IPV6 routing with multi-wan and tunnel

Started by misty soul, June 07, 2023, 05:46:15 PM

Hello,

I have an IPV6 routing problem.
I have a network with OpnSense on a physical box with 4 physical ports.

One port (igc0) has a fiber connection, with a VLAN configuration, so I have in the Interfaces/other types/VLAN a configuration for vlan01 with parent=igc0. This VLAN device is for the [WAN] interface, with an IPV4 gateway on the other side of the fiber.
Due to a bug in the ISP network, this connection cannot handle IPV6 directly. So on top of [WAN], I also have a GIF tunnel (with parent interface WAN); this is the [TUNNEL] interface, with a gateway on the other side of the tunnel.

Another port (igc3) has a wireless connection, which directly supports both IPV4 and IPV6; this is my [HERTZIEN] interface, with both an IPV4 and an IPV6 gateway on the other side of the wireless link.

The IPV6 prefixes on fiber and wireless links are different. The hosts on the [LAN] sides do have IPV6 addresses using both prefixes.

My ultimate goal was that when one host uses the wireless IPV6 prefix it is routed through the wireless gateway, and when it uses the fiber IPV6 prefix it is routed through the fiber gateway.

As I understand, this should be achieved not by setting static routes, but rather using firewall rules matching on the source address (i.e. the prefix) and specifying the gateway. One rule for one prefix and one gateway, another rule for the other prefix and the other gateway. Is this the right approach?

So I set up rules according to this:
  - [LAN] if prefix matches fiber prefix, use gateway at far end of the tunnel
  - [LAN] default gateway is wireless gateway
  - [HERTZIEN] allow IPV6-ICMP to any address with wireless IPV6 prefix
  - [WAN] allow IPV6-ICMP to any address with fiber IPV6 prefix
  - [TUNNEL] allow IPV6-ICMP to any address with fiber IPV6 prefix

With these settings
  - I can ping from outside to any LAN host using its wireless IPV6 address
  - I can ping from any LAN host using its wireless IPV6 address to outside
  - I can ping from any LAN host using wireless IPV6 address to any LAN host using its fiber IPV6 address
  - I can ping from any LAN host using fiber IPV6 address to any LAN host using its wireless IPV6 address
  - I can ping from outside to TUNNEL interface using its fiber IPV6 address
  - I can ping from outside to WAN interface using its fiber IPV6 address
  - I *cannot* ping from outside to LAN hosts using their fiber IPV6 address
  - I *cannot* ping from LAN hosts using fiber IPV6 address to [WAN], [TUNNEL] or outside

So basically, the IPV6 connection fails between either WAN/TUNNEL and LAN.

What am I doing wrong?

Would you please draw up a diagram using draw.io and snap a picture and post here to better clarify your issue.

June 08, 2023, 12:58:59 PM #2 Last Edit: June 08, 2023, 01:03:54 PM by misty soul
Here are the physical layout (which probably does not really matter), and more importantly the logical layout with the various links.

The idea is to have the servers (black boxes on the bottom of the drawing) use either the tunnel IPV6 gateway or the wireless IPV6 gateway depending on which IPV6 address is used. All servers have both types of addresses.

Does it make more sense?

I believe the issue here is the VLAN. Have you looked through the OPNsense docs? The link below is a sample example of what you are trying to achieve with an HE tunnel...

https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html

Yes, I read this doc and used it to set up my configuration.
The only changes I made were that
  1) it was not an HE tunnel but something different set up specifically for me by an administrator of a remote server
  2) I use fixed IPV6 addresses and not SLAAC

Rereading this page, I noticed I forgot to tick "upstream gateway" when I created the single gateway for the tunnel. I fixed this but it did not fix the connection problem. Ping IPV6 still does not traverse from LAN to WAN or TUNNEL in either direction.
The LAN firewall rules are in the attached screenshot. The plagnole_ipv6_fibre alias corresponds to the IPV6 addresses that have the fiber prefix. These are the ones that do not go through the firewall.

Your GIF is using the VLAN rather than the interface. Try that to see if it fixes the issue.

I just tried, it did not work.
I had to add the interface first so it showed up as the parent interface for GIF, and I also added firewall rules for IPV6-ICMP on this interface.

The ping that did not work before the change still didn't work after the change.

The ping that did work before the change (from outside to the WAN and TUNNEL IPV6 addresses) did not work after the change, so I had to revert the change and attach the GIF to the VLAN again (the VLAN is required by my fiber ISP).

I think you'd need static routes for IPv6 since I noticed the IPv6 GW for wireless is NOT on the OPNsense.

Could you elaborate on static routes?
Can I set up different static routes depending on source IP?
I have only seen destination IP for setting static routes.

For the record, someone helped me find the problem.
I had the same /64 network on several interfaces, which created problems in the routing tables.
After splitting my overall /56 network into several different /64 sub-networks and using a different number on the various interfaces, routing became possible between LAN and WAN.
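As an added illustration of the resolution above (example code, not from the thread or from OPNsense), the following Python check flags the mistake described here, the same /64 assigned to more than one interface, and carves a /56 into distinct /64s, one per interface. All prefixes are constructed from the 2001:db8::/32 documentation range; interface names mirror the thread.

```python
"""Detect overlapping IPv6 prefix assignments across router interfaces and
allocate distinct /64s from a delegated aggregate. Constructed example:
prefixes are documentation addresses, not the poster's real network."""
import ipaddress
from itertools import combinations

# Constructed "before" layout: one /64 reused on LAN, WAN and TUNNEL.
BEFORE = {
    "LAN": "2001:db8:0:1::/64",
    "WAN": "2001:db8:0:1::/64",
    "TUNNEL": "2001:db8:0:1::/64",
    "HERTZIEN": "2001:db8:ffff:1::/64",  # wireless ISP prefix, separate range
}


def find_overlaps(assignments):
    """Return (if_a, if_b) pairs whose prefixes are equal or nested.
    Two connected routes covering the same prefix leave the kernel unable
    to pick an egress interface, which is what broke LAN<->WAN here."""
    nets = {name: ipaddress.ip_network(p, strict=True)
            for name, p in assignments.items()}
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
            if na.overlaps(nb)]


def allocate_64s(aggregate, interfaces):
    """Carve the aggregate (e.g. a /56) into /64s and hand one to each
    interface in order. Raises ValueError if the aggregate runs out."""
    agg = ipaddress.ip_network(aggregate, strict=True)
    subnets = agg.subnets(new_prefix=64)
    result = {}
    for name in interfaces:
        try:
            result[name] = str(next(subnets))
        except StopIteration:
            raise ValueError(f"{aggregate} has no /64 left for {name}")
    return result


if __name__ == "__main__":
    print("overlaps before:", find_overlaps(BEFORE))
    after = allocate_64s("2001:db8:0::/56", ["LAN", "WAN", "TUNNEL"])
    after["HERTZIEN"] = BEFORE["HERTZIEN"]  # other ISP, keep as is
    print("after:", after)
    print("overlaps after:", find_overlaps(after))
```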