[Solved] IPv6 Not working

Started by dsduarte, April 26, 2024, 06:39:11 AM

April 26, 2024, 06:39:11 AM Last Edit: April 26, 2024, 04:53:39 PM by dsduarte
Hi... I'm trying to get IPv6 to work after migrating from an OpenWRT router.

This is my wan ifconfig:

igc0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN (wan)
        options=48420b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO,NOMAP>
        ether 50:64:2b:35:20:e0
        hwaddr 00:e2:69:5b:b6:a7
        inet6 fe80::5264:2bff:fe35:20e0%igc0 prefixlen 64 scopeid 0x1
        inet6 2804:xxxx:xxxx:0:d109:666d:92ee:8f7d prefixlen 128
        inet 179.xxx.xxx.6 netmask 0xfffffc00 broadcast 179.152.55.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>


And here is my LAN interface:

vlan010: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN (opt2)
        options=4000000<NOMAP>
        ether 00:e2:69:5b:b6:a8
        inet6 fe80::2e2:69ff:fe5b:b6a8%vlan010 prefixlen 64 scopeid 0xa
        inet6 2804:xxxx:xxxx:1180:2e2:69ff:fe5b:b6a8 prefixlen 64 tentative
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        groups: vlan
        vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: lagg0
        media: Ethernet autoselect
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


I can't finish setting up DHCPv6 on LAN... there is an alert message:

No available address range for configured interface subnet size.

On a Windows machine connected to this LAN, I get only a private IP:


   Sufixo DNS específico de conexão. . . . . . : local
   Endereço IPv6 de link local . . . . . . . . : fe80::d55d:e5f5:c92c:d6d2%6
   Endereço IPv4. . . . . . . .  . . . . . . . : 192.168.1.131
   Máscara de Sub-rede . . . . . . . . . . . . : 255.255.255.0
   Gateway Padrão. . . . . . . . . . . . . . . : fe80::2e2:69ff:fe5b:b6a8%6
                                                 192.168.1.1


But if I move the cables (WAN and LAN) to the OpenWRT device, the same Windows machine gets the IPv6:

   Sufixo DNS específico de conexão. . . . . . : lan
   Endereço IPv6 . . . . . . . . . . : 2804:xxxx:xxxx:1537::70f
   Endereço IPv6 . . . . . . . . . . : 2804:xxxx:xxxx:1537:3f33:d068:54a1:b5aa
   Endereço IPv6 . . . . . . . . . . : fd7c:acb1:e35e::70f
   Endereço IPv6 . . . . . . . . . . : fd7c:acb1:e35e:0:f226:66be:45db:e0ec
   Endereço IPv6 Temporário. . . . . . . . : 2804:xxxx:xxxx:1537:2842:ef5e:52d8:59a5
   Endereço IPv6 Temporário. . . . . . . . : fd7c:acb1:e35e:0:2842:ef5e:52d8:59a5
   Endereço IPv6 de link local . . . . . . . . : fe80::d55d:e5f5:c92c:d6d2%6
   Endereço IPv4. . . . . . . .  . . . . . . . : 192.168.1.131
   Máscara de Sub-rede . . . . . . . . . . . . : 255.255.255.0
   Gateway Padrão. . . . . . . . . . . . . . . : fe80::5264:2bff:fe35:20e1%6
                                                 192.168.1.1


The OpenWRT config is extremely simple...

I do not know what to check anymore...

Can anybody please point out what to do?

My setup is a 4x2.5Gbps ethernet mini PC running OPNSense (no virtualization)... 1 port is connected to the ISP modem... 2 of the remaining ports are connected by LAGG (loadbalance) to a switch which sends 3 different VLANs (LAN, iot and GUEST) to the firewall.... I'm trying to configure IPv6 only on the LAN VLAN with the Track option (Tracking WAN).

I thought that my device was receiving a /128 IP but later I realized that this /128 is the WAN interface IP but the /64 prefix is being delegated....

Can anybody please help me?

Thanks!!!

Hi,

first of all: When you don't need DHCPv6, don't use it. SLAAC just works fine and has fewer points of configuration and hence configuration mishaps. No DHCPv6 needed.

Hence, "Track Interface" on all local interfaces, using the automatic settings, is just enough.

If you need to use DHCPv6 for some reason, make sure you assigned the correct IP range to the DHCPv6 pool.


Hi... I have also configured "Router Advertisements"... no mode seems to work... On the LAN interface I tried with "Manual Configuration" both checked and unchecked...
I tried to configure Track WAN on other interfaces but I can activate only one... When I try to activate Track on the second interface I get this error:

The following input errors were detected:

You specified an IPv6 prefix ID that is already in use.


If I try to change the prefix ID I get this error:

The following input errors were detected:

You specified an IPv6 prefix ID that is out of range.


On the LAN interface, IPv6 Prefix ID is set to "0" and if I try to change it I get this error:

The following input errors were detected:

You specified an IPv6 prefix ID that is out of range.


What prefix size did you request/obtain from your ISP for your IPv6 prefix? Usually, it should be /56, but some providers only give you a /64 prefix. In that case, you can only assign this prefix to one (V)LAN.

You can configure a prefix hint. Try to request a /56 prefix and see if that works.

I have a /56 prefix and thus still have 8 bits worth for VLANs. On all of my VLANs, the GUA part looks like the one you showed, but without the "tentative" suffix.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
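
Added example, not part of the thread and not OPNsense code: a small model of how a prefix ID selects a /64 out of a delegated prefix, which shows why a /64 delegation leaves only prefix ID 0. The function names are hypothetical, the reason strings echo the error messages quoted above, and the prefixes are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress

def lan_prefix(delegated, prefix_id):
    """Return the /64 a tracking interface gets for this prefix ID."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError("delegation is longer than /64")
    id_bits = 64 - pd.prefixlen           # bits left to number (V)LANs
    max_id = (1 << id_bits) - 1           # /56 -> 0xff, /64 -> 0
    if not 0 <= prefix_id <= max_id:
        raise ValueError(
            f"prefix ID {prefix_id:#x} is out of range (0..{max_id:#x}) "
            f"for a /{pd.prefixlen} delegation")
    # The prefix ID occupies the bits just above the 64-bit interface ID.
    net = int(pd.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((net, 64))

def plan(delegated, wanted):
    """wanted: {interface: prefix_id}. Returns {interface: '/64' or reason}."""
    used, result = set(), {}
    for name, pid in wanted.items():
        if pid in used:
            result[name] = "prefix ID already in use"
            continue
        try:
            result[name] = str(lan_prefix(delegated, pid))
            used.add(pid)
        except ValueError as err:
            result[name] = str(err)
    return result

if __name__ == "__main__":
    # Constructed prefixes from the 2001:db8::/32 documentation range.
    vlans = {"LAN": 0x0, "IOT": 0x0, "GUEST": 0x1}
    for pd in ("2001:db8:0:1100::/56", "2001:db8:0:1180::/64"):
        print(pd, plan(pd, vlans))
```

With the /56 the three VLANs can each get their own /64 once the IDs differ; with the /64 every ID other than 0 is rejected.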

I tried other lengths but only /64 seems to work...
But I think I found a possible root cause and unfortunately I have no idea why... on logs I found:

On System logs I found this:

<3>vlan010: a looped back NS message is detected during DAD for 2804:xxxx:xxxx:1180:2e2:69ff:fe5b:b6a8. Another DAD probes are being sent.

I believe (as opposed to: I know) that the DAD occurs because all of your VLANs try to get the same IPv6, because you only have one /64 prefix. The EUI-64 bits are all the same if they share the same parent interface.

As I wrote: With a /64 prefix, you are limited to one IPv6 VLAN. You could try to convince your ISP to give you a longer prefix. There is no shortage of these, so I think your ISP is just clueless. This has been discussed over and over again here on the forum.

Quote from: meyergru on April 26, 2024, 02:15:31 PM
I believe (as opposed to: I know) that the DAD occurs because all of your VLANs try to get the same IPv6, because you only have one /64 prefix. The EUI-64 bits are all the same if they share the same parent interface.

As I wrote: With a /64 prefix, you are limited to one IPv6 VLAN. You could try to convince your ISP to give you a longer prefix. There is no shortage of these, so I think your ISP is just clueless. This has been discussed over and over again here on the forum.

But only 1 VLAN has IPv6 configured... only VLAN 10, which is the main VLAN (called LAN), is configured for IPv6.... The others' IPv6 configs are set to "None".

Adding to this, this cluelessness of ISPs is why a lot of people want this:

https://github.com/opnsense/core/issues/7079
Hardware:
DEC740

I can't find the reason for those loops... I tried to rebuild the interfaces... Before that, the IP that was appearing in the loop was the IP with the ISP prefix... now the IP is the internal one.. In both cases it was the LAN interface IP:

NOW:
vlan010: a looped back NS message is detected during DAD for fe80:a::2e2:69ff:fe5b:b6a8. Another DAD probes are being sent.

BEFORE:
<3>vlan010: a looped back NS message is detected during DAD for 2804:xxxx:xxxx:1180:2e2:69ff:fe5b:b6a8. Another DAD probes are being sent.

Finally I could solve the problem, thanks to this topic:

https://forum.opnsense.org/index.php?topic=9986.0

Quote
Hello,
I did a lot of checks to find out why fe80::1:1 is marked as duplicated on vtnet2. The only device where this address is used is indeed the opnsense installation. Further investigations brought up, that the switch is the reason. Several years ago I created an isolated port group for DMZ on it but probably forgot to save the running configuration into the startup configuration. So after a power loss the switch no longer had that isolated port group. So the LAN and the DMZ interface could "see" each other via the switch. Oddly enough it never caused any problem until now. I now recreated that isolated port group on the switch and the duplicate mark is gone. This time I made sure it is saved into the startup configuration.

That quote gave the hint to look for the switch...
Turns out, I had a TP-Link TL-SG108E which is an 8x1Gbps managed switch... A few months ago I got a white label Chinese 2.5Gbps managed switch to replace the TP-Link and get 2.5Gbps connections...

On both the TL-SG108E and OPNSense I had 2 ports on LAG (Link Aggregation Group) configured...
On the white label switch, there was no LAG configuration... or at least not by that name... There is a "Trunk Group Setting" in which I grouped the respective ports and guess what?? No more loop logs and clients are getting their IPv6's!!!

Thank you guys for trying to help me on this!!!
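
Added example, not part of the thread: a triage script for the "looped back NS" kernel messages quoted above. It checks whether the address failing DAD is the interface's own EUI-64 address and whether the link-local is affected too, which points at the layer-2 path (here the ungrouped LAG ports) and not at the delegated prefix. Function names are hypothetical, and the sample lines are constructed from the thread's message text with 2001:db8:: in place of the redacted prefix.

```python
import ipaddress
import re

# Message format copied from the log lines quoted in this thread.
DAD_RE = re.compile(r"(?:<\d+>)?(?P<ifname>[\w.]+): a looped back NS message is "
                    r"detected during DAD for (?P<addr>[0-9A-Fa-f:]+)\.")

def eui64_to_mac(addr):
    """Recover the MAC from an EUI-64 interface ID, or None if not EUI-64."""
    b = (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]   # flip the U/L bit back
    return ":".join(f"{x:02x}" for x in mac)

def strip_embedded_scope(addr):
    """KAME-derived kernels print link-locals with the scope ID in the second
    group (fe80:a:: for scopeid 0xa); zero it to get the on-wire address."""
    if addr.is_link_local:
        return ipaddress.IPv6Address(int(addr) & ~(0xFFFF << 96))
    return addr

def triage(lines, own_macs):
    """own_macs: {ifname: mac}. Returns one finding per matching log line."""
    findings = []
    for line in lines:
        m = DAD_RE.search(line)
        if not m:
            continue
        addr = strip_embedded_scope(ipaddress.IPv6Address(m["addr"]))
        findings.append({
            "ifname": m["ifname"],
            "addr": str(addr),
            "scope": "link-local" if addr.is_link_local else "global",
            "own_address": eui64_to_mac(addr) == own_macs.get(m["ifname"], ""),
        })
    return findings

def l2_loop_suspected(findings):
    """Own link-local failing DAD cannot be a prefix issue: check the L2 path."""
    return any(f["own_address"] and f["scope"] == "link-local" for f in findings)

SAMPLE = [  # constructed log lines
    "<3>vlan010: a looped back NS message is detected during DAD for "
    "2001:db8:0:1180:2e2:69ff:fe5b:b6a8. Another DAD probes are being sent.",
    "vlan010: a looped back NS message is detected during DAD for "
    "fe80:a::2e2:69ff:fe5b:b6a8. Another DAD probes are being sent.",
]
OWN_MACS = {"vlan010": "00:e2:69:5b:b6:a8"}   # from the ifconfig output above
```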