Zenarmor & IPv6: Bad Combo (At least on ATT Fiber/US)

[lrosenman]

@SunnyValley: Is this now a dead ticket, and I need to cancel my subscription and remove the software? 

[almodovaris]

Have you upgraded to 22.1.r1? Maybe it behaves differently.

[lrosenman]

IIRC 22.1 is NOT ready for SunnyValley, so no.

[sy]

Hi,

22.1 repo is published.

[lrosenman]

Are there changes in 22.1 (Either OPNSense or Zenarmor) that would possibly affect this issue?

[lrosenman]

per private email, it was worth a try, and:

SUCCESS

it's working, modulo the fact that pkg update doesn't like to talk to the IPv6 repos.
(Other IPv6 works fine).

I wonder if there's a way to force pkg -4 for the OPNSense / SunnyValley stuff?

[lrosenman]

another user suggested setting the IPv4 preferred over IPv6 and running the updates, which DID upgrade more code.

Now that it's on:
OPNsense 22.1.r1-amd64

and removing the 4 over 6 preference it's still working, and my IPv6 issue is GONE.

[JasMan]

Hi,

The reason for the loss of connectivity is that when Zenarmor packet engine opens the interface in the netmap mode, netmap re-initializes that interface, causing a DOWN/UP link event.
Seeing an interface DOWN/UP event, OPNsense fires IPv4/IPv6 address re-configuration. For IPv4, this takes milliseconds, bur for IPv6, due to auto-configuration, WAN tracking etc, this process might take about 15-60 seconds during which time you might lose WAN connectivity.
After this, everything should be back to normal.
We’re aware of this issue, however the solution involves working with 3rd parties (netmap team, OPNsense team etc).
For the final solution, several options are on the table and we’re working on them.
I hope this helps clarify the situation

So happy to read this explanation. 
I thought that I'd a missconfiguration in my OPNsense due to the long "outages" during IFs down/up.

[walkerx]

If you can, get a static ipv6 and set opnsense to use static ipv6 and setup dhcpv6 and router assists, this will allow ipv6 to continue working.

i had this similar issue with a uk based isp and if set dhcpv6 to track ipv4 and wan i lost ipv6 when zenarmour was activated. i raised this with zenarmour around apr-may 2022.