Help needed for static IPv6 /48

[TimmiORG]

Hi all,

please note that I'm currently trying to enable IPv6 on my OPNsense.

I received a IPv6 /48 and a GW from my ISP.

GW is ::0000::1
OPNSense is ::0000:2/64

The OPNsense is able to reach services in the Internet via IPv6.

I have create add static IPv6 to an existing interface.
OPNSense is ::0001:1/64
client is ::0001:546f:78ff:fe58:21/64 via SLAAC

The client is able to reach the OPNsense via ::0001:1 but I'm not able to reach something in the internet nor the GW of the ISP (::0000::1).

WAN Interface:
IPv6:  ::0000:2/64
GW: ::0000::1
Router Advertisements: Router Only

LAN Interface
IPv6: :0001:1/64
GW: auto
Router Advertisements: Unmanaged
Advertise Default Gateway: true

For me it looks like that this is not getting answered:

19:56:30.191565 IP6 fe80::21f:9eff:feff:2f41 > ff02::1:ff58:21: ICMP6, neighbor solicitation, who has ::0001:546f:78ff:fe58:21, length 32

I guess this is what I'm missing?

Note that you need to create and set a gateway address for this mode to connect to your next gateway hop which your ISP should provide to you as well.

from https://docs.opnsense.org/manual/ipv6.html#static-ipv6

But I don't understand what is needed.

Would be great if you could give me any point to look into.

Thank you

[Saarbremer]

Hi,

- is your gateway set as default gateway?
- is the gateway for WAN set to Auto?
- what does "cannot reach" mean? Ping or Connection to apllication or both do not work?
- did you allow traffic in on LAN?

If that's all checked
- does firewall live view show blocked packets
- can you packet capture and see if there's any traffic at all?

And:
-is you ISP ready? Mine told me IPv6 was working, except it didn't as they failed to deploy it to their routers.

[TimmiORG]

Hi Saarbremer,

- is your gateway set as default gateway?

You mean set to active? If so, I would say yes as it is working.

- is the gateway for WAN set to Auto?

It was set to the GW of the ISP, I changed it now to auto.

- what does "cannot reach" mean? Ping or Connection to apllication or both do not work?

The OPNsense is able to use IPv6, But the subnet of the LAN is not able to reach anything outside the /64.

- does firewall live view show blocked packets
- can you packet capture and see if there's any traffic at all?

I can see the traffic from LAN reaching the WAN interface.
This is the answer on the ICMP Echo:

    19:56:30.191565 IP6 fe80::21f:9eff:feff:2f41 > ff02::1:ff58:21: ICMP6, neighbor solicitation, who has ::0001:546f:78ff:fe58:21, length 32

-is you ISP ready? Mine told me IPv6 was working, except it didn't as they failed to deploy it to their routers.

In general I guess yes. But I managed it only in the same /64 as the default GW so far.

For me it looks like that I don't receive the IPv6 multicast to ff02::/16.
I can see the packets with tcpdump but not with tcpdump -p. So the kernel is dropping them already.

[zan]

WAN Interface:
IPv6:  ::0000:2/64
GW: ::0000::1
Router Advertisements: Router Only

LAN Interface
IPv6: :0001:1/64
GW: auto

The assignments don't look right but it's not clear to me since you didn't provide the full prefix.

Let say you have been given aaaa:bbbb:cccc::/48 as your prefix by your ISP.
Can you provide what have you configured to your WAN and LAN with full IPv6 address format (substitute your 48 prefix with aaaa:bbbb:cccc)?

[TimmiORG]

Hi zan,

OK no problem.

So the configuration will look like this:
ISP IPv6 GW: aaaa:bbbb:cccc::1

WAN:
static IPv6: aaaa:bbbb:cccc::2/64
GW: auto
Router Advertisements: Router Only

LAN:
static IPv6: aaaa:bbbb:cccc:1::2/64
GW: auto
Router Advertisements: Unmanaged
Advertise Default Gateway: true

Hope this does look better.

Thank you for your help.

[Saarbremer]

The OPNsense is able to use IPv6, But the subnet of the LAN is not able to reach anything outside the /64.

What does reach mean? Name resoultion, PING, HTTP, physical proximity? Please state your observation more precise.

I can see the traffic from LAN reaching the WAN interface.

Can you see the traffic leaving the WAN interface?

For me it looks like that I don't receive the IPv6 multicast to ff02::/16.

ff02::1 is a multicast address; the old guys still familiar with the ancient IPv4 call this a broadcast.

Regarding you issue:
* Inspect your prefix. Did you correctly derive an IPv6 and statically assign it to the LAN interface? Check again, the prefix MUST match! If unsure, check again three more times.

* Set the network range to /64. Don't use /65 to save addresses, don't use /63 because you need it. It is /64! Your OPNsense's LAN IP shall be <prefix/48bits>:<someID/16bits>:<something/64bits>/64. Something is often set to :0000:0000:0000:0001

* Check that your client in LAN has a valid public IPv4 address that matches in the first 64 bits with the LAN IP of Opnsense. There will be some fe80::... or other adresses starting with f... but they are not relevant here.

So the address MUST be <prefix/48>:<someID/16>:<something_other_than_opnsense/64>

If no -> Configure RA and DHCPv6 accordingly. Stateless RA, no DHCPv6 should usually work.
If yes

* Run a ping towards the LAN IPv6 of OPNsense, does it work?
If yes
{
* Run a ping towards an IPv6 outside your network, does it work?
If yes -> Check your OPNsense to support you further required network traffic
If no -> Check your OPNsense on WAN: Did the traffic even leave the OPNsense on WAN?
}
If no
{
* Traffic is already rejected on LAN as incoming
-> Check LAN rules}
}


BTW: Checking firewall rules usually means enable logging and inspect the protocols.

[TimmiORG]

Hi Saarbremer,

What does reach mean? Name resoultion, PING, HTTP, physical proximity? Please state your observation more precise.

The OPNsense is able to reach DNS or ping via IPv6 in the Internet. I can do VPN via IPv6 into the OPNsense.

Can you see the traffic leaving the WAN interface?

Yes I can see that the traffic is leaving the WAN interface.
After that I see this on WAN:

19:56:30.191565 IP6 fe80::21f:9eff:feff:2f41 > ff02::1:ff58:21: ICMP6, neighbor solicitation, who has aaaa:bbbb:cccc:1:546f:78ff:fe58:21, length 32

Important: Only if the interface is in promiscuous mode. So that packet is ignored by the kernel. Means OPNsense is not blocking nor answering it.

* Inspect your prefix. Did you correctly derive an IPv6 and statically assign it to the LAN interface? Check again, the prefix MUST match! If unsure, check again three more times.

WAN static IPv6: aaaa:bbbb:cccc::2/64
LAN static IPv6: aaaa:bbbb:cccc:1:1/64
 

* Check that your client in LAN has a valid public IPv4 address that matches in the first 64 bits with the LAN IP of Opnsense. There will be some fe80::... or other adresses starting with f... but they are not relevant here.

The client is: aaaa:bbbb:cccc:1:546f:78ff:fe58:21/64 and it can reach the LAN IPv6 of the OPNsense.

Thank you again for your help.

[zan]

Ok thanks your address assignments look good. Normally it should work.

fe80::21f:9eff:feff:2f41 > ff02::1:ff58:21: ICMP6, neighbor solicitation, who has ::0001:546f:78ff:fe58:21

Was fe80::21f:9eff:feff:2f41 your LAN LLA? Or was it your WAN (Your ISP gateway's LLA)?
If it was your LAN's then maybe you need to check your client's settings why it is not answering NS.
If it was WAN's then perhaps your prefix is a link prefix (not routed), better check with your ISP.

[Saarbremer]

Hi

The OPNsense is able to reach DNS or ping via IPv6 in the Internet. I can do VPN via IPv6 into the OPNsense.

That is not my question. But given the other answers it seems as if your ISP does not route the /48 prefix to your OPNsense. In a static setup there is no DHCP announced prefix that would prove me right. There should be no neighbor solicitation for your LAN client's IP in any other network than your LAN.

[TimmiORG]

Hi Zan,

looks like fe80::21f:9eff:feff:2f41 is the LLA of the ISP GW.

If it was WAN's then perhaps your prefix is a link prefix (not routed), better check with your ISP.

Can you explain this a bit more?

Then I can check on Monday with my ISP.

Thx


Hi Saarbremer

OK I will check with the ISP.

Thx

[zan]

A link prefix is if the ISP expected all the addresses of that prefix are on the same link (between your ISP and your router). For a packet addressed to a new destination in the prefix, ISP will lookup its cache for destination's MAC, perform neighbor discovery (NS) if not found, and wait for NA before sending the packet to the destination if replied (and cache the destination's MAC).

Routed prefix is if ISP only need to know your router address via neighbor discovery and send all packets to your router and expects your router to route them.

I suspect your prefix is a link prefix because your ISP performs neighbor discovery for your ::546f:78ff:fe58:21 on your WAN link.

Ideally you should be using a routed prefix, because you can't segregate a link prefix without installing a program like ndproxy that responds to neighbor discovery for all addresses within your prefix. This is a hack btw.

Please clarify with your ISP.

[TimmiORG]

Hi Zan,

thank you for the explanation.
I will get in touch with my ISP.

Once again thank you

[TimmiORG]

Hi all,

just to update this thread.
ISP changed the network to be routed as Zan have explained.

IPv6 is working perfect now.

Also I have upgraded to 24.1.2 in the meantime without any issues until now.

Once again thanks for all the help.
Timmi