Weirdness with IPv6 and DHCPv6...

Started by Ed V., February 28, 2024, 10:54:20 PM

I am hoping that folks here can help me figure out my woes and get things working.

I upgraded from v24.1.1 to v24.1.2 and went through the (now routine) process of resetting to "Factory Default" and building my configuration from scratch.

The current hardware has been in place for 5+ years and has been upgraded in-place several times.

I'm now having issues getting the firewall to "pass" IPv6 traffic to my ISP.

My ISP delegates a /64 to my connection, which I then populate into the LAN using "Tracked Interface" and "Allow Manual...".

With OPNsense v24.1.1 and prior, I was able to configure the ISC DHCPv6 server without having to set Router Advertisements or set a Range for DHCPv6 (it used defaults I presume), just adding my internal DNS and NTP server.

With v24.1.2, I find that the only way IPv6 IPs are assigned to internal hosts is to turn on SLAAC in Router Advertisements, which has the effect of bypassing the configured DHCPv6 range and "pulling" directly from the ISP.

If I set Router Advertisements to anything except "Assisted" or "Stateless", no internal host is assigned a DHCPv6 address (other than local /private).

Even with "Assisted" or "Stateless", internal hosts are not able to connect to the Public Internet using IPv6.  Browsing to IPv6-only websites or testing using the two main services (test-ipv6 and ipv6-test) fails.

I have reset to "Factory Default" several times trying to get this working - to no avail.

If I've missed something, or if there's a "lingering" file somewhere that might be holding on to "bad" IPv6 data that I need to whack from CLI, or if you need /want more diagnostic data - please let me know.

Relevant sections of /conf/config.xml are below:

<lan>
  <if>igb1</if>
  <descr>LAN</descr>
  <enable>1</enable>
  <lock>1</lock>
  <spoofmac/>
  <ipaddr>192.168.144.1</ipaddr>
  <subnet>24</subnet>
  <ipaddrv6>track6</ipaddrv6>
  <track6-interface>wan</track6-interface>
  <track6-prefix-id>0</track6-prefix-id>
  <dhcpd6track6allowoverride>1</dhcpd6track6allowoverride>
</lan>


<dhcpdv6>
  <lan>
    <ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
    <enable>1</enable>
    <range>
      <from>re:da:ct:ed:5555:0000:0000:0001</from>
      <to>re:da:ct:ed:5555:ffff:ffff:ffff</to>
    </range>
    <prefixrange>
      <from/>
      <to/>
      <prefixlength>64</prefixlength>
    </prefixrange>
    <dnsserver>fde4:b3e2:db9e:1a29::11</dnsserver>
    <ntpserver>fde4:b3e2:db9e:1a29::11</ntpserver>
    <numberoptions>
      <item/>
    </numberoptions>
    <ramode>assist</ramode>
    <rapriority>medium</rapriority>
    <ramininterval>200</ramininterval>
    <ramaxinterval>600</ramaxinterval>
    <radomainsearchlist/>
    <radnsserver/>
    <rasamednsasdhcp6>1</rasamednsasdhcp6>
    <ranodefault>1</ranodefault>
  </lan>
</dhcpdv6>


<nat>
  <outbound>
    <mode>automatic</mode>
  </outbound>
  <rule>
    <protocol>tcp/udp</protocol>
    <interface>lan</interface>
    <category/>
    <ipprotocol>inet</ipprotocol>
    <descr>Intercept outbound DNS queries and redirect to PiHole</descr>
    <tag/>
    <tagged/>
    <poolopts/>
    <associated-rule-id>nat_65d91bc09703b2.76952125</associated-rule-id>
    <target>PiHole_Host</target>
    <local-port>DNS_TLS</local-port>
    <source>
      <address>PiHole_Host</address>
      <not>1</not>
    </source>
    <destination>
      <any>1</any>
      <port>DNS_TLS</port>
    </destination>
    <updated>
      <username>root@192.168.144.21</username>
      <time>1708729571.0813</time>
      <description>/firewall_nat_edit.php made changes</description>
    </updated>
    <created>
      <username>root@192.168.144.21</username>
      <time>1708727232.6187</time>
      <description>/firewall_nat_edit.php made changes</description>
    </created>
  </rule>
  <rule>
    <protocol>tcp/udp</protocol>
    <interface>lan</interface>
    <category/>
    <ipprotocol>inet6</ipprotocol>
    <descr>Intercept outbound DNS queries and redirect to PiHole</descr>
    <tag/>
    <tagged/>
    <poolopts/>
    <associated-rule-id>nat_65d924dbac0c71.59779010</associated-rule-id>
    <target>PiHole_Host</target>
    <local-port>DNS_TLS</local-port>
    <source>
      <address>PiHole_Host</address>
      <not>1</not>
    </source>
    <destination>
      <any>1</any>
      <port>DNS_TLS</port>
    </destination>
    <updated>
      <username>root@192.168.144.21</username>
      <time>1708729563.7049</time>
      <description>/firewall_nat_edit.php made changes</description>
    </updated>
    <created>
      <username>root@192.168.144.21</username>
      <time>1708729563.7049</time>
      <description>/firewall_nat_edit.php made changes</description>
    </created>
  </rule>
</nat>


<Alias version="1.0.1">
  <geoip>
    <url/>
  </geoip>
  <aliases>
    <alias uuid="d47480b8-89de-4d95-8d12-daba56730cd1">
      <enabled>1</enabled>
      <name>DNS_TLS</name>
      <type>port</type>
      <proto/>
      <interface/>
      <counters>0</counters>
      <updatefreq/>
      <content>53
      853</content>
      <categories/>
      <description>DNS ports with and without TLS</description>
    </alias>
    <alias uuid="59778dc9-8707-4d63-8a59-a49b04da72ea">
      <enabled>1</enabled>
      <name>DNS_Lookups</name>
      <type>host</type>
      <proto/>
      <interface/>
      <counters>0</counters>
      <updatefreq/>
      <content>192.168.144.11
      fde4:b3e2:db9e:1a29::11</content>
      <categories/>
      <description>Systems permitted to query external DNS</description>
    </alias>
    <alias uuid="d774f802-ff64-482e-a4ca-7e76802355ed">
      <enabled>1</enabled>
      <name>PiHole_MAC</name>
      <type>mac</type>
      <proto/>
      <interface/>
      <counters>0</counters>
      <updatefreq/>
      <content>dc:a6:32:06:df:1a</content>
      <categories/>
      <description>PiHole Server eth0</description>
    </alias>
    <alias uuid="3f41e408-4ccc-4645-9e93-3aee9bbda99f">
      <enabled>1</enabled>
      <name>PiHole_Host</name>
      <type>host</type>
      <proto/>
      <interface/>
      <counters>0</counters>
      <updatefreq/>
      <content>192.168.144.11
      fde4:b3e2:db9e:1a29::11</content>
      <categories/>
      <description>PiHole Server eth0</description>
    </alias>
  </aliases>
</Alias>

Is there a reason for forcing DHCPv6?

Router advertisements and SLAAC can configure your network just fine. E.g. DHCPv6 (assisted) is not taken into account by Android.

Stateless btw means to not use DHCPv6 for anything else than static configuration, e.g. assignment of DNS Servers.

SLAAC also does not mean "to pull" addresses from ISP. SLAAC is just auto-config of your hosts with the RA announced prefix (coming from your ISP and being tracked for LAN).


So: Am I missing something or do you just want to use DHCPv6?

I'm open to switching up, changing out, etc.

With v24.1.1 and prior if I didn't use the ISC DHCPv6, I couldn't specify my internal DNS /NTP servers along with associated Firewall /NAT rules, which resulted in "sneaky" apps and services bypassing my PiHole adblocker, which is why I defaulted to using it with v24.1.2.

My issue right now is that no matter how I configure "Router Advertising" and/or "ISC DHCPv6", I can't reach the Public Internet on any device (Android, Microsoft, Linux, Apple, BSD, Cisco IOS, etc.) with IPv6.

Even when I set <ramode>assist</ramode> or <ramode>stateless</ramode>, the only thing that changes is that my internal systems can "pull" an IPv6 address from the ISP allocation.

They still can't get anywhere...

Please stop talking about "pulling" IPs from your ISP. That is just wrong.

What does your WAN configuration look like?

Retrieving?  Obtaining?  Requesting?  :D

WAN:
<wan>
  <if>igb0</if>
  <descr>WAN</descr>
  <enable>1</enable>
  <lock>1</lock>
  <spoofmac/>
  <blockpriv>1</blockpriv>
  <blockbogons>1</blockbogons>
  <ipaddr>re.da.ct.ed</ipaddr>
  <subnet>27</subnet>
  <gateway>WAN_GW</gateway>
  <ipaddrv6>dhcp6</ipaddrv6>
  <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
  <dhcp6-ia-pd-send-hint>1</dhcp6-ia-pd-send-hint>
  <dhcp6prefixonly>1</dhcp6prefixonly>
  <adv_dhcp6_interface_statement_send_options/>
  <adv_dhcp6_interface_statement_request_options/>
  <adv_dhcp6_interface_statement_information_only_enable/>
  <adv_dhcp6_interface_statement_script/>
  <adv_dhcp6_id_assoc_statement_address_enable/>
  <adv_dhcp6_id_assoc_statement_address/>
  <adv_dhcp6_id_assoc_statement_address_id/>
  <adv_dhcp6_id_assoc_statement_address_pltime/>
  <adv_dhcp6_id_assoc_statement_address_vltime/>
  <adv_dhcp6_id_assoc_statement_prefix_enable/>
  <adv_dhcp6_id_assoc_statement_prefix/>
  <adv_dhcp6_id_assoc_statement_prefix_id/>
  <adv_dhcp6_id_assoc_statement_prefix_pltime/>
  <adv_dhcp6_id_assoc_statement_prefix_vltime/>
  <adv_dhcp6_prefix_interface_statement_sla_len/>
  <adv_dhcp6_authentication_statement_authname/>
  <adv_dhcp6_authentication_statement_protocol/>
  <adv_dhcp6_authentication_statement_algorithm/>
  <adv_dhcp6_authentication_statement_rdm/>
  <adv_dhcp6_key_info_statement_keyname/>
  <adv_dhcp6_key_info_statement_realm/>
  <adv_dhcp6_key_info_statement_keyid/>
  <adv_dhcp6_key_info_statement_secret/>
  <adv_dhcp6_key_info_statement_expire/>
  <adv_dhcp6_config_advanced/>
  <adv_dhcp6_config_file_override/>
  <adv_dhcp6_config_file_override_path/>
</wan>

February 29, 2024, 08:13:45 PM #5 Last Edit: February 29, 2024, 08:23:10 PM by marcquark
Been having weird IPv6 issues recently, too. Noticed today that for whatever reason my OPNsense doesn't have a default IPv6 route anymore. Clients and the firewall itself (on the WAN interface) have their addresses properly assigned, but the route is missing, resulting in no connectivity. Could that be your problem as well?

If memory serves me correctly, my problem came with the update to 24.1.2, but I don't remember exactly. I have daily config backups - is the OPNsense release version in there somewhere so that I can verify?

/e: I think i might have solved my issue, and it might be related to gateways. My IPv6 gateway existed prior to upgrading to v24 with the gateway stuff being migrated during upgrade. I had configured upstream monitoring and set one of OpenDNS's addresses as the monitoring target. I now went and removed the gateway. It got automatically recreated and the default route appeared. Added the monitoring target again and enabled gateway monitoring. So far so good, route is still there. Will see tomorrow whether this all survives a nightly reboot.

Quote from: Ed V. on February 29, 2024, 01:34:29 PM
Retrieving?  Obtaining?  Requesting?  :D

With SLAAC every host creates their own IPv6 and your router provides the necessary info (coming from ISP). But nobody pulls something from somewhere else.

Let's continue:
* Do your LAN hosts have global IPv6 addresses?
* If yes, are DNS servers properly configured? Can you resolve AAAA records?
* What firewall rules are defined for IPv6 in on LAN, in/out on WAN? Is traffic allowed?
* If yes, what happens during traceroute / tracert on windows for IPv6 on some external host, e.g. google.com?
** If it works smoothly, you're online
** If not: What's your default gateway's status? Set and gateway monitoring active signaling "green"?
* If no, did you check firewall live view for evidence on which rules blocked traffic?

Let's see what you got.
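The checklist above as a small Python checker, added here as an example (it is not code from this thread or from OPNsense): it parses Linux `ifconfig` and `ip -6 route show` output from a LAN host plus FreeBSD `route -n6v show default` output from the firewall, separates SLAAC (/64) from DHCPv6 (/128) addresses, and reports which step of the checklist fails first. The sample outputs are constructed with documentation prefixes, and fe80::1 as the firewall's LAN link-local is an assumption.

```python
import re
from ipaddress import IPv6Address, IPv6Network, ip_interface

GLOBAL_UNICAST = IPv6Network("2000::/3")

# Constructed sample output (documentation prefix 2001:db8::/32) in the format of
# Linux `ifconfig eth0` on a LAN host with one DHCPv6 (/128) and one SLAAC (/64) address.
HOST_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.11  netmask 255.255.255.0  broadcast 192.0.2.255
        inet6 2001:db8:1234:5678:5555:9a73:b10d:e091  prefixlen 128  scopeid 0x0<global>
        inet6 fe80::53bb:1ff4:f59c:40b3  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8:1234:5678:5da5:38c7:9eda:8988  prefixlen 64  scopeid 0x0<global>
        ether dc:a6:32:00:00:01  txqueuelen 1000  (Ethernet)
"""

# Constructed `ip -6 route show` output: on-link prefix and default route learned via RA.
HOST_ROUTES_OK = """\
::1 dev lo proto kernel metric 30 pref medium
2001:db8:1234:5678:5555:9a73:b10d:e091 dev eth0 proto kernel metric 100 pref medium
2001:db8:1234:5678::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""

# Same host when the RA announces the prefix but no default gateway.
HOST_ROUTES_NO_DEFAULT = "\n".join(
    l for l in HOST_ROUTES_OK.splitlines() if not l.startswith("default")) + "\n"

# Constructed `route -n6v show default` output from the firewall (FreeBSD/OPNsense).
FW_DEFAULT_ROUTE = """\
   route to: ::
destination: ::
       mask: ::
    gateway: fe80::1:2%igb0
        fib: 0
  interface: igb0
      flags: <UP,GATEWAY,DONE>
"""

# Assumption: fe80::1 is the firewall's LAN-side link-local, i.e. the source of the RAs.
ROUTER_LAN_LLADDR = "fe80::1"


def parse_ifconfig_inet6(text):
    """Every inet6 address with its prefix length from Linux ifconfig output."""
    return [ip_interface(f"{m.group(1)}/{m.group(2)}")
            for m in re.finditer(r"inet6\s+([0-9a-fA-F:]+)\s+prefixlen\s+(\d+)", text)]


def parse_ip6_routes(text):
    """Turn `ip -6 route show` lines into dicts keyed by dst/via/dev/proto/metric/pref."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        route = {"dst": parts[0]}
        route.update(zip(parts[1::2], parts[2::2]))  # alternating keyword/value pairs
        routes.append(route)
    return routes


def check_host(ifconfig_text, route_text, router_lladdr):
    """Walk the host-side steps of the checklist and name the first one that fails."""
    gua = [a for a in parse_ifconfig_inet6(ifconfig_text) if a.ip in GLOBAL_UNICAST]
    defaults = [r for r in parse_ip6_routes(route_text) if r["dst"] == "default"]
    f = {
        "global_addrs": [str(a.ip) for a in gua],
        # SLAAC installs the address with the on-link /64; a DHCPv6 lease shows up as /128
        "slaac_addrs": [str(a.ip) for a in gua if a.network.prefixlen == 64],
        "dhcpv6_addrs": [str(a.ip) for a in gua if a.network.prefixlen == 128],
        "default_route": bool(defaults),
        "default_via_ra": any(r.get("proto") == "ra" for r in defaults),
        "gateway_is_router": any(
            "via" in r and IPv6Address(r["via"].split("%")[0]) == IPv6Address(router_lladdr)
            for r in defaults),
    }
    if not f["global_addrs"]:
        f["verdict"] = "no global address: check the RA mode and the firewall live view"
    elif not f["default_route"]:
        f["verdict"] = "global address but no default route: the RA is not announcing a default gateway"
    elif not f["gateway_is_router"]:
        f["verdict"] = "default route points at a router other than the firewall's LAN link-local"
    else:
        f["verdict"] = "host looks fine: next check AAAA resolution and the LAN/WAN IPv6 rules"
    return f


def parse_bsd_default_route(text):
    """Gateway and interface of the firewall's IPv6 default route, or None if it is missing."""
    gw = re.search(r"^\s*gateway:\s*(\S+)", text, re.M)
    ifp = re.search(r"^\s*interface:\s*(\S+)", text, re.M)
    if gw is None:
        return None
    return {"gateway": gw.group(1), "interface": ifp.group(1) if ifp else None}


if __name__ == "__main__":
    for name, routes in (("RA with default", HOST_ROUTES_OK), ("RA without", HOST_ROUTES_NO_DEFAULT)):
        print(name, "->", check_host(HOST_IFCONFIG, routes, ROUTER_LAN_LLADDR)["verdict"])
    print("firewall default route:", parse_bsd_default_route(FW_DEFAULT_ROUTE))
```

On a real host, feed it the output of `ifconfig eth0` and `ip -6 route show`, and on the firewall the output of `route -n6v show default`; a missing firewall default route shows up as `None`.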

March 01, 2024, 04:00:46 PM #7 Last Edit: March 01, 2024, 05:29:33 PM by Ed V.
With "Router Advertisements" for "[LAN]" set to Assisted with "Advertise Default Gateway" selected, here is the data: (There is no change if RA is set to "Unmanaged" or "Stateless".)

OPN

Interfaces
# ifconfig igb1
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN (lan)
        options=4e0072b<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether 00:e0:67:1f:25:29
        inet6 fe80::2e0:67ff:fe1f:2529%igb1 prefixlen 64 scopeid 0x2
        inet6 fde4:b3e2:db9e:1a29::1 prefixlen 64
        inet6 2001:579:4c:120:2e0:67ff:fe1f:2529 prefixlen 64
        inet 192.168.144.1 netmask 0xffffff00 broadcast 192.168.144.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

# ifconfig igb0
igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN (wan)
        options=4e0072b<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether 00:e0:67:1f:25:28
        inet6 fe80::2e0:67ff:fe1f:2528%igb0 prefixlen 64 scopeid 0x1
        inet 98.187.162.137 netmask 0xffffffe0 broadcast 98.187.162.159
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>


Routes
# route -n6v show default
RTA_DST: inet6 ::; RTA_NETMASK: inet6 ::; RTA_IFP: link ; RTM_GET: Report Metrics: len 272, pid: 0, seq 1, errno 0, flags:<UP,GATEWAY,STATIC>
locks:  inits:
sockaddrs: <DST,NETMASK,IFP>
:: :: link#0
   route to: ::
destination: ::
       mask: ::
    gateway: fe80::2ef8:9bff:fe9d:b419%igb0
        fib: 0
  interface: igb0
      flags: <UP,GATEWAY,DONE>
recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0

locks:  inits:
sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
:: fe80::2ef8:9bff:fe9d:b419%igb0 :: igb0:0.e0.67.1f.25.28 fe80::2e0:67ff:fe1f:2528%igb0


ICMP Ping test
# ping6 -c 6 2001:4860:4860::8888
PING6(56=40+8+8 bytes) 2001:579:4c:120:2e0:67ff:fe1f:2529 --> 2001:4860:4860::8888
16 bytes from 2001:4860:4860::8888, icmp_seq=0 hlim=59 time=21.475 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=1 hlim=59 time=21.968 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=2 hlim=59 time=22.530 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=3 hlim=59 time=22.799 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=4 hlim=59 time=21.856 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=5 hlim=59 time=21.361 ms

--- 2001:4860:4860::8888 ping6 statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 21.361/21.998/22.799/0.520 ms


DNS test
# dig -6 aaaa www.google.com @2001:4860:4860::8888

; <<>> DiG 9.18.24 <<>> -6 aaaa www.google.com @2001:4860:4860::8888
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13950
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com.                        IN      AAAA

;; ANSWER SECTION:
www.google.com.         300     IN      AAAA    2607:f8b0:4023:1006::63
www.google.com.         300     IN      AAAA    2607:f8b0:4023:1006::67
www.google.com.         300     IN      AAAA    2607:f8b0:4023:1006::68
www.google.com.         300     IN      AAAA    2607:f8b0:4023:1006::6a

;; Query time: 30 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888) (UDP)
;; WHEN: Fri Mar 01 08:12:56 CST 2024
;; MSG SIZE  rcvd: 155


LAN Host

Interface
$ ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.144.11  netmask 255.255.255.0  broadcast 192.168.144.255
        inet6 2001:579:4c:120:5555:9a73:b10d:e091  prefixlen 128  scopeid 0x0<global>
        inet6 fe80::53bb:1ff4:f59c:40b3  prefixlen 64  scopeid 0x20<link>
        inet6 2001:579:4c:120:5da5:38c7:9eda:8988  prefixlen 64  scopeid 0x0<global>
        inet6 fde4:b3e2:db9e:1a29::11  prefixlen 64  scopeid 0x0<global>
        inet6 fde4:b3e2:db9e:1a29:bd3f:cf4f:9cfb:1838  prefixlen 64  scopeid 0x0<global>
        ether dc:a6:32:06:df:1a  txqueuelen 1000  (Ethernet)
        RX packets 710197  bytes 377753836 (360.2 MiB)
        RX errors 0  dropped 6  overruns 0  frame 0
        TX packets 472106  bytes 53403899 (50.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Routes
$ ip -6 route show
::1 dev lo proto kernel metric 30 pref medium
2001:579:4c:120:5555:9a73:b10d:e091 dev eth0 proto kernel metric 100 pref medium
2001:579:4c:120::/64 dev eth0 proto ra metric 100 pref medium
fde4:b3e2:db9e:1a29::/64 dev eth0 proto ra metric 100 pref medium
fde4:b3e2:db9e:5b10::1 dev lo proto static metric 30 pref medium
fde4:b3e2:db9e:5b10::1 dev lo proto kernel metric 256 pref medium
fde4:b3e2:db9e:5b10::2 dev lo proto kernel metric 30 pref medium
fde4:b3e2:db9e:5b10::2 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
default via fe80::2e0:67ff:fe1f:2529 dev eth0 proto ra metric 100 pref medium


ICMP Ping test to OPN [LAN] Interface
$ ping6 -c 6 fde4:b3e2:db9e:1a29::1
PING fde4:b3e2:db9e:1a29::1(fde4:b3e2:db9e:1a29::1) 56 data bytes
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=1 ttl=64 time=0.560 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=2 ttl=64 time=0.237 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=3 ttl=64 time=0.271 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=4 ttl=64 time=0.248 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=5 ttl=64 time=0.298 ms
64 bytes from fde4:b3e2:db9e:1a29::1: icmp_seq=6 ttl=64 time=0.180 ms

--- fde4:b3e2:db9e:1a29::1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5112ms
rtt min/avg/max/mdev = 0.180/0.299/0.560/0.122 ms

$ ping6 -c 6 2001:579:4c:120:2e0:67ff:fe1f:2529
PING 2001:579:4c:120:2e0:67ff:fe1f:2529(2001:579:4c:120:2e0:67ff:fe1f:2529) 56 data bytes
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=1 ttl=64 time=0.610 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=2 ttl=64 time=0.267 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=3 ttl=64 time=0.255 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=4 ttl=64 time=0.271 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=5 ttl=64 time=0.253 ms
64 bytes from 2001:579:4c:120:2e0:67ff:fe1f:2529: icmp_seq=6 ttl=64 time=0.178 ms



--- 2001:579:4c:120:2e0:67ff:fe1f:2529 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5098ms
rtt min/avg/max/mdev = 0.178/0.305/0.610/0.139 ms


ICMP Ping test to ISP Gateway
$ ping6 -c 6 fe80::2ef8:9bff:fe9d:b419
ping6: Warning: IPv6 link-local address on ICMP datagram socket may require ifname or scope-id => use: address%<ifname|scope-id>
PING fe80::2ef8:9bff:fe9d:b419(fe80::2ef8:9bff:fe9d:b419) 56 data bytes

--- fe80::2ef8:9bff:fe9d:b419 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5116ms


ICMP Ping test to Advertised Gateway
$ ping6 -c 6 fe80::2e0:67ff:fe1f:2529
ping6: Warning: IPv6 link-local address on ICMP datagram socket may require ifname or scope-id => use: address%<ifname|scope-id>
PING fe80::2e0:67ff:fe1f:2529(fe80::2e0:67ff:fe1f:2529) 56 data bytes

--- fe80::2e0:67ff:fe1f:2529 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5106ms


ICMP Ping test to Public IPv6
$ ping6 -c 6 2001:4860:4860::8888
ping6: connect: Network is unreachable


DNS test
$ dig -6 aaaa www.google.com @2001:4860:4860::8888
;; UDP setup with 2001:4860:4860::8888#53(2001:4860:4860::8888) for www.google.com failed: network unreachable.
;; no servers could be reached

;; UDP setup with 2001:4860:4860::8888#53(2001:4860:4860::8888) for www.google.com failed: network unreachable.
;; no servers could be reached

;; UDP setup with 2001:4860:4860::8888#53(2001:4860:4860::8888) for www.google.com failed: network unreachable.
;; no servers could be reached


NAT Rules from OPN
# pfctl -s nat
no nat proto carp all
nat on igb0 inet from (igb1:network) to any port = isakmp -> (igb0:0) static-port
nat on igb0 inet from (lo0:network) to any port = isakmp -> (igb0:0) static-port
nat on igb0 inet from 127.0.0.0/8 to any port = isakmp -> (igb0:0) static-port
nat on igb0 inet from (igb1:network) to any -> (igb0:0) port 1024:65535
nat on igb0 inet from (lo0:network) to any -> (igb0:0) port 1024:65535
nat on igb0 inet from 127.0.0.0/8 to any -> (igb0:0) port 1024:65535
no rdr proto carp all
no rdr on igb1 proto tcp from any to (igb1) port = ssh
no rdr on igb1 proto tcp from any to (igb1) port = http
no rdr on igb1 proto tcp from any to (igb1) port = https
rdr on igb1 inet proto tcp from ! <PiHole_MAC> to any port = domain -> <PiHole_DNS4> round-robin
rdr on igb1 inet proto tcp from ! <PiHole_MAC> to any port = domain-s -> <PiHole_DNS4> round-robin
rdr on igb1 inet proto udp from ! <PiHole_MAC> to any port = domain -> <PiHole_DNS4> round-robin
rdr on igb1 inet proto udp from ! <PiHole_MAC> to any port = domain-s -> <PiHole_DNS4> round-robin
rdr on igb1 inet6 proto tcp from ! <PiHole_MAC> to any port = domain -> <PiHole_DNS6> round-robin
rdr on igb1 inet6 proto tcp from ! <PiHole_MAC> to any port = domain-s -> <PiHole_DNS6> round-robin
rdr on igb1 inet6 proto udp from ! <PiHole_MAC> to any port = domain -> <PiHole_DNS6> round-robin
rdr on igb1 inet6 proto udp from ! <PiHole_MAC> to any port = domain-s -> <PiHole_DNS6> round-robin


Firewall Rules from OPN
# pfctl -s rules
scrub in all fragment reassemble
block drop in log on ! igb1 inet6 from fde4:b3e2:db9e:1a29::/64 to any
block drop in log on ! igb1 inet6 from 2001:579:4c:120::/64 to any
block drop in log on igb1 inet6 from fe80::2e0:67ff:fe1f:2529 to any
block drop in log inet6 from fde4:b3e2:db9e:1a29::1 to any
block drop in log inet6 from 2001:579:4c:120:2e0:67ff:fe1f:2529 to any
block drop in log on igb0 inet6 from fe80::2e0:67ff:fe1f:2528 to any
block drop in log on ! igb1 inet from 192.168.144.0/24 to any
block drop in log inet from 192.168.144.1 to any
block drop in log on ! igb0 inet from 98.187.162.128/27 to any
block drop in log inet from 98.187.162.137 to any
block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
pass in log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "1d245529367b2e34eeaff16086aeafe9"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
block drop in log quick inet proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
pass log quick inet6 proto carp from any to ff02::12 keep state label "cf439d72ef4d245e8ad4a1405df1f665"
pass log quick inet proto carp from any to 224.0.0.18 keep state label "2ffa978d51f7b3fbc9000c2895106ee7"
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "669143f420c3ab4118bcb0bf4b5fd823"
block drop in log quick proto tcp from <sshlockout> to (self) port = https label "6baefc2a9cf2536834c092a51134a45c"
block drop in log quick from <virusprot> to any label "8e367e2f9944d93137ae56d788c5d5e1"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "fef3d333d96a8d3558956de1fffc61cc"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "fef3d333d96a8d3558956de1fffc61cc"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "d2bd536587a9f5680c1f850b2d346839"
pass in log quick on igb1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "3420206ced96c01ef73fbc4ac9deb745"
pass in log quick on igb1 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state label "0fd202708c326aebbe44ab710b6d3652"
pass out log quick on igb1 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state label "83f6c28de8efae9b444094e4a5bf898c"
pass in log quick on igb0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "a6cd2cce1bc1d912f6258ef1f3fb07e1"
pass in log quick on igb0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "f7e4334c3e7dc4ba900c5780b828d4a3"
pass out log quick on igb0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "5ba1258fcaf073eff4060b40ff63044d"
block drop in log quick on igb0 inet from <bogons> to any label "b7cd97a164650b538506fb551a0369e7"
block drop in log quick on igb0 inet6 from <bogonsv6> to any label "f140a48ddade668b9d6f5259669a1d5c"
block drop in log quick on igb0 inet from 10.0.0.0/8 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet from 127.0.0.0/8 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet from 100.64.0.0/10 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet from 172.16.0.0/12 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet from 192.168.0.0/16 to any label "1eb94a38e58994641aff378c21d5984f"
block drop in log quick on igb0 inet6 from fc00::/7 to any label "45afd72424c84d011c07957569151480"
pass in quick on lo0 all no state label "7535c94082e72e2207679aadb26afd92"
pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
pass in log quick on igb1 proto tcp from any to (self) port = ssh flags S/SA keep state label "bb72618316fdf630cdf15f33ae3d699f"
pass in log quick on igb1 proto tcp from any to (self) port = http flags S/SA keep state label "bb72618316fdf630cdf15f33ae3d699f"
pass in log quick on igb1 proto tcp from any to (self) port = https flags S/SA keep state label "bb72618316fdf630cdf15f33ae3d699f"
pass out log route-to (igb0 98.187.162.129) inet from (igb0) to ! (igb0:network) flags S/SA keep state allow-opts label "25317b606bbeb8522d3dc66b350595a1"
pass out log route-to (igb0 fe80::2ef8:9bff:fe9d:b419) inet6 from (igb0) to ! (igb0:network) flags S/SA keep state allow-opts label "91af02f708c71d296f2293a00f2ec1cc"
pass in quick on igb1 inet6 proto tcp from <PiHole_MAC> to any port = domain flags S/SA keep state label "457120e994cd0bc8ece2f03bef41ce56"
pass in quick on igb1 inet6 proto tcp from <PiHole_MAC> to any port = domain-s flags S/SA keep state label "457120e994cd0bc8ece2f03bef41ce56"
pass in quick on igb1 inet6 proto udp from <PiHole_MAC> to any port = domain keep state label "457120e994cd0bc8ece2f03bef41ce56"
pass in quick on igb1 inet6 proto udp from <PiHole_MAC> to any port = domain-s keep state label "457120e994cd0bc8ece2f03bef41ce56"
pass in quick on igb1 inet proto tcp from <PiHole_MAC> to any port = domain flags S/SA keep state label "da04446f4f456e601986ba812cf5fb9d"
pass in quick on igb1 inet proto tcp from <PiHole_MAC> to any port = domain-s flags S/SA keep state label "da04446f4f456e601986ba812cf5fb9d"
pass in quick on igb1 inet proto udp from <PiHole_MAC> to any port = domain keep state label "da04446f4f456e601986ba812cf5fb9d"
pass in quick on igb1 inet proto udp from <PiHole_MAC> to any port = domain-s keep state label "da04446f4f456e601986ba812cf5fb9d"
pass in quick on igb1 inet6 proto tcp from ! <PiHole_MAC> to <PiHole_DNS6> port = domain flags S/SA keep state label "59adab1e255c74a28ba408bf44d657b1"
pass in quick on igb1 inet6 proto tcp from ! <PiHole_MAC> to <PiHole_DNS6> port = domain-s flags S/SA keep state label "59adab1e255c74a28ba408bf44d657b1"
pass in quick on igb1 inet6 proto udp from ! <PiHole_MAC> to <PiHole_DNS6> port = domain keep state label "59adab1e255c74a28ba408bf44d657b1"
pass in quick on igb1 inet6 proto udp from ! <PiHole_MAC> to <PiHole_DNS6> port = domain-s keep state label "59adab1e255c74a28ba408bf44d657b1"
pass in quick on igb1 inet proto tcp from ! <PiHole_MAC> to <PiHole_DNS4> port = domain flags S/SA keep state label "6dad948e502d0194a27c640890dff3d6"
pass in quick on igb1 inet proto tcp from ! <PiHole_MAC> to <PiHole_DNS4> port = domain-s flags S/SA keep state label "6dad948e502d0194a27c640890dff3d6"
pass in quick on igb1 inet proto udp from ! <PiHole_MAC> to <PiHole_DNS4> port = domain keep state label "6dad948e502d0194a27c640890dff3d6"
pass in quick on igb1 inet proto udp from ! <PiHole_MAC> to <PiHole_DNS4> port = domain-s keep state label "6dad948e502d0194a27c640890dff3d6"
block drop in quick on igb1 inet6 proto tcp from ! <PiHole_MAC> to any port = domain label "d6c370a1fc10e5ce2e50b1e4f723de00"
block drop in quick on igb1 inet6 proto tcp from ! <PiHole_MAC> to any port = domain-s label "d6c370a1fc10e5ce2e50b1e4f723de00"
block drop in quick on igb1 inet6 proto udp from ! <PiHole_MAC> to any port = domain label "d6c370a1fc10e5ce2e50b1e4f723de00"
block drop in quick on igb1 inet6 proto udp from ! <PiHole_MAC> to any port = domain-s label "d6c370a1fc10e5ce2e50b1e4f723de00"
block drop in quick on igb1 inet proto tcp from ! <PiHole_MAC> to any port = domain label "4a346edff76c061eec2c613d413af50b"
block drop in quick on igb1 inet proto tcp from ! <PiHole_MAC> to any port = domain-s label "4a346edff76c061eec2c613d413af50b"
block drop in quick on igb1 inet proto udp from ! <PiHole_MAC> to any port = domain label "4a346edff76c061eec2c613d413af50b"
block drop in quick on igb1 inet proto udp from ! <PiHole_MAC> to any port = domain-s label "4a346edff76c061eec2c613d413af50b"
pass in quick on igb1 inet6 from (igb1:network) to any flags S/SA keep state label "8ebd079ac5051cde9aa14391041e0025"
pass in quick on igb1 inet6 from fe80::/10 to any flags S/SA keep state label "8ebd079ac5051cde9aa14391041e0025"
pass in quick on igb1 inet from (igb1:network) to any flags S/SA keep state label "2e0fe9f0e69a777054d36feee301301c"


Alias Table for "PiHole_MAC"
# pfctl -t PiHole_MAC -T show
   192.168.144.11
   2001:579:4c:120:5555:9a73:b10d:e091
   fde4:b3e2:db9e:1a29::11
   fe80::53bb:1ff4:f59c:40b3

Just for grins - here's what a Microsoft Windows system sees.

Interface
Ethernet adapter Ethernet 4:

   Connection-specific DNS Suffix  . : lan.local.us
   Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection #2
   Physical Address. . . . . . . . . : F0-2F-74-D3-B8-52
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:579:4c:120:8bf1:529:2289:3504(Preferred)
   IPv6 Address. . . . . . . . . . . : fde4:b3e2:db9e:1a29::eb1e(Preferred)
   Lease Obtained. . . . . . . . . . : Friday, March 1, 2024 09:38:41
   Lease Expires . . . . . . . . . . : Saturday, March 2, 2024 09:38:40
   IPv6 Address. . . . . . . . . . . : fde4:b3e2:db9e:1a29:bfcb:42c0:7157:544b(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:579:4c:120:7c17:d9fb:7c25:26cf(Preferred)
   Temporary IPv6 Address. . . . . . : fde4:b3e2:db9e:1a29:7c17:d9fb:7c25:26cf(Preferred)
   Link-local IPv6 Address . . . . . : fe80::e0be:a038:5030:f7f2%16(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.144.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, March 1, 2024 09:37:55
   Lease Expires . . . . . . . . . . : Saturday, March 2, 2024 09:37:55
   Default Gateway . . . . . . . . . : fe80::2e0:67ff:fe1f:2529%16
                                       192.168.144.1
   DHCP Server . . . . . . . . . . . : 192.168.144.11
   DHCPv6 IAID . . . . . . . . . . . : 703606644
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2A-D5-E4-3E-B4-0E-DE-F7-4D-3D
   DNS Servers . . . . . . . . . . . : fde4:b3e2:db9e:1a29::11
                                       192.168.144.11
   NetBIOS over Tcpip. . . . . . . . : Enabled


Routes
C:\>route print -6
===========================================================================
Interface List
22...f0 2f 74 d3 b8 d0 ......Realtek PCIe 2.5GbE Family Controller #2
30...00 15 5d 58 33 d0 ......Hyper-V Virtual Ethernet Adapter #5
16...f0 2f 74 d3 b8 52 ......Intel(R) I211 Gigabit Network Connection #2
19...0a 00 27 00 00 13 ......VirtualBox Host-Only Ethernet Adapter
  7...00 ff 15 55 9b 77 ......TAP-Windows Adapter V9 for OpenVPN Connect
26...........................OpenVPN Data Channel Offload
32...b4 0e de f7 4d 41 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
24...00 15 5d 8f c9 29 ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
16    281 2001:579:4c:120::/64     On-link
16    281 2001:579:4c:120:7c17:d9fb:7c25:26cf/128
                                    On-link
16    281 2001:579:4c:120:8bf1:529:2289:3504/128
                                    On-link
16    281 fde4:b3e2:db9e:1a29::/64 On-link
16    281 fde4:b3e2:db9e:1a29::eb1e/128
                                    On-link
16    281 fde4:b3e2:db9e:1a29:7c17:d9fb:7c25:26cf/128
                                    On-link
16    281 fde4:b3e2:db9e:1a29:bfcb:42c0:7157:544b/128
                                    On-link
19    281 fe80::/64                On-link
16    281 fe80::/64                On-link
24   5256 fe80::/64                On-link
19    281 fe80::6b4e:bc42:6225:64b2/128
                                    On-link
24   5256 fe80::7061:9fd4:cd1f:fa4f/128
                                    On-link
16    281 fe80::e0be:a038:5030:f7f2/128
                                    On-link
  1    331 ff00::/8                 On-link
19    281 ff00::/8                 On-link
16    281 ff00::/8                 On-link
24   5256 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\>netsh interface ipv6 show route

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       System    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    256  2001:579:4c:120::/64       16  Ethernet 4
No       System    256  2001:579:4c:120:7c17:d9fb:7c25:26cf/128   16  Ethernet 4
No       System    256  2001:579:4c:120:8bf1:529:2289:3504/128   16  Ethernet 4
No       Manual    256  fde4:b3e2:db9e:1a29::/64   16  Ethernet 4
No       System    256  fde4:b3e2:db9e:1a29::eb1e/128   16  Ethernet 4
No       System    256  fde4:b3e2:db9e:1a29:7c17:d9fb:7c25:26cf/128   16  Ethernet 4
No       System    256  fde4:b3e2:db9e:1a29:bfcb:42c0:7157:544b/128   16  Ethernet 4
No       System    256  fe80::/64                  30  vEthernet (Default Switch (Wi-Fi))
No       System    256  fe80::/64                  19  Ethernet 3
No       System    256  fe80::/64                  26  OpenVPN Connect DCO Adapter
No       System    256  fe80::/64                   7  Local Area Connection
No       System    256  fe80::/64                  22  Ethernet 5
No       System    256  fe80::/64                  16  Ethernet 4
No       System    256  fe80::/64                  32  Bluetooth Network Connection
No       System    256  fe80::/64                  24  vEthernet (Default Switch)
No       System    256  fe80::42cc:5baf:e39e:6a0f/128   32  Bluetooth Network Connection
No       System    256  fe80::493c:96ef:b3b1:1fae/128   30  vEthernet (Default Switch (Wi-Fi))
No       System    256  fe80::6b4e:bc42:6225:64b2/128   19  Ethernet 3
No       System    256  fe80::7061:9fd4:cd1f:fa4f/128   24  vEthernet (Default Switch)
No       System    256  fe80::b847:d5ca:dbb3:ee08/128   22  Ethernet 5
No       System    256  fe80::d18b:9f01:61a2:2f2e/128    7  Local Area Connection
No       System    256  fe80::e0be:a038:5030:f7f2/128   16  Ethernet 4
No       System    256  fe80::ff59:d680:5693:b9e4/128   26  OpenVPN Connect DCO Adapter
No       System    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       System    256  ff00::/8                   30  vEthernet (Default Switch (Wi-Fi))
No       System    256  ff00::/8                   19  Ethernet 3
No       System    256  ff00::/8                   26  OpenVPN Connect DCO Adapter
No       System    256  ff00::/8                    7  Local Area Connection
No       System    256  ff00::/8                   22  Ethernet 5
No       System    256  ff00::/8                   16  Ethernet 4
No       System    256  ff00::/8                   32  Bluetooth Network Connection
No       System    256  ff00::/8                   24  vEthernet (Default Switch)


ICMP Ping test to OPN RA Gateway
C:\>ping -6 fe80::2e0:67ff:fe1f:2529

Pinging fe80::2e0:67ff:fe1f:2529 with 32 bytes of data:
Reply from fe80::2e0:67ff:fe1f:2529: time<1ms
Reply from fe80::2e0:67ff:fe1f:2529: time<1ms
Reply from fe80::2e0:67ff:fe1f:2529: time<1ms
Reply from fe80::2e0:67ff:fe1f:2529: time<1ms

Ping statistics for fe80::2e0:67ff:fe1f:2529:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms


ICMP Ping to Public IPv6
C:\>ping -6 2001:4860:4860::8888

Pinging 2001:4860:4860::8888 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 2001:4860:4860::8888:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

I don't mean to hijack this thread, but I think my symptoms might be related to your difficulties here.  It sounds like I picked the wrong time to convert off of Ubiquiti to opnsense!

I configured the WAN interface for DHCPv6 client, requesting only a prefix enabled, sending a prefix-hint enabled, and requesting a /56 prefix.  I then configured each of my internal interfaces (LAN, OPT1-4) to use interface tracking and assigned a unique IPv6 prefix-id to each internal interface.

I'm getting my external /56 prefix assignment properly, the FW IPv6 routing table has the correct link-local next-hop for a default gateway (FiOS ONT), and the firewall is able to ping6 www.google.com without issue.

My internal clients are seeing the correct IPv6 prefix configured by DHCPv6 stateless configuration.  Internal clients can ping the FW solely on the FE80: prefix, and cannot ping past the FW.  On my Windows client, I have the following neighbor information (sanitized of course.  I have confirmed that on the other subnets, they are assigned the correct prefix ID of ":60x:" where x is the prefix ID that I set in OPNsense):


PS C:\> netsh interface ipv6 show neighbors interface=Ethernet

Interface 11: Ethernet

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
2600:xxxx:xxxx:600::1240                      00-00-00-00-00-00  Unreachable
2600:xxxx:xxxx:600:12ca:71fe:5029:2e2c        00-00-00-00-00-00  Unreachable
2600:xxxx:xxxx:600:227c:14ff:fea1:e7de        Unreachable        Unreachable (Router)
2600:xxxx:xxxx:600:ed94:3f26:dcc6:c3aa        00-00-00-00-00-00  Unreachable
2600:xxxx:xxxx:3700:227c:14ff:fea1:e7de       20-7c-14-a1-e7-de  Stale (Router)
fe80::227c:14ff:fea1:e7de                     20-7c-14-a1-e7-de  Stale (Router)
ff02::1                                       33-33-00-00-00-01  Permanent
ff02::2                                       33-33-00-00-00-02  Permanent
ff02::c                                       33-33-00-00-00-0c  Permanent
ff02::16                                      33-33-00-00-00-16  Permanent
ff02::fb                                      33-33-00-00-00-fb  Permanent
ff02::1:2                                     33-33-00-01-00-02  Permanent
ff02::1:3                                     33-33-00-01-00-03  Permanent
ff02::1:ff00:1240                             33-33-ff-00-12-40  Permanent
ff02::1:ff29:2e2c                             33-33-ff-29-2e-2c  Permanent
ff02::1:ffa1:e7de                             33-33-ff-a1-e7-de  Permanent
ff02::1:ffa2:9713                             33-33-ff-a2-97-13  Permanent
ff02::1:ffb2:7848                             33-33-ff-b2-78-48  Permanent
ff02::1:ffdf:3bd8                             33-33-ff-df-3b-d8  Permanent


Can you check your neighbor list on your windows host?  I think this is a router-advertisement issue and the configuration that used to work doesn't work anymore?

Thoughts?  (Again I apologize if my interruption is unwelcome.  First time post on this forum.)

Thanks,
-Pete

Very relevant to the thread (in my opinion anyhow).

Something changed about how OPNsense is handling IPv6 between the 24.1.1 and the 24.1.2 releases and it's causing me issues.

I did check my IPv6 neighbors on Windows 11 and have the same "Unreachable" results that you have (different ranges of course).

I read through the most recent doc page on "Router Advertising" - nothing stands out as being "different", though just having to enable it is new in the 24.1.2 release (either it was "automagickal" in 24.1.1 or DHCPv6 was handling the RA part as well).

Hopefully wiser and more experienced folks here can help us provide enough data to troubleshoot and resolve...

Following... 

I'm also seeing similar issues with 24.1.2_1 when DHCPv6 is enabled on the LAN, and have to use "Assisted" mode.  It's working, so not a huge deal, but I'm wondering why DHCPv6 doesn't work as intended.

Your windows tells you what's wrong:

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
16    281 2001:579:4c:120::/64     On-link
...


There is no default gateway for your IPv6 router.  There should be one having ::/0 as target prefix. This is consistent with the error messages. Your host(s) just don't know where to go to when trying to talk to the internet.

It's interesting to see that it still claims the announced default gateway but your route table doesn't reflect this. I am

This is a host misconfiguration originating in a weird RA / DHCPv6 configuration. This might be a bug in OPNsense or an absent bug (as you mentioned it worked earlier) or a misconfiguration.

I guess we need DHCPv6 and RA config to see what might be wrong.
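The check described in the reply above (a global prefix on the interface, but no ::/0 route anywhere in the table) can be done mechanically against the `netsh interface ipv6 show route` output the hosts in this thread posted. The script below is an added example for this thread, not OPNsense or Windows code; the two sample tables are constructed from the output quoted earlier (interface index 16, gateway fe80::2e0:67ff:fe1f:2529), and the "healthy" variant is what the table should contain once a default router is advertised.

```python
import ipaddress
import re
from typing import Dict, List

# One data line of `netsh interface ipv6 show route`, e.g.
#   No       Manual    256  2001:579:4c:120::/64       16  Ethernet 4
# Columns: Publish, Type, Met, Prefix, Idx, Gateway/Interface Name.
_ROUTE_RE = re.compile(
    r"^(?P<publish>Yes|No)\s+(?P<type>\S+)\s+(?P<metric>\d+)\s+"
    r"(?P<prefix>\S+)\s+(?P<idx>\d+)\s+(?P<next_hop>\S.*?)\s*$"
)

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed sample trimmed from the thread's output: a global prefix on
# interface 16, but no ::/0 route anywhere in the table.
BROKEN_SAMPLE = """\
Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       System    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    256  2001:579:4c:120::/64       16  Ethernet 4
No       System    256  2001:579:4c:120:8bf1:529:2289:3504/128   16  Ethernet 4
No       Manual    256  fde4:b3e2:db9e:1a29::/64   16  Ethernet 4
No       System    256  fe80::/64                  16  Ethernet 4
No       System    256  ff00::/8                   16  Ethernet 4
"""

# Constructed "healthy" variant: the same table plus the default route a
# router advertisement announcing a default router would have installed.
HEALTHY_SAMPLE = BROKEN_SAMPLE + (
    "No       Manual    256  ::/0                       16  fe80::2e0:67ff:fe1f:2529\n"
)


def parse_netsh_routes(text: str) -> List[Dict[str, str]]:
    """Return one dict per route line; header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if m:
            routes.append(m.groupdict())
    return routes


def is_global_unicast(prefix: str) -> bool:
    """True if the prefix lies in 2000::/3 (ULA, link-local and multicast do not)."""
    try:
        return ipaddress.ip_network(prefix, strict=False).subnet_of(GLOBAL_UNICAST)
    except ValueError:
        return False


def diagnose_ipv6_routes(text: str, iface_idx: int) -> Dict[str, object]:
    """A global prefix on the interface with no ::/0 route means the host has
    an address it cannot use for anything off-link."""
    routes = parse_netsh_routes(text)
    on_iface = [r for r in routes if r["idx"] == str(iface_idx)]
    global_prefixes = [r["prefix"] for r in on_iface if is_global_unicast(r["prefix"])]
    defaults = [r for r in routes if r["prefix"] == "::/0"]
    if global_prefixes and not defaults:
        verdict = ("global prefix present but no ::/0 route: the router "
                   "advertisement is not announcing a default router")
    elif not global_prefixes:
        verdict = "no global unicast prefix on this interface"
    else:
        verdict = "default route present via " + ", ".join(r["next_hop"] for r in defaults)
    return {
        "global_prefixes": global_prefixes,
        "has_default_route": bool(defaults),
        "default_via": [r["next_hop"] for r in defaults],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        print(name, "->", diagnose_ipv6_routes(sample, 16)["verdict"])
```

Run it against a saved copy of your own `netsh interface ipv6 show route` output with the Idx of the LAN adapter; the "transmit failed. General failure." ping result in this thread is exactly the symptom of the first verdict, since Windows has no route to hand the packet to.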





Quote: <ranodefault>1</ranodefault>
Can you double check if "Advertise Default Gateway" is on? Your radvd config shows it is off.

Here is the DHCPDv6 stanza.

I did "turn on" Default Gateway during the troubleshooting (checkbox selected and the "ranodefault" no longer appears in conf/config.xml), but it did not make a difference.

Troubleshooting over the weekend:
1 - Set up an additional Microsoft Windows 11 system from scratch (same IPv6 problem)
2 - Completely reset the Network Interfaces and the Network Stack on the original Microsoft system (no change)
3 - Tested a MacOS system (same IPv6 problem) borrowed from a friend

All LAN systems can see /ping the "IPv6 Default Gateway" provided by my ISP (fe80::2ef8:9bff:fe9d:b419) and other LAN systems using both the Private and Public IPv6 addresses, but cannot reach any system on the Public Internet.

DHCPDv6
<dhcpdv6>
  <lan>
    <ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
    <enable>1</enable>
    <range>
      <from>2001:579:4c:3700::</from>
      <to>2001:579:4c:3700:ffff:ffff:ffff:ffff</to>
    </range>
    <prefixrange>
      <from/>
      <to/>
      <prefixlength>64</prefixlength>
    </prefixrange>
    <dnsserver>fde4:b3e2:db9e:1000::11</dnsserver>
    <ntpserver>fde4:b3e2:db9e:1000::11</ntpserver>
    <numberoptions>
      <item/>
    </numberoptions>
    <ramode>assist</ramode>
    <rapriority>medium</rapriority>
    <ramininterval>200</ramininterval>
    <ramaxinterval>600</ramaxinterval>
    <radomainsearchlist/>
    <radnsserver/>
    <rasamednsasdhcp6>1</rasamednsasdhcp6>
  </lan>
</dhcpdv6>


Microsoft Windows IPv6 Route
C:\>route print -6
===========================================================================
Interface List
22...f0 2f 74 d3 b8 d0 ......Realtek PCIe 2.5GbE Family Controller #2
29...00 15 5d 58 33 d0 ......Hyper-V Virtual Ethernet Adapter #5
15...f0 2f 74 d3 b8 52 ......Intel(R) I211 Gigabit Network Connection #2
19...0a 00 27 00 00 13 ......VirtualBox Host-Only Ethernet Adapter
  5...00 ff 15 55 9b 77 ......TAP-Windows Adapter V9 for OpenVPN Connect
25...........................OpenVPN Data Channel Offload
30...b4 0e de f7 4d 41 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
36...00 15 5d 8f c9 29 ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
15    281 2001:579:4c:3700::/64    On-link
15    281 2001:579:4c:3700:5be9:bf0:9b9f:3923/128
                                    On-link
15    281 2001:579:4c:3700:cc03:b286:53d8:a7fb/128
                                    On-link
15    281 fde4:b3e2:db9e:1000::/64 On-link
15    281 fde4:b3e2:db9e:1000:5555::6b1e/128
                                    On-link
15    281 fde4:b3e2:db9e:1000:c08d:7634:5276:2feb/128
                                    On-link
15    281 fde4:b3e2:db9e:1000:cc03:b286:53d8:a7fb/128
                                    On-link
19    281 fe80::/64                On-link
15    281 fe80::/64                On-link
36   5256 fe80::/64                On-link
19    281 fe80::6b4e:bc42:6225:64b2/128
                                    On-link
36   5256 fe80::7ce3:8317:eb17:da67/128
                                    On-link
15    281 fe80::e0be:a038:5030:f7f2/128
                                    On-link
  1    331 ff00::/8                 On-link
19    281 ff00::/8                 On-link
15    281 ff00::/8                 On-link
36   5256 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\>netsh interface ipv6 show route

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       System    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    256  2001:579:4c:3700::/64      15  Ethernet 4
No       System    256  2001:579:4c:3700:5be9:bf0:9b9f:3923/128   15  Ethernet 4
No       System    256  2001:579:4c:3700:cc03:b286:53d8:a7fb/128   15  Ethernet 4
No       Manual    256  fde4:b3e2:db9e:1000::/64   15  Ethernet 4
No       System    256  fde4:b3e2:db9e:1000:5555::6b1e/128   15  Ethernet 4
No       System    256  fde4:b3e2:db9e:1000:c08d:7634:5276:2feb/128   15  Ethernet 4
No       System    256  fde4:b3e2:db9e:1000:cc03:b286:53d8:a7fb/128   15  Ethernet 4
No       System    256  fe80::/64                  29  vEthernet (Default Switch (Wi-Fi))
No       System    256  fe80::/64                  19  Ethernet 3
No       System    256  fe80::/64                  25  OpenVPN Connect DCO Adapter
No       System    256  fe80::/64                   5  Local Area Connection
No       System    256  fe80::/64                  22  Ethernet 5
No       System    256  fe80::/64                  15  Ethernet 4
No       System    256  fe80::/64                  30  Bluetooth Network Connection
No       System    256  fe80::/64                  36  vEthernet (Default Switch)
No       System    256  fe80::42cc:5baf:e39e:6a0f/128   30  Bluetooth Network Connection
No       System    256  fe80::493c:96ef:b3b1:1fae/128   29  vEthernet (Default Switch (Wi-Fi))
No       System    256  fe80::6b4e:bc42:6225:64b2/128   19  Ethernet 3
No       System    256  fe80::7ce3:8317:eb17:da67/128   36  vEthernet (Default Switch)
No       System    256  fe80::b847:d5ca:dbb3:ee08/128   22  Ethernet 5
No       System    256  fe80::d18b:9f01:61a2:2f2e/128    5  Local Area Connection
No       System    256  fe80::e0be:a038:5030:f7f2/128   15  Ethernet 4
No       System    256  fe80::ff59:d680:5693:b9e4/128   25  OpenVPN Connect DCO Adapter
No       System    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       System    256  ff00::/8                   29  vEthernet (Default Switch (Wi-Fi))
No       System    256  ff00::/8                   19  Ethernet 3
No       System    256  ff00::/8                   25  OpenVPN Connect DCO Adapter
No       System    256  ff00::/8                    5  Local Area Connection
No       System    256  ff00::/8                   22  Ethernet 5
No       System    256  ff00::/8                   15  Ethernet 4
No       System    256  ff00::/8                   30  Bluetooth Network Connection
No       System    256  ff00::/8                   36  vEthernet (Default Switch)


C:\>C:\>ping 2001:4860:4860::8888

Pinging 2001:4860:4860::8888 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 2001:4860:4860::8888:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>
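Since the back-and-forth above turned on a single knob in the `<dhcpdv6>` stanza (`ranodefault`, the "Advertise Default Gateway" checkbox) and on whether a `ramode` is set at all, here is an added audit script for this thread that reads that stanza straight out of config.xml and flags those two settings, plus a DHCPv6 range that falls outside the prefix the ISP actually delegated. It is not OPNsense code; the sample stanza is constructed from the one posted above with the quoted `<ranodefault>1</ranodefault>` put back, and the meaning assigned to a missing `<ramode>` (router advertisements not configured on that interface) is my reading of the behaviour the posters describe.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the thread's <dhcpdv6> stanza, trimmed, with the
# <ranodefault>1</ranodefault> that was quoted earlier still present.
SAMPLE_NODEFAULT = """\
<dhcpdv6>
  <lan>
    <enable>1</enable>
    <range>
      <from>2001:579:4c:3700::</from>
      <to>2001:579:4c:3700:ffff:ffff:ffff:ffff</to>
    </range>
    <dnsserver>fde4:b3e2:db9e:1000::11</dnsserver>
    <ramode>assist</ramode>
    <rapriority>medium</rapriority>
    <ranodefault>1</ranodefault>
  </lan>
</dhcpdv6>
"""

# Constructed variant with the knob cleared, as after ticking "Advertise Default Gateway".
SAMPLE_DEFAULT_OK = SAMPLE_NODEFAULT.replace("    <ranodefault>1</ranodefault>\n", "")


def audit_dhcpdv6(xml_text: str, delegated_prefix: str) -> Dict[str, List[str]]:
    """Return {interface_tag: [findings]} for every interface under <dhcpdv6>.

    delegated_prefix is the prefix the WAN actually received (e.g. from
    Interfaces > Overview); the static DHCPv6 range must lie inside it.
    """
    root = ET.fromstring(xml_text)
    delegated = ipaddress.ip_network(delegated_prefix)
    report: Dict[str, List[str]] = {}
    for iface in root:
        findings: List[str] = []
        if iface.findtext("enable") != "1":
            findings.append("DHCPv6 server disabled on this interface")
            report[iface.tag] = findings
            continue
        # No <ramode> at all: assumption, per the thread, that RA is then off
        # and clients learn neither an on-link prefix nor a router.
        if not iface.findtext("ramode"):
            findings.append("no <ramode>: router advertisements not configured")
        # The knob the replies above asked about.
        if iface.findtext("ranodefault") == "1":
            findings.append("<ranodefault>1: default router not advertised, clients get no ::/0 route")
        # A hand-typed range that does not match the delegated prefix hands
        # out addresses the ISP will not route back.
        for tag in ("range/from", "range/to"):
            value = iface.findtext(tag)
            if value and ipaddress.ip_address(value) not in delegated:
                findings.append(f"<{tag}> {value} is outside delegated prefix {delegated}")
        report[iface.tag] = findings
    return report


if __name__ == "__main__":
    for name, sample in (("as quoted", SAMPLE_NODEFAULT), ("checkbox on", SAMPLE_DEFAULT_OK)):
        print(name, "->", audit_dhcpdv6(sample, "2001:579:4c:3700::/64"))
```

To run it on a live box, extract the stanza with something like `xmllint --xpath '/opnsense/dhcpdv6' /conf/config.xml` and pass the delegated prefix shown on the WAN interface; an empty list per interface means none of the three conditions applies and the problem lies elsewhere (radvd not running, or a rule on the WAN side, for instance).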