Double NAT, IPV6 Issue

Started by aeg90, November 20, 2024, 05:11:31 AM

So I have been using OPNsense for years, but I have a roommate who talked me into doing a double NAT for two routers. He has an ASUS router as the main router and I have my lab behind the OPNsense one. The ASUS router acts as a WAN connection for OPNsense. IPv4 assigns addresses and is able to connect to the internet. IPv6 does not. I have WAN DHCP6 and LAN set to track WAN. I am wondering what is needed to have IPv6 be functional while being behind a double NAT.

Enable prefix delegation on the Asus router if

- it is capable of doing that
- the ISP provides a prefix large enough so there is room for a sub-delegation

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 20, 2024, 11:43:42 AM #2 Last Edit: November 21, 2024, 09:27:47 AM by stefan00
Patrick answered the question perfectly.

A bit more detail from my personal experience:

I have been doing "double NAT" (wrong term for IPv6!) on all my sets for years now. It works (almost) perfectly with OPNsense. And since IPv6 needs no NAT by design, there is no performance regression either - except for the added Ethernet latency due to one more hop.

The biggest culprit is getting a large (small) enough prefix from your provider and having it delegated from your uplink router to OPNsense.

The OPNsense (WAN) interface settings vary depending on your uplink router model and settings.

While working on it, your best chance to debug is to see if OPNsense actually got a prefix delegated on your (WAN) interface. During the last releases, the location of this information has changed a bit (now Interfaces->Overview->Detail Popup).

Once you get it running like on the picture below, you are on the road.

OPNsense Hardware:
DEC3850
DEC750
Custom i5-14600K based router
KVM based VM

I followed what you said as well as other posts I found on the web. I still can't get it to assign IPs to the LAN clients. I am able to ping IPv6 addresses found on the internet from the OPNsense GUI. So DHCP is assigning OPNsense an IP. I have tried track set for IPv6 in the LAN interface. It will not assign IPs. It works when I plug the modem directly into OPNsense. So something is not translating or working properly between the ASUS router and the OPNsense box.

DHCP-PD is enabled and so is the Router Advertisement for IPv6. In OPNsense, Dynamic IPv6 prefix is not showing up. I am not sure if it is a misconfiguration with things.

Btw, my ISP is Spectrum and all the devices are owned by me. They are not provided by Spectrum.

Quote from: aeg90 on November 20, 2024, 09:08:36 PM
In OPNsense, Dynamic IPv6 prefix is not showing up.

If you don't see a prefix delegated to OPNsense, it won't work.

Play with your uplink router settings (eg PD, length etc), mode (dhcpc, slaac etc) and OPNsense WAN interface settings (mode, prefix length, prefix hint, prefix ID)

Quote from: stefan00 on November 20, 2024, 09:25:16 PM
Quote from: aeg90 on November 20, 2024, 09:08:36 PM
In OPNsense, Dynamic IPv6 prefix is not showing up.

If you don't see a prefix delegated to OPNsense, it won't work.

Play with your uplink router settings (eg PD, length etc), mode (dhcpc, slaac etc) and OPNsense WAN interface settings (mode, prefix length, prefix hint, prefix ID)

I think the issue is this. I have a WAN prefix length of 56. The uplink router has a LAN prefix of 64. OPNsense is connecting to and treating the uplink router as the modem, which has a prefix length of 64. Thus I won't be able to do a second prefix length of 64 with OPNsense. At least that is what I gather from reading.

Here is how it looks (my network stack)

Modem >>> ASUS Router >>> traffic to my roommate's devices and my lab (OPNsense)

My OPNsense >>> Mikrotik switch >>> My Devices

I am not sure where in the chain it breaks. Like I just said above, my ISP provides a prefix length of 56, the ASUS Router LAN is set to 64 and can't be changed.

Is this the issue? OPNsense is treating the ASUS LAN as the modem and thus can't assign IPs because the range is longer than 128?

The Asus router must delegate a prefix to OPNsense. You need to check with the vendor documentation if it can do that and how to configure.

It sounds like the ASUS router is your first problem. But that is just a guess without knowing this piece of hardware.

1. ISP prefix length

Quote from: aeg90
I have a WAN prefix length of 56.

Good thing. Where can you see this? In the ASUS router? Let's assume YES.

2. ASUS DHCPv6 / Router advertisement setup

Quote from: aeg90
The uplink router has a lan prefix of 64 ... The ASUS Router LAN is set to 64 and can't be changed.

The most important prerequisite for an IPv6 router chain is prefix delegation. Your ASUS router must be able to delegate a part of its available /56 network down to the next router in the chain (OPNsense).

Assigning addresses to clients is not the same as delegating a subnet (prefix) to another router. As I understand from what you write, the ASUS router is assigning addresses to its connected clients on its LAN ports.

3. "second prefix" does not exist

Quote from: aeg90
Thus I won't be able to do a second prefix length of 64 with opnsense.

There is no such thing as a "second /64" prefix. The client router (OPNsense) can only request 1 prefix. That's why it must be bigger than /64, at the minimum /63.

4. summary

You must find a setting in your ASUS box to delegate a prefix down to OPNsense. In your current configuration, your OPNsense only gets an address. Please try to find some documentation on the ASUS router or post a link here.

Think of it this way: Let's assume you can convince the ASUS router to delegate a /58 block down. The OPNsense box then simply asks "Hey Asus, give me a /58 subnet which I can handle. Not you, me". That's prefix delegation.

The OPNsense box then grabs the prefix and divides it into smaller chunks to assign it to its own clients. That's the /64 address assignment as you see it on the ASUS router too.

The bad news: If your ASUS router cannot delegate subnets (=prefixes) to downstream routers, IPv6 will not work the right way. But honestly, I doubt it.
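The subnet arithmetic described in the post above, as an added example that is not part of the thread: an upstream router holding a /56 keeps one /64 for its own LAN and delegates a /58, from which the downstream router picks /64s by prefix ID. The prefix is constructed from the documentation range, the function names are hypothetical, and which block the upstream router hands out is an assumption.

```python
import ipaddress

# Constructed sample: 2001:db8::/32 is the documentation range, not a real ISP prefix.
ISP_PREFIX = "2001:db8:ab00::/56"

def split(parent, new_len):
    """Blocks of length new_len inside parent; empty if there is no room."""
    net = ipaddress.IPv6Network(parent)
    if new_len <= net.prefixlen:
        return []  # e.g. a /64 LAN has nothing left over to hand out as a /64
    return list(net.subnets(new_prefix=new_len))

def lan_prefix(delegated, prefix_id):
    """The /64 selected by prefix_id (index of the /64) inside a delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    count = 1 << max(0, 64 - net.prefixlen)
    if net.prefixlen > 64 or not 0 <= prefix_id < count:
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {net}")
    base = int(net.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def plan(isp_prefix, delegated_len):
    """Upstream keeps the first /64 for its LAN and delegates the last block.
    Which block a real router picks is an assumption made for this example."""
    blocks = split(isp_prefix, delegated_len)
    if not blocks:
        raise ValueError("ISP prefix too small for a sub-delegation")
    upstream_lan = lan_prefix(isp_prefix, 0)
    delegated = blocks[-1]
    if upstream_lan.overlaps(delegated):
        raise ValueError("delegated block would overlap the upstream LAN")
    return upstream_lan, delegated

if __name__ == "__main__":
    upstream_lan, delegated = plan(ISP_PREFIX, 58)
    print("upstream router LAN :", upstream_lan)
    print("delegated downstream:", delegated)
    for pid in (0x0, 0x1, 0x3f):
        print(f"  prefix ID {pid:#04x} ->", lan_prefix(str(delegated), pid))
    # An address on the upstream /64 LAN leaves no /64 to pass further down.
    print("blocks left inside the upstream /64:", len(split(str(upstream_lan), 64)))
```
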

Quote from: Patrick M. Hausen on November 21, 2024, 09:08:34 AM
The Asus router must delegate a prefix to OPNsense. You need to check with the vendor documentation if it can do that and how to configure.
Long story short ... while I was writing ;-)