IPv6 /56 wan without upstream static routing

Started by mmaridev, April 12, 2023, 11:55:48 AM

Hi,

my (cloud) provider delivers me a /56 subnet. Their gateway is the first IP of the subnet. The /56 is not statically routed through the MAC of my NIC, I need NDP. Also, DHCPv6 is not provided on their end. Setting up a WANv6 IP for OPNsense works fine. I'm able to allocate a ::2/56 IP, set ::1 as gw and the firewall can ping / reach the internet on v6. What I can't get to work is traffic from the LAN / other interfaces.

I have tried many different configurations but none of these announced via NDP the IPs I had on other interfaces and on the clients. Also Router Advertisements weren't helpful, even when manually putting a /64 under Advertise Routes. This way I see from tcpdump the packets leaving on the WAN, then the solicitations arriving from the upstream router but no answer from OPNsense.

What's the right way to do this?

Let's say xxxx:xxxx:xxxx:xx00::/56 is your given prefix.
You slice that prefix into multiple /64 prefixes, from xxxx:xxxx:xxxx:xx00::/64 to xxxx:xxxx:xxxx:xxFF::/64.
You can then assign each /64 prefix to each interface.

It's up to you how you're gonna do it. I suggest something like this:

  • xxxx:xxxx:xxxx:xx00::2/64 to WAN address since your ISP is using the ::1 for your upstream gateway.
  • xxxx:xxxx:xxxx:xx01::/64 for LAN. Assign the ::1/64 to LAN address, assign WAN address to its upstream gateway.
  • xxxx:xxxx:xxxx:xx02::/64 for VLAN2, xxxx:xxxx:xxxx:xx03::/64 for VLAN3, and so on.
  • Enable radvd on each interface and set it to 'Unmanaged' for SLAAC and check the 'Advertise default gateway'.
All your clients will get their addresses from SLAAC and you should have a working IPv6 at this point.

Hi Zan,

thank you so much for your reply.
I modified my setup as per your suggestion. IP assignation via SLAAC works fine.
Unfortunately, the behaviour doesn't change. From a client in LAN I can ping both the OPNsense LAN IP and WAN IP but not the upstream gateway nor anything else in the WAN.

Thank you,
Marco

Hello everyone, I also configured the /64 slices and the /56 static and I have the same behaviour: from the WAN I can ping, from the LAN not. Also RADV didn't help. Does anyone have a clue?

You don't configure a /56 static on WAN. Either you choose a separate /64 or use a /128 single address.


Cheers,
Franco

Hi there,

I have a setup similar to OP's. My provider gave me a /56 subnet where xxxx:xxxx:xxxx:xx00::1 is the ISP's router.

I tried to recreate Zan's solution but can't configure xxxx:xxxx:xxxx:xx00::2 as the upstream gateway for LAN, it says the address is outside the LAN subnet. xxxx:xxxx:xxxx:xx01::1/64 is the LAN Interface address.

Hope someone can help me.
Kind regards

Don't specify a static gateway unless your provider tells you to.

Make sure ICMPv6 is allowed so the WAN interface can use NDP https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

@axguru You don't configure an upstream gateway for the LAN interface, only for the WAN interface.

If you do indeed have the same issue as the OP (the provider not routing the /56 to your WAN address, but instead performing ND for every single address), there is no workaround I'm aware of. OPNsense doesn't have an ND proxy.

Why do providers do that? That's not how routing works.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
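
Added example, not part of any post in this thread: a small check that tells the two cases discussed above apart from a WAN capture. It reads `tcpdump -n icmp6` text output and reports neighbor solicitations for addresses inside the delegated /56 but outside the WAN /64 that never received a neighbor advertisement, which is the symptom of a provider treating the whole /56 as on-link. The prefixes, the sample capture and the function name are constructed for illustration.

```python
import ipaddress
import re

# Constructed `tcpdump -n -i <wan> icmp6` lines using the 2001:db8::/32
# documentation prefix; they are not taken from the thread.
SAMPLE = """\
12:00:01.000001 IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8:1234:ab00::2, length 32
12:00:01.000090 IP6 2001:db8:1234:ab00::2 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8:1234:ab00::2, length 32
12:00:02.000001 IP6 fe80::1 > ff02::1:ff00:10: ICMP6, neighbor solicitation, who has 2001:db8:1234:ab01::10, length 32
12:00:03.000001 IP6 fe80::1 > ff02::1:ff00:10: ICMP6, neighbor solicitation, who has 2001:db8:1234:ab01::10, length 32
12:00:04.000001 IP6 fe80::1 > ff02::1:ff00:99: ICMP6, neighbor solicitation, who has 2001:db8:ffff::99, length 32
"""

NS = re.compile(r"neighbor solicitation, who has ([0-9a-fA-F:]+)")
NA = re.compile(r"neighbor advertisement, tgt is ([0-9a-fA-F:]+)")


def unanswered_offlink_ns(capture, delegated, wan_net):
    """Return {target: count} for solicitations that target an address in the
    delegated prefix but outside the WAN /64 and that were never answered."""
    delegated = ipaddress.ip_network(delegated)
    wan_net = ipaddress.ip_network(wan_net)
    solicited, answered = {}, set()
    for line in capture.splitlines():
        if (m := NA.search(line)):
            answered.add(ipaddress.ip_address(m.group(1)))
        elif (m := NS.search(line)):
            target = ipaddress.ip_address(m.group(1))
            solicited[target] = solicited.get(target, 0) + 1
    return {
        str(t): n
        for t, n in solicited.items()
        if t in delegated and t not in wan_net and t not in answered
    }


if __name__ == "__main__":
    hits = unanswered_offlink_ns(
        SAMPLE, "2001:db8:1234:ab00::/56", "2001:db8:1234:ab00::/64"
    )
    if hits:
        print("Upstream is doing ND for addresses behind the firewall:")
        for target, count in hits.items():
            print(f"  {target}: {count} unanswered solicitation(s)")
    else:
        print("No unanswered solicitations outside the WAN /64.")
```

An empty result while LAN traffic still fails points away from the on-link /56 case and toward firewall rules or gateway configuration instead.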