ipv6 wireguard Nat help

Dmonroe:
Hello, I'm trying to convert as much of my network as I can to IPv6-only. Right now I'm trying to convert my WireGuard server to use IPv6 addresses, and I've run into a problem. I get my prefix via DHCPv6 from my ISP, so they can change it at any time, and my clients connect to the server using dynamic DNS. WireGuard, however, requires that the clients have static addresses, which makes sense, because the server would have no way to tell the client its new address when it's trying to establish a connection. The way around this, and also how WireGuard works with IPv4, is to have a static internal network and use NAT to connect to the internet, which is what I'm trying to set up with WireGuard using IPv6. However, it seems that IPv6 NAT does not currently work. I can successfully ping machines on my LAN over IPv6 from a WireGuard client, and I can successfully ping IPv4-only internet hosts via tayga, but when I try to ping IPv6 hosts on the internet it doesn't go through. Googling found this: https://forum.opnsense.org/index.php?topic=13896.0 from 2019, which seems to be the same problem and has no resolution. Is there any way to get this working, or am I stuck using IPv4 for WireGuard? Attached is a screenshot of my outbound NAT settings.
Thanks in advance.

Maurice:
In general, IPv6 outbound NAT works with DHCPv6 WANs. Quite a few people use this. If the behaviour mentioned in the 2019 thread actually was a bug, it probably has been fixed at some point. There was a bug in 22.7, but that has been fixed in 22.7_4: https://github.com/opnsense/changelog/blob/master/community/22.7/22.7#L142

Your issue might be specific to WireGuard or your config. Can you post your wg tunnel address and allowed IPs?

Cheers
Maurice

YipieKaie:
Sorry to say this, but there are still problems with IPv6, not fixed with the patch.
And I reverted to 22.1 and took a closer look at IPv6, and the problem is the same.
The only difference is that it doesn't pop up at the console; it gets blocked in the firewall instead.
This applies only to my mobile phones; all servers and PCs work fine.

//Peter

Greelan:
I'd suggest ULAs configured for the tunnel and otherwise set up in accordance with the how-to (https://docs.opnsense.org/manual/how-tos/wireguard-client.html) should achieve what you want. NAT for the ULAs should work fine.

YipieKaie:
Thx Greelan

I now know what causes this problem.
Mobile phones need to talk Stateless DHCPv6 and SLAAC (O+A flags).
I use Managed (Stateful) DHCPv6 (M+O flags).

DHCPv6 Prefix Delegation: it results in each client receiving a link-local from a
DHCPv6 server rather than a single IP address.

If I use Stateless it works fine, and it then uses multiple addresses from its prefix.
So there is nothing wrong with OPNsense; it's the configuration that I use, since I have
static IPv4/IPv6 addresses on my internal network, and I also have a static IPv4/IPv6 address
from my ISP.

//Peter
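A small parser, added here as an illustration and not code from OPNsense or from anyone in the thread, that reads the M and O flags of an ICMPv6 Router Advertisement and the A flag of its Prefix Information options, which is the distinction Peter describes (M+O stateful versus O+A stateless + SLAAC). The RA bytes are constructed by `build_ra` and the ICMPv6 checksum is left at zero because only the flags and options are examined.

```python
import ipaddress
import struct

RA_TYPE, PIO_TYPE = 134, 3  # RFC 4861: Router Advertisement, Prefix Information option


def build_ra(managed: bool, other: bool, prefix: str, autonomous: bool) -> bytes:
    """Build a minimal RA with one Prefix Information option (constructed test data)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)  # M bit, O bit
    # type, code, checksum (0), cur hop limit, flags, router lifetime, reachable, retrans
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pio_flags = 0x80 | (0x40 if autonomous else 0)  # L bit always, A bit optional
    # type, length (in 8-octet units), prefix length, flags, valid, preferred, reserved
    pio = struct.pack("!BBBBIII", PIO_TYPE, 4, net.prefixlen, pio_flags, 2592000, 604800, 0)
    return hdr + pio + net.network_address.packed


def parse_ra(pkt: bytes) -> dict:
    """Return the M/O flags, each advertised prefix with its A flag, and the resulting address model."""
    typ, code, _csum, _hops, flags, _lt, _reach, _retrans = struct.unpack_from("!BBHBBHII", pkt, 0)
    if typ != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    managed, other = bool(flags & 0x80), bool(flags & 0x40)
    prefixes, off = [], 16  # options start right after the 16-byte RA header
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0 or off + olen > len(pkt):
            raise ValueError("malformed option")  # RFC 4861 forbids zero-length options
        if otype == PIO_TYPE and olen == 32:
            plen, pflags = pkt[off + 2], pkt[off + 3]
            addr = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            prefixes.append((f"{addr}/{plen}", bool(pflags & 0x40)))
        off += olen
    slaac = any(a for _, a in prefixes)
    if managed:
        model = "stateful DHCPv6 (M flag): addresses come from the DHCPv6 server"
        if not slaac:
            model += "; a host without a DHCPv6 client gets no global address from this RA"
    elif other and slaac:
        model = "SLAAC + stateless DHCPv6 (O+A): addresses from the prefix, other config from DHCPv6"
    elif slaac:
        model = "SLAAC only (A flag, no DHCPv6)"
    else:
        model = "no global address: no A-flag prefix and no DHCPv6"
    return {"M": managed, "O": other, "prefixes": prefixes, "model": model}
```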
