[SOLVED] Dual-Stack: IPv6 on Telekom (Germany) link

Started by fastboot, November 30, 2023, 03:32:52 PM

November 30, 2023, 03:32:52 PM Last Edit: November 30, 2023, 09:43:23 PM by fastboot
Hi guys,

hope you can point me in the right direction, as I am a little lost and don't know why it does not work.


Setup:
Modem connected to the OPNsense
OPNsense connects to the internet via PPPoE
2 Servers, one connected to DMZ interface of the OPNsense, the other to the LAN interface

Configurations:
Interfaces - WAN
IPv6 Configuration Type = DHCPv6
Request only an IPv6 prefix = Check
Prefix delegation size = 56
Send IPv6 prefix hint = Check
Use IPv4 connectivity = Check

Interfaces - DMZ
IPv6 Configuration Type = Track Interface
IPv6 Interface = WAN
IPv6 Prefix ID = 0
Manual configuration = Check (tried it also without checking this)

Interfaces - LAN
IPv6 Configuration Type = Track Interface
IPv6 Interface = WAN
IPv6 Prefix ID = 1
Manual configuration = Check (tried it also without checking this)

Services - Router Advertisements
DMZ
Router Advertisements = Assisted (Tried also the others)
LAN
Router Advertisements = Assisted (Tried also the others)


Interfaces - Overview
WAN
IPv6 address = 2003:xxxxxx/64
IPv6 prefix = 2003:xxxxxxx::/56
IPv6 gateway = auto-detected: fe80::xxxxxx

DMZ
IPv6 address = 2003:xxxxxx/64

LAN
IPv6 address = 2003:xxxxxx/64


I also tried to play with DHCPv6, but I cannot get any Server in LAN or DMZ to get an IPv6 address.

Any help is really much appreciated. I also searched the Forum and also the Web, tried the different proposed solutions, but the Clients/Servers get no external IPv6 address.


fastboot


Hi,

Assuming you have an up and running PPPoE connection with VLAN7 properly configured?!

Normally, manual configuration for router advertising is not required; it should be unchecked as a first step.

'request ipv6 prefix only' I have also unchecked

Can you share whether the ipv6 prefixes on your LAN and DMZ interface look as expected, i.e. have the assigned Prefix ID? (0 resp. 1)

Your servers on LAN and DMZ: How are they supposed to get an IPv6 address on their interfaces?

Br br

The correct setting for SLAAC-only is "Unmanaged". You should disable the DHCPv6 server first.

Does radvd run? If so, try restarting it. Changes in the interface might not be seen unless the daemon is restarted (this should be O.K. later).

Also, try to reduce the two intervals to 200/600 seconds.

If prefixes do not get distributed, have a look at /var/etc/radvd.conf and see if the prefixes are in there.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Hi,

yes of course. I configured VLAN7 also on the FW, instead of having this on the Modem.

IPv6 prefixes on LAN and DMZ? I have not configured IPv6 yet.

My assumption was that the NICs of the Servers will automatically get an IPv6 address for the internet. At least this is how I read all of the documentation. The prefixes I already sent you? DMZ is 0, LAN is 1

Quote from: meyergru on November 30, 2023, 04:54:37 PM
The correct setting for SLAAC-only is "Unmanaged". You should disable the DHCPv6 server first.

Does radvd run? If so, try restarting it. Changes in the interface might not be seen unless the daemon is restarted (this should be O.K. later).

Also, try to reduce the two intervals to 200/600 seconds.

If prefixes do not get distributed, have a look at /var/etc/radvd.conf and see if the prefixes are in there.

Well, I do not see the configuration within "services", if I do not enable "Manual configuration" in the settings. But then I can see the "Services - Router Advertisements".

First, your LAN and DMZ IPv6 addresses must be assigned by "track interface" first and should look like:

DMZ: 2003:xxxx:xxxx:xxx0:yyyy:yyyy:yyyy:yyyy/64
LAN: 2003:xxxx:xxxx:xxx1:yyyy:yyyy:yyyy:yyyy/64

Then, the full /64 prefixes can be distributed by radvd. For this to work, the configuration file (auto-generated) must have the correct prefixes (2003:xxxx:xxxx:xxx0/1::/64) in them.

And yes, you should use manual configuration to shorten the intervals for RAs.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
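The check suggested in the replies above (does each tracked interface have the /64 its Prefix ID implies, and is that prefix present in the generated radvd.conf?), as an added example that is not part of the thread. The documentation prefix 2001:db8:1234:ab00::/56 stands in for the redacted 2003: delegation, and the interface names igb1/igb2 and the radvd.conf excerpt are constructed.

```python
import ipaddress
import re

def tracked_prefix(delegated, prefix_id):
    """/64 that 'Track Interface' should derive from the delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix is longer than /64")
    if not 0 <= prefix_id < 2 ** (64 - net.prefixlen):
        raise ValueError(f"prefix ID {prefix_id} does not fit in a /{net.prefixlen}")
    # The prefix ID fills the subnet bits just above the 64-bit interface ID.
    return ipaddress.IPv6Network((int(net.network_address) + (prefix_id << 64), 64))

def advertised_prefixes(conf):
    """Map interface name -> set of prefixes found in radvd.conf text."""
    found, current = {}, None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"interface\s+([^\s{]+)", line)
        if m:
            current = m.group(1)
            found[current] = set()
            continue
        m = re.match(r"prefix\s+([^\s{]+)", line)
        if m and current:
            found[current].add(ipaddress.IPv6Network(m.group(1), strict=False))
    return found

def check(delegated, tracking, conf):
    """Report per interface whether radvd advertises the expected /64."""
    adv = advertised_prefixes(conf)
    report = {}
    for ifname, pid in tracking.items():
        want = tracked_prefix(delegated, pid)
        report[ifname] = "ok" if want in adv.get(ifname, set()) else f"missing {want}"
    return report

# Constructed sample: DMZ (igb1) has its prefix, LAN (igb2) block has none yet.
SAMPLE_CONF = """
interface igb1 {
    AdvSendAdvert on;
    prefix 2001:db8:1234:ab00::/64 { AdvOnLink on; AdvAutonomous on; };
};
interface igb2 {
    AdvSendAdvert on;
};
"""
DELEGATED = "2001:db8:1234:ab00::/56"   # placeholder for the ISP delegation
TRACKING = {"igb1": 0, "igb2": 1}       # hypothetical names: DMZ = ID 0, LAN = ID 1

if __name__ == "__main__":
    for ifname, status in check(DELEGATED, TRACKING, SAMPLE_CONF).items():
        print(ifname, status)
```

On the firewall, the text of /var/etc/radvd.conf would be passed in place of SAMPLE_CONF.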

The DMZ and LAN Addresses are shown 2003:XXXX in your post. So: can you show the field to see whether prefix ID 0 and 1 are properly assigned to the ipv6 address on the DMZ and LAN interface?

What do you mean by "IPv6 has not been configured yet"?

ipv6 on servers: Assuming servers with Linux with ipv6 activated, you should then have at least a configuration in /etc/network/interfaces like

iface eth0 inet6 auto

Otherwise you won't get any ipv6 address on the servers


Or, for newer versions of Debian-based distributions based on netplan, you should have /etc/netplan/01-netcfg.yaml like this:

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: yes
      dhcp4-overrides:
        use-dns: true
        use-domains: true
      dhcp6: no
      accept-ra: true
      ipv6-privacy: true
      optional: true
      mtu: 1500


That assumes all ipv6-related tunables are set correctly.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Hi guys,

thanks a lot for the prompt replies :)


I disabled the IPv6 settings for the LAN now. But DMZ is still configured.

From Interfaces - Overview for DMZ Interface:
IPv6 address: 2003:XX:XXX:XXXX:2e0:XXX:XXXX:XXXX/64 
It's correctly set as far as I can see. Same I had for the LAN interface, but just with the 1 for sure.


Edit: I also tried the same with the LAN and another Host in there. Just as this is a completely different setup with different onboard tools compared to the server in DMZ.

With not configured IPv6 I meant the normal setup to have IPv6 connectivity. So I did not use IPv6 so far for the LAN connection (e.g. machine2machine, ...).

The server in the DMZ should get the IP automatically, as I did not turn it off for the whole system.

Example for eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 10.xx.xx.xx/24 brd 10.xx.xx.xx scope global dynamic noprefixroute eth0
       valid_lft 5225sec preferred_lft 5225sec
    inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

I also tested if the Firewall itself can ping for example heise.de via IPv6. That works.

I guess we can close this as solved.

I rebooted the FW and **BANG** the Server in DMZ had an IPv6 address... No connection allowed so far, but it's configured.


Maybe this is interesting for someone else who's running into the same issue.