[SOLVED] IPv6: provider issues address outside of fixed /56 block

Started by zenlord, January 19, 2024, 06:14:38 PM

Hi,
Short and maybe stupid question, but my service provider is ignoring my requests to solve my issue (and I am not entirely sure that my configuration is not the culprit).

A few months ago, I requested a fixed IPv6 address and shared the DUID of my OpnSense appliance. The provider confirmed that all was set up correctly on their end. However, the IPv6 address that my OpnSense appliance receives through DHCPv6 is outside of the block that is supposed to be reserved for me, and it does not match the IPv6 prefix that OpnSense tells me it has received:

OpnSense interfaces overview:
IPv6 link-local   fe80::20d:b9ff:fe45:cc08/64
IPv6 address   2a02:xxxf:0:80e1:b032:6391:eea0:89df/128
IPv6 prefix   2a02:xxx2:1c0c:4800::/56
IPv6 gateway   auto-detected: fe80::217:10ff:fe87:b386

-> 1. The address is outside of the prefix
-> 2. The address actually has changed already at least once, so whatever they have issued to me, it is not a fixed IPv6
-> 3. The prefix is not the same as the one I was told I would receive (2a02:xxy7:1020:900::/56)

I have already released/renewed the IPv6 and IPv4 addresses, and have also rebooted twice. I have asked my provider to double check the modem ID in their systems (/my account), and they always confirm everything is set up correctly.

I can make outbound things work (as confirmed by an ipv6test website) by adding a virtual IP address inside the prefix and manually setting up a route, but inbound, computers on my LAN are not reachable from outside with that setup.

My configuration is pretty standard, I believe:
1. the WAN interface is configured to use DHCPv6, with 'send prefix hint' set and 'prefix delegation size' set to 56
2. the LAN interface is set to track the WAN interface, and I have tried both with the option to manually adjust RA and without.

Is there anything I could be doing wrong, or can I firmly demand a solution from my provider?

The WAN address being outside of the delegated /56 is completely normal. They are unrelated.

It seems you requested a fixed prefix, not a fixed address, correct? Or both? What's your goal? A fixed WAN address for OPNsense or a fixed prefix for your LANs?

Your ISP might route the fixed prefix to you without delegating it via DHCPv6. Have you tried whether you can actually use 2a02:xxy7:1020:900::/56?

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Thank you so much for your fast reply. I appear to have some reading to do before scouring my provider :).

I don't know whether I will receive a fixed IPv6 address or prefix, but I would assume that the prefix is allocated to me exclusively, so I can reach my server.

I have indeed tried manually setting an address in the prefix:
My radvd configuration (running on a rPi on my LAN but I also tried with the radvd service on OpnSense):
interface eth0 {
  AdvSendAdvert on;
  MinRtrAdvInterval 3;
  MaxRtrAdvInterval 10;
  prefix 2a02:xx07:1020:902::/64 {
    AdvOnLink on;
    AdvAutonomous on;
    AdvRouterAddr on;
  };
  RDNSS 2a02:xx07:1020:902::15 {};
};

My laptop's ip addresses:
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 5c:e4:2a:d0:a5:2f brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.197/24 brd 192.168.2.255 scope global dynamic noprefixroute wlan0
       valid_lft 6778sec preferred_lft 5929sec
    inet6 2a02:xx12:1c0c:4802:708b:871b:556e:907e/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86395sec preferred_lft 14395sec
    inet6 2a02:xx07:1020:902:2e1f:1791:743d:a738/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86400sec preferred_lft 14400sec
    inet6 fe80::3354:e5e9:84ba:9992/64 scope link
       valid_lft forever preferred_lft forever


My laptop's ip routes:
default via 192.168.2.1 dev wlan0 proto dhcp src 192.168.2.197 metric 3003
10.66.71.0/24 via 192.168.2.1 dev wlan0
192.168.2.0/24 dev wlan0 proto dhcp scope link src 192.168.2.197 metric 3003

2a02:xx07:1020:902::/64 dev wlan0 proto ra metric 3003 pref medium
2a02:xx12:1c0c:4802::/64 dev wlan0 proto ra metric 3003 mtu 1500 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default via fe80::7e5b:6b13:4b53:6f84 dev wlan0 proto ra metric 3003 pref medium


My laptop's resolv.conf:
# Generated by resolvconf
domain [my domain]
nameserver 192.168.2.15
nameserver 2a02:xx07:1020:902::15
options trust-ad edns0 single-request timeout:1


If I run the tests at https://test-ipv6.com, these are the results:
Test with IPv4 DNS record ok (0.952s) using ipv4
Test with IPv6 DNS record bad (0.785s)
Test with Dual Stack DNS record ok (1.137s) using ipv4
Test for Dual Stack DNS and large packet ok (0.168s) using ipv4
Test IPv6 large packet bad (0.554s)
Test if your ISP's DNS server uses IPv6 ok (2.645s) using ipv4
Find IPv4 Service Provider ok (0.648s) using ipv4 ASN 6848
Find IPv6 Service Provider bad (0.793s)


Apart from an internal DNS server, I don't have any other network-related services running on this LAN. The DNS server forwards all traffic to DNSSEC servers, and serves a few local hosts/addresses with A, AAAA and PTR records.

/edit: added resolv.conf and ip routes
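
Added example, not part of the original thread: a small Python check that reads `ip -6 addr show` output and reports which addresses fall inside the delegated /56, and in which /64 of it. The sample output is constructed, and the documentation prefix 2001:db8::/32 stands in for the redacted provider prefixes; `classify` and `foreign_prefixes` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output. 2001:db8::/32 replaces the
# redacted provider prefixes; the host holds addresses from two different /64s.
SAMPLE = """\
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet6 2001:db8:1c0c:4802:708b:871b:556e:907e/64 scope global dynamic mngtmpaddr
       valid_lft 86395sec preferred_lft 14395sec
    inet6 2001:db8:1020:902:2e1f:1791:743d:a738/64 scope global dynamic mngtmpaddr
       valid_lft 86400sec preferred_lft 14400sec
    inet6 fe80::3354:e5e9:84ba:9992/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6 = re.compile(r"^\s*inet6\s+(\S+)", re.M)


def classify(ip_output, delegated):
    """Return (address, verdict) for every inet6 line, judged against the delegation."""
    pd = ipaddress.ip_network(delegated)
    results = []
    for cidr in INET6.findall(ip_output):
        ip = ipaddress.ip_interface(cidr).ip
        if ip.is_link_local:
            verdict = "link-local"
        elif ip in pd:
            # Index of the /64 within the delegation (0x00..0xff for a /56).
            idx = (int(ip) - int(pd.network_address)) >> 64
            verdict = f"inside, subnet {idx:#x}"
        else:
            verdict = "outside"
        results.append((str(ip), verdict))
    return results


def foreign_prefixes(ip_output, delegated):
    """Return the /64s of global addresses that do not belong to the delegation."""
    found = set()
    for addr, verdict in classify(ip_output, delegated):
        if verdict == "outside":
            found.add(str(ipaddress.ip_network(f"{addr}/64", strict=False)))
    return sorted(found)


if __name__ == "__main__":
    for addr, verdict in classify(SAMPLE, "2001:db8:1020:900::/56"):
        print(f"{addr:45} {verdict}")
```

A non-empty result from `foreign_prefixes` means the host is still autoconfiguring from a router advertisement for a prefix other than the expected delegation.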

First you have to check whether your ISP routes the static prefix to you without delegating it via DHCPv6. You can e.g. add 2a02:xx07:1020:900::1/128 as an IP alias to the OPNsense WAN interface and use that as the source address to ping a host on the Internet. If this doesn't work, you'll have to talk to your ISP again.

Well, I'm a whole lot further now, and maybe the problem has been solved - thank you for your help! Without it, I would still be focusing on errors made by my provider...

I am able to successfully run several online IPv6 tests from my laptop, but the ping from the Virtual IP as you instructed is failing. I also don't seem to be able to reach a server on my LAN via its IPv6 address, so I need to test some more.


Since I could finally manage my 'Fixed IP address' settings in the management panel offered by my provider, I decided to just choose another DUID, update both on my provider's side and in OpnSense and then reboot OpnSense. That immediately fixed me getting the wrong IPv6 prefix. Since I had rebooted my appliance a few times already, I'm blaming their cache settings.

I went back to the most basic settings imaginable:
* WAN: DHCPv6 + prefix size set to 56 + request only prefix
* LAN: track WAN interface + disable 'manual adjustment'
* Added a Virtual IPv6 to my OpnSense appliance: 2a02:xx07:1020:902::1/128

I also tried with these additional settings, but they didn't make a difference:
* Added a Gateway to 2a02:xx07:1020:902::1
* Added and enabled a route in OpnSense to route all 2a02:xx07:1020:900::/56 traffic through this gateway

So, now all clients on my LAN receive IPv6 addresses within the IPv6 prefix that is allocated to me by my provider. But still I fail on all online IPv6 tests. I did restart the networking components on my laptop (iwd and dhcpcd) and even switched browsers.

Any idea?

Just a quick note that everything is working, both outbound and inbound.

The main issue was resolved once I had access to a functional admin panel to change the DUID in my provider's records. After one more reboot I indeed received the correct /56 prefix.

Then setting up my internal network was a bit more involved than some online tutorials had led me to believe:
* I set the LAN interface to "track interface: WAN"
* I set the option "Request only prefix"
* I enabled the DHCPv6 server on the LAN interface
* I enabled the radvd service on the LAN interface
* I set a virtual IP on my LAN interface.

Thank you again!