[Solved] IPv6 on Hetzner vSwitch / 64er Subnet Separation

Started by niclas, November 14, 2024, 12:32:37 AM

Hello Guys,

This is my first topic on this forum. I have used OPNsense for around 1.5 years now and I'm happy with it.
Yesterday I switched servers and had to set up IPv6 again. Since then I can't get a route out via a client in my LAN network.
Clients in LAN can ping the LAN address of the OPNsense and also its WAN address, but not the WAN GW or any other target on the Internet. I also noticed that the OPNsense can't ping the Internet or the WAN GW from the LAN address.

I tried a lot, including different firewall rules, MTUs etc., but no success. So I'm posting my problem here to get help from experts.

The setup looks almost the same as on my old OPNsense, where this problem didn't happen. The only difference is that on the old one the WAN GW was a link-local address (fe80::1), so the WAN subnet is /128.

My setup on the new OPNsense looks like this (IPv6 addresses are a bit randomized):

Public subnet from Hetzner vSwitch: 2a1:4f8:f01a:1a69::/64
WAN GW: 2a1:4f8:f01a:1a69::1
WAN IP: 2a1:4f8:f01a:1a69::2/126
MTU WAN: 1500
LAN Interface Setup: 2a1:4f8:f01a:1a69:1::1/123
LAN IP: 2a1:4f8:f01a:1a69:1::1/123
MTU LAN: 1350

(The MTUs are correct; IPv4 is working perfectly and every device knows the MTUs.)

It would be great to get it working. If so, I will write a guide for IPv6 on Hetzner vSwitch with OPNsense, because there isn't any.

Thanks for your help!

Quote from: niclas on November 14, 2024, 12:32:37 AM
WAN GW: 2a1:4f8:f01a:1a69::1
WAN IP: 2a1:4f8:f01a:1a69::1/126

That doesn't look right - you can't be your own gateway?

November 14, 2024, 10:09:02 AM #2 Last Edit: November 14, 2024, 10:12:13 AM by niclas
@dseven Oh sorry, I made a mistake in writing:

WAN IP is: 2a1:4f8:f01a:1a69::2/126

OK, so then is the 2a1:4f8:f01a:1a69:1::/123 prefix routed to 2a1:4f8:f01a:1a69::2 at the upstream gateway (presumably something in the Hetzner vSwitch)? If not, you'd have to do some sort of NAT......

November 14, 2024, 02:24:39 PM #4 Last Edit: November 14, 2024, 02:27:00 PM by niclas
Yes, Hetzner's gateway is 2a1:4f8:f01a:1a69::1 and the OPNsense needs to route outgoing traffic over it. But from LAN I can't ping it or anything outside. If I ping it from the OPNsense with the WAN IP as source, the ping succeeds.

And if I try to set the WAN IP as upstream gateway on the LAN interface of the OPNsense, it can ping outside via the LAN IP, but a client can't. The clients can't even ping the OPNsense until I undo the LAN GW.

Quote from: niclas on November 14, 2024, 02:24:39 PM
Yes, Hetzner's gateway is 2a1:4f8:f01a:1a69::1 and the OPNsense needs to route outgoing traffic over it. But from LAN I can't ping it or anything outside. If I ping it from the OPNsense with the WAN IP as source, the ping succeeds.

That doesn't answer the question - the upstream gateway will need to have a route for 2a1:4f8:f01a:1a69:1::/123 pointing to your OPNsense WAN interface at 2a1:4f8:f01a:1a69::2 - without that, responses won't find their way back to your OPNsense LAN.

I can't influence the upstream GW, because it's managed by Hetzner. Does this mean the OPNsense needs a /64 subnet on WAN?

In my previous subnet the upstream was a link-local address; why didn't that need a route?

If you want to have an IPv6 prefix behind your OPNsense, either that prefix needs to be routed to OPNsense's WAN interface, or you'd have to do NAT.

Presumably when you were using a LLA, you had a routable prefix that was routed to your LLA...?

So do I have to use NAT now if I have a LAN and a DMZ that I want to give IPv6?
Can I use a VIP for IPv6 to get a separate IPv6 on WAN for routing?

Previously the gateway was a link-local on WAN given by Hetzner. So my WAN looked like this: 235:248:241::1 and the LAN and DMZ had something like this: 235:248:241::1:1/123. It worked out of the box.

I'm new to IPv6 so it's a bit complicated to understand for me 😅

Quote from: niclas on November 14, 2024, 03:19:57 PM
So do I have to use NAT now if I have a LAN and a DMZ that I want to give IPv6?

Or you order one additional /64 for LAN and one additional /64 for DMZ and Hetzner will in their standard procedure route these to the WAN address of your OPNsense.

You cannot meaningfully subnet a /64 in IPv6. Each interface gets a /64 - always. Not larger, not smaller.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

But if the OPNsense doesn't claim the additional subnet, how does the Hetzner GW know that it has to route it to the OPNsense?

If I want to use NAT and give my clients local IPv6 addresses, how can I claim for example ...::4:10 as the WAN destination for my client?

Quote from: niclas on November 14, 2024, 03:47:29 PM
But if the OPNsense doesn't claim the additional subnet, how does the Hetzner GW know that it has to route it to the OPNsense?

You order the additional /64 from Hetzner and they route it statically to the single MAC address where they route everything else, too. Which is supposedly WAN of your OPNsense. Then you configure one address of that /64 statically on the DMZ interface - this becomes the default gateway for your VMs.

Ah, now I understand the key difference. The subnet I used before was bound to a MAC address, but the new one is not. On vSwitch you claim your IPv4 and v6, but there is no need for a specific MAC.

How can I bind a second IPv6 from the subnet to the OPNsense?

As an alias address on WAN.

If you want an address on LAN or OPT1, then routing must take place and you must use an entire /64.

I don't know if Hetzner supports routing an additional /64 with a vSwitch. They sure do if you do not use a vSwitch, though.

There's also going to be this soon:

https://github.com/opnsense/plugins/pull/4348

With it I managed to put a /128 IPv6 address on the LAN interface that's in the same /64 as the WAN address, and this proxy then proxies the NDP messages to make it discoverable by the provider edge router.

Though configuration and testing is a little arcane, I need more information from people who actually use it for more than that for proper documentation.
Hardware:
DEC740
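The two ways this thread explains the problem, dseven's point that the upstream router needs a return route for the /123 (otherwise replies never reach the OPNsense LAN) and the last post's NDP-proxy approach (a /128 from the same /64 made discoverable on the vSwitch), both come down to what the provider edge router does with a reply packet: longest-prefix match, then either a next hop or an on-link Neighbor Solicitation. The following is an added Python model of exactly that decision, not code from the thread, OPNsense or Hetzner. It reuses the (randomized) addresses posted above; the additional /64, the client addresses and the transit hop are constructed placeholders from the documentation prefix. Each scenario function returns where the reply ends up.

```python
import ipaddress
from dataclasses import dataclass

IPv6 = ipaddress.IPv6Address
Net = ipaddress.IPv6Network

# Addresses as posted in the thread (the poster said they are "a bit randomized").
HETZNER_GW = IPv6("2a1:4f8:f01a:1a69::1")
OPN_WAN = IPv6("2a1:4f8:f01a:1a69::2")
VSWITCH_64 = Net("2a1:4f8:f01a:1a69::/64")
LAN_123 = Net("2a1:4f8:f01a:1a69:1::/123")
LAN_HOST = IPv6("2a1:4f8:f01a:1a69:1::10")     # constructed client inside the /123
LAN_128 = IPv6("2a1:4f8:f01a:1a69::10")        # constructed /128 for the NDP-proxy case
# Constructed stand-ins (documentation prefix): an "additional /64" and the transit next hop.
EXTRA_64 = Net("2001:db8:ffff:1::/64")
EXTRA_HOST = IPv6("2001:db8:ffff:1::10")
TRANSIT = IPv6("2001:db8::1")
DEFAULT = Net("::/0")


@dataclass
class Upstream:
    """Toy model of the provider edge router sitting on the vSwitch.

    routes:    (prefix, next hop) pairs; a next hop of None means the prefix is on-link.
    neighbors: addresses for which some host on the vSwitch answers Neighbor Solicitation
               (in these scenarios that host is always the OPNsense WAN interface).
    """
    routes: list
    neighbors: set

    def lookup(self, dst):
        """Longest-prefix match over the routing table."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def forward_reply(self, dst):
        """Where does a reply addressed to dst go once it arrives at the upstream router?"""
        net, nh = self.lookup(dst)              # DEFAULT always matches, so never None
        if nh == TRANSIT:
            return "sent-upstream"              # no route for this prefix: back toward the internet
        target = dst if nh is None else nh      # on-link: resolve dst itself, otherwise the next hop
        return "reaches-opnsense" if target in self.neighbors else "ndp-unanswered"


def scenario_as_posted():
    """Thread's setup: a /123 carved out of the on-link /64 with no upstream route for it.
    The router treats the client as on-link, solicits it directly, and nobody answers."""
    up = Upstream(routes=[(VSWITCH_64, None), (DEFAULT, TRANSIT)], neighbors={OPN_WAN})
    return up.forward_reply(LAN_HOST)


def scenario_static_route():
    """What dseven asked about: the upstream has a route for the /123 via the OPNsense WAN address."""
    up = Upstream(routes=[(VSWITCH_64, None), (LAN_123, OPN_WAN), (DEFAULT, TRANSIT)],
                  neighbors={OPN_WAN})
    return up.forward_reply(LAN_HOST)


def scenario_extra_64(routed):
    """Patrick's suggestion: a whole additional /64 on LAN. Works only if Hetzner really routes it;
    without the route the reply simply follows the default route back out."""
    routes = [(VSWITCH_64, None), (DEFAULT, TRANSIT)]
    if routed:
        routes.append((EXTRA_64, OPN_WAN))
    return Upstream(routes, neighbors={OPN_WAN}).forward_reply(EXTRA_HOST)


def scenario_ndp_proxy():
    """Last post's approach: a /128 from the same /64 lives on LAN. Without a proxy the on-link
    solicitation goes unanswered; with OPNsense answering NDP for it on WAN, the reply is delivered."""
    plain = Upstream([(VSWITCH_64, None), (DEFAULT, TRANSIT)], neighbors={OPN_WAN})
    proxied = Upstream([(VSWITCH_64, None), (DEFAULT, TRANSIT)], neighbors={OPN_WAN, LAN_128})
    return plain.forward_reply(LAN_128), proxied.forward_reply(LAN_128)


if __name__ == "__main__":
    print("as posted (/123 inside the /64, no route):", scenario_as_posted())
    print("upstream route for the /123:", scenario_static_route())
    print("additional /64, routed / not routed:", scenario_extra_64(True), scenario_extra_64(False))
    print("/128 on LAN without / with NDP proxy:", scenario_ndp_proxy())
```

The model deliberately ignores OPNsense's own forwarding and firewall rules: the thread's symptom (the client can reach the OPNsense WAN address but nothing beyond it) is produced entirely on the upstream side, where the router has no reason to hand a packet for 2a1:4f8:f01a:1a69:1::10 to ::2 unless it either holds a more specific route or receives a Neighbor Advertisement for that address.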