Enabling ipv6 via the docs for Sky/nowtv - Resolved

[mannp]

Firstly, thanks for the how-to re sky UK which is what I am following here -> https://docs.opnsense.org/manual/how-tos/SkyUK.html#wan-interface

I have the following config, and I am trying to get ipv6 working after a couple of years with a stable ipv4 setup :)

Qotom Opnsense -> VMG3925-B10B (Modem mode) -> Nowtv (Sky)

So ipv4 is working, and I have a connection to the internet via ipv4.

I have this time added the ipv6 elements of this how-to and also enabled the general ones in the ipv6 docs (like un blocking ipv6 for the firewall).

I get an IPv6 prefix /56 seen in the overview of the WAN interface, and the single gateway is created by opnsense, with a gateway address.

My issue is that I cannot get any traffic through that single gateway and enabling gateway monitoring shows it as down.

Any pointers as what sort of rookie error I may have made please?

Thanks in advance :)

[Maurice]

The gateway might not respond to pings, but that doesn't necessarily mean it's actually down. You might want to disable gw monitoring for testing.

Does the OPNsense LAN interface get an IPv6 address? Do the hosts in the LAN get IPv6 addresses? Can they ping OPNsense? Can they ping IPv6 hosts on the Internet?

Cheers
Maurice

[mannp]

Thanks for responding :)

Actually watching some YouTube videos, I do not see an ipv6 IP address listed in the interface summary page for the WAN.

The interface summary for LAN does show an ipv6 /64 address listed yes.

The gateway also has an ipv6 address.

I read/heard somewhere that pings are disabled by default for ipv6 opnsense, but not sure if that is the case, or I am mixing up videos :-/

Trying to ping the LAN interface with -> ping -v -6 <address> just hangs and does nothing, like it is not getting a reply.

I will try disconnecting and reconnecting my nix desktop to see if I get an ipv6 address now.

Edit: Okay, so I can see 4 ipv6 listed under ipv6 address in network manager, with default route having ipv4 and ipv6 addresses listed, as well as a DNS6 entry. With looks more promising...

Edit2: Strangely within DHCPv6 / leases my desktop showed but as a red icon ie offline. I enabled and disabled ipv4 and 6 in the linux settings and the DHCPv6 lease now shows as online.

[Maurice]

I do not see an ipv6 IP address listed in the interface summary page for the WAN.

That's expected, just like the docs say:
Sky provide a /56 IPv6 delegation, they do not provide a global IPv6 address on the WAN interface, this is link local only.

The interface summary for LAN does show an ipv6 /64 address listed yes.

The gateway also has an ipv6 address.

Good.

Trying to ping the LAN interface with -> ping -v -6 <address> just hangs and does nothing, like it is not getting a reply.

Do you have any IPv6 firewall rules other than the default allow LAN IPv6 to any? This allows pinging OPNsense from the LAN, too.

[mannp]

Thank you, I have been checking ipv6 blocking rules and have made some changes.

I now see ipv6 rule "Default deny / state violation rule" denying a lot of ipv6 requests in the log.

I have created a floating ICMP IPV6 rule for LAN and WAN and I can now ping the LAN interface IP.

I wondered if there are any ipv6 rules that automatically get configured but might not have been?

I ask as I presume I don't need any outgoing rules to enable external outbound access like I do with ipv4, as that is not the way ipv6 works.

I note from the general ipv6 manual I do not get anything when running the following command;

netstat -nr6 | grep default

... but the default route is configured in the network manager config and I can ping it from my desktop.

[Maurice]

I have been checking ipv6 blocking rules and have made some changes.

What "IPv6 blocking rules"? None should be required.

I have created a floating ICMP IPV6 rule for LAN and WAN and I can now ping the LAN interface IP.

You don't need that. The "Default allow LAN IPv6 to any rule" is absolutely sufficient.

I ask as I presume I don't need any outgoing rules to enable external outbound access like I do with ipv4, as that is not the way ipv6 works.

You don't need outgoing rules at all, neither for IPv6 nor for IPv4.

Keep it simple. The only IPv6 firewall rule you really need is the "Default allow LAN IPv6 to any rule". Then, when it works, you can create additional rules.

[mannp]

Finally making some progress thank you :)

I can now ping external ipv6 addresses and the https://ipv6-test.com/ shows some connectivity for ipv6 :) .. Cool.

I have ICMP shown as filtered which is odd, so will do some reading about, and I cannot get the ipv6 wan gateway to monitor at all, just shows as down (back to forcing up for the moment).

9/10 and 15/20 on the test site scores :)

Thanks again :)

[Maurice]

I have ICMP shown as filtered which is odd

You'd need a firewall rule on the WAN interface which allows inbound IPv6 pings for this test to succeed. Also, make sure the host which you use to access the website allows IPv6 pings from the Internet.

I cannot get the ipv6 wan gateway to monitor at all, just shows as down (back to forcing up for the moment)

The gateway might simply not respond to pings, there is nothing you can do about that. You could try a different monitor IP, but since you don't have a WAN GUA, this might not easily work either. If you don't strictly depend on IPv6 gateway monitoring, just keep it disabled.

Cheers
Maurice