Wrong prefix delegation size

Started by meschmesch, September 27, 2023, 09:58:39 AM

Hello,
until last night IPv6 worked fine. After playing around a bit with CARP and IPv6, I reconfigured everything to the previous setup, but now the WAN interface shows the wrong prefix delegation size (it should be 57, but it indicates 58). Further, none of the interfaces using track interface is showing an IPv6 address any more. My first question would be how to force the WAN interface to use the prefix delegation size actually set in the [WAN] Interfaces setting?

My second, more general question is the following: since my ISP rarely changes the prefix, I cannot set a CARP for virtual WAN which corresponds to a real IPv6 GUA, but I would have to use something like fe80::1 or fd00::1. Is that possible? If yes, is there any additional routing required on the side of the ISP router, or any NAT in OPNsense, or whatsoever?

Thanks!!

September 27, 2023, 10:03:43 AM #1 Last Edit: September 27, 2023, 10:05:23 AM by franco
Hi,

You can send a hint as per the IPv6 setting (extra checkbox) but if the ISP ignores it that's all there is. If they changed something then you can't do much about it.

CARP IPv6 with router advertisements only works on link-local anyway. The GUAs are shuffled to the clients, but the client doesn't route through the firewall using the GUA. But that's for the LAN side. For the WAN side I'm not sure what a CARP GUA would achieve apart from mimicking IPv4. I've never had the need to set this up.


Cheers,
Franco

Thanks for the answer Franco! The ISP indeed somehow ignores the hint. I have now set the prefix length in the WAN settings to the prefix length actually provided to me (which was currently 58). Not a nice solution, but it works for the moment.

Regarding CARP IPv6 I have to explain the background: I cannot configure the IPv6 HA setup as illustrated in the manual (https://docs.opnsense.org/manual/how-tos/carp.html). This is because I have only a quasi-static IPv6 which may change from time to time. My idea was to use WAN track interface and have the LAN on firewall 1 assigned a different v6 subnet than the LAN on firewall 2. In the above example of the manual: Firewall 1 LAN 2001:db8:1234:1::1/64, Firewall 2 LAN 2001:db8:1234:2::1/64. Nevertheless, a common virtual CARP address fe80::2 is broadcast for both LANs.

I assume ::) that the routing is done via the fe80::2, which is either pointing to firewall 1 in the master mode or to firewall 2 in the backup mode. If yes, this would make use of the less powerful firewall 2 only in exceptional cases (firewall 1 is newer, faster, has more RAM etc.).

Is that understanding correct?


Hmm, doing CARP with different nodes that run on a dynamic DHCPv6 link is a bit tricky. You start to move the same IPv6 clients from one subnet to the next using separate prefix IDs between boxes, but only one box is connected via DHCPv6 so you should really use the same prefix for the same LAN. But I don't know if DHCP(v6) does establish on failover and/or if you really got two separate DHCPv6 links to the provider. From your example it doesn't appear to be the case.


Cheers,
Franco

September 27, 2023, 04:46:24 PM #4 Last Edit: September 28, 2023, 12:22:47 AM by meschmesch
I configured both firewalls to independently acquire their prefixes, no CARP for IPv6. The main firewall just uses RA with a higher priority than the backup firewall. This will provide me with IPv6 via the main firewall in case the main firewall is Master. And in case the main firewall fails, IPv6 will automatically use the backup. It is not seamless, I assume, but it should work.
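The thread's core problem is a mismatch between the prefix delegation size configured on WAN and the prefix the ISP actually hands out, which leaves the tracked interfaces without a /64. The following Python script is an added example, not code from the thread or from OPNsense: it compares a delegated prefix against the configured size and derives the /64 a tracked interface would get for a given prefix ID, so a mismatch or an out-of-range ID is caught before it shows up as a missing address. The delegated prefix `2001:db8:1234:40::/58` is a constructed sample value.

```python
import ipaddress


def check_delegation(delegated: str, expected_len: int) -> dict:
    """Compare the prefix the ISP actually delegated with the size configured on WAN.

    Returns the real and expected lengths, whether they agree, and how many /64
    subnets the delegation leaves for tracked interfaces.
    """
    net = ipaddress.IPv6Network(delegated, strict=False)
    return {
        "delegated_len": net.prefixlen,
        "expected_len": expected_len,
        "matches": net.prefixlen == expected_len,
        # each tracked interface consumes one /64 out of the delegation
        "subnet_count": 2 ** (64 - net.prefixlen) if net.prefixlen <= 64 else 0,
    }


def track_subnet(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Compute the /64 a tracked interface gets for a given prefix ID.

    The prefix ID occupies the bits between the delegated prefix length and /64,
    so a /58 allows IDs 0x00..0x3f while a /57 would allow 0x00..0x7f.
    """
    net = ipaddress.IPv6Network(delegated, strict=False)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix longer than /64 leaves no room for subnetting")
    max_id = 2 ** (64 - net.prefixlen) - 1
    if not 0 <= prefix_id <= max_id:
        raise ValueError(
            f"prefix ID {prefix_id:#x} exceeds maximum {max_id:#x} for /{net.prefixlen}"
        )
    # shift the ID into the low bits of the upper 64-bit (network) half of the address
    base = int(net.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << 64), 64))


if __name__ == "__main__":
    # constructed sample: WAN configured for /57, ISP delegates a /58
    delegated = "2001:db8:1234:40::/58"
    print(check_delegation(delegated, 57))
    for pid in (0x5, 0x3f):
        print(f"prefix ID {pid:#x} -> {track_subnet(delegated, pid)}")
```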