accessing ipv6 IPs on WAN

Started by Onkel-tobi, February 11, 2024, 09:58:17 AM

Hi,

I am trying to establish a WireGuard site2site connection from an OPNsense to a Fritz!Box.
The Fritz!Box only has an IPv6 address now, and I found out that I am not able to connect to IPv6 addresses.
My OPNSense is sitting behind a Fritz!Box with an IPv4 address.
I have now also enabled IPv6 on the WAN interface (DHCPv6), but it is not working.
Any hints?

Thanks,
Tobi

I assume the fritzbox side has a CGNAT connection (probably Deutsche Glasfaser), so it is only reachable via IPv6. If the other side is reachable via IPv4, you could open the connection the other way around for starters.

As far as I understand, that side also has a fritzbox, but in what mode? Modem-only or as a front router with the OpnSense behind it? You would have to make IPv6 work on the OpnSense in order to get this done. This should be easy when the Fritzbox is used as a modem only, you only have to take into consideration that DG and some other providers do not hand out IA_NA, only prefixes (IA_PD). Thus, your WAN connection would not get a GUA, but you can use the LAN GUA from the assigned prefix for outgoing IPv6 connections.

Otherwise you will have to find instructions on how to make IPv6 work behind a Fritzbox as a router.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
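As an added example (not code from this thread, from OPNsense or from AVM), the check meyergru describes, in Python: classify what the WAN and LAN interfaces received, pick a source address usable for outgoing IPv6 when the WAN got no IA_NA, and carve the delegated /56 into /64s for the downstream networks. All addresses are constructed samples from the 2001:db8::/32 documentation range.

```python
import ipaddress

# Constructed sample of what the OPNsense interfaces might hold when the
# upstream hands out only a prefix (IA_PD) and no address (IA_NA).
SAMPLE = {
    "wan": ["fe80::2e0:4cff:fe68:1"],            # link-local only: no IA_NA
    "delegated": "2001:db8:1234:ab00::/56",       # IA_PD received via DHCPv6
    "lan": ["fe80::1", "2001:db8:1234:ab01::1"],  # one /64 taken from the PD
}

# Explicit ranges rather than IPv6Address.is_global, which reports the
# documentation range as non-global and would hide the sample GUA.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")
GUA = ipaddress.IPv6Network("2000::/3")


def classify(addr: str) -> str:
    """Scope class of an address as read off an interface listing."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in GUA:
        return "gua"
    return "other"


def carve(prefix: str, new_len: int = 64) -> list:
    """All /new_len subnets of a delegated prefix (a /56 yields 256 /64s)."""
    return [str(s) for s in ipaddress.IPv6Network(prefix).subnets(new_prefix=new_len)]


def diagnose(wan: list, lan: list, delegated: str) -> dict:
    """Pick the source address for outgoing IPv6: a WAN GUA if IA_NA was
    given, otherwise a LAN GUA that lies inside the delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    wan_gua = [a for a in wan if classify(a) == "gua"]
    lan_gua = [a for a in lan
               if classify(a) == "gua" and ipaddress.IPv6Address(a) in net]
    source = (wan_gua or lan_gua or [None])[0]
    return {"wan_has_gua": bool(wan_gua), "lan_gua_from_pd": lan_gua,
            "source": source, "lan_subnets": len(carve(delegated))}


if __name__ == "__main__":
    print(diagnose(SAMPLE["wan"], SAMPLE["lan"], SAMPLE["delegated"]))
```

If `source` comes back `None`, neither an IA_NA nor a usable prefix reached the OPNsense, which points at the Fritzbox IPv6 settings rather than at the VPN.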

Quote from: meyergru on February 11, 2024, 10:15:26 AM
I assume the fritzbox side has a CGNAT connection (probably Deutsche Glasfaser), so it is only reachable via IPv6.
That's true. It's Vodafone but only IPv6 is available.
My Fritzbox has an IPv4 address, but the connection already wasn't working.

If I am trying to resolve an IPv6 address, I am getting no answer.

You need to get more specific. This is guesswork only.

- Which of the two fritzboxes?
- If you are trying to resolve an IPv6 from where?

Draw a network plan and name everything like "Fritzbox A/B", in which modes the devices work.

Attached you can see a rough overview:

- remote fritzbox is on IPv6
- my Fritzbox is on IPv4 and just for DSL dial-in
- OPNsense holds the networks (e.g. for new site2site VPN)

IPv6 request from OPNSense fails.

February 11, 2024, 05:39:24 PM #5 Last Edit: February 11, 2024, 05:42:27 PM by meyergru
So "your" fritzbox on the right acts as a router.

IPv4 seems to work, so devices in your LAN can access the internet via IPv4, but not via IPv6?

You should first see what your Fritzbox tells you about IPv6: Does it get an IPv6 address and/or an IPv6 prefix from your ISP?
What settings do you have for IPv6 in your Fritzbox "LAN" (which is the WAN of the OpnSense)?

They should look like the following (you must make the fritzbox delegate the IPv6 prefix it gets from your ISP via DHCPv6 to your OpnSense, preferably both by assigning a NA GUA to your OpnSense WAN and by having a subnet of your /56 prefix delegated to the clients of your OpnSense):


February 11, 2024, 05:47:20 PM #6 Last Edit: February 11, 2024, 06:11:29 PM by meyergru
You now see why it is generally a bad idea to have a fritzbox as a router in front of an OpnSense: Many things have to be configured twice. For IPv4, you have double NAT, which makes port forwarding more difficult. And with IPv6, you have to sub-delegate prefixes. In and of itself, this is not an easy task in the first place, much less if you introduce another possible point-of-failure.

Also, you render many services of the fritzbox useless, like the WLAN. That is why I prefer a pure modem approach to let OpnSense handle the internet connection.

Having said that, I have never tried such a configuration for these very reasons and only speak theoretically, so no warranty that this works. I would expect some stability problems with this as well: If your ISP uses dynamic prefixes and changes them at will, I would guess that the OpnSense learns them only after its DHCPv6 lease time is over, thus causing an intermittent loss of IPv4 connection in the meantime.

With OpnSense handling the connection itself, it would recognize such a prefix change. This is less of a problem with IPv4 because the fritzbox will handle this via NAT.


Well, I have never had an issue with double NAT etc, as I am routing the networks as needed.
Regarding the IPv6 issue, it's not getting easier, as I am using Unbound and AdGuard ;)
I am not getting an IPv6 from my fritzbox.
And I can't even resolve ipv6 addresses via adguard / unbound.