How to do IPv6 with DHCPv6-PD?

[meschmesch]

Does not work - I have no IPv6 internet connection on computers in the LAN in case the following is used:

• Virtual IP Carp LAN fe80::2:2/64
• Router Advertisements LAN unmanaged, Priority High, RA Interface LAN_VIP6 (fe80::2:2)
• WAN_DHCP6 Gateway with address of the Fritzbox (router) on the WAN side

Screenshots attached. As soon as I deactivate the virtual CARP and use RA Interface "LAN dynamic", IPv6 connection to WAN is possible.

[Patrick M. Hausen]

Running 21.7.5? This is a new feature.

[meschmesch]

OPNsense 21.7.5-amd64
Windows reports as gateway fe80::2:2%8, whereas in the interface overview of Opnsense the address is fe80::2:2/64

[Patrick M. Hausen]

fe80::2:2%8 is correct. There is no prefix length on a gateway. The "%8" is the scope ID, because link local addresses are all the same across all interfaces.

It should be the interface number 8 of your Windows, whatever that means. Here in my home network the entry of e.g. my Nextcloud jail which uses SLAAC is:

fe80::3eec:efff:fe00:5430%epair0b

So the scope is the "epair0b" interface.

So at least the gateway advertisements seem to be correct. Now check the GUA or ULA address of your Windows, and use e.g. tcpdump on the OPNsense to check what happens to outbound packets.

[meschmesch]

Windows GUA and ULA seems to be correct. I did a ping -6 google.de on windows, which resulted in a timeout. TCPDUMP results in:


GUA_LAN_Opnsense: 2a02:810b:....
Opnsense LAN fe80 address: fe80::2e0:4cff:fe68:337c
Windows GUA: 2a02:810b:c03f:..f27f

Code: [Select]

Interface Capture output
WAN
igb0 21:29:04.489739 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 8) 2a02:810b:... > 2a03:4000:2:ee9:68bb:31ff:fecd:dd60: [icmp6 sum ok] ICMP6, echo request, seq 156
WAN
igb0 21:29:04.504490 IP6 (flowlabel 0x244af, hlim 55, next-header ICMPv6 (58) payload length: 8) 2a03:4000:2:ee9:68bb:31ff:fecd:dd60 > 2a02:810b:...: [icmp6 sum ok] ICMP6, echo reply, seq 156
WAN
igb0 21:29:05.490666 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 8) 2a02:810b:... > 2a03:4000:2:ee9:68bb:31ff:fecd:dd60: [icmp6 sum ok] ICMP6, echo request, seq 157
WAN
igb0 21:29:05.506616 IP6 (flowlabel 0x244af, hlim 55, next-header ICMPv6 (58) payload length: 8) 2a03:4000:2:ee9:68bb:31ff:fecd:dd60 > 2a02:810b:...: [icmp6 sum ok] ICMP6, echo reply, seq 157
WAN
igb0 21:29:06.491739 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 8) 2a02:810b:... > 2a03:4000:2:ee9:68bb:31ff:fecd:dd60: [icmp6 sum ok] ICMP6, echo request, seq 158


LAN
igb1 21:29:06.772091 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40) 2a02:810b:c03f:..f27f > 2a00:1450:4001:811::2003: [icmp6 sum ok] ICMP6, echo request, seq 1779
LAN
igb1 21:29:06.791941 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::2e0:4cff:fe68:337c > ff02::1:fff6:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:810b:c03f:..f27f
LAN
igb1   source link-address option (1), length 8 (1): 00:e0:4c:68:33:7c
LAN
igb1 21:29:07.791570 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::2e0:4cff:fe68:337c > ff02::1:fff6:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:810b:c03f:..f27f
LAN
igb1   source link-address option (1), length 8 (1): 00:e0:4c:68:33:7c
LAN
igb1 21:29:08.806593 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::2e0:4cff:fe68:337c > ff02::1:fff6:f27f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a02:810b:c03f:..f27f
LAN
igb1   source link-address option (1), length 8 (1): 00:e0:4c:68:33:7c
LAN
igb1 21:29:10.103587 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::dcdf:3597:709c:b416 > fe80::2:2: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::2:2
LAN
igb1   source link-address option (1), length 8 (1): 34:2e:b7:a8:4a:6c

First, I have no idea what 2a03:4000:2:ee9:68bb:31ff:fecd:dd60 is. This is not on my system. Second, Opnsense does not report the used fe80::2e0:4cff:fe68:337c in its overview of the interfaces. However, I can see it in the opnsense terminal window with ifconfig. Third, while playing around the gateway pointing from WAN to the fe80 address of my Fritzbox router got disabled. And voila, packets passed to my windows computer.  Toggling the Gateway on/off did not make any difference. However, after a reboot no IPv6 ping possible any more. Even with IPv6 Gateway enabled or disabled. So this was only a single occurence for whatever reason.

Finally, after a few minutes of doing nothing, ping6 suddenly started to work again on one LAN computer, while on the other LAN computer it didn't work. Completely unpredictible.

[Patrick M. Hausen]

Do both OPNsense systems have the same GUA prefix on LAN? If not I guess that is the problem here. Can't you set a static prefix and use NAT in that case?

And please permit me to question the business case - you have a dynamic/changing prefix from your provider and want to run a HA pair? Why not get a static /56 or similar?

[meschmesch]

Indeed, the prefixes are different. I use track interface on both systems, both either with IPv6 Prefix ID 0x0 or (I also tried) one with 0x0 and the other one with 0x1.

And please permit me to question the business case - you have a dynamic/changing prefix from your provider and want to run a HA pair? Why not get a static /56 or similar?

The provider does not guarantee that the assigned prefix is static. Even though it appears to be static, they may change it from one day to the other. So, this is nothing I can rely on.

As far as I understand, each client can get multiple GUA adresses. In case the goal is to firstly maintain IPv6 connectivity (even with interruption of connections in case of a failure of one firewall), is there some more easy approach how to ensure that the clients are using IPv6 connectivity (and existing GUA) of the other firewall?

[bimbar]

Indeed, the prefixes are different. I use track interface on both systems, both either with IPv6 Prefix ID 0x0 or (I also tried) one with 0x0 and the other one with 0x1.

And please permit me to question the business case - you have a dynamic/changing prefix from your provider and want to run a HA pair? Why not get a static /56 or similar?

The provider does not guarantee that the assigned prefix is static. Even though it appears to be static, they may change it from one day to the other. So, this is nothing I can rely on.

As far as I understand, each client can get multiple GUA adresses. In case the goal is to firstly maintain IPv6 connectivity (even with interruption of connections in case of a failure of one firewall), is there some more easy approach how to ensure that the clients are using IPv6 connectivity (and existing GUA) of the other firewall?

Clients with multiple GUAs on multiple gateways does not work. That's a client problem.

[Patrick M. Hausen]

Idea:

• instead of PD just get one IPv6 address per firewall via DHCPv6 on WAN
• use statically configured ULA on LAN (or a "known available" GUA
• use link local CARP address on LAN as discussed
• use NAT on WAN or possibly NPT (I have not tried this, yet, but if NPT works, that would be a next-to-perfect solution

I hope you don't have inbound connections to systems on LAN - in that case I really cannot see a way to implement that with a changing prefix and HA.

HTH,
Patrick

[meschmesch]

use statically configured ULA on LAN (or a "known available" GUA

This means, that for the LAN Interface IPv6 is set to static and e.g. fd00::100 ?

use NAT on WAN or possibly NPT (I have not tried this, yet, but if NPT works, that would be a next-to-perfect solution

I assume that NPT requires an external IPv6 Prefix, which however in the present case is not static. So, NPT should not work.

Regarding NAT on WAN - in case this works at all, which is questionable (see discussion above), what would be correct here? Just WAN NAT IPv6 with Source address "LAN" and Translation / target "Interface address"?

[bimbar]

NAT66 on WAN does not work well, see https://github.com/opnsense/core/issues/5325 .
Dynamic NPTv6 does not (yet?) exist, see https://github.com/opnsense/core/issues/5284 .

So you're pretty much stuck where I am. I have now track interface on just one firewall, no redundancy for v6.

[meschmesch]

...which means that in case

• you are running services for inbound connections on the LAN
• and you are not provided with a public IPv4 address
• and you are not provided with a static IPv6 prefix

high availabililty is not possible with Opnsense. After failover you can still communicate from LAN to WAN (via IPv4), but not vice versa since Ipv6 is not available here.

A heretical question: Can pfsense do it better? 


Nevertheless, I just tested NAT. Setup

Code: [Select]

nat on igb0 inet6 from (igb1:network) to any -> (igb0:0) port 1024:65535(igb0=WAN, igb1=LAN)

ping google.de:

WAN
igb0   14:16:53.140591 IP6 2a02:810b:c03f:fe20:... > 2a03:4000:2:ee9:68bb:31ff:fecd:dd60: ICMP6, echo request, seq 2423, length 8
WAN
igb0   14:16:53.156001 IP6 2a03:4000:2:ee9:68bb:31ff:fecd:dd60 > 2a02:810b:c03f:fe20:...: ICMP6, echo reply, seq 2423, length 8
LAN
igb1   14:16:55.239746 IP6 fd00::..:66fb > 2a00:1450:4001:828::2003: ICMP6, echo request, seq 9, length 40
LAN
igb1   14:16:59.960756 IP6 fe80::..:62d6 > fe80::2:2: ICMP6, neighbor solicitation, who has fe80::2:2, length 32

NAT works, the WAN packets originate from the correct WAN interface GUA. On LAN, both addresses correspond to the windows machine performing the ping. However, the ping results in a timeout.

[Patrick M. Hausen]

Essentially both OPNsense and pfSense are fancy UIs for FreeBSD and pf. I run NAT66 without problems, but, again,  with a static address. I doubt any of this can really be improved in the short term given how IPv6 and pf both work.

Can't you get a static prefix if you have HA requirements? I tend to think HA --> mission critical business. So the budget for a real Internet connection should not be hard to justify.

[meschmesch]

Assuming I get the static address, what would be the setup? What is to be set on Wan, Lan?

[Patrick M. Hausen]

WAN: static GUA on both nodes, another GUA as CARP, provider uses that as the gateway to your e.g. /56.
LAN: static GUA on both nodes, link local as CARP, CARP address for RA. Possibly an additional GUA as another CARP address if you have statically configured systems that don't use RA. Or services like DNS, NTP, ... that need a GUA on internal networks.
DMZ 1, 2, 3, ... like LAN.

Working flawlessly here.