Still problems with WAN IPv6 on 24.1.10_3

Started by tokade, July 19, 2024, 05:07:45 PM

Hi all,

Since I had the problem of losing my WAN IPv6 with 24.1.9, I gave 24.1.10_3 a chance today. After the upgrade and a reboot, I had no IPv6 on my WAN interface.

My ISP is German Telekom (business) with a fixed IP address. Checking with ifconfig there was a fe80:... and a 2003:... inet6 address shown. The GUI didn't show the IPv6 and Dpinger v6 said the IPv6 gateway is offline.

Searching the forum I found this https://forum.opnsense.org/index.php?topic=39995.msg195965#msg195965 and used the workaround by adding the IPv6 to the interface on CLI. So it might be related to the "detach" status.

Is it possible that the patch mentioned in the post https://github.com/opnsense/core/commit/5db3c349 got lost in the 24.1.9 / 24.1.10 versions?

Haven't rebooted yet, but will keep an eye on it, in case I have to add the IPv6 manually again.

How could I help to narrow down the problem?

Kind regards
Torsten

Hi Torsten,

Is this with a static IPv6 or DHCPv6 WAN mode?


Cheers,
Franco

Hi Franco,

Yes, I get a static IPv4 from Deutsche Telekom (Business) via PPPoE behind a DrayTek router in modem mode (VLAN tag 7 set on the opnsense).

WAN:
IPv4: PPPoE
IPv6: DHCPv6
For IPv6, a /56 prefix delegation size, unchecked "Request only an IPv6 prefix", checked "Send IPv6 prefix hint" and checked "Use IPv4 connectivity" are configured.

LAN:
IPv4: Static IP
IPv6: Track interface

This configuration worked till 24.1.8. I never used a static IPv6 in my configuration, neither one of the other IPv6 options. From 24.1.9 on I have the problem, that no IPv6 is assigned to my opnsense anymore. The gateway monitoring fails and so on...


I was afraid of changing this configuration in the past, but now it seems I have to. Hoping there were no changes from my ISP at the same time and the problem isn't related to opnsense at all. Found this article, which describes a problem with Fortinet, but the reason was on the ISP side: https://telekomhilft.telekom.de/t5/Festnetz-Internet/Keine-Zuweisung-von-IPv6-Adresse-bei-Fortigate/td-p/3879759

Can you please provide me with a correct configuration for this scenario? Do I need to change to static IPv6, PPPoEv6? I haven't found anything in the forum which explains how to set up IPv6 with a static IP for Deutsche Telekom Business.

Let me know, if you need more information.

Kind regards and thx
Torsten

PPPoEv6 enables the address on WAN and you will be able to use any /64 from your prefix on each LAN statically. This is very straightforward and avoids complications through DHCPv6 (which relies on the ISP to do the right thing all the time, which is rare).


Cheers,
Franco

July 22, 2024, 09:29:43 AM #4 Last Edit: July 22, 2024, 09:38:22 AM by tokade
Hi Franco,

thx for your quick reply. Gonna change the configuration to PPPoEv6 for IPv6 on WAN and will reboot later. Will let you know, if that solves the problem.

Is it right that my opnsense won't get an IPv6 address itself?

Torsten

Quote from: tokade on July 22, 2024, 09:29:43 AM
> Is it right that my opnsense won't get an IPv6 address itself?

That depends on your ISP.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

If you don't get one through PPPoEv6 you should at least get a router. So if you need one just assign a VIP on your WAN from a free /64 subnet.


Cheers,
Franco

Hi Patrick, hi Franco,

After the change and reboot, I still get no IPv6 address for the WAN interface from my ISP Deutsche Telekom. The opnsense gets an IPv6 fe80 gateway, but the gateway monitoring fails.

Tracking the WAN interface for LAN doesn't work now either and I can't find any information for the /64 subnets on my opnsense. Where would I find that, other than on my ISP's website?

If I give the WAN interface a virtual IP from a free /64 subnet, can I use this address for reverse DNS to my mailserver and webserver? Till now I used the automatic public IPv6 my WAN interface got assigned for that.

Torsten

> Tracking the WAN interface for LAN doesn't work now either

You can't track PPPoEv6. It tells the provider to enable IPv6 over PPPoE and automatically hands you a gateway. The ISP can assign you an IP via PPPoE but doesn't have to. It can assign a SLAAC to you but doesn't have to.

Go to LAN, add your static IPv6 config for a /64 subnet of your prefix.

Optionally go to Virtual IPs, add your static IPv6 alias for another /64 subnet of your prefix. (it's not needed for gateway monitoring)

Also note that if you want to monitor a GUA you can't use a ULA or LLA so I guess you never assigned a static IPv6 where it matters.

That should be more than enough to get you going.


Cheers,
Franco

Hi Franco,

I'm lost  :(

I tried slaac and my WAN interface gets the old public IPv6 address again, but in CLI it is shown as detached and in GUI Dashboard it isn't shown at all. Gateway monitoring is not working.

Setting the old public IPv6 via CLI as described in my first post fixes the problem with the gateway monitoring.

Shall I try to set this public IPv6 address as VIP or even use static IPv6 with this address?

Hi Torsten,

Not sure how to make that simpler: WAN PPPoEv6 and LAN Static IPv6 and it should just work.


Cheers,
Franco

Changed back to PPPoEv6 and static IPv6 for my LAN

My WAN interface has no IPv6 assigned from the ISP, but has a gateway address fe80... My LAN interface has a static IPv6 now.

Gateway monitoring doesn't work as it did for years till 24.1.9. I can't ping any IPv6 address outside, neither from my opnsense CLI/GUI nor from a client in the LAN.

ping 2001:4860:4860::8888
PING6(56=40+8+8 bytes) XXXX::1 --> 2001:4860:4860::8888
^C
--- 2001:4860:4860::8888 ping6 statistics ---
150 packets transmitted, 0 packets received, 100.0% packet loss


My opnsense and my website behind HAProxy on the sense aren't reachable by IPv6.

What is the major change from 24.1.8 to 24.1.9ff??

Hi Franco,

I started all over with my old configuration using DHCPv6 for IPv6 on WAN. Which gives me now a public IPv6 address on WAN showing in CLI (X changed by me), but detached! LAN is configured with static IPv6 now.

ifconfig -L pppoe1
pppoe1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
        description: WAN (wan)
        inet6 fe80::42b0:XXXX:XXX:XXXX%pppoe1 prefixlen 64 scopeid 0x13
        inet6 fe80::216:XXXX:XXXX:XXXX%pppoe1 prefixlen 64 scopeid 0x13
        inet6 XXX:XXXX:XXX:XXX:4XX0:7XXf:feXX:X8XX prefixlen 64 detached autoconf pltime 1794 vltime 14394
        inet X.X.X.X --> 62.xxx.XXX.XXX netmask 0xffffffff
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>


The GUI dashboard for the interfaces shows WAN with my static IPv4 address, but no IPv6 address. In the interface overview the public IPv4 and IPv6 addresses are shown and also the gateways (screenshot attached).

Now I can ping outside IPv6 addresses from opnsense and LAN, and my website is reachable from outside via IPv6. Ping to the IPv6 from opnsense works, but the gateway monitoring using the same IPv6 doesn't work.

So what is missing or wrong?

Thx for your help!
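
The "detached" check done by eye on the ifconfig output above can be scripted; this is an added example, not part of the original post and not OPNsense code. The function names and the sample output (documentation addresses, interface igb1) are constructed assumptions.

```shell
#!/bin/sh
# Added example: list inet6 addresses that ifconfig marks as "detached".
# Reads ifconfig output on stdin, prints "<interface> <address>" per hit.
detached_inet6() {
    awk '
        # Interface header lines start in column 0, e.g. "pppoe1: flags=..."
        /^[a-zA-Z0-9]/ { iface = $1; sub(/:$/, "", iface); next }
        # Address lines are indented; flags follow the prefix length.
        $1 == "inet6" {
            for (i = 3; i <= NF; i++)
                if ($i == "detached") { print iface, $2; break }
        }
    '
}

# Constructed sample modelled on the output in the post
# (RFC 3849 / RFC 5737 documentation addresses, not real ones).
sample_ifconfig() {
    cat <<'EOF'
pppoe1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
        description: WAN (wan)
        inet6 fe80::1%pppoe1 prefixlen 64 scopeid 0x13
        inet6 2001:db8:1:2::10 prefixlen 64 detached autoconf pltime 1794 vltime 14394
        inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffffff
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 2001:db8:1:3::1 prefixlen 64
EOF
}

# Demo on the constructed sample; prints "pppoe1 2001:db8:1:2::10".
sample_ifconfig | detached_inet6
```

On the firewall itself the same function can be fed live output, for example `ifconfig -L pppoe1 | detached_inet6`.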

As far as "detached" goes there was https://github.com/opnsense/core/commit/3b49f8acd80d6 but it's hardly documented and was said to be not working for other people so the change was added. It should not, however, mess with much IPv6 delivery via DHCPv6 and PPPoEv6 should not interfere as well, but maybe it's more complicated than that.


Cheers,
Franco

Hi Franco,

That's the commit I mentioned in my first post. So is this still included in 24.1.10_3 or do I have to apply a patch?

Sorry for all the questions and trouble.

Kind regards
Torsten