Can't seem to get 6RD tunnel on WAN side with LAN setting Track Interface to work

Started by Henrik, July 01, 2025, 10:44:43 AM

Hello all.
New user on OPNsense (was on pfSense before but for various reasons I decided to try OPNsense) and sorry for my n00bness on this platform, but here goes.

I am running OPNsense (latest version, currently 25.1.9_2 as of 2025-07-01).
My ISP is offering IPv6 by 6RD tunnel, and this worked fine under pfSense and on my ISP's router (bad as it is).
But I am not getting it to work on OPNsense. If anyone wonders, it is Telia in Sweden.


All the settings are being set correctly from what I can see, ip addresses, RA, DNS etc.
Except for default route.

The IPv6 default route points to LAN instead of the 6RD border gateway and I think this is the main reason.
Everything is looking correct. Clients get correct RA, clients get IP addresses and DNS settings.
But they just can't reach the internet via IPv6, which I think is pretty symptomatic of lacking a route out onto the internet.

I've tried tinkering with static IPv6 addresses, different RA modes, pure IPv6 NAT etc.
Nothing gets the OPNsense 6RD handler to point the default IPv6 route to the 6RD border gateway. It's super stuck just pointing to LAN.

Tried to scour the internet and tried various hints and links, none of which worked.
So coming here hoping some of you awesome peeps will be able to help me.

Happy Tuesday everyone!

Hey and welcome,

Haven't had any complaints on 6RD for a while now so this is a bit unexpected.

Not sure why LAN would have a default route. Easiest first check is System: Gateways: Configuration and see the auto-generated gateway for 6RD which needs to be marked as "Upstream Gateway".

Does a LAN gateway exist there?


Cheers,
Franco

Hi Franco, thanks for responding.
I am sure it's some sort of misconfiguring on my end but I am unable to see what it is.

As for your question.... Nope, there is no LAN gateway under System --> Gateway --> Configuration.
Attaching gateway and routes pics.

Below config of WAN and LAN:

Telia 6RD Settings (https://www.sweclockers.com/forum/trad/1432656-borja-kor-ipv6-hemma-med-6rd):
6rd Prefix = 2001:2002::
Border Relay Address = 217.209.228.166 (6rd-br1.telia.com)
6rd prefix length = 32
IPv4 mask length = 0

WAN:
IPv6 Configuration Type: 6RD Tunnel

6RD Rapid Deployment
6RD prefix:               2001:2002::/32
6RD Border Relay:         217.209.228.166
6RD IPv4 Prefix length:   32 bits
6RD IPv4 Prefix address:  Auto-detect


LAN
IPv6 Configuration Type: Track Interface

Track IPv6 Interface
Parent interface:       WAN
Assign prefix ID:   0x0
Optional interface ID:   0x
Manual configuration:   
  • Allow manual adjustment of DHCPv6 and Router Advertisements



I think I found the problem.

I had an IKEA DIRIGERA hub on the network. It's used for the remote to my daughter's closet lighting to work.
Safe to say, IPv6 is probably not IKEA's strong suit; it is announcing itself as a router and sending RAs to that effect on the network.
My private IPv6 prefix is on fd02, but I saw strange new prefixes such as fd09 and fd11 popping up on the network (this was not happening on OPNsense for some reason).
But as I got no leads here (no worries) I then switched back to the new pfSense 2.8.
While IPv6 worked there out of the box, sort of, I had issues there too.
It still handled its own gateways and LAN and WAN correctly, it was just clients being misled.

I got my first hint as static IPv6 settings worked, but DHCP clients got bogus addresses.
But I also got the fd09 and fd11 addresses on a machine with static IPv6, so obviously it wasn't DHCP; it was RAs.
I saw rogue private IPv6 prefixes being announced on the net.
Finally tracked it down using Wireshark.
Turned it off and the problems went away once the addresses became stale.
As that killed the lighting I then moved it to another IP net I have.

I have two physical nets; one behind the firewall (now again pfSense I am sad to say), and one behind my ISP's router (I need it for TV services etc).
So it is now mucking up IPv6 there too, but to no ill effect, it's not needed there/I don't care.

So this all told me it's time to get an L3 switch with VLANs and do some network segmentation.
But it also sort of hints it's not really a good idea that a firewall loses its primary function due to rogue RAs, allowing another device to usurp the gateway like that. At least not without some sort of config for it imo.

That said, sorry for going back to pfSense.
Will try out the new stuff in 2.8; might be back soon.
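
The rogue Router Advertisements described in the post above can be flagged without reading a capture by hand. The following is an added example, not code from the thread or from OPNsense/pfSense: it parses an ICMPv6 RA body (RFC 4861) and reports any RA whose source or advertised prefix is not on an allow-list. The router address fe80::1, the fd02::/16 allow-list and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX_INFO = 134, 3  # ICMPv6 RA type, Prefix Information option (RFC 4861)

def parse_ra(icmp6):
    """Return (router_lifetime, [prefixes]) for an ICMPv6 RA, or None if not an RA."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        return None
    router_lifetime = struct.unpack_from("!H", icmp6, 6)[0]
    prefixes, off = [], 16
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            break  # malformed option: stop rather than loop forever
        if opt_type == OPT_PREFIX_INFO and opt_len == 32 and icmp6[off + 2] <= 128:
            addr = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, icmp6[off + 2]), strict=False))
        off += opt_len
    return router_lifetime, prefixes

def audit_ra(src, icmp6, allowed_routers, allowed_prefixes):
    """List reasons this RA is unexpected; an empty list means it matches policy."""
    parsed = parse_ra(icmp6)
    if parsed is None:
        return []
    lifetime, prefixes = parsed
    findings = []
    if src not in allowed_routers:
        kind = "default router" if lifetime > 0 else "prefix-only"
        findings.append(f"RA from unlisted source {src} ({kind}, lifetime {lifetime}s)")
    for p in prefixes:
        if not any(p.subnet_of(a) for a in allowed_prefixes):
            findings.append(f"unexpected prefix {p} from {src}")
    return findings

def build_ra(lifetime, prefix):
    """Build a sample RA body (constructed test input, not captured traffic)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 1800, 1800, 0)
    return hdr + opt + net.network_address.packed

# Constructed policy: fe80::1 is an assumed firewall address, fd02::/16 the expected ULA range.
ROUTERS, PREFIXES = {"fe80::1"}, [ipaddress.IPv6Network("fd02::/16")]

if __name__ == "__main__":
    for src, pfx in (("fe80::1", "fd02:0:0:1::/64"), ("fe80::dead:beef", "fd09:0:0:1::/64")):
        print(src, audit_ra(src, build_ra(1800, pfx), ROUTERS, PREFIXES) or "ok")
```

To use it on real traffic, feed `audit_ra` the IPv6 source address and the ICMPv6 payload of each type-134 packet taken from a capture.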