[SOLVED] LAN clients cannot ping internet IPv6 addresses

[jaykumar2005]

Another IPv6 setup help,

I am running OPNsense 23.7.5, Etisalat UAE ISP and need help with setting up IPv6. I was able to get IPv6 on the WAN and LAN interfaces as well as LAN clients seems to get the IPv6

• OPNsense get /64 prefix on both LAN/WAN interfaces 2001:--redacted--/64
• LAN clients also get /64 address 2001:--redacted--/64

Code: [Select]

WAN
===

IPv4 Configuration Type: PPPoe
IPv6 Configuration Type: SLAAC

LAN
===
IPv4 Configuration Type: Static IPv4
IPv6 Configuration Type: Track Interface
I can ping IPv6 address on internet from the OPNsense itself, but I cannot ping the LAN clients
LAN clients cannot ping OPNsense IPv6 address or any IPv6 on the internet

Default route on the LAN clients

Code: [Select]

ip -6 route show default

default proto ra metric 1024 expires 1566sec mtu 1492 pref medium
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev eno2 weight 1
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev wlo1 weight 1

• Any attempt to enable - Allow manual adjustment of DHCPv6 and Router Advertisements - I lose IPv6 on the LAN interface
• Floating firewall rule to allow IPv6 ICMP for both direction, on any inferface is in place

Any help appreciated

[Saarbremer]

Hi,

did you already check with IPv6 on WAN as DHCPv6? Tracking interface for LAN works (to my knowledge) with DHCPv6 on WAN only, not SLAAC.

How is LANs Router Advertisement configured? Managed, Assisted, None,...

Furthermore, are the WAN and LAN IPs on different prefixes? It does not become clear to me.

In any case, you should be able to inspect the traffic from LAN to the internet and check if ICMP packages even come in on LAN and if yes whether there is any response that might get lost.

[jaykumar2005]

The WAN and LAN are set to these

Code: [Select]

WAN
===

IPv4 Configuration Type: PPPoe
IPv6 Configuration Type: SLAAC

LAN
===
IPv4 Configuration Type: Static IPv4
IPv6 Configuration Type: Track Interface


• Tracking interface for LAN seems to be working as I am getting /64 prefix IPv6 on LAN as well
• I cannot enable Router Advertisement, as soon as I enable it, I loose IPv6 on the LAN interface
• WAN/LAN get /64 prefix IPv6 with identical IP's except for last octets

I cannot even ping the LAN interface of the OPNsense from any of the LAN clients, which I think is due to incorrect or non-existing default route.

Please refer to the default route from one of the LAN clients

Code: [Select]

ip -6 route show default

default proto ra metric 1024 expires 1566sec mtu 1492 pref medium
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev eno2 weight 1
nexthop via fe80::7e5a:1cff:fe6d:2f10 dev wlo1 weight 1

[Saarbremer]

Hi,

I was actually interested in the actual IP address (up to some redaction). SLAAC on WAN does not correctly work with Track Interface.

The reason is that SLAAC does not provide prefix delegation and so LAN hosts get the same prefix as WAN hosts. I guess in your setup the ISP does SLAAC for the whole /64.

I did some quick research and it seems you can request a delegated prefix via DHCPv6 on PPPoE (see below, but the answer is not very detailed nor verbose). Having that (WAN = DHCPv6) might work, but I cannot test it not have I any detailed information on the ISP's actual setup.

See here for reference on reddit.com:
https://www.reddit.com/r/dubai/comments/txi6or/comment/ik5knh0/?utm_source=share&utm_medium=web2x&context=3

[doktornotor]

I guess in your setup the ISP does SLAAC for the whole /64.

If your ISP sucks that much that they only provide a single /64, you should tick the " Request only an IPv6 prefix" checkbox on WAN. You cannot use that /64 on both interfaces.

[jaykumar2005]

The IPv6 I get on WAN/LAN are identical except last octet with /64 prefix

Code: [Select]

LAN 2001:XX:XX:XX:XX:XX:XX:2f10/64

WAN 2001:XX:XX:XX:XX:XX:XX:2f13/64
The reddit post mentioned above is the exact situation I am in.

Can someone translate it to OPNsense setup?

I gave up on MikroTik and used cisco ISR router. I was able to configure dialer interface via ppp, request dhcp-pd prefix and create own DHCP with ULA addresses. So now I have both stable internal IPv6 network and ipv6 internet access.

If I change WAN to  "Request only an IPv6 prefix", the WAN interface only get a link-local address

Code: [Select]

fe80::7e5a:1cff:fe6d:2f11

[Patrick M. Hausen]

If I change WAN to  "Request only an IPv6 prefix", the WAN interface only get a link-local address

Code: [Select]

fe80::7e5a:1cff:fe6d:2f11

That is perfectly ok and intended. Your LAN clients will (if all else goes well) be able to communicate using the GUA from that single /64 and your OPNsense will route the packets using a link-local address.

[jaykumar2005]

That would required DHCPv6 and Route Advertisement enabled, right?

That is perfectly ok and intended. Your LAN clients will (if all else goes well) be able to communicate using the GUA from that single /64 and your OPNsense will route the packets using a link-local address.

[doktornotor]

You do not need DHCPv6 for anything. Having only fe80:: on WAN is just perfectly fine.

[Saarbremer]

Hi, sorry I was unclear about this earlier:

You don't need DHCPv6 on WAN, nor do you need DHCPv6 on LAN in order to get this specific setup to work. SLAAC is your friend.

[jaykumar2005]

Solved this with following config, IPV6 works with Etisalat Dubai, which gives /64 prefix. LAN clients get IPv6 Global Addresses and routing to external IPv6 addresses


[WAN]

Code: [Select]

IPv4 Configuration Type: PPPoE
IPv6 Configuration Type: DHCPv6
DHCPv6 client configuration
  Use IPv4 connectivity: Checked

[LAN]

Code: [Select]

IPv4 Configuration Type: Static IPv4
IPv4 Configuration Type: Track Interface
Track IPv6 Interface
  IPv6 Interface: WAN
  Manual configuration: Checked (Allow manual adjustment of DHCPv6 and Router Advertisements)

Services: Router Advertisements: [LAN]

Code: [Select]

  Router Advertisements: Unmanaged