OPNsense on NetCologne, IPv6 assigned but not a functional gateway

Started by Knogle, January 05, 2025, 01:16:18 PM

Hi everyone, I hope you're doing well! 😊

I'm currently facing an issue with my setup on OPNsense when attempting a PPPoE login. While I successfully get an IPv4 address assigned, and it seems like an IPv6 address is also assigned, the WAN6 gateway only displays a link-local IPv6 address. IPv4 connectivity works flawlessly, but I can't seem to get proper IPv6 functionality.

Here's a bit more about my setup:

    Provider: NetCologne (regional ISP in Germany)
    Connection Type: PPPoE with VLAN ID 10
    Authentication: PAP/CHAP

The IPv6 setup requirements provided by my ISP are as follows:

  • SLAAC (Stateless Address Autoconfiguration) as per RFC 4862
  • IPv6 assignment via DHCPv6 as per RFC 3315
  • DHCPv6 Option: IAPD (Identity Association for Prefix Delegation) as per RFC 3633

Am I missing something in the OPNsense configuration to make IPv6 work correctly? For context, this setup works fine on OpenWrt, but I can't seem to replicate the success on OPNsense.

I'd really appreciate any insights or suggestions to help me get this resolved. Thanks in advance for your help! 😊


You probably need to configure your LAN interface for IPv6, using the "Track Interface" configuration type, pointing to your WAN interface as the parent. https://docs.opnsense.org/manual/ipv6.html

I can't tell from your screenshots if you got a delegated prefix - under Interfaces -> Overview, click the magnifier next to your WAN (PPPoE) interface, and see if you see "Dynamic IPv6 prefix received".


Ah, thanks for your advice.
I get an IPv6 prefix, and so does the LAN interface.
Regarding the missing IPv6 connectivity, I think there is something wrong with my GW settings, am I missing something here?
I will attach a screenshot in my first post.
So according to the gateway settings, WAN6 is defunct.

According to what I see, the prefix delegation size should be 48, not 63.

Also, your ISP obviously only supports IA_PD, not IA_NA. Thus, your WAN does not get an IPv6 address, which is obvious in the WAN details.

Since a few versions, such a shortcoming can be cured if you select "Request prefix only" and "Send prefix hint". You must then choose which prefix ID of your 16 bits available (64-48) shall be used for the WAN interface ("Optional prefix ID"). You should select one that is not used in the Track Interface section of any of your (V)LANs.

You can also choose some arbitrary 64-bit suffix instead of the EUI-64 of your WAN interface ("Optional Interface ID").
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
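
The prefix ID and interface ID arithmetic described in the post above, as an added example that is not part of the original thread. The delegated prefix (a documentation range), the tracked LAN IDs and the function name are constructed assumptions; the code also accepts delegations other than /48.

```python
import ipaddress

def wan_from_delegation(delegated, prefix_id, interface_id, tracked_ids=()):
    """Carve the WAN /64 and address out of a delegated prefix.

    prefix_id    -- value for "Optional prefix ID" (selects one /64)
    interface_id -- value for "Optional Interface ID", e.g. "::1"
    tracked_ids  -- prefix IDs already used by Track Interface (V)LANs
    """
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError("delegation must be /64 or shorter")
    id_bits = 64 - pd.prefixlen              # 16 bits for a /48
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID must fit in {id_bits} bits")
    if prefix_id in tracked_ids:
        raise ValueError(f"prefix ID {prefix_id:#x} is already tracked by a LAN")
    iid = int(ipaddress.IPv6Address(interface_id))
    if iid >> 64:
        raise ValueError("interface ID must fit in the low 64 bits")
    # The prefix ID occupies the bits between the delegation and bit 64.
    subnet_int = int(pd.network_address) | (prefix_id << 64)
    subnet = ipaddress.IPv6Network((subnet_int, 64))
    return subnet, ipaddress.IPv6Address(subnet_int | iid)

# Constructed sample values: documentation prefix, LANs tracking IDs 0 and 1.
DELEGATED = "2001:db8:1234::/48"
LAN_IDS = {0x0, 0x1}

if __name__ == "__main__":
    subnet, addr = wan_from_delegation(DELEGATED, 0xff, "::1", LAN_IDS)
    print("WAN subnet :", subnet)
    print("WAN address:", addr)
```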

Quote from: meyergru on January 05, 2025, 07:52:44 PM
According to what I see, the prefix delegation size should be 48, not 63.

I noticed that too, but it seems the /48 was picked up anyway. Not sure if the mismatch could make the gateway defunct - it doesn't seem like it should, but I don't know what else could....

Quote from: meyergru on January 05, 2025, 07:52:44 PM
Also, your ISP obviously only supports IA_PD, not IA_NA. Thus, your WAN does not get an IPv6 address, which is obvious in the WAN details.

Eh? The screenshots show an IPv6 address on the WAN interface (separate from the delegated prefix). Edit: It's a SLAAC address, not from DHCP, but it is there...

Quote from: dseven on January 05, 2025, 08:46:10 PM
Quote from: meyergru on January 05, 2025, 07:52:44 PM
According to what I see, the prefix delegation size should be 48, not 63.

I noticed that too, but it seems the /48 was picked up anyway. Not sure if the mismatch could make the gateway defunct - it doesn't seem like it should, but I don't know what else could....

It probably won't once you use "Prefix Hint".

Quote from: dseven on January 05, 2025, 08:46:10 PM
Quote from: meyergru on January 05, 2025, 07:52:44 PM
Also, your ISP obviously only supports IA_PD, not IA_NA. Thus, your WAN does not get an IPv6 address, which is obvious in the WAN details.

Eh? The screenshots show an IPv6 address on the WAN interface (separate from the delegated prefix). Edit: It's a SLAAC address, not from DHCP, but it is there...

Your addr6 is empty, mine isn't...

I'm not the OP ;)

It shouldn't be necessary for the WAN interface to have a routable IPv6 address for IPv6 from the LAN to work anyway... so not sure we're focused on the problem here...

Correct, but then the OP has not yet said what exactly does not function nor what the LAN assignment looks like. His setup is much like mine (PPPoE over a VLAN), so to cut things short, I tell what works for me.

In the screendumps, the WAN gateway is cut short. Is it only a LL-addr?

In your first post you say

Quote
it seems like an IPv6 address is also assigned, the WAN6 gateway only displays a link-local IPv6 address

.. but I don't think that's a problem?  My ISP also provides a link-local gateway address.

I don't know about your ISP but my ISP will provide an address via DHCP which for whatever reason doesn't work.  I've never figured it out.  I just use 'Request a prefix only' and a /64 from my /56 on the WAN interface and all is good.

What do you mean about the gateway being defunct?

On interfaces -> overview for your WAN interface, what else is shown under Routes if you click expand?

We can see the routes in the screenshot of the WAN interface details. "default" appears twice - one for IPv4, and one for IPv6.

I do think we need to focus in on the actual problem. OP suggested that the v6 gateway is showing a defunct status, but that's not shown in any of the screenshots. Searching for past discussions about that seems to bring up Multi-WAN related issues, but nothing else (that I've found so far). OP, other than the defunct gateway, what have you attempted to do and found to be broken?

Thank you very much for your responses!
I've attached a few screenshots for reference.

As shown in the screenshots, the WAN interface is receiving an IPv6 address. However, it does not appear in the Gateways section, which prevents proper interface traffic monitoring for packet loss, latency, etc., and also impacts the functionality of DDNS for IPv6.

The LAN interfaces and clients are receiving their IPv6 prefixes and addresses correctly, so the issue seems to be limited to the WAN interface and its IPv6 address.

Is there any workaround for this? Currently, only the link-local IPv6 address is displayed in the Gateways section.

Thanks in advance for your help!

I don't see anything wrong in these screenshots. The link-local gateway for IPv6 is fine, so long as that is actually the LLA of your (ISP's) upstream gateway. The gateway is not monitored because you have disabled that ("Disable Gateway Monitoring" is checked).

In the screenshots the IPv6 gateway address is fe80::%pppoe1/64. While that's a valid address I think it is extremely unlikely that your upstream gateway is actually using an address with the interface identifier part consisting entirely of zeros. I'd probably use tcpdump to look at the router announcements on the WAN interface to check their source address(es) and experimentally use those as the gateway. If that works, we can go back to find out why OPNsense uses a bad gateway address.
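
The check suggested in the post above, as an added example that is not part of the original thread: it reads non-verbose `tcpdump -n` text output, collects the source addresses of router advertisements and compares them with the configured gateway. The capture lines and router addresses are constructed, and the function names are assumptions of this example.

```python
import ipaddress
import re

# Matches non-verbose `tcpdump -n` lines for ICMPv6 router advertisements,
# e.g. captured with: tcpdump -n -i pppoe1 'icmp6 and ip6[40] == 134'
RA_LINE = re.compile(
    r"IP6 (?P<src>[0-9A-Fa-f:]+) > [0-9A-Fa-f:]+: ICMP6, router advertisement")

def ra_sources(tcpdump_text):
    """Return the distinct source addresses of all RAs in the capture text."""
    found = {ipaddress.IPv6Address(m.group("src"))
             for m in RA_LINE.finditer(tcpdump_text)}
    return sorted(found)

def check_gateway(configured, tcpdump_text):
    """Compare the configured gateway with the routers actually seen."""
    bare = configured.split("/")[0].split("%")[0]   # drop /len and %zone
    gw = ipaddress.IPv6Address(bare)
    sources = ra_sources(tcpdump_text)
    return {
        "gateway": gw,
        # True when the low 64 bits (interface identifier) are all zero
        "zero_interface_id": int(gw) & ((1 << 64) - 1) == 0,
        "seen_in_ra": gw in sources,
        # Link-local RA sources are the addresses to try as the gateway
        "candidates": [s for s in sources if s.is_link_local],
    }

# Constructed capture text; the addresses are made up for illustration.
SAMPLE_CAPTURE = """\
13:05:01.120344 IP6 fe80::2a0:a5ff:fe12:3456 > ff02::1: ICMP6, router advertisement, length 64
13:05:03.551200 IP6 fe80::1c2d:3e4f:5a6b:7c8d > ff02::2: ICMP6, router solicitation, length 16
13:05:03.560912 IP6 fe80::2a0:a5ff:fe12:3456 > fe80::1c2d:3e4f:5a6b:7c8d: ICMP6, router advertisement, length 64
"""

if __name__ == "__main__":
    report = check_gateway("fe80::%pppoe1/64", SAMPLE_CAPTURE)
    for key, value in report.items():
        print(f"{key}: {value}")
```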

Quote from: dseven on January 09, 2025, 02:18:17 PM
I don't see anything wrong in these screenshots. The link-local gateway for IPv6 is fine, so long as that is actually the LLA of your (ISP's) upstream gateway. The gateway is not monitored because you have disabled that ("Disable Gateway Monitoring" is checked).

Thanks a lot!
Yep, that's the issue: when I monitor the gateway it goes down, because it's not the link-local address of the upstream gateway.