prefix is static. Even though it appears to be static, they may change it from one day to the other. So, this is nothing I can rely on.

As far as I understand, each client can get multiple GUA addresses. In case the goal is first of all to maintain IPv6 connectivity (even with interruption of connections in case of a failure of one firewall), is there a simpler approach to ensure that the clients are using the IPv6 connectivity (and existing GUA) of the other firewall?

Quote from: meschmesch on November 19, 2021, 09:50:05 AM
Indeed, the prefixes are different. I use track interface on both systems, both either with IPv6 Prefix ID 0x0 or (I also tried) one with 0x0 and the other one with 0x1.

Quote: And please permit me to question the business case - you have a dynamic/changing prefix from your provider and want to run a HA pair? Why not get a static /56 or similar?

The provider does not guarantee that the assigned prefix is static. Even though it appears to be static, they may change it from one day to the other. So, this is nothing I can rely on.

As far as I understand, each client can get multiple GUA addresses. In case the goal is first of all to maintain IPv6 connectivity (even with interruption of connections in case of a failure of one firewall), is there a simpler approach to ensure that the clients are using the IPv6 connectivity (and existing GUA) of the other firewall?

Clients with multiple GUAs on multiple gateways do not work. That's a client problem.

Idea:

  • instead of PD just get one IPv6 address per firewall via DHCPv6 on WAN
  • use statically configured ULA on LAN (or a "known available" GUA)
  • use link local CARP address on LAN as discussed
  • use NAT on WAN or possibly NPT (I have not tried this yet, but if NPT works, that would be a next-to-perfect solution)

I hope you don't have inbound connections to systems on LAN - in that case I really cannot see a way to implement that with a changing prefix and HA.

HTH,
Patrick

Quote: use statically configured ULA on LAN (or a "known available" GUA)
This means that for the LAN interface, IPv6 is set to static with e.g. fd00::100?
Quote: use NAT on WAN or possibly NPT (I have not tried this yet, but if NPT works, that would be a next-to-perfect solution)
I assume that NPT requires an external IPv6 prefix, which however in the present case is not static. So, NPT should not work.

Regarding NAT on WAN - in case this works at all, which is questionable (see discussion above), what would be correct here? Just WAN NAT IPv6 with Source address "LAN" and Translation / target "Interface address"?

NAT66 on WAN does not work well, see https://github.com/opnsense/core/issues/5325.
Dynamic NPTv6 does not (yet?) exist, see https://github.com/opnsense/core/issues/5284.

So you're pretty much stuck where I am. I have now track interface on just one firewall, no redundancy for v6.

November 19, 2021, 12:32:56 PM #26 Last Edit: November 19, 2021, 02:22:08 PM by meschmesch
...which means that in case

  • you are running services for inbound connections on the LAN
  • and you are not provided with a public IPv4 address
  • and you are not provided with a static IPv6 prefix

high availability is not possible with OPNsense. After failover you can still communicate from LAN to WAN (via IPv4), but not vice versa since IPv6 is not available here.

A heretical question: Can pfSense do it better? ::)


Nevertheless, I just tested NAT. Setup:
nat on igb0 inet6 from (igb1:network) to any -> (igb0:0) port 1024:65535
(igb0 = WAN, igb1 = LAN)

ping google.de:
Quote:
WAN  igb0  14:16:53.140591 IP6 2a02:810b:c03f:fe20:... > 2a03:4000:2:ee9:68bb:31ff:fecd:dd60: ICMP6, echo request, seq 2423, length 8
WAN  igb0  14:16:53.156001 IP6 2a03:4000:2:ee9:68bb:31ff:fecd:dd60 > 2a02:810b:c03f:fe20:...: ICMP6, echo reply, seq 2423, length 8
LAN  igb1  14:16:55.239746 IP6 fd00::..:66fb > 2a00:1450:4001:828::2003: ICMP6, echo request, seq 9, length 40
LAN  igb1  14:16:59.960756 IP6 fe80::..:62d6 > fe80::2:2: ICMP6, neighbor solicitation, who has fe80::2:2, length 32

NAT works, the WAN packets originate from the correct WAN interface GUA. On LAN, both addresses correspond to the Windows machine performing the ping. However, the ping results in a timeout.

Essentially both OPNsense and pfSense are fancy UIs for FreeBSD and pf. I run NAT66 without problems, but, again, with a static address. I doubt any of this can really be improved in the short term given how IPv6 and pf both work.

Can't you get a static prefix if you have HA requirements? I tend to think HA --> mission critical business. So the budget for a real Internet connection should not be hard to justify.

Assuming I get the static address, what would be the setup? What is to be set on WAN and LAN?

November 20, 2021, 01:42:50 PM #29 Last Edit: November 20, 2021, 01:45:18 PM by pmhausen
WAN: static GUA on both nodes, another GUA as CARP, provider uses that as the gateway to your e.g. /56.
LAN: static GUA on both nodes, link local as CARP, CARP address for RA. Possibly an additional GUA as another CARP address if you have statically configured systems that don't use RA. Or services like DNS, NTP, ... that need a GUA on internal networks.
DMZ 1, 2, 3, ... like LAN.

Working flawlessly here.