Can't ping/access WAN interface from internet with NPTv6

[huamiao]

Hi guys,

Sorry for the english since I'm not a native speaker.

I'm going to apply IPv6 to my home network. The ISP provides dynamic prefix so I decided to use  ULA + NPTv6. Here's the configurations/steps:
1. I have 4 vlans, let's pick up one called vlan10 and assign static address fd00:10::1/64 to the interface.
2. WAN is PPPoE connection + DHCPv6 through IPv4 connection. I want to run VPN on the firewall so I didn't tick "Request only an IPv6 prefix" and the WAN interface got a IPv6 address starts with prefix 2408:xxxx..../60.
3. Use RA stateless for client address, so I'll get fd00:10::xxxx:xxxx:xxxx:xxxx at the client side.
4. Setup NPTv6 for WAN, external - blank, internal - fd00:10::/64.
5. Test the clients got the correct address and can access internet via IPv6.
6. Now I want to access services in my network from outside. I've config the firewall rule for ICMP then I can start with ping but failed. Since I also have a public IPv4 address I've tried to ping the address and can confirm it works.
7. I checked the firewall log and found the ICMP packet is blocked and the destination is fd00:10::[wan suffix]. I believe it was done by NPTv6. (But is that right?)
8. The IPSec VPN (road warrior) also won't work. (But it works on IPv4)

How can I done this with ULA+NPTv6 enabled? Thanks.

PS:
1. It works If I port forward the ICMP to an internal ULA or the local-link address of the WAN interface.
2. It won't work if I port forward IPSec to local-link address of the WAN interface. The client just won't connect and the log says "no IKE config found for fe80::[wan suffix]...". That shows the IPSec won't work with local-link address.
3. I also tried to get IPv6 address through "Track Interface" and it works. But I want ULA+NPTv6 here because "Track Interface" may disconnect clients after a wan reconnect and it's hard to manage when using multi-wan.

[Maurice]

2408:xxxx..../60 ist the delegated prefix, correct? Do you also have a WAN address? Should be a /128 (DHCPv6) or /64 (SLAAC).

What did you try to ping from the Internet? The OPNsense WAN address or a host in the LAN? What protocol and destination did you allow in the firewall rule? Must be IPv6-ICMP Echo Request to either the WAN address (for OPNsense itself) or to the ULA of the internal host if you want to ping that. The inbound traffic flow is NPT first, then packet filter, so you have to use ULAs in firewall rules for internal hosts.

Cheers
Maurice

[huamiao]

Thank you for reply.

1. 2408:xxxx....::/60 is the delegated prefix and the interface WAN got an address 2408:xxxx..../64
2. I tried to ping the WAN address, protocol IPV6-ICMP/any, destination is [This Firewall]. As you said, the NPT goes first and then pf. Now I can understand why it blocked fd00:10::[wan addr suffix] in pf's log. But that's WAN's address, the translated address starts with fd00 doesn't even exist in anywhere. That's how NPT works like? Does that mean there is no way to connect to WAN from outside?
3. I also tried to ping a ULA host in vlan10 with addr fd00:10::xxxx, I created a rule with dest by an alias of dynamic ipv6 host, still no luck.  //update, use hosts with whole ULA works.

I know all these troubles are coming with the dynamic prefix, still trying to figure out a way.

[Maurice]

Hosts: Good. For this use case, using static host aliases is recommended anyway. The ULAs are static, no need to make things more complicated by using dynamic host aliases.

WAN: So when pinging the WAN address, these packets get translated by NPT? This shouldn't happen. Unless it's a bug, the most likely explanation is that your WAN address prefix and your external NPT prefix are identical.
Posting real addresses would make things easier, but let's say these are your delegated prefix and your WAN address:

2408:xxxx:xxxx:xxx0::/60
2408:xxxx:xxxx:xxxy:123:45ff:fe67:89ab/64

Is the x part identical for both? If so, what number is y?

[huamiao]

Copy from WAN interface info:
IPv6 address   2408:xxxx:xx0:1234:567:89ff:fe98:765/64
IPv6 prefix   2408:xxxx:xxb:2345::/60

x part is identical, the others are totally different. Looks weired, using wrong prefix length?

[Maurice]

IPv6 prefix   2408:xxxx:xxb:2345::/60

The 5 should be a 0. Is it? Looks alright otherwise.

I took a quick look at how NPT with dynamic external prefix is currently implemented (it's a relatively new feature). Turns out it doesn't actually use the delegated prefix, but the prefix of the WAN interface address. This works for a very specific use case, but not for most and not for yours. It's a known issue and might get fixed at some point in the future: https://github.com/opnsense/core/issues/6158

You could work around the "WAN address unreachable" issue by adding a ULA IP alias with the same interface ID (fd00:10::567:89ff:fe98:765). But you won't be able to use NPT for more than one VLAN.

"Track Interface" currently is the way to go.

Cheers
Maurice

[huamiao]

Hi Maurice,

Thanks again for your reply. I'll keep watching on this.