[Solved] OPNSense IPv6 Routing Issues /56 Prefix-Delegation.

Started by uyouzeca, July 25, 2025, 12:57:57 PM

Good Day!

IPv6 routing seems to be broken for one setup on 25.1.12, where my LANs are unable to ping the internet even though there's a GUA.

Setup Config:
ONT device to OPNSense, for which my ISP assigns a /128 address for my WAN and a PD of /56, using DHCPv6 (ONT is bridged).
Configured 8 VLANs to Track Interface WAN, with Manual Configuration checked. Each VLAN uses a Prefix ID, from 0x0 to 0x7.
ISC DHCPv6 is configured for the entire /64 range on each VLAN (:: to ::ffff:ffff:ffff:ffff), with Prefix Delegation set to /64 (I do not wish to delegate prefixes downstream).
Router Advertisements are set to Managed for all VLANs, to advertise the default gateway, and DNS is configured to use Unbound on OPNSense.

Debugging Done:
All VLAN interfaces have a GUA address assigned.
All clients are able to obtain a GUA address automatically on all VLANs, and have the gateway set to OPNSense's ULA on the VLAN.
Using the GUA assigned on the VLAN as source address, diagnostic pinging to the internet (Cloudflare or Google) works.

DHCPv6 clients on VLANs are able to ping the gateway (OPNSense) only using the ULA, and vice versa. (OPNSense <---> Clients)
DHCPv6 clients are unable to ping OPNSense using the GUA, and vice versa. (OPNSense <-!-> Clients)
DHCPv6 clients are of course unable to ping any public GUA addresses (basically all GUAs are unpingable, except the client's own GUA).
It is safe to assume firewall rules are not involved; a rule for all VLANs to !bogonsv6 is set to allow.



Interestingly, for another setup of mine, where the ISP provides a /128 WAN and a /64 PD, this same config works flawlessly for 1 LAN. (IPv6 has no issues.)


<Solved> Migrating to Dnsmasq, and using Dnsmasq's RA.

TL;DR: issue with the Router Advertisement service; handed over to Dnsmasq's RA.

In preparation for 25.7 and future-proofing, the decision to migrate the configuration from ISC to Dnsmasq actually resolved the issue.

It appears that there was some issue with the Router Advertisement service that resulted in routes not being advertised to clients downstream.
This was discovered mid-configuration of Dnsmasq, where setting Dnsmasq > DHCP Ranges > RA Mode to Default (forcing the built-in Router Advertisement service to do the RA) resulted in the same issue: GUAs are assigned to clients, but clients are unable to reach the internet.

Resolved by disabling the built-in Router Advertisement service and setting Dnsmasq's RA Mode to SLAAC, with DHCP Ranges also from :: to ::ffff:ffff:ffff:ffff, and the constructor set to the VLAN interface to inherit the prefix from.

I have yet to upgrade OPNSense; it is still on 25.1.12 for control testing.
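The address plan described above (a /56 PD tracked by eight VLANs with Prefix IDs 0x0 to 0x7, each with a DHCPv6 range of :: to ::ffff:ffff:ffff:ffff), worked through as an added example that is not part of the original post: it derives the per-VLAN /64s, expands the host-part range into absolute pool bounds, and checks that a client's GUA falls in the /64 its VLAN should have. The 2001:db8::/56 prefix and client address are constructed documentation values, not the poster's real allocation.

```python
import ipaddress

def vlan_prefixes(delegated: str, prefix_ids):
    """Split a delegated prefix into the /64 each tracking interface gets.
    The Prefix ID fills the bits between the PD length and /64, so a /56
    leaves one byte (IDs 0x0..0xff) and a /64 PD leaves no room at all."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    id_bits = 64 - pd.prefixlen
    subnets = {}
    for pid in prefix_ids:
        if pid < 0 or pid >= (1 << id_bits):
            raise ValueError(f"prefix id {pid:#x} does not fit in {id_bits} bits")
        # The subnet ID occupies the low bits of the upper 64-bit half.
        net_int = int(pd.network_address) | (pid << 64)
        subnets[pid] = ipaddress.IPv6Network((net_int, 64))
    return subnets

def dhcpv6_pool(vlan_net, low="::", high="::ffff:ffff:ffff:ffff"):
    """Expand the host-part range entered in the DHCPv6 page (relative to
    the /64) into absolute first/last addresses inside that VLAN's /64."""
    lo, hi = int(ipaddress.IPv6Address(low)), int(ipaddress.IPv6Address(high))
    if hi >> 64 or lo >> 64 or lo > hi:
        raise ValueError("range must stay within the 64-bit host part")
    base = int(vlan_net.network_address)
    return ipaddress.IPv6Address(base | lo), ipaddress.IPv6Address(base | hi)

def client_matches_plan(client_addr: str, vlan_net) -> bool:
    """True if the client's GUA lies in the /64 its VLAN is expected to
    derive from the PD; a mismatch points at the address plan, a match
    with no connectivity (as in the post) points at RA/routing instead."""
    return ipaddress.IPv6Address(client_addr) in vlan_net

if __name__ == "__main__":
    plan = vlan_prefixes("2001:db8:abcd:1200::/56", range(0x0, 0x8))
    for pid, net in plan.items():
        lo, hi = dhcpv6_pool(net)
        print(f"VLAN prefix id {pid:#x}: {net}  pool {lo} .. {hi}")
    print(client_matches_plan("2001:db8:abcd:1205::1234", plan[0x5]))
```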