(dumb?) IPv6 question ...

Started by BSAfH42, November 06, 2022, 03:18:45 PM

November 06, 2022, 03:18:45 PM Last Edit: January 08, 2023, 12:10:09 PM by BSAfH42
Hi,

I have some IPv6 routing problems ...

my OPNsense is sitting behind a Fritz!Box, IP connectivity is served from a VDSL260 German Telekom link, IPv4 and native IPv6:

the OPNsense box is configured as "exposed host" (i.e. the Fritz!Box does not filter anything, but just forwards everything incoming to OPNsense)

On the Fritz!Box, IPv6 is activated:
DNS-Server/DHCPv6 Server, prefix (IA_PD) and IPv6 addresses are assigned (IA_NA) to clients

there is a /64 network delegated to the LAN
router priority is set to 255 (max)

OPNsense
the WAN interface of OPNsense is connected to the LAN interface of the Fritz!Box

the WAN interface uses DHCPv6 with "Basic" configuration
the interface does get an IPv6 address
  WAN 1000baseT <full-duplex> 192.168.178.3
xxxx:xx:xxxx:xxxx:2a8:2cff:fe68:e3e7


The LAN interface is set to "track interface" for IPv6 (track the WAN interface)
it does get an IPv6 address as well

igb0: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        options=4900028<VLAN_MTU,JUMBO_MTU,NETMAP,NOMAP>
        ether 00:a8:2c:68:e3:e6
        inet6 fe80::2a8:2cff:fe68:e3e6%igb0 prefixlen 64 scopeid 0x1
        inet6 xxxx:xx:xxxx:be81:2a8:2cff:fe68:e3e6 prefixlen 64
        inet 192.168.80.2 netmask 0xffffff00 broadcast 192.168.80.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


"Manual configuration" (Allow manual adjustment of DHCPv6 and Router Advertisements) is activated

the router advertisement daemon is running on the LAN, I tried
"Unmanaged" and "Assisted", with the same routing problem

when set to Unmanaged, the hosts in the LAN network do get IPv6 addresses from the correct (delegated) subnet:
e.g.

2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:a0:98:0c:5c:d5 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 192.168.80.29/24 brd 192.168.80.255 scope global dynamic noprefixroute ens3
       valid_lft 6608sec preferred_lft 6608sec
    inet6 xxxx:xx:773c:be81:ccbe:498f:b967:91d9/64 scope global temporary deprecated dynamic
       valid_lft 6821sec preferred_lft 0sec
    inet6 xxxx:xx:773c:be81:2a0:98ff:fe0c:5cd5/64 scope global deprecated dynamic mngtmpaddr noprefixroute
       valid_lft 6821sec preferred_lft 0sec
    inet6 fe80::2a0:98ff:fe0c:5cd5/64 scope link noprefixroute
       valid_lft forever preferred_lft forever


they can ping the LAN side of the OPNsense

but: they cannot ping the WAN side of the OPNsense box

and of course they cannot ping the Fritz!Box or any other external host.

the DNS resolution works though

christian@debmatic:~$ ping -6 www.heise.de
PING www.heise.de(www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85)) 56 data bytes


christian@debmatic:~$ traceroute -6 www.heise.de
traceroute to www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85), 30 hops max, 80 byte packets
1  * * *
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *


Routing on the hosts in the LAN net is

christian@debmatic:~$ ip -6 r
xxxx:xx:773c:be81::/64 dev ens3 proto ra metric 100 pref medium
fe80::/64 dev ens3 proto kernel metric 100 pref medium
default via fe80::2a8:2cff:fe68:e3e6 dev ens3 proto ra metric 100 pref high


so clearly, there is something wrong on the OPNsense box.

But what?

The firewall rules on the LAN interface say that all outbound IPv6 traffic is allowed.

Firewall -> Rules -> LAN

  IPv6 * LAN net         * * * * * Default allow LAN IPv6 to any rule    
  IPv6 * LAN address * * * * * Default allow LAN IPv6 to any rule


netstat -r -n on OPNsense:


Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           fe80::9a9b:cbff:fe08:3ca0%igb1 UG        igb1
::1                               link#7                        UHS         lo0
2003:ce:773c:be00::/64            link#2                        U          igb1
2003:ce:773c:be00:2a8:2cff:fe68:e3e7 link#2                     UHS         lo0
2003:ce:773c:be80::/64            link#3                        U          igb2
2003:ce:773c:be80:2a8:2cff:fe68:e3e8 link#3                     UHS         lo0
2003:ce:773c:be81::/64            link#1                        U          igb0
2003:ce:773c:be81:2a8:2cff:fe68:e3e6 link#1                     UHS         lo0
2003:ce:773c:be82::/64            link#11                       U      run0_wla
2003:ce:773c:be82:1e4b:d6ff:fe7d:81e0 link#11                   UHS         lo0
2a01:4f8:161:83d1::/64            link#18                       US       ovpnc4
2a01:4f8:161:83d1:cccc::/112      link#18                       U        ovpnc4
2a01:4f8:161:83d1:cccc::2         link#18                       UHS         lo0
fd10::/64                         link#19                       U        ovpns2
fd10::1                           link#19                       UHS         lo0
fd11::/64                         link#17                       U        ovpns3
fd11::1                           link#17                       UHS         lo0
fe80::%igb0/64                    link#1                        U          igb0
fe80::2a8:2cff:fe68:e3e6%igb0     link#1                        UHS         lo0
fe80::%igb1/64                    link#2                        U          igb1
fe80::2a8:2cff:fe68:e3e7%igb1     link#2                        UHS         lo0
fe80::%igb2/64                    link#3                        U          igb2
fe80::2a8:2cff:fe68:e3e8%igb2     link#3                        UHS         lo0
fe80::%lo0/64                     link#7                        U           lo0
fe80::1%lo0                       link#7                        UHS         lo0
fe80::%run0_wlan1/64              link#11                       U      run0_wla
fe80::1e4b:d6ff:fe7d:81e0%run0_wlan1 link#11                    UHS         lo0
fe80::%ovpns3/64                  link#17                       U        ovpns3
fe80::2a8:2cff:fe68:e3e6%ovpns3   link#17                       UHS         lo0
fe80::%ovpnc4/64                  link#18                       U        ovpnc4
fe80::2a8:2cff:fe68:e3e6%ovpnc4   link#18                       UHS         lo0
fe80::%ovpns2/64                  link#19                       U        ovpns2
fe80::2a8:2cff:fe68:e3e6%ovpns2   link#19                       UHS         lo0


igb1 is the WAN interface

the OPNsense box itself can reach outside IPv6 hosts:


[cbadmin@OPNsense ~]$ ping -6 www.heise.de
PING6(56=40+8+8 bytes) 2003:ce:773c:be00:2a8:2cff:fe68:e3e7 --> 2a02:2e0:3fe:1001:7777:772e:2:85
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=0 hlim=57 time=9.083 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=1 hlim=57 time=8.620 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=2 hlim=57 time=8.865 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=3 hlim=57 time=9.097 ms
16 bytes from 2a02:2e0:3fe:1001:7777:772e:2:85, icmp_seq=4 hlim=57 time=8.651 ms
^C
--- www.heise.de ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 8.620/8.863/9.097/0.204 ms



What am I doing wrong?

What do I miss here?


November 09, 2022, 09:23:26 AM #1 Last Edit: November 09, 2022, 09:27:15 AM by fgsfdgfds
A bit unsure of your setup, due to the router you have etc.
But not sure you can do what you're doing with only a /64 subnet.
The reason I think this is because your router, OPNsense and LAN network would all be on the same subnet.

I think you need a /56 from your provider and divide this down into /64 networks
Chris

November 09, 2022, 11:03:35 AM #2 Last Edit: January 08, 2023, 12:11:07 PM by BSAfH42
Good hint, Thanks!

But: I can't get a /65 from my provider, no way.

Obviously, I'm free to split the given /64 into smaller chunks internally, but at the moment, I don't know how to do that in OPNsense.

Setup is

VDSL250 (Dt. Telekom) --> Fritz!Box 7530 as DSL-Modem/Router with
1. Link ("exposed host", everything is forwarded: IPv4, /64 subnet IPv6) -> OPNsense
2. Link -> WLAN (if activated) -> /64 subnet IPv6
3. Link -> guest WLAN, (if activated) /64 IPv6


  • router advertisement active
    Fritz!Box is default gateway to the internet
    preference value in router advertisement: high
    DNSv6 via router advertisement (RFC 5006): yes
    DHCPv6 server active: yes
      DNS server, prefix (IA_PD) and IPv6 address (IA_NA)
    preference value DHCPv6 server: 255

IPv6 prefixes in use:

  • OPNSense: 2003:ce:773c:be00::/64
    Guest-net  2003:ce:773c:be01::/64
    WAN   2003:ce:77ff:3cef::/64

So the OPNsense receives one /64 prefix. This cannot be changed

OPNsense then has three interfaces + a few VPN tunnels

1) LAN (physical interface, connected to 48 port switch, port-based VLAN on that)
2) WLAN (physical Ethernet interface, connected to the same switch, different VLAN (port-based and tagged, OPNsense does not see the VLANs))
3) built-in access point for management WLAN only
4) 2 OpenVPN server interfaces, one WireGuard server interface
5) one OpenVPN client interface (gets a different IPv6 network prefix from the server)

So these interfaces 1, 2 and 3 would need smaller networks than /64, as /64 is the maximum I can get from upstream.

Question:
how do I configure that on OPNsense? and where in the UI?




> Obviously, I'm free to split the given /64 into smaller chunks internally

No, you are not. A /64 is the smallest prefix in IPv6. You need exactly one /64 for each interface/network. All neighbor discovery and autoconfiguration mechanisms depend on that size.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi,

as pmhausen already mentioned, the smallest IPv6 prefix is /64. And I am sure you got a bigger prefix than /64 from your ISP. You can check that in the Fritz!Box in the menu Internet > Online-Monitor. It will tell you since when you are connected, what IPv6 address the Fritz!Box has on its WAN, and the IPv6 prefix including its size.
You can select the prefix size the Fritz!Box requests from the ISP in the menu Internet > Zugangsart. Below Verbindungseinstellung should be the checkbox Bestimmte Länge für das LAN-Präfix anfordern. If checked you can then type in the prefix size. The input field might be a little bit too short to show its content, but you can edit it. The availability of the checkbox might depend on the Fritz!OS release and on whether the box is your own or one provided by your ISP.

You already set the Fritz!Box to work as DHCPv6 server and to provide an IPv6 prefix (IA_PD). If you are using exposed host in the Fritz!Box this is needed.

For IPv6 to work behind the OPNsense you need the following:

  • The OPNsense must ask the Fritz!Box of a prefix delegation
  • The OPNsense must split the prefix delegation to its client networks

You need to set the WAN in the OPNsense to get its address via DHCPv6, which I assume you already did. In the WAN interface settings you then need to set the prefix delegation size which the OPNsense should request from the Fritz!Box. This prefix delegation size must be at least one smaller than the one in the Online-Monitor of the Fritz!Box. If the Fritz!Box has e.g. /59 you should use /60 or /61. The bigger you can choose the better. If the prefix size in the Fritz!Box is just /62, then you should try to increase the requested one in the Fritz!Box.

In the LAN and all other interfaces you set the IPv6 configuration to Track interface and select a unique prefix ID. The maximum prefix ID you can select depends on the prefix delegation size you selected in the WAN interface on the OPNsense. None of your devices in the LAN and the other networks behind the OPNsense is allowed to use an IPv6 address from the Fritz!Box LAN and guest net.

In the German forum somebody had a similar issue.

KH
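The procedure above (request a delegation on WAN that is longer than the upstream prefix, then give every tracked interface its own prefix ID) can be checked with a few lines of arithmetic before touching the GUI. The following Python is an added example, not code from OPNsense or from this thread. The ISP /56, the two /64s the Fritz!Box keeps for its home and guest networks, and the /57 request are taken from the thread as assumptions; the interface names and prefix IDs are illustrative. It lists which sub-prefixes the Fritz!Box can hand out without colliding with its own networks, derives the /64 each prefix ID maps to, and rejects IDs that do not fit the delegation or are used twice (a /64 is the floor, as pmhausen notes, and a /64 delegation leaves room for exactly one tracked interface, ID 0).

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed from the values in this thread (assumed, not read from any device):
# the ISP delegates a /56 to the Fritz!Box, the Fritz!Box keeps two /64s for its
# own home and guest networks, and OPNsense requests a /57 on its WAN interface.
ISP_PREFIX = ipaddress.IPv6Network("2003:ce:773c:be00::/56")
FRITZ_OWN_PREFIXES = [
    ipaddress.IPv6Network("2003:ce:773c:be00::/64"),  # Fritz!Box home network
    ipaddress.IPv6Network("2003:ce:773c:be01::/64"),  # Fritz!Box guest network
]


def delegation_candidates(isp_prefix: ipaddress.IPv6Network, pd_len: int,
                          reserved: Iterable[ipaddress.IPv6Network]) -> List[ipaddress.IPv6Network]:
    """Sub-prefixes of length pd_len inside isp_prefix that do not overlap any
    /64 the upstream router uses itself. A /64 is the smallest unit that can
    carry SLAAC, so pd_len must not exceed 64."""
    if not isp_prefix.prefixlen < pd_len <= 64:
        raise ValueError(f"delegation size must be between /{isp_prefix.prefixlen + 1} and /64")
    reserved = list(reserved)
    return [sub for sub in isp_prefix.subnets(new_prefix=pd_len)
            if not any(sub.overlaps(r) for r in reserved)]


def max_prefix_id(delegated: ipaddress.IPv6Network) -> int:
    """Highest prefix ID that fits in the bits between the delegated length
    and /64: a /57 leaves 7 bits, so IDs 0..127; a /64 leaves only ID 0."""
    return (1 << (64 - delegated.prefixlen)) - 1


def tracked_prefix(delegated: ipaddress.IPv6Network, prefix_id: int) -> ipaddress.IPv6Network:
    """/64 that a 'Track interface' with the given prefix ID selects from the
    delegation: the ID fills the subnet bits, so ID 1 on 2003:ce:773c:be80::/57
    yields 2003:ce:773c:be81::/64."""
    if delegated.prefixlen > 64:
        raise ValueError("cannot carve /64 networks out of something smaller than a /64")
    if not 0 <= prefix_id <= max_prefix_id(delegated):
        raise ValueError(f"prefix ID {prefix_id} does not fit in a /{delegated.prefixlen} "
                         f"(maximum is {max_prefix_id(delegated)})")
    base = int(delegated.network_address)
    return ipaddress.IPv6Network((base + (prefix_id << 64), 64))


def plan(delegated: ipaddress.IPv6Network, prefix_ids: Dict[str, int]) -> Dict[str, ipaddress.IPv6Network]:
    """Map each interface to its /64 and refuse duplicate prefix IDs, which
    would put two interfaces on the same /64."""
    owner: Dict[int, str] = {}
    result: Dict[str, ipaddress.IPv6Network] = {}
    for name, pid in prefix_ids.items():
        if pid in owner:
            raise ValueError(f"prefix ID {pid} is used by both {owner[pid]} and {name}")
        owner[pid] = name
        result[name] = tracked_prefix(delegated, pid)
    return result


if __name__ == "__main__":
    delegated = delegation_candidates(ISP_PREFIX, 57, FRITZ_OWN_PREFIXES)[0]
    print(f"delegation the Fritz!Box can hand out: {delegated} "
          f"(prefix IDs 0..{max_prefix_id(delegated)})")
    # Illustrative interface names and IDs, matching the ones used in this thread.
    for iface, net in plan(delegated, {"LAN": 1, "AP": 2, "WLAN": 3}).items():
        print(f"{iface:5s} -> {net}")
```

Compare the derived /64s with what `ifconfig` shows on the tracked interfaces; an interface whose address sits in a different /64 than its prefix ID predicts is worth a second look at its Track interface settings.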


November 12, 2022, 11:16:06 AM #5 Last Edit: January 08, 2023, 12:16:47 PM by BSAfH42
Thanks!

OK, I checked the settings .. and... it does not do what it should;

Fritzbox:

Internet, IPv6

connected since 18.09.2022, 04:13, Telekom, speed of the internet connection (available bit rate): ↓ 251.6 Mbit/s ↑ 41.5 Mbit/s,
IPv6 address: 2003:ce:77ff:3cef:9a9b:cbff:fe08:3c9d, validity: 13891/1291s,
IPv6 prefix: 2003:ce:773c:be00::/56, validity: 13685/1085s



IPv6 prefixes in use:
Home network 2003:ce:7731:a300::/64
Guest network 2003:ce:7731:a301::/64
WAN 2003:ce:77ff:31d2::/64


Port forwarding

active, 1 port forwarding rule configured
Exposed host '192.168.178.3, ::2a8:2cff:fe68:e3e7' activated


WAN on OPNsense is set to DHCPV6

Prefix delegation size is set to 57

Send IPv6 prefix hint is activated

on LAN, Track interface is on WAN, PrefixID = 1

on WLAN (OPT1): Track interface is on WAN , Prefix ID = 3

on AP Track interface is on WAN, ID = 2



WAN interface on OPNsense:


igb1: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN
        options=4800028<VLAN_MTU,JUMBO_MTU,NOMAP>
        ether 00:a8:2c:68:e3:e7
        inet6 fe80::2a8:2cff:fe68:e3e7%igb1 prefixlen 64 scopeid 0x2
        inet6 2003:ce:773c:be00:2a8:2cff:fe68:e3e7 prefixlen 128
        inet6 fd00::2a8:2cff:fe68:e3e7 prefixlen 64 deprecated autoconf
        inet6 2003:ce:7731:a300:2a8:2cff:fe68:e3e7 prefixlen 64 autoconf
        inet 192.168.178.3 netmask 0xffffff00 broadcast 192.168.178.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>


LAN interface

igb0: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        options=4900028<VLAN_MTU,JUMBO_MTU,NETMAP,NOMAP>
        ether 00:a8:2c:68:e3:e6
        inet6 fe80::2a8:2cff:fe68:e3e6%igb0 prefixlen 64 scopeid 0x1
        inet6 2003:ce:773c:be81:2a8:2cff:fe68:e3e6 prefixlen 64
        inet 192.168.80.2 netmask 0xffffff00 broadcast 192.168.80.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


WLAN interface


igb2: flags=8b63<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WLAN
        options=4900028<VLAN_MTU,JUMBO_MTU,NETMAP,NOMAP>
        ether 00:a8:2c:68:e3:e8
        inet6 fe80::2a8:2cff:fe68:e3e8%igb2 prefixlen 64 scopeid 0x3
        inet6 2003:ce:773c:be80:2a8:2cff:fe68:e3e8 prefixlen 64
        inet 192.168.81.2 netmask 0xffffff00 broadcast 192.168.81.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

or, in the GUI interface overview:

WAN
IPv6 link-local fe80::2a8:2cff:fe68:e3e7/64
IPv6 address 2003:ce:773c:be00:2a8:2cff:fe68:e3e7/128
                        fd00::2a8:2cff:fe68:e3e7/64 deprecated
                        2003:ce:7731:a300:2a8:2cff:fe68:e3e7/64


LAN:
IPv6 link-local fe80::2a8:2cff:fe68:e3e6/64
IPv6 address 2003:ce:773c:be81:2a8:2cff:fe68:e3e6/64


WLAN
IPv6 link-local fe80::2a8:2cff:fe68:e3e8/64
IPv6 address 2003:ce:773c:be80:2a8:2cff:fe68:e3e8/64


AP

IPv6 address 2003:ce:773c:be82:1e4b:d6ff:fe7d:81e0/64


example PC in LAN:

ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:a0:98:0c:5c:d5 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 192.168.80.29/24 brd 192.168.80.255 scope global dynamic noprefixroute ens3
       valid_lft 6541sec preferred_lft 6541sec
    inet6 2003:ce:773c:be81:c199:8655:41bf:6729/64 scope global temporary dynamic
       valid_lft 86158sec preferred_lft 2626sec
    inet6 2003:ce:773c:be81:670:91e:68d0:9fa/64 scope global temporary deprecated dynamic
       valid_lft 86158sec preferred_lft 0sec
    inet6 2003:ce:773c:be81:133c:75e4:3833:e383/64 scope global temporary deprecated dynamic
       valid_lft 86158sec preferred_lft 0sec
    inet6 2003:ce:773c:be81:2a0:98ff:fe0c:5cd5/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86158sec preferred_lft 14158sec
    inet6 fe80::2a0:98ff:fe0c:5cd5/64 scope link noprefixroute
       valid_lft forever preferred_lft forever



for me, that looks exactly as you described it:

Fritzbox gets a /56 from the ISP

  • OPNsense requests a /57
  • OPNsense WAN has an address in the "homenet" of Fritzbox and a different /64 net
  • LAN, WLAN and AP have their own PrefixID and all of them get their own /64 net which is different from the Fritzbox "homenet"
  • PC in the LAN net gets addresses from the /64 net of the LAN interface

and still no PC on LAN can reach any external ipv6 host, only the LAN interface of OPNsense


christian@debmatic:~$ ping -6 www.heise.de
PING www.heise.de(www.heise.de (2a02:2e0:3fe:1001:7777:772e:2:85)) 56 data bytes
^C
--- www.heise.de ping statistics ---
44 packets transmitted, 0 received, 100% packet loss, time 44042ms

christian@debmatic:~$


so - it's not the IPv6 configuration itself, I guess

router advertisement daemon is running on OPNsense

routing on PC
christian@debmatic:~$ ip -6 r
2003:ce:773c:be81::/64 dev ens3 proto ra metric 100 pref medium
fe80::/64 dev ens3 proto kernel metric 100 pref medium
default via fe80::2a8:2cff:fe68:e3e6 dev ens3 proto ra metric 100 pref high
christian@debmatic:~$


so the default route is the LAN interface of OPNsense inet6 fe80::2a8:2cff:fe68:e3e6%igb0 prefixlen 64 scopeid 0x1 which seems to be what it should be

routing on OPNsense is

[cbadmin@OPNsense ~]$ netstat -r -6 -n
Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           fe80::9a9b:cbff:fe08:3ca0%igb1 UG        igb1
::1                               link#7                        UHS         lo0
2003:ce:7731:a300::/64            link#2                        U          igb1
2003:ce:7731:a300:2a8:2cff:fe68:e3e7 link#2                     UHS         lo0
2003:ce:773c:be00::/64            link#2                        U          igb1
2003:ce:773c:be00:2a8:2cff:fe68:e3e7 link#2                     UHS         lo0
2003:ce:773c:be80::/64            link#3                        U          igb2
2003:ce:773c:be80:2a8:2cff:fe68:e3e8 link#3                     UHS         lo0
2003:ce:773c:be81::/64            link#1                        U          igb0
2003:ce:773c:be81:2a8:2cff:fe68:e3e6 link#1                     UHS         lo0
2003:ce:773c:be82::/64            link#11                       U      run0_wla
2003:ce:773c:be82:1e4b:d6ff:fe7d:81e0 link#11                   UHS         lo0
2a01:4f8:161:83d1::/64            link#18                       US       ovpnc4
2a01:4f8:161:83d1:cccc::/112      link#18                       U        ovpnc4
2a01:4f8:161:83d1:cccc::2         link#18                       UHS         lo0
fd00::/64                         link#2                        U          igb1
fd00::2a8:2cff:fe68:e3e7          link#2                        UHS         lo0
fd10::/64                         link#19                       U        ovpns2
fd10::1                           link#19                       UHS         lo0
fd11::/64                         link#17                       U        ovpns3
fd11::1                           link#17                       UHS         lo0
fe80::%igb0/64                    link#1                        U          igb0
fe80::2a8:2cff:fe68:e3e6%igb0     link#1                        UHS         lo0
fe80::%igb1/64                    link#2                        U          igb1
fe80::2a8:2cff:fe68:e3e7%igb1     link#2                        UHS         lo0
fe80::%igb2/64                    link#3                        U          igb2
fe80::2a8:2cff:fe68:e3e8%igb2     link#3                        UHS         lo0
fe80::%lo0/64                     link#7                        U           lo0
fe80::1%lo0                       link#7                        UHS         lo0
fe80::%run0_wlan1/64              link#11                       U      run0_wla
fe80::1e4b:d6ff:fe7d:81e0%run0_wlan1 link#11                    UHS         lo0
fe80::%ovpns3/64                  link#17                       U        ovpns3
fe80::2a8:2cff:fe68:e3e6%ovpns3   link#17                       UHS         lo0
fe80::%ovpnc4/64                  link#18                       U        ovpnc4
fe80::2a8:2cff:fe68:e3e6%ovpnc4   link#18                       UHS         lo0
fe80::%ovpns2/64                  link#19                       U        ovpns2
fe80::2a8:2cff:fe68:e3e6%ovpns2   link#19                       UHS         lo0
[cbadmin@OPNsense ~]$

which seems to be OK as well

the default route is
fe80::9a9b:cbff:fe08:3ca0
which is the link local address of the Fritz!Box as seen from OPNsense:
Unique Local Address of your FRITZ!Box: fd00::9a9b:cbff:fe08:3ca0/64

the firewall logs show no reject/block

so, what's wrong?

I can't find anything :-(

Try a /62 for the delegation size.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

delegation size /62

in the Fritz!Box?
or on the OPNsense WAN interface?

OPNsense WAN.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)