Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
IPV6 and Comcast Xfinity setup questions
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPV6 and Comcast Xfinity setup questions (Read 1565 times)
jmantoo
Newbie
Posts: 1
Karma: 0
IPV6 and Comcast Xfinity setup questions
«
on:
October 26, 2022, 05:49:06 am »
I'm trying to setup opnsense with ipv6 enabled but im not sure i have it configured correctly. I dont have a typical setup, so it has been impossible to find any information that shows me how it should be setup. here is my configuration.
Cable modem Surfboard SB6183 Comcast/Xfinity is the provider.
OPNSense box itx i7 16gigs ram dual intel nics on board
2 Windows 2019 Servers one is the DHCP server and both are DNS servers
I have both ipv4 and ipv6 working it seems but i keeps getting wierd errors on the OPNSense box for taffic that it cannot route
"Cannot forward src fe08:2::..... , dst 2a05:d018:76c:b683:eeb7:8a44:964d:dc0f, nxt 6, rcvif em1, outif em0
I have ipv6 setup on the OPNSense box
LAN set to track interface
Track IPv6 Interface set to WAN and Manual configuration check to "Allow manual adjustment of DHCPv6 and Router Advertisements"
Wan set to DHCPv6
DHCPv6 client configuration
mode basic
Request only an IPv6 prefix checked
Prefix delegation size 64
Send IPv6 prefix hint checked
Use IPv4 connectivity checked
On the Windows servers I used the prefix provided and set static IPv6 Addresses using the prefix with ::2 and ::3 for each. The DNS servers are set to forward requests to Cloudflare I had to manually enter the IPv6 address of the OPNsense box in the default gateway field. This was the only way to get the servers to connect to the internet. This seemed really strange as they should from my understanding should have not needed a default gateway and RA should have provided this to them.
the DHCPv6 server was set to give out addresses for the prefix::0010 to prefix::ffff /64 I'm not entirely sure this is the correct way to handle this and where I am really questioning that I have things configured wrong.
If any one can help me out on this I would really appreciate it
Regards,
Jman
«
Last Edit: October 26, 2022, 06:00:38 am by jmantoo
»
Logged
yourfriendarmando
Full Member
Posts: 103
Karma: 8
Re: IPV6 and Comcast Xfinity setup questions
«
Reply #1 on:
October 26, 2022, 07:15:25 am »
I will reflect on what I have set up, and present differences taking your mixed environment into account.
I too have Comcast Home/Xfinity, and was able to request a /60 prefix. That way I have networks available from
1000:2000:3000:4000:: to 1000:2000:3000:400f:: 16 available for VLANS, of which I have 4 in use (adm, mgt, work, guest) Used to be 5 with the vpn, but I found it unnecessary. I think Comcast Business gives you a /56 prefix by hint request, which would give you the 0:1:2:xx00:: to xxff:: range for 256 vlans.
For each interface or vlan on your local net:
IPv4 Configuration Type: Static
IPv6 Configuration Type: Track Interface
Track IPv6 Interface Section:
IPv6 Interface: Wan or equivalent
IPv6 Prefix ID: 0-f or 0-ff (Home or Business)
If you keep your local network primarily ipv4, and ipv6 for mostly internet facing items, you will have a better life. I do have DHCPv4 on my firewall, but in your case, it can stay disabled, or set to relay (I haven't used this) to assist with WinDHCPv4. Enable DHCPv6 on the firewall so it works in tandem with Router Advertisements.
My settings for Radvd for each interface are:
Router Advertisements: Managed
Router Priority: Normal
Source Address: Automatic
For each interface serving up DHCPv6:
Give it a range of: ::ffff:0:0:0 to ::ffff:ffff:ffff:0
The firewall, set to track interface, will automatically resolve the network prefix.
Keep your local servers set to static IPv4, but let them have DHCPv6 for ipv6, unless you are guaranteed a static ipv6 block of addresses from Comcast. For those few important servers, you can assign them static IPv6 in DHCPv6 for the corresponding interface:
DUID: xx:yy:zz:aa:bb:cc:dd:ee:ff:00:11:22:33:44
IPv6: ::2 (Again, the firewall will resolve for the track interface component)
Hostname: yourServerName
Description: your description
This way your clients can have both a ipv4 and v6 experience, and choose to resolve your servers to either version.
If you want ipv6 inward access to a service inside your network from the outside, in your Wan firewall rules, you allow by destination port, with host entry pointing to a Host alias by name, which your firewall will resolve to both ipv4 and world unicast ipv6 and thus create two running rules. You still need a NAT inbound rule for the ipv4 to correctly translate to the host alias for ipv4.
You can still have your ADs primarily service DNS requests, and let the firewall forward requests it receives for your local domain, back to the ADs:
In Unbound Overrides, the firewall can send domain requests to your Active Directory DNS servers:
yourDomain localIP1
yourDomain localIP2
As long as your have your firewall handling DHCPv6 and DNS registering names of reserved IPs for your servers, it can service the local requests for v6
In Unbound General:
DHCP Static Mappings: Register DHCP static mappings
It could be a very useful mixed configuration that blends the best of both worlds. Let the firewall handle all things ipv6, and your AD environment handle all thing ipv4. Since without internet, ipv6 makes little sense.
Hopefully this is a good primer or useful even if in pieces. Just don't treat ipv6 like ipv4, it's a whole different beast.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
IPV6 and Comcast Xfinity setup questions