IPv6 in 25.1 SLAAC + DHCPv6-PD on WAN?

Started by MichaelDK2020, February 28, 2025, 04:12:18 PM

February 28, 2025, 04:12:18 PM Last Edit: February 28, 2025, 05:47:19 PM by MichaelDK2020
Hey,

Upgraded OPNSense to 25.1 and (damn murphy :D) my ISP had IPv6 issues around the same time.

So not sure which is causing the issue, but it felt like 25.1 cleared my DHCPv6-PD config.

But the problem is that I got hold of my ISP, and now they say that I need to use SLAAC for the /64 point to point link network on the WAN interface AND use DHCPv6-PD to request my /48 delegation, but I can't see how that can be configured in OPNSense. It seems like you can only do one of the two: if you select SLAAC for IPv6 on the WAN interface, the DHCPv6 options disappear, and if you select DHCPv6, you can't use SLAAC on the WAN interface?

I also need to set some send options no matter what:
IA-PD 1 (Stateful address assignment)
IA-NA 1 (Identity Association for Prefix Delegation)

Normally these could be set if WAN was set to DHCPv6 with Advanced config enabled.

A bit lost on how to fix this, it's been running fine with my ISP on previous versions of OPNSense.

(Danish ISP Ewii, which acquired Kviknet).

Edit:
Looking more into it, it actually seems to be half working. I can perform http/https requests over IPv6 from my LAN, but pinging anything returns request timed out, the same with traceroute on the LAN side, except traceroute works on OPNSense (but ping doesn't in either place). So weird and difficult to figure out if this is an OPNsense issue or ISP issue; the ISP refuses to help with anything since it's not their router. Going to try a 24.7 install and see if it works there.

Edit2:
A clean install of 24.7 works as before, with everything working, so that at least rules out the ISP side of things, will try and update it to 25.1 and see if this breaks this clean install as well.

Edit3: Ok, updating the clean/basic config on 24.7 to 25.1 worked, no idea why my normal VM got messed up in the upgrade, but that one has gone through a lot of upgrades over time, guess I'll start from scratch on this new VM instead then :)

Hi
Just wondering if you found a solution and would be willing to share the working config.
I started fresh on 25.1 and had it running before on pfSense before switching.
Both ran the config for kviknet that I found somewhere online here: https://imgur.com/a/kviknet-opnsense-ipv6-jHchkbN

Since their outage last week, support claims that they now use standardized DHCPv6 stateless/stateful connections. I have been writing to them over email since Monday and no matter what I tried, I could not see my previous /48 prefix in any packet capture until this evening when I tried again.
Now I suddenly get my prefix again.

If I try to connect to any IPv6-only resource, I cannot connect and even a ping does not work from any device on my LAN interfaces.
Using the ping tools in opnsense indicates that it works as long as I leave my source address blank or set it to the address assigned on my WAN interface. If I set it as the address assigned to any of my LAN interfaces, the ping does not work.

It seems as if the routing of packages does not work once you use an address that is different from the one assigned to the WAN interface.

March 01, 2025, 12:22:39 AM #2 Last Edit: March 01, 2025, 12:43:40 AM by MichaelDK2020
Sure

From a fully clean install of 25.1, on a VM/Computer that has these interfaces:
WAN = vtnet0
LAN = vtnet1 (I have more mapped as VLANS to this interface).

Interfaces -> WAN

IPv4 = DHCP
IPv6 = DHCP_V6 (it still gets the point to point over SLAAC it seemed)

Scroll down to DHCPv6 client configuration:
-Select Configuration Mode = Advanced
-Then under "Interface Statement", under Send Options enter: ia-pd 1, ia-na 1
-Under Identity Association, check the box "Non-Temporary Address Allocation"
--Under "id-assoc na ID" write 1
--Under "Address IPv6-address", write ::/0
-Under Identity Association, Check "Prefix Delegation"
--Under "id-assoc pd ID", write 1
--Under "Prefix IPv6-Prefix", write 48
-Leave rest empty/default.

Now go to Interfaces -> LAN
- Set both IPv4 and IPv6 to Static
- Give it a static IPv4 address and subnet mask.
- Give it a static IPv6 address in your routed /48 prefix, like 2a06:4003:1015:2::1, with subnet mask 64 (if we pretend that 2a06:4003:1015::/48 is my routed prefix from the ISP, you COULD probably use Track interface, but nothing is really changing ever prefix wise with kviknet/ewii, so seems pointless).
-Leave rest empty/default.

Go to Services -> Router Advertisements, select your LAN interface.
- Set it to stateless, check "Advertise Default Gateway", leave rest as default.

Go to Firewall -> Rules
- Select your LAN, make sure there is the following two rules:
Protocol = IPv4, Source = LAN net, any port, any destination, direction = in, quick = checked
Protocol = IPv6, Source = LAN net, any port, any destination, direction = in, quick = checked
(I think these are created automatically for LAN, but got many other networks, where they were not created auto).

That is more or less it to be honest.

The RA's from the ISP to the WAN interface is 360s, so give it 6min in worst case.

Here are the relevant screenshots:
- Interface->WAN
- Interface->LAN
- Firewall Rules
- Router Advertisements
- Pinging from my LAN network
- Traceroute from my LAN network
- Test of IPv6 connectivity on LAN network via browser on different sites: (DR, surprised they finally started using IPv6), (Youtube, fully IPv6)

(Changed my ips/interface names, they are different than posted, but same config as above).

Great to have a point of reference. We had the same configs except that as an attempt to get basic connectivity working, I had unchecked the non-temporary address allocation and forgot to set it again when I re-entered the previous working configuration.

March 21, 2025, 12:28:59 AM #4 Last Edit: April 16, 2025, 05:07:52 PM by dza
Hey guys! I also got the same message from support that "you should be able to use it with default" settings.. No.. At least not in opnsense - you won't ever get Prefix Delegation without those custom options.

Here's some more details to get it working properly and consistently - the instructions above are not enough with the recent kviknet/ewii ISP changes (latest version of opnsense?) in my experience.

Interfaces -> Overview: Copy link-local fe80::xx:1 from the Gateway field under WAN.

System -> Gateways -> WAN_DHCPv6: IP-address <insert here>, apply ..

Enjoy! Finally.. ;)

There was an upstream bug that was fixed in 25.1.3 WRT potential to miss the route handed out by SLAAC...

https://github.com/opnsense/src/issues/242


Cheers,
Franco

March 22, 2025, 12:27:50 AM #6 Last Edit: March 22, 2025, 05:15:31 PM by dza
Quote from: franco on March 21, 2025, 08:30:00 AM
There was an upstream bug that was fixed in 25.1.3 WRT potential to miss the route handed out by SLAAC...

https://github.com/opnsense/src/issues/242

Thanks for the relevant comment. I'm on OPNsense 25.1.3-amd64, but still I can't get a connection at all (only addressing), unless I input the link-local address at the "Interfaces -> Overview" into "IP Address" for WAN_DHCPv6 at "System -> Gateways" - I don't think it's a lack of route, because adding that does not change output of
netstat -rn -f inet6
Neither does it change anything under
ifconfig igc0 inet6
by applying that link-local address as "IP Address" on the
Interfaces -> Gateways -> WAN_DHCPv6
So I'm unsure why this works - but the only other option is disabling the WAN_DHCPv6 gateway (which STILL allows IPv6 connections and addr despite), which seems even more illogical.

Our ISP's IPv6 setup is quite special and expects a very specific setup.
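
A way to check the state this thread keeps coming back to (the configuration steps in reply #2 and the `netstat -rn -f inet6` inspection in reply #6), as an added example that is not part of any post: it parses the IPv6 routing table and reports whether a default route via a link-local gateway exists on WAN, whether the static LAN address lies inside the delegated prefix, and whether the LAN /64 is routed on the LAN interface. The sample routing table is constructed; the interface names and the pretend prefix 2a06:4003:1015::/48 are the ones used in reply #2, and the function names are hypothetical.

```python
import ipaddress

# Constructed `netstat -rn -f inet6` output in FreeBSD layout (not a real capture).
# Interface names and the pretend prefix 2a06:4003:1015::/48 are the thread's.
SAMPLE_OK = """\
Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           fe80::1%vtnet0                UG       vtnet0
::1                               link#3                        UHS         lo0
2a06:4003:1015:2::/64             link#2                        U        vtnet1
2a06:4003:1015:2::1               link#3                        UHS         lo0
fe80::%vtnet0/64                  link#1                        U        vtnet0
"""
# Same table with the default route missing (the symptom discussed above).
SAMPLE_NO_DEFAULT = "\n".join(
    l for l in SAMPLE_OK.splitlines() if not l.startswith("default"))

def parse_routes(text):
    """Return (destination, gateway, netif) for each row of the table."""
    rows = (line.split() for line in text.splitlines())
    return [(f[0], f[1], f[3]) for f in rows
            if len(f) >= 4 and f[0] != "Destination"]

def is_link_local(gateway):
    """True if the gateway column holds an fe80::/10 address (scope stripped)."""
    try:
        return ipaddress.ip_address(gateway.split("%")[0]).is_link_local
    except ValueError:  # e.g. "link#1" for connected routes
        return False

def diagnose(text, wan_if, lan_if, delegated, lan_addr):
    """Return a list of findings; an empty list means the checks passed."""
    routes = parse_routes(text)
    lan = ipaddress.ip_interface(lan_addr)
    findings = []
    # 1. IPv6 default route must point at a link-local next hop on WAN.
    if not any(dst == "default" and nif == wan_if and is_link_local(gw)
               for dst, gw, nif in routes):
        findings.append(f"no default route via a link-local gateway on {wan_if}")
    # 2. The static LAN address must sit inside the delegated prefix.
    if lan.ip not in ipaddress.ip_network(delegated):
        findings.append(f"{lan.ip} is outside delegated prefix {delegated}")
    # 3. The LAN /64 must be a connected route on the LAN interface.
    if not any(dst == str(lan.network) and nif == lan_if
               for dst, gw, nif in routes):
        findings.append(f"no connected route for {lan.network} on {lan_if}")
    return findings

if __name__ == "__main__":
    args = ("vtnet0", "vtnet1", "2a06:4003:1015::/48", "2a06:4003:1015:2::1/64")
    print(diagnose(SAMPLE_OK, *args))
    print(diagnose(SAMPLE_NO_DEFAULT, *args))
```

On a real firewall, pass the actual `netstat -rn -f inet6` text, interface names and delegated prefix in place of the constructed values.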