How to do IPv6 with DHCPv6-PD?

meschmesch:
OK, you write
--- Quote ---(there is a PR in GitHub that allows selecting the RA SRC address)
--- End quote ---
What are you referring to?

bimbar:
https://github.com/opnsense/core/pull/5185

bimbar:
I've given up on it. IPv6 NAT stops working intermittently (and who can blame it, it's not supposed to be used), and every other scenario doesn't work either.

So, if you don't have a static prefix and want to have redundant firewalls, don't bother.

I have disabled IPv6 on one of the firewalls, created an interface group of my internal interfaces, and added a floating rule in the style of "allow ifgroup_internal -> IPv6 -> !ifgroup_internal, allow ifgroup_internal -> IPv6 -> This Firewall", which is the best I can come up with right now.

meschmesch:
I would like to get rid of my frustration here and above all save a lot of people the lifetime that they could waste with OPNsense, IPv6 and CARP. It is definitely the case that OPNsense does not run with CARP IPv6. It's a pity that this is not admitted officially.

Any attempt to implement CARP with IPv6 fails. For example, if you define a virtual interface fd00:..., it will be used instead of the additionally available global IPv6 address 2004:..., and the stupid system tries to transport all packets via fd00 out to the WAN. The solution is to manually change the order of the IPv6 addresses after each reboot. Disable CARP IPv6, apply, re-enable, reboot RA.

If you are lucky, NAT IPv6 to a fd00 address will work. This MAY work for a while. Eventually, however, it will stop working and OPNsense routes fd00 packets into nirvana. I'm really fed up with IPv6 and OPNsense. And I suspect more will have this problem here in Germany, as our providers are moving more and more to only allow accessibility from the WAN via IPv6.

Patrick M. Hausen:
Sorry, but CARP as an isolated issue works as it should in 21.7.5.

We have a redundant setup with a static prefix and a global unicast CARP address for IPv6 on the WAN interface. On the LAN network we also have global unicast addresses for the individual firewalls, but a link local CARP address as the default gateway for all internal systems.

The internal link local CARP including correct router advertisements was introduced in 21.7.5.

Kind regards,
Patrick
