Static setting of IPv6 block /64

Started by barneby, May 25, 2024, 02:17:25 AM

Hello,
I am trying to set up IPv6 for my OPNsense router. I got a /64 IPv6 block from the provider. I would like to statically set IPv6 on the WAN and LAN interfaces and then assign IPv6 to clients connecting to the LAN using DHCPv6.

I received information from the provider that I should use the block xxxx:xxxx:ffff:1121::/64 and that xxxx:xxxx:ffff:1121::1 is the gateway.

I made the following settings:

Configuring the WAN Interface:
1. Log in to the OPNsense web interface.
2. Navigate to Interfaces > Assignments.
3. Click on the name of the WAN interface.
4. In the Static IPv6 Configuration section, fill in the following:
    IPv6 Address: xxxx:xxxx:ffff:1121::5
    IPv6 Prefix: 64
    IPv6 Upstream Gateway: xxxx:xxxx:ffff:1121::1
5. Click Save and then Apply Changes.


Configuring the LAN Interface:
1. Navigate to Interfaces > Assignments.
2. Click on the name of the LAN interface.
3. In the Static IPv6 Configuration section, fill in the following:
    IPv6 Address: xxxx:xxxx:ffff:1121::7
    IPv6 Prefix: 64
4. Click Save and then Apply Changes.


Setting Up the DHCPv6 Server:
1. Navigate to Services > DHCPv6 > LAN.
2. Check Enable DHCPv6 server on LAN interface.
3. In the Subnet section, fill in:
    Range: xxxx:xxxx:ffff:1121::1000 to xxxx:xxxx:ffff:1121::2000
4. Click Save.


Configuring Router Advertisements (RA) on LAN:
1. Navigate to Services > Router Advertisements > LAN.
2. In the Router Mode section, select Managed.
3. Click Save.


The result is that the client receives the correct IPv6 address from the set range. It also gets a route.
But I can't get to the IPv6 address of the LAN or WAN interface.
At the same time, I cannot reach any IPv6 address on the Internet.

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether bc:24:11:a5:dd:6b brd ff:ff:ff:ff:ff:ff
    altname enp0s18
    inet 172.16.1.39/24 metric 100 brd 172.16.1.255 scope global dynamic ens18
       valid_lft 5461sec preferred_lft 5461sec
    inet6 xxxx:xxxx:ffff:1121::11f3/128 scope global dynamic noprefixroute
       valid_lft 5459sec preferred_lft 2759sec
    inet6 fe80::be24:11ff:fea5:dd6b/64 scope link
       valid_lft forever preferred_lft forever


ip -6 route
::1 dev lo proto kernel metric 256 pref medium
xxxx:xxxx:ffff:1121::/64 dev ens18 proto ra metric 100 expires 86394sec pref medium
fe80::/64 dev ens18 proto kernel metric 256 pref medium
default via fe80::1c43:adff:fefb:d3a8 dev ens18 proto ra metric 100 expires 1794sec mtu 1500 pref medium


I have all traffic from the LAN net allowed on the firewall.

Where can the problem be?
Thank you for your help.


May 25, 2024, 09:26:03 AM #1 Last Edit: May 25, 2024, 09:43:11 AM by yourfriendarmando
Did your ISP give you an address that looks like this?
2001:0000:0000:0000:0000:0000:0000:0000/128

That would be the IP address of the FW itself on your ISP's network.

Also you should have been given some IPv6 addresses for DNS.

Before you make any changes, see if your routing is working just fine:
Try pinging Google DNS servers from your Router:
Interfaces: Diagnostics: Ping

2001:4860:4860::8888
2001:4860:4860::8844

Ping from the router works fine.
https://i.imgur.com/R2tOFFR.png

But not from the client.
https://i.imgur.com/oKo8A5w.png

I have the rules for the LAN interface set as follows.
https://i.imgur.com/lIN1DsU.png

You might check your System Gateways. Sometimes I need to restart or re-enable the ipv6 gateway. I think I have disabled gateway monitoring.

Also if you just enabled ipv6, it sometimes costs a full reboot to fully enable it.

The gateway is set up like this
https://i.imgur.com/B3XUjLz.png

Gateway monitoring is disabled, and rebooting doesn't help.

The routes are as follows
https://i.imgur.com/pzhn2hB.png

Also strange is that in DHCPv6 Leases, IPv6 addresses assigned to clients are displayed on the WAN interface. At the same time, I have DHCPv6 configured only for LAN.
https://i.imgur.com/2PDN34J.png
https://i.imgur.com/NVO84qy.png

So I have now found out where the problem is.
My ISP subnet is already routing. This can also be recognized by the fact that the gateway is in the same subnet as the one assigned to me.
So I can no longer route the subnet on my router. It is therefore necessary to set IPv6 in pass-through mode or ask the ISP not to route the subnet.

Thank you for your help.
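The two things this thread turns on, the step-by-step plan in the opening post and the conclusion above that the ISP's /64 is on-link because the gateway sits inside it, can both be checked before touching the router. The script below is an added example written for this page, not code from the thread or from OPNsense. It uses Python's standard `ipaddress` module and constructed sample addresses: the documentation prefix 2001:db8::/32 stands in for the masked xxxx:xxxx part, and the second plan assumes a hypothetical separate prefix 2001:db8:ffff:2000::/56 routed to the WAN address, which is not something the thread states the ISP offers.

```python
"""Sanity-check a static IPv6 plan for a router with one WAN and one LAN interface.

Added example for this thread, not the thread's or OPNsense's own code.
All addresses are constructed samples in the 2001:db8::/32 documentation range.
"""
import ipaddress
from typing import List, Tuple

IPv6Net = ipaddress.IPv6Network


def isp_prefix_is_onlink(prefix: str, gateway: str) -> bool:
    """The rule from the thread's conclusion: if the ISP's gateway address lies
    inside the prefix it handed out, that prefix is on-link on the WAN segment
    rather than routed to the router, so it cannot also serve as the LAN prefix."""
    return ipaddress.IPv6Address(gateway) in IPv6Net(prefix, strict=False)


def check_ipv6_plan(wan_addr: str, wan_gateway: str, lan_addr: str,
                    dhcp6_range: Tuple[str, str]) -> List[str]:
    """Return human-readable problems with the plan; an empty list means it is consistent."""
    problems: List[str] = []
    wan = ipaddress.IPv6Interface(wan_addr)
    lan = ipaddress.IPv6Interface(lan_addr)
    gw = ipaddress.IPv6Address(wan_gateway)

    # 1. The upstream gateway must be reachable without routing: either inside
    #    the WAN prefix or a link-local (fe80::/10) address.
    if not (gw in wan.network or gw.is_link_local):
        problems.append(f"gateway {gw} is not on-link for WAN {wan.network}")

    # 2. WAN and LAN prefixes must not overlap. Putting the same /64 on both
    #    sides gives the router two interfaces claiming one on-link prefix,
    #    so it cannot forward between them.
    if wan.network.overlaps(lan.network):
        problems.append(f"WAN prefix {wan.network} overlaps LAN prefix {lan.network}")

    # 3. The DHCPv6 pool must be an ordered range inside the LAN prefix and
    #    must not include the router's own LAN address.
    lo, hi = (ipaddress.IPv6Address(a) for a in dhcp6_range)
    if lo > hi:
        problems.append(f"DHCPv6 range start {lo} is above end {hi}")
    if lo not in lan.network or hi not in lan.network:
        problems.append(f"DHCPv6 range {lo}-{hi} is not inside LAN prefix {lan.network}")
    elif lo <= lan.ip <= hi:
        problems.append(f"DHCPv6 range {lo}-{hi} contains the router's LAN address {lan.ip}")
    return problems


# Constructed sample 1: the layout from the opening post (same /64 on WAN and LAN).
THREAD_PLAN = dict(
    wan_addr="2001:db8:ffff:1121::5/64",
    wan_gateway="2001:db8:ffff:1121::1",
    lan_addr="2001:db8:ffff:1121::7/64",
    dhcp6_range=("2001:db8:ffff:1121::1000", "2001:db8:ffff:1121::2000"),
)

# Constructed sample 2: a consistent layout, assuming (hypothetically) the ISP
# keeps the /64 on-link for the WAN and routes a separate 2001:db8:ffff:2000::/56
# to the router's WAN address, from which one /64 is taken for the LAN.
ROUTED_PLAN = dict(
    wan_addr="2001:db8:ffff:1121::5/64",
    wan_gateway="2001:db8:ffff:1121::1",
    lan_addr="2001:db8:ffff:2001::1/64",
    dhcp6_range=("2001:db8:ffff:2001::1000", "2001:db8:ffff:2001::2000"),
)

if __name__ == "__main__":
    print("ISP /64 on-link:", isp_prefix_is_onlink("2001:db8:ffff:1121::/64",
                                                   "2001:db8:ffff:1121::1"))
    for name, plan in (("thread", THREAD_PLAN), ("routed", ROUTED_PLAN)):
        print(name, check_ipv6_plan(**plan) or "OK")
```

Run as-is, the thread's layout is reported for the WAN/LAN overlap while the gateway and DHCPv6 pool checks pass, which matches the symptom in the thread: clients obtain addresses and a route, yet nothing is forwarded. The routed layout passes all three checks. The on-link test is the same reasoning the author applies by hand: a gateway inside the assigned prefix means the prefix lives on the WAN link.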