Static IPv6 gateway not adding route

[roo.h.taylor]

OPNsense 24.1.8-amd64 in a Proxmox virtual machine.  When I add an IPv6 gateway on my WAN interface via the web interface, it does not create a route to the gateway.  Thus, the gateway appears down as there is no route to it.  When I manually add the route via SSH

Code Select Expand

route -6 add <IP> -interface vnet0 followed by

Code Select Expand

route -6 add default <IP> I have full connectivity.

When adding the gateway I un-checked the "Disable Host Route" option, indicating that a route SHOULD be created.  I've tried all sorts of things, including rebooting, and starting from scratch.  I have the gateway selected at the upstream gateway on the WAN interface for the static IPv6 configuration.  I have no idea if I'm missing something, or if this is a bug.

[bartjsmit]

Routing in IPv6 is dynamic via multicast.

Services: Router Advertisements:

Pick LAN and set your daemon to be unmanaged with high priority. Tick advertise default gateway and your LAN clients will find it.

Bart...

[roo.h.taylor]

Thanks for the reply Bart, but I wasn't having issues with routing within my LAN.  My provider has given me a static IPv6 upstream gateway to use on my WAN side, which is also outside the /64 subnet that my OPNSense WAN is using.  In order to route past my OPNsense machine, I need the next hop to be this static gateway.

When I add the gateway via System > Gateways > Configuration, it doesn't add a route into the routing table so OPNsense doesn't know the next hop to route IPv6 traffic to.  If I add a route to the static address manually everything works as expected, but routes added via the command line do not survive reboots.  Should adding a static gateway address not add a static route on the assigned interface as well?

My provider has done the same thing with IPv4 addresses, and I have a static IPv4 upstream gateway.  When I add the IPv4 gateway it adds a route in the routing table and everything works as expected;  but not so with the IPv6 gateway.

[bartjsmit]

Are you allowing ICMPv6 everywhere? It is quite possible that the next hop is advertising but the WAN interface is blocking the advertisements

[bimbar]

IPv6 can absolutely use static routes.

[bartjsmit]

IPv6 can absolutely use static routes.

I'm not saying it can't , only that you may not have to set it if the ISP router advertises the route.

[roo.h.taylor]

Are you allowing ICMPv6 everywhere? It is quite possible that the next hop is advertising but the WAN interface is blocking the advertisements

I am allowing IPv6 everywhere.  First rule on the WAN interface is a blanket IPv6 allow while I tried to get it figured out.  But that wouldn't have - and didn't - change anything, because there is still no route to the gateway address.  Doesn't matter if IPv6 is allowed through the firewall if it doesn't know where to send it.

If I manually add a static upstream gateway, specify that it is a "far gateway", and that a route should be added, I would expect the routing table to subsequently contain a route to said upstream gateway.  That's the behaviour that I'm not seeing.  Even when I select said gateway as the default gateway for the WAN interface.  Routing table remains void of any IPv6 routes that tell it how to get to the static gateway.

I even tried setting the "Dynamic gateway policy" option on the WAN interface, so that I could try to specify a route via the interface, but it wouldn't allow that either.

When I manually add that route via the command line, everything works as expected.  So my only issue, is that the route to the gateway is not created when the gateway is added.  I'm just not clear if this is a bug or intended behaviour.  To me, a "Far gateway" MUST be available on the link, and therefor a route should be added for the address into the routing table, so this seems like a bug.

[roo.h.taylor]

I'm just not clear if this is a bug or intended behaviour.

On GitHub issue 7556, fichtner confirmed that "Far gateways" do not work and the "Far" option should be disabled for IPv6.  So it seems it is a bug more or less.