SLAAC: which OPNsense settings are relevant?

Started by zenlord, January 30, 2024, 10:40:31 AM

January 30, 2024, 10:40:31 AM Last Edit: January 31, 2024, 02:13:38 PM by zenlord
Hi, I have been struggling for two weeks now to get IPv6 to work. The initial problem was with my provider, and now I seemingly have everything working, but most apps on my android devices appear to fall back to IPv4 after 30s of trying.

The test at https://ipv6-test.com/ results in a score of 18 or 19/20, even on my android 14 phone, but the 'SLAAC' option always results in a (green) 'NO'. My devices do report having a fe80:...ff:fe... address, which I believe is formatted like a SLAAC address.

I have a very simple network, with 1 single subnet and no VLANs. My ISP assigns me a fixed /56 block, so I have set:
* WAN IPv6 to DHCPv6
* LAN IPv6 to 'Track interface: WAN'
* Assigned a fixed Virtual IP to my LAN interface aaaa:bbbb:cccc:dddd::1/128 -> now changed to /64 (thx to Maurice)

These are the options I have tried, without success:

* "Automatic mode":
      * simply disable the "Manually adjust router advertisements in the Track Interface section" - IIRC, Maurice posted on this forum that OPNsense then automatically advertises SLAAC.
      * disable radvd and DHCPv6 on the LAN interface
* "Unmanaged mode":
      * enable "Manually adjust router advertisements in the Track Interface section"
      * enable radvd daemon and configure it as Unmanaged
      * disable radvd and DHCPv6 on the LAN interface
* "Assisted mode" / "SLAAC mode":
      * enable "Manually adjust router advertisements in the Track Interface section"
      * enable radvd daemon and configure it as Assisted
      * enable the DHCPv6 server on my LAN interface (tried with and without setting a dhcp range)

In the radvd service section, I have tried with and without setting a prefix - if I did, I made sure that it was a /64 prefix.
I have used radvdump on my laptop to test the RAs I receive, both on my network and a similar network in my neighbourhood (only difference being OPNsense versus Unifi Router), and have been able to align the RAs perfectly.
I have tried running a radvd daemon on a RaspberryPi, making sure that that one did not advertise itself as the router/gateway on the network.

My questions:
1. I always restarted the services after changing settings - but I did not always restart OPNsense entirely - should I?
2. Where else can I look or what else can I try (in OPNsense, I think) for relevant settings?

"SLAAC No" on ipv6-test.com is what you actually want! That's why it's green. The name is a bit misleading, what they actually mean is "EUI-64 No". They just check whether your IPv6 address is based on a MAC address. You typically don't want this for privacy reasons, which is why most devices use privacy extensions by default.

fe80::/64 are link-local addresses, these can only be used in the local network, not for Internet access.

The LAN interface address should be configured as a /64.

You don't have to manually restart radvd after making changes (with very few exceptions, e.g. adding virtual IPs).

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
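
Maurice's point that the ipv6-test.com "SLAAC" row is really an EUI-64 test can be checked on any address. The block below is an added example written for this thread (Python 3, standard library only); it is not code from the thread, from OPNsense or from ipv6-test.com, whose exact heuristic is not documented on this page, so the check implemented is the standard one from RFC 4291 Appendix A. Sample inputs are the two link-local addresses visible in the thread plus a constructed address under the 2001:db8::/32 documentation prefix.

```python
import ipaddress

# RFC 4291 / RFC 4193 scopes, checked explicitly rather than via
# ipaddress.is_private, which also flags 2001:db8::/32 and fe80::/10.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def eui64_to_mac(addr):
    """Return the MAC address embedded in a modified EUI-64 interface
    identifier, or None if the address was not derived from a MAC.

    RFC 4291 Appendix A: the 48-bit MAC is split in two halves, 0xfffe is
    inserted between them and the universal/local bit (0x02 of the first
    byte) is flipped. Privacy (RFC 8981) and stable-privacy (RFC 7217)
    identifiers are effectively random and will almost never match.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                          # undo the u/l bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def is_eui64(addr):
    """True if the address leaks a MAC; 'False' is what the test site shows
    in green, because it is the privacy-preserving outcome."""
    return eui64_to_mac(addr) is not None


def scope(addr):
    """Coarse scope: link-local never leaves the segment, ULA is not routed
    on the Internet, global is the only kind that gives Internet access."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def report(addr):
    """One-line verdict for an address: where it can be used and what it reveals."""
    return {"address": addr, "scope": scope(addr),
            "eui64": is_eui64(addr), "mac": eui64_to_mac(addr)}


if __name__ == "__main__":
    # Constructed samples: the router's and the laptop's link-local addresses
    # from the thread, and a documentation-prefix address with an EUI-64 IID.
    for a in ("fe80::20d:b9ff:fe45:cc09",
              "fe80::3354:e5e9:84ba:9992",
              "2001:db8:0:902:20d:b9ff:fe45:cc09"):
        print(report(a))
```

The router's own link-local address decodes to 00:0d:b9:45:cc:09, the PC Engines MAC that Wireshark later shows as the RA source; the laptop's fe80::3354:... address does not decode at all, which is what a privacy-extension address looks like. A random identifier can contain 0xfffe by chance (about one in 65536), so treat a positive as a strong hint, not proof.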

Thank you again, Maurice. It looks like I've been spending way too much time down the wrong rabbit hole.

So, apparently, my IPv6 setup as such is fully functional, but then the new question is "Why are all apps on my android phone, except for the browser, timing out or failing once I enable WiFi?"

I have been monitoring my firewall logs to see if anything is being blocked, and apart from a lot of Geo-related blocking I cannot see anything of relevance in the logs... On top of the automatically generated firewall rules to allow certain ICMP traffic, I have added a floating rule to allow *all* ICMP traffic.

Can you recommend me what to do next?

"All apps failing" is a bit too generic for specific recommendations. What works, what doesn't? DNS resolution? Pinging IPv6 addresses? Pinging IPv4 addresses?

One mistake I've seen made more than once (especially by users who prefer the "try random settings until it works" approach ;)) is enabling DNS64 in Unbound. Make sure this is disabled unless you know exactly what it does and what its dependencies are.

Well, yes - I know that I'm failing the "be specific" rule, but was hoping to get some high level tips what to test next. I'm afraid we're getting very close to setting up wireshark, which I am not at all familiar with, but if that's what it takes, then that's what I'll do.

Maybe you do see something off in this?
LAN:
Status up
MAC address 00:0d:b9:..:..:.. - PC Engines GmbH
MTU                 1500
IPv4 address 192.168.2.1/24
IPv4 gateway auto-detected: 192.168.2.14
IPv6 link-local fe80::20d:b9ff:fe45:cc09/64
IPv6 address 2a02:....:....:902::1/64                           <-- virtual IP
                        2a02:....:....:902:20d:b9ff:fe45:cc09/64
IPv6 gateway auto-detected: 2a02:....:....:902::14
Media         1000baseT <full-duplex>

(The gateways for both IPv4 and IPv6 do not make sense, as that device is a server on my LAN - but if I add gateway addresses for the OPNsense device and give those a higher prio, then my internet connectivity fails for all machines on my LAN)

WAN:
Status up
DHCP         DHCPv4 up        DHCPv6 up   
MAC address 00:0d:b9:..:..:.. - PC Engines GmbH
MTU                 1500
IPv4 address 81.82.aaa.aaa/18
IPv4 gateway auto-detected: 81.82.192.1
IPv6 link-local fe80::20d:b9ff:fe45:cc08/64
IPv6 address 2a02:xxxx:xxxx:80e1:cc89:fc32:3be2:44db/128
IPv6 prefix 2a02:....:....:900::/56
IPv6 gateway auto-detected: fe80::217:10ff:fe2b:3173
DNS servers 195.130.130.2
                        195.130.131.2
                        2a02:1800:100::42:2
                        2a02:1800:100::42:1
Media         1000baseT <full-duplex>


I found some online reports related to multicast & IGMP settings, so I disabled all those functions in my Unifi Network application as well as in my Cisco central switch. I also reduced the Group Rekeying Interval and restarted my access points as some Unifi user reported very similar symptoms as mine: IPv6 connectivity seems to be working, but it is not.

But why does the OPNsense LAN interface even have gateways? These shouldn't exist unless you require them for specific routes. And why does it have two GUAs in the same subnet? If your prefix is static, just configure the LAN interface statically. No need for "track interface".

Other than that, Wireshark it is. Looking at the packets is more promising than trying random settings. ;)

So far I appear to have always been able to get things working by randomly changing the settings, but today I have taken my first steps in Wireshark :).

But first I have made significant changes to simplify my setup as much as possible:
* I removed all custom routes and gateways (at least temporary)
* I updated to OPNsense 24.1
* I migrated dhcpd, unbound and ntpsec on my Rpi to Kea, unbound and chrony on OPNsense
* I have disabled all multicast optimizations in my Unifi Network application (WiFi and overall network) as well as in my central Cisco switch.

So now all network services are running in OPNsense and I have disabled the Rpi (temporarily).

Wireshark on my laptop (wlan0, same WiFi as my android phone) picks up these 6 "IPv6 Multicast" messages every 300-500 seconds:
No. Time Source Destination Protocol Length Info
43 1862.997666324 fe80::20d:b9ff:fe45:cc09 ff02::1 ICMPv6 190 Router Advertisement from 00:0d:b9:45:cc:09
44 1862.998941542 fe80::3354:e5e9:84ba:9992 ff02::1 ICMPv6 86 Neighbor Advertisement 2a02:xxxx:xxxx:xxxx:2e1f:1791:743d:a738 (ovr) is at 5c:e4:2a:d0:a5:2f
45 1863.011271674 fe80::3354:e5e9:84ba:9992 ff02::16 ICMPv6 110 Multicast Listener Report Message v2
46 1863.914649666 fe80::3354:e5e9:84ba:9992 ff02::16 ICMPv6 110 Multicast Listener Report Message v2
47 1864.000173244 fe80::3354:e5e9:84ba:9992 ff02::1 ICMPv6 86 Neighbor Advertisement 2a02:xxxx:xxxx:xxxx:2e1f:1791:743d:a738 (ovr) is at 5c:e4:2a:d0:a5:2f
48 1865.001346469 fe80::3354:e5e9:84ba:9992 ff02::1 ICMPv6 86 Neighbor Advertisement 2a02:xxxx:xxxx:xxxx:2e1f:1791:743d:a738 (ovr) is at 5c:e4:2a:d0:a5:2f


The Router Advertisement packet contains:
Frame 43: 190 bytes on wire (1520 bits), 190 bytes captured (1520 bits) on interface wlan0, id 0
Ethernet II, Src: PCEngines_45:cc:09 (00:0d:b9:45:cc:09), Dst: IPv6mcast_01 (33:33:00:00:00:01)
Internet Protocol Version 6, Src: fe80::20d:b9ff:fe45:cc09, Dst: ff02::1
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0x69bf [correct]
    [Checksum Status: Good]
    Cur hop limit: 64
    Flags: 0x00, Prf (Default Router Preference): Medium
        0... .... = Managed address configuration: Not set
        .0.. .... = Other configuration: Not set
        ..0. .... = Home Agent: Not set
        ...0 0... = Prf (Default Router Preference): Medium (0)
        .... .0.. = ND Proxy: Not set
        .... ..00 = Reserved: 0
    Router lifetime (s): 600
    Reachable time (ms): 0
    Retrans timer (ms): 0
    ICMPv6 Option (Prefix information : 2a02:xxxx:xxxx:xxxx::/64)
    ICMPv6 Option (Route Information : Medium 2a02:xxxx:xxxx:xxxx::/64)
    ICMPv6 Option (Recursive DNS Server 2a02:xxxx:xxxx:xxxx::1)
    ICMPv6 Option (DNS Search List Option <domain>)
    ICMPv6 Option (MTU : 1500)
    ICMPv6 Option (Source link-layer address : 00:0d:b9:45:cc:09)
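
The dissection above shows M=0 and O=0 together with a Prefix Information option, i.e. the router offers SLAAC and no DHCPv6 at all. Whether a host actually autoconfigures from it depends on two things the summary line hides: the A (autonomous) flag of the Prefix Information option and the prefix length, which must leave 64 bits for the interface identifier. The block below is an added example written for this thread (Python 3, standard library only), not code from the thread, from OPNsense or from radvd. It builds an RA body with the same option set as the capture, under the 2001:db8::/32 documentation prefix (constructed; the thread's real prefix is masked), parses it back and states what an RFC 4861/4862 host derives from it, including the case of a prefix that is not a /64.

```python
import struct
import ipaddress

ND_ROUTER_ADVERT = 134
OPT_SLLA, OPT_PREFIX, OPT_MTU, OPT_RDNSS = 1, 3, 5, 25


def build_ra(prefix, *, managed=False, other=False, autonomous=True, on_link=True,
             router_lifetime=600, mtu=1500, rdnss=(), slla=bytes.fromhex("000db945cc09")):
    """Build the ICMPv6 body of a Router Advertisement (RFC 4861 section 4.2).
    The checksum stays 0: it covers an IPv6 pseudo-header that a body-only
    example does not carry. The default SLLA is the PC Engines MAC from the capture."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    ra = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)   # L and A flags
    ra += struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, pflags, 2592000, 604800, 0)
    ra += net.network_address.packed
    if rdnss:                                   # RFC 8106: 8-byte header + 16 bytes per server
        ra += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 1200)
        ra += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    ra += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    ra += struct.pack("!BB", OPT_SLLA, 1) + slla
    return ra


def parse_ra(pkt):
    """Decode an RA body into the fields a host acts on; rejects malformed options."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", pkt[:16])
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "hop_limit": hop_limit,
          "prefixes": [], "rdnss": [], "mtu": None, "slla": None}
    i = 16
    while i < len(pkt):
        if len(pkt) - i < 2 or pkt[i + 1] == 0:
            raise ValueError("malformed option")   # RFC 4861 4.6: zero length must be discarded
        opt_type, opt_len = pkt[i], pkt[i + 1] * 8
        body = pkt[i + 2:i + opt_len]
        if len(body) != opt_len - 2:
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX and opt_len == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}", "prefixlen": plen,
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        elif opt_type == OPT_RDNSS:
            ra["rdnss"] = [str(ipaddress.IPv6Address(body[k:k + 16]))
                           for k in range(6, len(body), 16)]
        elif opt_type == OPT_MTU:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif opt_type == OPT_SLLA:
            ra["slla"] = ":".join(f"{b:02x}" for b in body[:6])
        i += opt_len                             # unknown options are skipped, as RFC 4861 requires
    return ra


def expected_client_behaviour(ra):
    """What an RFC 4861/4862 host derives from a parsed RA. SLAAC only happens for
    prefixes with A=1, a non-zero valid lifetime and a length that leaves a 64-bit
    interface identifier; M=1 asks for stateful DHCPv6, O=1 alone for stateless."""
    slaac = [p["prefix"] for p in ra["prefixes"]
             if p["autonomous"] and p["valid"] > 0 and p["prefixlen"] == 64]
    return {"default_router": ra["router_lifetime"] > 0,
            "slaac_prefixes": slaac,
            "dhcpv6": "stateful" if ra["managed"] else ("stateless" if ra["other"] else "none"),
            "dns_from_ra": bool(ra["rdnss"])}


if __name__ == "__main__":
    # Constructed RA mirroring the capture: M=0, O=0, one /64 with A=1, RDNSS, MTU, SLLA.
    good = build_ra("2001:db8:0:902::/64", rdnss=["2001:db8:0:902::1"])
    print(expected_client_behaviour(parse_ra(good)))
    # The same router advertising a /128 instead: nothing to autoconfigure from.
    print(expected_client_behaviour(parse_ra(build_ra("2001:db8:0:902::1/128"))))
```

Run against a real capture, feed parse_ra the ICMPv6 payload (everything from the type byte onwards); the dictionary it returns is the checklist to compare with what the client does: a default router with lifetime 600, exactly one /64 with A=1, DNS servers from RDNSS, and "none" for DHCPv6, which is what the thread's RA says.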


5c:e4:2a:d0:a5:2f probably is the laptop you're running Wireshark on?
So... It's working now?