Topic: Firewall blocks traffic from delegated IPv6 prefixes (Read 1010 times)
astronaut
Newbie
Posts: 34
Karma: 0
Firewall blocks traffic from delegated IPv6 prefixes « on: October 19, 2022, 11:57:21 am »
I have set up OPNsense as the primary router between my DSL modem and a secondary router (OpenWRT with WiFi AP):
DSL Modem -> OPNsense -> LAN1 -> OpenWRT -> LAN2
OPNsense gets a /58 prefix from the DSL modem (dynamic IP). Prefix delegation of /60 ranges is set up in the DHCPv6 section of OPNsense. The OpenWRT WAN section gets an IPv6 address and a /60 prefix.
Internet access via IPv6 in LAN1 works without any notable issues.
Internet access via IPv6 works in LAN2 as long as OpenWRT is set up to work as an IPv6 relay. Clients in LAN2 then get an IPv6 from the same range as LAN1 (e.g. 2001:0db8:0:d7c0::/64). However, I then have trouble connecting via IPv6 to some internal servers with static local ULAs in LAN2.
Therefore, I set up OpenWRT as a DHCPv6 server to distribute IPv6 addresses from the delegated range (e.g. 2001:0db8:0:d7d1::/64): I can access the static local ULAs, but then internet access via IPv6 fails. I can see in the OPNsense firewall that the traffic from the client in LAN2 is being blocked ("Default deny / state violation rule").
I would expect that traffic from delegated prefixes is automatically allowed to pass the firewall. Is this expectation wrong? Or am I doing something wrong? Any hints are welcome. If you need more information on my setup, let me know.
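Added example, not part of the original post: prefix arithmetic for the two setups described above, showing that a relayed LAN2 client sources traffic from the LAN1 /64 while a routed LAN2 client sources it from a delegated /60 outside that /64. The /58 base is an assumption derived from the two example /64s in the post, and `rule_passes` is a hypothetical source-match model, not OPNsense's rule engine; the post does not show the actual rule set.

```python
import ipaddress

# Constructed from the documentation-range examples in the post.
# The /58 base is an assumption consistent with both quoted /64s.
WAN_DELEGATION = ipaddress.ip_network("2001:db8:0:d7c0::/58")
LAN1_NET = ipaddress.ip_network("2001:db8:0:d7c0::/64")
ULA_SPACE = ipaddress.ip_network("fc00::/7")


def downstream_pools(delegation=WAN_DELEGATION, lan_net=LAN1_NET, new_prefix=60):
    """Split the upstream delegation into /60 blocks.

    Returns (block, overlaps_lan1) pairs so the block that contains the
    on-link LAN1 /64 can be kept out of the downstream pool.
    """
    return [(blk, lan_net.subnet_of(blk))
            for blk in delegation.subnets(new_prefix=new_prefix)]


def classify_source(addr, delegation=WAN_DELEGATION, lan_net=LAN1_NET):
    """Say where a packet's source address sits relative to LAN1."""
    ip = ipaddress.ip_address(addr)
    if ip in lan_net:
        return "on-link"  # LAN1 host, or LAN2 host behind an IPv6 relay
    if ip in delegation:
        blk = next(b for b in delegation.subnets(new_prefix=60) if ip in b)
        return f"delegated:{blk}"  # routed through the downstream router
    if ip in ULA_SPACE:
        return "ula"
    return "foreign"


def rule_passes(addr, allowed_sources):
    """Hypothetical pass rule: match only if the source is in a listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowed_sources)


if __name__ == "__main__":
    relayed = "2001:db8:0:d7c0::10"  # constructed LAN2 client, relay mode
    routed = "2001:db8:0:d7d1::10"   # constructed LAN2 client, delegated /64
    for src in (relayed, routed):
        print(src, classify_source(src), rule_passes(src, [LAN1_NET]))
```

Under that model, widening the source from the LAN1 network alone to the LAN1 network plus the delegated /60 is what makes the routed client match.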
efahl
Newbie
Posts: 17
Karma: 2
Re: Firewall blocks traffic from delegated IPv6 prefixes « Reply #1 on: October 19, 2022, 06:49:52 pm »
Not answering your question, but maybe giving you some options...
Do you really want the OpenWrt device to be a secondary router? There's the "dumb AP" mode you can configure, then all the IP management could be done in OPNsense:
https://openwrt.org/docs/guide-user/network/wifi/dumbap