IPv6 not propagating to LAN

Started by jnaughto, August 09, 2022, 12:56:12 AM

Hello All,

I just realised today that my IPv6 block of IP addresses is not propagating.  Now I have a Rogers Ignite Modem setup which I cannot put into bridge mode.  Dealing with the Rogers guys can be frustrating as all hell at times.  Yet behind it I have an OPNsense box that sits in front of my home LAN.  The OPNsense box is:

OPNsense 22.7_4-amd64
FreeBSD 13.1-RELEASE
OpenSSL 1.1.1q 5 Jul 2022

This is the latest update.  IPv4 is working fine.  My network configuration is essentially:

Internet <-> Rogers Ignite Modem (port forwarding various ports) <- ZONE A -> OPNsense <- ZONE B -> LAN

I can't bridge due to the fact that I may need to deal with the vendor to address a failed Ignite TV box, so I had them put in front of the OPNsense server.  The Rogers modem has an IPv6 block and is doing DHCP for both v6 and v4 in Zone A.  My OPNsense server is showing an IPv6 address on the WAN port:

IPv6 link-local   fe80::XXXXX:814d/64
IPv6 address   2607:XXXXX:814d/64
IPv6 gateway   fe80:XXXXX:691f

Yet the LAN port shows nothing for IPv6. 

The LAN interface has been configured:

IPv6 Configuration Type: Track Interface
IPv6 Interface: WAN Interface
IPv6 Prefix ID: 0

On the Wan interface configuration for DHCPv6 Client shows:

Configuration Mode: Basic
Request only an IPv6 Prefix: Checked
Send IPv6 prefix hint: checked
Use IPv4 connectivity: unchecked
Use VLAN priority: disabled

Now I've noticed that some are referring to Router Advertisements showing up in the Services section, but I see nothing there that reflects an RA.  My DHCPv6 simply has Relay and Leases showing under it.  Yet I did notice on my main Dashboard that the DHCPv6 Server is down and will not start.

FYI, just so you know, my OPNsense server does have an IPv6 address; from the OPNsense I can ping over IPv6 to www.google.ca (2001:4860:4860::8888).

Tonight I was able to change the Rogers modem from DHCP to stateless IPv6 for the local configuration:

Gateway > Connection > Local IP Configuration

I then changed the WAN configuration on my OPNsense to be:

IPv6 Configuration Type: SLAAC
SLAAC configuration
Use IPv4 connectivity: unchecked

The LAN card is still set to:

IPv6 Configuration Type: Track Interface

Track IPv6 Interface:
IPv6 Interface: WAN Interface
IPv6 Prefix ID: 0
Manual configuration: unchecked

The LAN interface still does not show up, nor does any RA under Services...

If you can't put your ISP-provided router into bridge mode, it would have to support Prefix Delegation for this to work. It's not unlikely that it doesn't. Check its DHCPv6 server settings for DHCPv6-PD or similar.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Thanks Maurice... I was concerned about that... there's no option on the DHCPv6 server on the modem for prefix delegation...  Yet I know the range of IPv6 addresses on the Rogers modem, and the IPv6 block is unlikely to change.  Isn't there any way I could simply set up an IPv6 DHCP server on the OPNsense for the LAN side to propagate the IPv6 block that the modem has?  The other idea would be to somehow allow the LAN DHCPv6 requests to pass through the OPNsense server to the modem that has DHCPv6 set up on it to respond to the requests.  Is that possible?  I assume there would have to be some sort of firewall rule to allow the modem to reach out to the LAN clients.

You cannot use the same /64 in the ISP-provided router's LAN and the OPNsense LAN. That's why relaying DHCPv6 wouldn't help either.

But you could configure the OPNsense LAN interface with a dedicated, static /64 if
- the prefix you get from your ISP is static (seems to be the case),
- the length of this prefix is no longer than /63 and
- the ISP-provided router allows adding static routes.

No chance you can set the ISP-provided router into bridge mode? This would be way easier.

Cheers
Maurice

Picking an arbitrary GUA /64 that you know nobody is using (possibly because it's part of a larger company assignment or similar) and setting up NPT6 would also work.

I use parts of my German Telecom assigned /56 in private networks throughout my infrastructure.

I would not recommend using ULA because the "happy eyeballs" algorithms of common desktop OSes act weird if only ULA is present.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

@pmhausen, NPTv6 would still require a static route on the ISP-provided router. Unfortunately we don't have an NDP proxy yet (it's on my wish list).

@jnaughto, if there is no other way and you're really desperate, IPv6 outbound NAT should work...

Quote from: Maurice on August 09, 2022, 04:33:03 PM
@pmhausen, NPTv6 would still require a static route on the ISP-provided router. Unfortunately we don't have an NDP proxy yet (it's on my wish list).
Why? The ISP router provides the default gateway in a /64 on its LAN interface. So you can use 2^64 minus a handful of nodes on the ISP LAN (theoretically). Spoof ND like we did with ARP in the elder days and you are all set.

OK, I admit I do not know if OPNsense can spoof ND. I do use /64 to /64 NPT on a point to point link, though.

Quote from: pmhausen on August 09, 2022, 05:06:19 PM
OK, I admit I do not know if OPNsense can spoof ND.

It can't. FreeBSD has ndproxy, but OPNsense unfortunately doesn't support this yet.

Quote from: pmhausen on August 09, 2022, 05:06:19 PM
I do use /64 to /64 NPT on a point to point link, though.

Which doesn't require ND. :)
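
As an added example (not code from OPNsense, FreeBSD or anyone in this thread) of what the NPTv6 pmhausen mentions above actually does: a one-to-one, checksum-neutral prefix rewrite per RFC 6296, shown for the /48 case and for the /64-to-/64 case he uses on a point-to-point link. It only illustrates the address rewrite; as Maurice notes, reply traffic still has to be routed (or ND-proxied) to the translator, which is the part the ISP box cannot do here. The 2001:db8::/32 prefixes are documentation addresses constructed for the demo, and for brevity the code assumes both prefixes have the same length, a multiple of 16 up to /64.

```python
"""Simplified NPTv6 (RFC 6296) translator for the /48 and /64 cases.

Added example, not code from OPNsense or from anyone in this thread. The
prefixes are 2001:db8::/32 documentation prefixes constructed for the demo.
Assumptions for brevity: both prefixes have the same length, and that length
is a multiple of 16 and at most 64.
"""
import ipaddress
import struct


def ones_complement_sum(words):
    """One's complement sum of 16-bit words (carries folded back in)."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total & 0xFFFF


def ones_complement_neg(word):
    """Additive inverse in one's complement arithmetic."""
    return (~word) & 0xFFFF


def to_words(addr):
    return list(struct.unpack("!8H", ipaddress.IPv6Address(addr).packed))


def from_words(words):
    return ipaddress.IPv6Address(struct.pack("!8H", *words))


def address_sum(addr):
    """The TCP/UDP/ICMPv6 pseudo-header checksum covers the address as eight
    16-bit words, so a translation that keeps this sum is checksum-neutral."""
    return ones_complement_sum(to_words(addr))


class Nptv6:
    def __init__(self, internal, external):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        plen = self.internal.prefixlen
        if plen != self.external.prefixlen or plen % 16 or plen > 64:
            raise ValueError("demo supports equal prefix lengths /16../64 in steps of 16")
        self.nwords = plen // 16
        int_sum = ones_complement_sum(to_words(self.internal.network_address)[:self.nwords])
        ext_sum = ones_complement_sum(to_words(self.external.network_address)[:self.nwords])
        # RFC 6296: adjustment = internal prefix sum minus external prefix sum,
        # a constant for the lifetime of the mapping.
        self.adjustment = ones_complement_sum([int_sum, ones_complement_neg(ext_sum)])

    def _adjust_index(self, words):
        """Pick the 16-bit word that absorbs the adjustment."""
        if self.nwords <= 3:
            # /48 or shorter: the subnet field (bits 48..63) survives translation.
            if words[3] == 0xFFFF:
                raise ValueError("subnet 0xFFFF cannot be translated unambiguously")
            return 3
        # /49../64: the subnet field is overwritten, so use the first IID word
        # that is not 0xFFFF (0xFFFF + x is indistinguishable from 0x0000 + x).
        for i in range(4, 8):
            if words[i] != 0xFFFF:
                return i
        raise ValueError("interface identifier is all ones; drop the packet")

    def _translate(self, addr, src, dst, adj):
        a = ipaddress.IPv6Address(addr)
        if a not in src:
            raise ValueError(f"{a} is not inside {src}")
        words = to_words(a)
        i = self._adjust_index(words)
        w = ones_complement_sum([words[i], adj])
        # 0xFFFF and 0x0000 are the same value in one's complement; always write
        # 0x0000 so the reverse direction selects the same word.
        words[i] = 0 if w == 0xFFFF else w
        words[:self.nwords] = to_words(dst.network_address)[:self.nwords]
        return from_words(words)

    def outbound(self, addr):
        """Internal address -> external address (LAN towards the Internet)."""
        return self._translate(addr, self.internal, self.external, self.adjustment)

    def inbound(self, addr):
        """External address -> internal address (reply traffic)."""
        return self._translate(addr, self.external, self.internal,
                               ones_complement_neg(self.adjustment))


if __name__ == "__main__":
    # /48 to /48, the common NPTv6 deployment
    t48 = Nptv6("2001:db8:1::/48", "2001:db8:2::/48")
    inside = "2001:db8:1:10::5"
    outside = t48.outbound(inside)
    print(inside, "->", outside, "->", t48.inbound(outside))
    print("checksum-neutral:", address_sum(inside) == address_sum(outside))
    # /64 to /64, as on a point-to-point link
    t64 = Nptv6("2001:db8:1:1::/64", "2001:db8:2:2::/64")
    print(t64.outbound("2001:db8:1:1::1234:5678"))
```

Running the block maps 2001:db8:1:10::5 to 2001:db8:2:f::5 and back; the one's complement sum of both addresses is identical, which is why TCP and UDP checksums need no rewrite and why the translator keeps no per-flow state, unlike the many-to-one outbound NAT discussed elsewhere in this thread.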

@Maurice

Quote from: Maurice
@jnaughto, if there is no other way and you're really desperate, IPv6 outbound NAT should work...

I didn't really think there was such a thing as IPv6 NAT; I know this tends to be quite the viral topic.

Essentially the modem is a Rogers Ignite Modem.  The modem has very little documentation to work with and the interface is quite simplified.  The modem's LAN interface can be configured for either stateless (SLAAC) or stateful (DHCPv6) IPv6 deployment.  Yet the prefix is fixed to a /64.  The modem doesn't support any sort of static routing with which I could subnet the IPv6 block either, so yes, routing could be a bit of an issue.

The reason why I've hesitated putting the modem into bridge mode is that I have 2 Ignite TV boxes also behind it.  The idea was to leave them outside of my LAN, between the router and the OPNsense router.  I wasn't sure what was going on in these boxes.  I believe they are using both IPv6 and IPv4.  I also wasn't sure what exposure these boxes could be leveraged against the rest of my LAN.  It also helps, when there's a TV-related issue and I'm dealing with the Rogers support group, not to get into the "Well my router is in bridge mode...." conversation.  If it's left as they like it and my internal LAN is invisible but functional, that's my goal.  Right now everything is working on the LAN side except for IPv6, so at this point there is little impact.  Yet as IPv6 becomes more predominant I'm going to have vast sections of the internet non-reachable.

I've played with IPv4 NATs without any issues but I'm going to have to read up on the IPv6 outbound NAT.

Hi @jnaughto,

Some time ago I had to configure IPv6 outbound NAT because my ISP modem behaves like yours with the extra problem that my ISP doesn't allow me to get into the configuration.

I can say that it works very reliably, despite the fact that it's using NAT.

The trick I found is that once you have outbound NAT configured, you can enable DHCPv6 and assign IP addresses as if you were given a prefix.
In my case I use a /80 prefix and all my LAN addresses get public addresses. This works well on Windows and Linux. It's not useful for Android phones because they don't use DHCPv6 to get IPv6, and you can't use SLAAC because you can't use a /64 prefix inside your LAN.

All IPv6 tests I made worked fine so for the purpose of having an IPv6 enabled Internet this solution is suitable.

Cheers
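
An added example (not OPNsense code and not muchacha_grande's or Maurice's configuration) that checks the conditions from the posts above in code: carving a second /64 out of the ISP delegation for the OPNsense LAN, which only works when the delegation is /63 or shorter and the ISP router can route it; why SLAAC is tied to a /64 (the modified EUI-64 interface identifier is 64 bits wide); and a DHCPv6 pool under the /80 that muchacha_grande uses instead. The 2001:db8::/32 prefixes, the OPNsense WAN address and the MAC address are made up for the demo.

```python
"""IPv6 address planning for the options discussed in this thread.

Added example, not OPNsense code and not the configuration of anyone in the
thread. The 2001:db8::/32 prefixes, the OPNsense WAN address and the MAC
address are made up for the demo.
"""
import ipaddress


def plan_lan_prefix(isp_prefix, router_lan_prefix, opnsense_wan):
    """Pick a /64 for the OPNsense LAN that is part of the ISP delegation but
    distinct from the /64 the ISP router uses on its own LAN, and return it
    together with the static route the ISP router would need.

    A bare /64 from the ISP cannot be split, so there is no spare /64 to put
    behind OPNsense; that is the "no longer than /63" condition."""
    isp = ipaddress.IPv6Network(isp_prefix)
    router_lan = ipaddress.IPv6Network(router_lan_prefix)
    wan = ipaddress.IPv6Address(opnsense_wan)
    if isp.prefixlen > 63:
        raise ValueError(f"{isp} is longer than /63: no second /64 is available")
    if not router_lan.subnet_of(isp):
        raise ValueError(f"{router_lan} is not part of {isp}")
    if wan not in router_lan:
        raise ValueError(f"next hop {wan} must sit on the router LAN {router_lan}")
    for candidate in isp.subnets(new_prefix=64):
        if candidate != router_lan:
            # the ISP router must be able to install this route for replies to come back
            return candidate, f"{candidate} via {wan}"
    raise AssertionError("unreachable: a /63 or shorter always holds two /64s")


def slaac_address(prefix, mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A).

    SLAAC needs a 64-bit interface identifier, so the advertised prefix must
    be exactly /64; anything longer (e.g. a /80) leaves no room and is
    rejected here, which is why a /80 LAN has to use DHCPv6."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC requires a /64 prefix, got /{net.prefixlen}")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # flip the universal/local bit of the first octet and insert ff:fe in the middle
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def dhcpv6_range(prefix, first_host, count):
    """First and last address of a DHCPv6 pool under a prefix of any length;
    DHCPv6 hands out explicit addresses, so a /80 works where SLAAC cannot."""
    net = ipaddress.IPv6Network(prefix)
    if first_host < 1 or first_host + count - 1 >= net.num_addresses:
        raise ValueError("pool does not fit inside the prefix")
    base = int(net.network_address)
    return (ipaddress.IPv6Address(base + first_host),
            ipaddress.IPv6Address(base + first_host + count - 1))


if __name__ == "__main__":
    print(plan_lan_prefix("2001:db8:abcd::/56", "2001:db8:abcd::/64", "2001:db8:abcd::2"))
    print(slaac_address("2001:db8:abcd:1::/64", "00:11:22:33:44:55"))
    print(dhcpv6_range("2001:db8:abcd:1:1::/80", 0x10, 200))
    try:
        # the situation in this thread: the modem hands out a fixed /64 and nothing more
        plan_lan_prefix("2001:db8:abcd::/64", "2001:db8:abcd::/64", "2001:db8:abcd::2")
    except ValueError as e:
        print("rejected:", e)
```

With a /56 or /63 delegation the planner returns the next free /64 and the route the ISP router would need; with the fixed /64 from the thread it refuses, which is the case where only bridge mode or outbound NAT remains. The SLAAC function refuses a /80 for the same structural reason muchacha_grande gives: the interface identifier alone already occupies 64 bits.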

August 12, 2022, 11:32:13 PM #12 Last Edit: August 12, 2022, 11:35:11 PM by jnaughto
Ok so I'm a bit confused.  If I'm going to use NPTv6 to NAT IPv6, essentially it's not really a NAT in the sense that many internal IPv4 addresses map to one global IPv4 address, but rather that I assign an internal IPv6 block of IP addresses that get re-mapped as they leave the OPNsense server to a valid global address.

See attached graphic... (tried to include it in-line but had some difficulties having it render)

The modem is in front of my OPNsense server.  It provides the WAN interface on the OPNsense server with an IPv6 address.  Thus for any traffic leaving the OPNsense server itself, the modem knows how to route it back to that OPNsense server interface.  The only way I would be able to have IPv6 traffic translate through the OPNsense server would be to map a global IPv6 alias on the WAN interface for every system inside my LAN, and then map that global IPv6 address to an internal host....  That way the modem knows how to return the traffic back to the WAN interface of the OPNsense server.

In comparison to the IPv4 world, you would assign a private network (192.168.X/172.16/10).  What IPv6 block do I use on the LAN side to be translated to the global addresses on the WAN side?

Am I missing something?

@muchacha_grande

Quote from: muchacha_grande
The trick I found is that once you have outbound NAT configured, you can enable DHCPv6 and assign IP addresses as if you were given a prefix.

Okay, so what does your OPNsense LAN configuration look like?  I'm very curious how you went about mapping the internal IPv6 addresses.  Did you assign a static IPv6 from the modem to your internal LAN interface?


@jnaughto "Unhappy ISP support staff" vs. "IPv6 NAT" would be an easy choice for me, but hey, it's your network.  ;D

Quote from: jnaughto on August 12, 2022, 07:51:02 PM
The reason why I've hesitated putting the modem into bridge mode, is that I have 2 ignite TV boxes also behind it. [...] I also wasn't sure what exposure these boxes could be leveraged against the rest of my LAN.

You can add a separate LAN to OPNsense just for untrusted devices which are only allowed Internet access.

Quote from: jnaughto on August 12, 2022, 07:51:02 PM
It also helps when there's a TV related issue when dealing with the Rogers support group not to get into "Well my router is in bridge mode...." conversation.

You can always temporarily switch to router mode when having to deal with support.

Quote from: jnaughto on August 12, 2022, 07:51:02 PM
I've played with IPv4 NATs without any issues but I'm going to have to read up on the IPv6 outbound NAT.

Works pretty much the same.

Quote from: jnaughto on August 12, 2022, 11:32:13 PM
Ok so I'm a bit confused.  If I'm going to use NPTv6 to NAT IPv6.

As discussed above, you can't use NPTv6. Your only options are putting the ISP box into bridge mode or using IPv6 outbound NAT. @muchacha_grande is in a different situation because they don't even have bridge mode available.

Cheers
Maurice