IPv6 Router Advertisements (RA) for SLAAC not working when gateway IPv6 static

Started by frazzetta127, February 11, 2023, 08:47:39 PM

Update: This is solved below.

If you are configuring IPv6 for the first time on your device and would like to use this as a reference, please scroll down to "LAN Static IP Configuration" and follow the screenshots. You will also want to check the updates on the link below for the changes. (In short, you have to use a /64 instead of a /48.)

https://forum.opnsense.org/index.php?topic=32433.msg163504#msg163504


---

I want to preface this by saying that while I am pretty good with it, I do not consider myself an expert in IPv6. I have been using it for five years, and yet there are still some oddities with it that I do not fully comprehend.

--

I am trying to migrate from pfSense to OPNsense, but I am having trouble getting IPv6 RA to work. I am fairly certain that I've found a bug as I imagine it's rather difficult for the package maintainers to test in every single type of environment.

Here is a screenshot from my phone on my pfSense network. I get a local IPv4 address, link-local IPv6 address, and two IPv6 addresses (one temporary) from SLAAC with the correct prefix configured in RA.


Here is a screenshot from my phone on my OPNsense network with identical settings. I only get a local IPv4 address and link-local IPv6 address.


When my phone is connected, the OPNsense terminal fills up with errors: "cannot forward src fe80:..." showing the address of my phone and other phones on the network. If I try to run an ipv6 test from the phone, it obviously fails.

This doesn't just affect phones, of course. I can see that the SLAAC entries are missing on my Windows and Linux devices as well.

---

My environment is a home lab. My ISP provides me with a /30 IPv4 subnet and a /48 IPv6 subnet.

Because I have a few servers that require static IPv6 addresses (public addresses), I have assigned my IPv4 and IPv6 addresses statically on both WAN and LAN interfaces of the OPNsense router.

Example of static IP on a client device, note the field for gateway is the same as the static LAN Interface IPv6 address:


Because the limited OPNsense IPv6 guides I've found all use "track interface", it is my belief that there is some kind of a bug affecting environments running static IPv6 addresses. When I choose track interface, I do not seem to be able to set a static IPv6 on the LAN interface. I need a static IPv6 address on the OPNsense LAN interface to enter as my gateway when configuring static IPv6 on the clients.

Most newer Windows, Linux, and Apple computers will get their address from DHCPv6. However, DHCPv6 is not required on an IPv6 network. Many devices like iPhones, Android phones, Rokus, and other multimedia devices will only use SLAAC. So while I do not even need to run a DHCPv6 server, I do so anyways.

---

With all of that out of the way, here are side by side screenshots of my configuration on OPNsense vs my configuration on pfSense. I will always start with the OPNsense screenshot first. If the right edge of the photo is truncated, you may need to right click and open it in another window.


LAN Static IP configuration

OPNsense


pfSense



WAN Static IP configuration

OPNsense


pfSense



DHCPv6 Configuration

OPNsense


pfSense


---

Router Advertisements

These are probably the screenshots that matter the most. My annotations are truncated by the forum, please right click and open in a new window to see the full image.

OPNsense


pfSense




---

Additional information: Both my pfSense and OPNsense configs are pretty basic. I did a factory reset on pfSense and set it up from total scratch today to make sure there wasn't a step or setting I was missing. I documented every setting with screenshots and then reproduced the exact same settings on the OPNsense router. I've tried restarting the services, restarting OPNsense, etc.

The evidence seems to be pretty clear that something with OPNsense is not working correctly, but if I can figure out how to find Router Advertisements in Wireshark, my next step is to do a packet capture with OPNsense to see if there are any RA packets whatsoever.

Open to any advice you may have.

Hi Frazzetta,

First of all, thank you for writing out your situation. I was reading your post thoroughly to see where it matches my situation, and did not skip forward to see the replies that were not there yet.

My configuration is quite a bit different, the only corresponding item being the lack of router advertisements. I was also depending on static IPv6 in the network, because I don't know enough about IPv6 to have it match DNS entries with SLAAC.

It worked till a couple of weeks (months, by now, I realize) back.

In case you solve your issue outside of the forum, would you mind posting the configuration you ended up with?

Sorry for not being of any help!

I don't think /48 for the LAN network mask can work. Please use /64.

Quote from: bimbar on February 20, 2023, 09:52:29 AM
I don't think /48 for the LAN network mask can work. Please use /64.

This is incorrect. I am given a /48 by my ISP and it works fine on other router platforms, including the project OPN was forked from, pfSense.

Quote from: wbk on February 19, 2023, 09:24:40 PM
Hi Frazzetta,

First of all, thank you for writing out your situation. I was reading your post thoroughly to see where it matches my situation, and did not skip forward to see the replies that were not there yet.

My configuration is quite a bit different, the only corresponding item being the lack of router advertisements. I was also depending on static IPv6 in the network, because I don't know enough about IPv6 to have it match DNS entries with SLAAC.

It worked till a couple of weeks (months, by now, I realize) back.

In case you solve your issue outside of the forum, would you mind posting the configuration you ended up with?

Sorry for not being of any help!

I stopped checking on this because no one got back to me. I am still on pfSense at the moment.

When you say configuration, what do you mean outside of the GUI screenshots? Is there a conf file I can pull from the shell? I am back here today because I plan to boot into OPNsense over the weekend again to run more tests with the goal of bumping the thread here (already done) and opening a ticket on GitHub with more data in hand. I really want to make the switch to OPNsense as it solves some other issues I am having with pfSense.

> When my phone is connected, the OPNsense terminal fills up with errors: "cannot forward src fe80:..." showing the address of my phone and other phones on the network. If I try to run an ipv6 test from the phone, it obviously fails.

This is because the phone you are using won't accept DHCPv6 and instead thinks it can reach a GUA from a link-local address. That's easy to find out when you tcpdump the traffic.

That means as you suggested SLAAC isn't working. (It also means Android is weird.)

Make sure radvd is running:

# pgrep radvd

And show the configuration:

# cat /var/etc/radvd.conf

> This is incorrect. I am given a /48 by my ISP and it works fine on other router platforms, including the project OPN was forked from, pfSense.

Except SLAAC only works for /64 (on the LAN side) anyway. It will also tell you about it if you try to configure something else and fall back to a sane /64.

Try not to ask overly complex questions where you expect the community to give a commercial-grade response.


Cheers,
Franco

Quote from: frazzetta127 on March 15, 2023, 01:04:34 PM
Quote from: bimbar on February 20, 2023, 09:52:29 AM
I don't think /48 for the LAN network mask can work. Please use /64.

This is incorrect. I am given a /48 by my ISP and it works fine on other router platforms, including the project OPN was forked from, pfSense.

You do get a /48 from your provider, but you are supposed to split that up into multiple /64 networks for the LAN interfaces. IPv6 autoconfiguration behaviour is not defined with networks that are not /64. Which is the reason the address type is called modified EUI-64 -> https://en.wikipedia.org/wiki/IPv6_address#Modified_EUI-64 .

I would argue that it works on pfsense because that doesn't even seem to let you choose the prefix length, probably forcing /64.

FWIW, IPv6 supports CIDR, but in practice the routing tables can get huge if everyone uses a diversity of prefixes, especially nets smaller than 48 bit prefixes. The solution, by consensus and convention, is to only use 48 and smaller prefixes for router infrastructure, and delegation for nets smaller than 48 should all be 64 bit prefixes even for single hosts connecting to a VPN concentrator.

While using a 48 for your LAN may be POSSIBLE, expect problems because hosts expect to deal with 64s and routers don't want bloated routing tables.
---
j

Quote from: bimbar on March 29, 2023, 01:07:24 PM
Quote from: frazzetta127 on March 15, 2023, 01:04:34 PM
Quote from: bimbar on February 20, 2023, 09:52:29 AM
I don't think /48 for the LAN network mask can work. Please use /64.

This is incorrect. I am given a /48 by my ISP and it works fine on other router platforms, including the project OPN was forked from, pfSense.

You do get a /48 from your provider, but you are supposed to split that up into multiple /64 networks for the LAN interfaces. IPv6 autoconfiguration behaviour is not defined with networks that are not /64. Which is the reason the address type is called modified EUI-64 -> https://en.wikipedia.org/wiki/IPv6_address#Modified_EUI-64 .

I would argue that it works on pfsense because that doesn't even seem to let you choose the prefix length, probably forcing /64.


I apologize for the late reply. I had reverted to pfSense and had not had a chance to try reinstalling OPNsense to try some of the other suggestions out.

I assumed that having the SLAAC configuration set to /64 would be enough to meet the spec. I did not realize that I would also need to configure the LAN interface to /64. I will give that a shot. Unfortunately, it means reconfiguring all of my static IPv6 addresses to be longer. I'll report back either way.

I'll also check /var/etc/radvd.conf etc

Ok this specific issue is solved now. Here is a recap of how to fix it if you have the same issue:

When using a /48 IPv6 subnet from your ISP (Comcast, in my case), you actually want to assign it as a /64 on your LAN interface.

Example: Comcast has assigned you 2001:543:c1e::/48

Set your router LAN IP as 2001:543:c1e::1 /64
This means your subnet will be "2001:543:c1e:0:" instead of just "2001:543:c1e:".

However, you can still use 2001:543:c1e::1 as the 0 is automatically interpreted when you use :: in the address.

Here's what you could use for a DHCP range: 2001:543:c1e:0:888::1 - 2001:543:c1e:0:888::ffff. Note that in this case you have to actually type the :0: because the :: comes later in the address.

As far as router advertisements go, you do not need to specify any range. Make sure that all fields under "Advertise Routes" are empty. Make sure that Router Advertisements are configured as "Assisted" and router priority is "Normal". Check the box for "Advertise Default Gateway".

Restart services for RA and DHCPv6.

Thanks to everyone that contributed to the answer here. I generally never ask for help on the internet because if I can't figure it out, the problem is too complex and I am too autistic to properly explain it. This was a situation where I had no other options than to turn to this community for help. Thanks again.
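A small planning helper that checks the rules worked out in this thread (a /64 is required for SLAAC, a /48 from the ISP is carved into /64 LANs, and the DHCPv6 pool must sit inside that /64). This is an added example, not OPNsense or pfSense code, and it assumes the thread's example prefix 2001:543:c1e::/48 as constructed input.

```python
import ipaddress
from itertools import islice

# Constructed input taken from the thread's example: the /48 the ISP delegated.
ISP_PREFIX = "2001:543:c1e::/48"


def slaac_ok(network_str):
    """SLAAC (modified EUI-64) needs exactly a 64-bit prefix; /48 or /65 will not do."""
    return ipaddress.IPv6Network(network_str).prefixlen == 64


def carve_lan(isp_prefix_str, index=0):
    """Return the index-th /64 carved out of the delegated prefix (index 0 = first)."""
    isp = ipaddress.IPv6Network(isp_prefix_str)
    if isp.prefixlen > 64:
        raise ValueError(f"{isp} is smaller than a /64, cannot carve a LAN from it")
    return next(islice(isp.subnets(new_prefix=64), index, None))


def plan_lan(isp_prefix_str, index=0):
    """Router LAN address (::1 of the chosen /64) and the subnet it sits in."""
    lan = carve_lan(isp_prefix_str, index)
    router = ipaddress.IPv6Interface(f"{lan.network_address + 1}/{lan.prefixlen}")
    return {"lan": lan, "router": router}


def check_dhcpv6_range(lan_str, start_str, end_str):
    """Return a list of problems with a DHCPv6 pool; an empty list means it fits the LAN /64."""
    lan = ipaddress.IPv6Network(lan_str)
    try:
        start = ipaddress.IPv6Address(start_str)
        end = ipaddress.IPv6Address(end_str)
    except ValueError as exc:  # e.g. a second '::' typed into the address
        return [f"unparseable address: {exc}"]
    problems = []
    for name, addr in (("start", start), ("end", end)):
        if addr not in lan:
            problems.append(f"{name} {addr} is outside {lan}")
    if start > end:
        problems.append(f"start {start} is after end {end}")
    return problems


if __name__ == "__main__":
    plan = plan_lan(ISP_PREFIX)
    print("LAN:", plan["lan"], "router:", plan["router"])
    print("SLAAC on /48?", slaac_ok(ISP_PREFIX), "on LAN /64?", slaac_ok(str(plan["lan"])))
    print(check_dhcpv6_range(str(plan["lan"]), "2001:543:c1e:0:888::1", "2001:543:c1e:0:888::ffff"))
```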

Thanks, we appreciate the follow-up! Glad it's working now.


Cheers,
Franco

First off, thanks to OP. I was definitely spinning my wheels before I read this. I was running into trouble trying to assign a /65 to two interfaces (instead of /64 to one). I switched back to a /64 and everything started working.

Was I doing something wrong, by trying to subnet like this? I have IPv6 connectivity via a tunnel with Hurricane Electric. I guess I could try asking them for another /64, but that seems somewhat ugly.

Thanks for reading!

Jason M.

Don't use a /65, this only means trouble (SLAAC doesn't work etc.). HE will give you a /48, just enable it in your account's settings.

Cheers
Maurice

Quote from: Maurice on September 03, 2023, 08:20:06 PM
Don't use a /65, this only means trouble (SLAAC doesn't work etc.). HE will give you a /48, just enable it in your account's settings

Thanks, Maurice! I'll do that.