ipv6 issues

Started by hescominsoon, March 02, 2022, 05:38:08 PM

March 02, 2022, 05:38:08 PM Last Edit: March 02, 2022, 05:49:53 PM by hescominsoon
OPNsense 22.1.2-amd64

All Intel NICs on an Atom board. radvd is running. It's been an issue with any BSD-based firewall... I am on Comcast business using a /55 prefix. I have an ipv6 address on the wan... for some reason, it is not pulling the subnets on the internal subnets.

IPv6 Configuration Type would be DHCPv6 I guess. Prefix /55 is not a typo? All I can see is that Comcast Business offers /56. Maybe try with "Use IPv4 connectivity" enabled, and set the LAN interface to track the WAN for IPv6.

March 02, 2022, 09:11:13 PM #2 Last Edit: March 11, 2022, 04:25:58 AM by 5SpeedFun
I have Comcast business "working" on 21.7.8 (which should be, I think, similar).
Edit: Mar 10, 2022: This is working on 22.1.2_1 as well for me.
Edit2: Your track interface must start at 1 since 0 is on your wan interface.
Edit3: If you have Comcast SecurityEdge on, TURN IT OFF. It will make DNS very flaky. I had to call Comcast in order to get this turned off and then everything ran perfectly.

Try the following settings which work for me:

On your "wan/internet" interface:

IPv6 Configuration Type -> DHCPv6
DHCPv6 client configuration -> Basic
Prefix delegation size -> 59
Send ipv6 prefix hint [X]
[SAVE]

On your lan interface:
IPv6 Configuration type: Track interface

and under Track IPv6 Interface:
IPv6 Interface: [_Name_of_wan_interface+]
IPv6 Prefix ID: 1
(don't use 0 as I think that conflicts with the "wan/interface" IIRC)
[SAVE]

This should work if your hosts support SLAAC.  Works for me on iphone/android/windows/linux/mac hosts just fine.

Be aware that the /59 that is assigned MAY CHANGE DYNAMICALLY.    If you are trying to run static ip servers inside your lan on ipv6.....it doesn't work well because of the /59 that can change when your modem is replaced or your opnsense box reboots.

If the above doesn't work for basic ipv6 connectivity, please post your comcast modem/router model & firmware version and I may be able to assist further.

Also: don't forget to add lan firewall rules so that your computers with ipv6 addresses can contact the internet.

I just reformatted the firewall. At the beginning, before any configuration, wan and lan had appropriate ipv6. Comcast has said /54, /55, /56; it depends on where you are. I've tried all three. Now when I redo everything, it refuses to work with any /number. Comcast of course says it's on my end, which I agree with. Like I said, linux firewalls work fine without any tweaking; I set the prefix size and it just works. For some reason opnsense just refuses.


So, case in point: if I turn track interface off, the wan will get an ipv6 /128 on the interface.
Then if I set the prefix to 56 and add track 6 on the internal vlan interface, using 0x0... nothing.
Applying interface changes I give up on after more than two minutes of it thinking. This behavior has been consistent across different hardware devices, so it's not the hardware. Right now I have the prefix set to /56 and the physical lan interface says the following:
1000baseT <full-duplex>    192.168.255.1
track6

It refuses to grant a subnet once the system has the vlan interfaces added. Any ideas? I've been digging around but I cannot find a reason why Opnsense refuses to do ipv6 at all.

I set up my WAN with a /60, prefix hint and dhcpv6. Someone suggested consumer IPv6 only gets /60, not /64 like the commercial accounts. I've set up my LAN interface to track the WAN interface and set the IPv6 Prefix ID to 1 for the first interface (and 2 for the second LAN). Now I have IPv6 addresses on both interfaces. But I'm a bit confused as the networks don't match the WAN interface or the dhcp6dump interface. I have 2001:... on the WAN and in the dump. But I have 2601:... on the LANs. Hmm, they do belong to Comcast (my ISP) so that checks. But when I attempt to ping6 google.com from the LAN hosts, it stops at the router's LAN interface (I used traceroute6 to figure that out). Now I'm stuck, but at a new place.

You cannot set up an interface with /60 in IPv6. All interfaces are /64. Always. You might get a /60 (I get a /56) via prefix delegation but you can only use individual /64s out of that range on your interfaces.

I would check with the support of your provider what exactly they do. Guesswork will not help, there will be one and only one working configuration for any particular ISP.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
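
The prefix arithmetic discussed in the posts above, as an added example that is not part of any post in the thread: it computes which /64 a "Track interface" Prefix ID selects from a delegated prefix and rejects IDs that do not fit the delegation size. The function names, the `2001:db8::` documentation prefixes and the `reserved` parameter are assumptions made for illustration.

```python
import ipaddress

def tracked_lan_prefix(delegated, prefix_id):
    """Return the /64 that a given Prefix ID selects from a delegated prefix."""
    net = ipaddress.IPv6Network(delegated)   # strict: rejects host bits set
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64; nothing to hand to a LAN")
    id_bits = 64 - net.prefixlen             # /59 -> 5 bits, /56 -> 8 bits
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(
            f"Prefix ID {prefix_id:#x} does not fit in a /{net.prefixlen} "
            f"(valid: 0x0-{(1 << id_bits) - 1:#x})")
    base = int(net.network_address)
    # The Prefix ID fills the bits between the delegation and the /64 boundary.
    return ipaddress.IPv6Network((base | (prefix_id << 64), 64))

def plan_lans(delegated, ids, reserved=frozenset()):
    """Map interface name -> /64, refusing duplicate or reserved Prefix IDs."""
    owner, plan = {}, {}
    for name, pid in ids.items():
        if pid in reserved:
            raise ValueError(f"{name}: Prefix ID {pid:#x} is reserved")
        if pid in owner:
            raise ValueError(f"{name}: Prefix ID {pid:#x} already on {owner[pid]}")
        owner[pid] = name
        plan[name] = tracked_lan_prefix(delegated, pid)
    return plan

if __name__ == "__main__":
    # Constructed sample delegations (documentation range), not real ISP data.
    # reserved={0} mirrors the posters' habit of skipping ID 0 (an assumption).
    for pd in ("2001:db8:0:aa00::/59", "2001:db8:0:bb00::/59"):
        plan = plan_lans(pd, {"LAN": 0x1, "VLAN10": 0x2}, reserved={0})
        for name, net in plan.items():
            print(f"{pd:24} {name:7} -> {net}")
    # A /60 only has room for IDs 0x0-0xf:
    try:
        tracked_lan_prefix("2001:db8:0:aa10::/60", 0x10)
    except ValueError as exc:
        print("rejected:", exc)
```

Running it with two different delegations shows every LAN /64 moving when the delegated prefix changes, which is why addresses derived from a dynamic delegation should not be pinned in firewall rules or DNS.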

Quote from: pmhausen on March 05, 2022, 08:21:29 AM
You cannot set up an interface with /60 in IPv6. All interfaces are /64. Always. You might get a /60 (I get a /56) via prefix delegation but you can only use individual /64s out of that range on your interfaces.

Ah, sorry, poorly worded on my part.

On the WAN interface I set "Prefix delegation size" to /60. But WAN will get a /128, the LANs (which are tracking the WAN) will get /64.

And now the really strange part, routing is working! I have at least 2 of my servers able to reach IPv6 and the IPv6 test site (ipv6-test.com). I need to work on a third. I have to turn off IPv6 on a third server as it was having issues with IPv6. :-)

except my internal interfaces get....nothing.  I have noticed when I switch modems the BSD based firewalls then do ipv6 correctly but then I lose connectivity every 3-5 minutes for about 5-20 seconds.  When I plug a laptop or desktop directly into the modem however everything works fine.  it's only opn(and PF)sense that have this weird behavior.  This latest version it went from partially working to nothing at all.

Most ISPs that use DHCP6 only provide a /128 on the WAN, that is if they even provide a GUA address at all, some will not even provide that, instead relying on a link-local address between your WAN and the ISP BNG. Routing will still work as Opnsense uses the default route via the WAN interface, even if it is link-local, to route packets out to the ISP BNG. Therefore do not assume you will always see a GUA address on the WAN.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Quote from: marjohn56 on March 06, 2022, 11:48:21 AM
Most ISPs that use DHCP6 only provide a /128 on the WAN, that is if they even provide a GUA address at all, some will not even provide that, instead relying on a link-local address between your WAN and the ISP BNG. Routing will still work as Opnsense uses the default route via the WAN interface, even if it is link-local, to route packets out to the ISP BNG. Therefore do not assume you will always see a GUA address on the WAN.
BNG - What is that? Sorry this level of IPv6 is new to me.

GUA - Global Unique Address.

I am fortunate, I now have a GUA and I do see Opnsense using the link-local as the default route. Not sure what issue hescominsoon is running into.

Quote from: linuxha on March 06, 2022, 02:41:30 PM
BNG - What is that? Sorry this level of IPv6 is new to me.


Broadband Network Gateway


Quote from: hescominsoon on March 04, 2022, 09:12:00 PM
... then if i set the prefix to 56 and add track 6 on the internal vlan interface...using 0x0..and...nothing.  ...
@hescominsoon, did you try 0x1 instead of 0x0? I had to change mine on each interface. 0x0 didn't work for me. I incremented for each LAN I added under IPv6.

March 11, 2022, 04:15:46 AM #14 Last Edit: March 11, 2022, 04:18:17 AM by 5SpeedFun
Quote from: hescominsoon on March 06, 2022, 02:05:21 AM
except my internal interfaces get....nothing.  I have noticed when I switch modems the BSD based firewalls then do ipv6 correctly but then I lose connectivity every 3-5 minutes for about 5-20 seconds.  When I plug a laptop or desktop directly into the modem however everything works fine.  it's only opn(and PF)sense that have this weird behavior.  This latest version it went from partially working to nothing at all.

If you are on comcast business, and have static /56, one of the /64's is going to be on your wan interface.  Try requesting /59 on your wan interface, and then try assigning 0x1 to one of your internal interfaces and "track interface" of your wan connection.  This is working for me.