IPv6 - LAN hosts cannot ping internet or opnsense router

Started by sukerman, January 28, 2025, 10:33:16 AM

January 28, 2025, 10:33:16 AM Last Edit: January 30, 2025, 01:25:36 PM by sukerman Reason: Tidy
Hi All,

----------------
EDIT: My OPNsense router is behind my ISP router. Could it be that it is not passing the IPv6 delegation to OPNsense and this is causing the routing problem? I'm confused because all my LAN devices have an address and the gateway assigned. It all looks good, but LAN devices cannot ping the gateway.
----------------

I've been banging my head against the wall on this for days, tried to do the reading, YouTube, etc... lol, I have tried.

For anyone searching, this is a setup for DIGI Spain. I am using the supplied router, firewall off, DMZ set to my OPNsense box.

In OPNsense, I have enabled link local on the bridge so I get IPv6 assigned.

This ONLY works, as far as I can tell, if I put the WAN interface to DHCP4 and SLAAC for IPv6.

Note, you then have to go to LAN interface settings and click save after any changes before changes to the WAN interface are carried through.

If I set WAN interface to DHCP4 and DHCP6 I do not get IPv6 addresses assigned to the bridge, I have tried DHCPv6 and changing the prefix to 48 / 56 / 60 / 64, I never get an address on the bridge without setting it to SLAAC.

OPNsense seems happy with this setup; I have added a floating IPv6 firewall rule to allow all IPv6 in and out for testing purposes.


 DEBUG (igc2)    ->
 LAN (bridge0)   -> v4: 10.2.1.1/16
                    v6/t6: 2a0c:5a87:xxxx:xxxx:xxxx:xxxx:fe10:6075/64
 Nord_UK (ovpnc1) -> v4: 10.100.0.2/16
 OFFICE (igc3)   ->
 WAN (ix2)       -> v4/DHCP4: 10.1.1.2/24
                    v6/SLAAC: 2a0c:5a87:xxxx:xxxx:xxxx:xxxx:fef4:33c3/64
 WAPS (igc4)     ->

root@OPNsense:~ # ping -6 heise.de

PING(56=40+8+8 bytes) 2a0c:5a87:xxxx:xxxx:xxxx:xxxx:fef4:33c3 --> 2a02:2e0:3fe:1001:302::
16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=0 hlim=54 time=44.149 ms
16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=1 hlim=54 time=44.283 ms
16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=2 hlim=54 time=43.910 ms
^C
--- heise.de ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 43.910/44.114/44.283/0.155 ms
root@OPNsense:~ #

Machines on the LAN are issued with IPv6 addresses:

➜  ~ ip -6 addr show en0
14: en0: <UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500 status UP
    link/ether 3e:5e:xx:xx:xx:6c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::4d3:xxxx:xxxx:1361/64
    inet6 2a0c:xxxx:xxxx:xxxx:xxxx:5e38:aa50:a1aa/64
    inet6 2a0c:xxxx:xxxx:xxxx:xxxx:c303:87d2/64
    inet6 2a0c:xxxx:xxxx:xxxx::1b1c/64

Ping just hangs:

~ ping6 heise.de
PING6(56=40+8+8 bytes) 2a0c:xxxx:xxxx:xxxx:xxxx:a29:c303:87d2 --> 2a02:2e0:3fe:1001:302::
....

~ ip -6 route
default via fe80::5a9c:xxxx:xxxx:6075%en0 dev en0
default via fe80::%utun0 dev utun0
::1 via ::1 dev lo0
2a0c:xxxx:xxxx:2800::/64 dev en0 scope link

I cannot ping the default route either; this is the same address shown against the LAN bridge in OPNsense, which has 2a0c:xxxx:xxxx:xxxx:xxxx:fcff:fe10:6075/64 and fe80::5a9c:xxxx:xxxx:6075/64. I cannot ping either address.

~ ping6 fe80::5a9c:xxxx:xxxx:6075
PING6(56=40+8+8 bytes) fe80::4d3:xxxx:xxxx:1361%en0 --> fe80::5a9c:xxxx:xxxx:6075
ping6: sendmsg: No route to host
ping6: wrote fe80::xxxx:xxxx:xxxx:6075 16 chars, ret=-1

IPv4: no problem. IPv6: not working. This is a wired connection to the OPNsense box.

~ ping 10.2.1.1
PING 10.2.1.1 (10.2.1.1): 56 data bytes
64 bytes from 10.2.1.1: icmp_seq=0 ttl=64 time=2.626 ms
64 bytes from 10.2.1.1: icmp_seq=1 ttl=64 time=0.822 ms
^C
--- 10.2.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.822/1.724/2.626/0.902 ms

➜  ~ ping6 fe80::5a9c:fcff:fe10:6075
PING6(56=40+8+8 bytes) fe80::xxxx:xxxx:xxxx:26df%en8 --> fe80::xxxx:xxxx:xxxx:6075
ping6: sendmsg: No route to host
ping6: wrote fe80::xxxx:xxxx:xxxx:6075 16 chars, ret=-1

I don't think it's a firewall issue; I've allowed all IPv6 both ways with a floating rule.

I'm no expert on this, could someone point me in the right direction please?

EDIT: tried with a clean install and minimal configuration (no bridge etc.), same result.

Thanks,
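Added example, not from the post or from OPNsense: a small Python triage script that classifies the symptom above (addresses and a default route present, but "No route to host" to the link-local gateway) from iproute2-style `ip -6 route`, `ip -6 addr` and `ip -6 neigh` output. The sample outputs are constructed to mirror the thread; the formats, the gateway/interface names and the neighbour-state parsing are assumptions (macOS `ndp -an` output would need a different neighbour parser).

```python
import ipaddress
import re

# Constructed sample output modelled on the post (iproute2-style formats assumed).
ROUTE_OUT = """default via fe80::5a9c:fcff:fe10:6075%en0 dev en0
2a0c:5a87:1234:2800::/64 dev en0 scope link
"""
ADDR_OUT = """inet6 fe80::4d3:1111:2222:1361/64 scope link
inet6 2a0c:5a87:1234:2800:a29:c303:87d2/64 scope global
"""
# A neighbour-discovery failure shows up as FAILED/INCOMPLETE or as no entry at all;
# on BSD/macOS that surfaces to ping6 as "sendmsg: No route to host".
NEIGH_OUT = """fe80::5a9c:fcff:fe10:6075 dev en0 FAILED
"""
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
OK_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}

def default_gateways(route_out):
    """Yield (gateway, interface) for each IPv6 default route, dropping any %scope suffix."""
    for m in re.finditer(r"^default via (\S+?)(?:%\S+)? dev (\S+)", route_out, re.M):
        yield ipaddress.IPv6Address(m.group(1)), m.group(2)

def has_link_local(addr_out):
    """A host needs its own fe80:: address to exchange ND with a link-local gateway."""
    return any(ipaddress.IPv6Address(a) in LINK_LOCAL
               for a in re.findall(r"inet6 (\S+)/\d+", addr_out))

def neighbor_state(neigh_out, gw):
    """Return the last token (the NUD state) of the neighbour entry for gw, or None."""
    m = re.search(rf"^{re.escape(str(gw))} dev \S+.*?(\S+)$", neigh_out, re.M)
    return m.group(1) if m else None

def diagnose(route_out, addr_out, neigh_out):
    """Return a list of findings explaining why the IPv6 gateway is unreachable."""
    findings = []
    gws = list(default_gateways(route_out))
    if not gws:
        return ["no IPv6 default route: router advertisements are not reaching this host"]
    if not has_link_local(addr_out):
        findings.append("interface has no link-local address; cannot reach a fe80:: gateway")
    for gw, dev in gws:
        if gw not in LINK_LOCAL:
            findings.append(f"gateway {gw} on {dev} is not link-local; unusual for an RA-learned route")
        state = neighbor_state(neigh_out, gw)
        if state not in OK_STATES:
            # RAs (multicast) evidently arrive, since addresses were assigned, yet the
            # unicast NS/NA exchange with the router does not complete.
            findings.append(f"neighbor discovery for {gw} on {dev} is {state or 'absent'}: "
                            "solicitations (ICMPv6 type 135) go unanswered; verify ICMPv6 "
                            "NS/NA pass on the router's LAN interface and bridge members")
    return findings
```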