Unable to get IPv6 functionality on the LAN side of the firewall

Started by GSMartin, August 15, 2025, 11:26:38 PM

My ISP (Race.com) delegates a /56 prefix. I can successfully ping and traceroute -6 from Race's ONT and from the OPNsense firewall, but ping -6 or traceroute -6 from this host on the LAN results in "Network is unreachable" errors.

This is my setup:
[WAN]
   [Generic configuration]
   IPv6 Configuration Type:   DHCPv6

   [DHCPv6 client configuration]
   Configuration Mode:        Basic
   Prefix delegation size:    56
   Request prefix only:       Checked

[LAN]
   [Generic configuration]
   IPv6 Configuration Type:   Tracking

   [Track IPv6 Interface]
   Parent interface:          WAN
   Assign prefix ID:          0

I get this from netstat on the firewall:
# netstat -nr6 | grep default
default                           fe80::1621:3ff:fe0e:d846%igc0 UG             igc0

from ifconfig on this host:
eno3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.20.1  netmask 255.255.0.0  broadcast 192.168.255.255
        inet6 fe80::8156:32f1:abe0:be2b  prefixlen 64  scopeid 0x20<link>

I am using DNSMASQ for DHCP service with its DNS disabled and Unbound for DNS. Tailscale is also running on the firewall, in case that matters. I can ping -6 my host with its IPv6 address. test-ipv6.com shows only my DNS server has IPv6 access. Any suggestions?

You have that "allow IPv6" switch set to "on" in the LAN & WAN iface settings?

You cannot set the prefix id 0 the same for two different interfaces. When you "request prefix only", you will have to set "Optional prefix ID" on WAN to a different 8-bit value than for LAN. Essentially, both are 0 now, so your WAN should get 0 (you can verify that) but LAN cannot be configured like that.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
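To illustrate the prefix ID point above, here is an added example (not from any poster or from OPNsense itself) that computes the /64 each tracking interface receives from a delegated /56 and rejects the "both interfaces use ID 0" configuration. It assumes the straightforward mapping the post describes: the bits between the delegated prefix length and /64 are filled with the prefix ID, so a /56 leaves an 8-bit ID. The prefix below is a constructed documentation prefix, not the poster's real allocation.

```python
import ipaddress
from typing import Dict

# Constructed sample prefix (documentation range), standing in for the ISP's /56.
DELEGATED_PREFIX = "2001:db8:1234:ab00::/56"


def subnet_for_prefix_id(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 a tracking interface gets for a given prefix ID.

    Assumption (matches the thread): the bits between the delegated prefix
    length and /64 are filled with the prefix ID, so a /56 leaves 8 bits
    (IDs 0x00..0xff); a /60 would leave only 4 bits (0x0..0xf).
    """
    pd = ipaddress.IPv6Network(delegated)
    id_bits = 64 - pd.prefixlen
    if id_bits <= 0:
        raise ValueError(f"{delegated} is already /64 or longer; nothing to sub-delegate")
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(
            f"prefix ID {prefix_id:#x} does not fit in {id_bits} bits for {delegated}"
        )
    # Shift the ID into the subnet-ID field (bits 64..127 counted from the low end).
    base = int(pd.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def plan_subnets(delegated: str, assignments: Dict[str, int]) -> Dict[str, ipaddress.IPv6Network]:
    """Map interface name -> /64, refusing duplicate prefix IDs.

    Two interfaces with the same ID would be told to use the same /64,
    which is exactly the WAN=0 / LAN=0 clash described in the thread.
    """
    owner_of: Dict[int, str] = {}
    plan: Dict[str, ipaddress.IPv6Network] = {}
    for iface, pid in assignments.items():
        if pid in owner_of:
            raise ValueError(f"prefix ID {pid:#x} used by both {owner_of[pid]} and {iface}")
        owner_of[pid] = iface
        plan[iface] = subnet_for_prefix_id(delegated, pid)
    return plan


if __name__ == "__main__":
    for name, net in plan_subnets(DELEGATED_PREFIX, {"wan": 0, "lan": 1}).items():
        print(f"{name}: {net}")
```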

BrandyWine, there aren't any "allow IPv6" toggles in WAN & LAN interface settings on the GUI.

meyergru, I changed the setup so that the WAN interface is now specifically set to prefix id 0 and the LAN interface is set to prefix id 1 and then rebooted everything. I still have the same symptoms from the LAN side: "Network is unreachable". I'm not seeing an IPv6 default route on my host.

netstat -r -f inet6   
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 eno3
192.168.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eno3

Did you verify that the WAN gets an IPv6 GUA assigned?

I do not quite understand what you mean by: "I can successfully ping and traceroute -6 from Race's ONT and from the OPNsense firewall" - The ONT should not be able to ping anything on the internet (much less so with IPv6), unless that is not a pure ONT (i.e. bridge), but a router. If the latter, it must sub-delegate a prefix to your OpnSense and that has to be split up to your LAN(s).

Can you ping an IPv6 target from OpnSense, like "ping 2600::"? It is vital to get IPv6 on your WAN before thinking of delegating it to your LAN side.

You should find out what prefix size your WAN is getting for sub-delegation.

I can't be sure about OPNsense WAN side GUA at the moment. While I was working on this problem last night, I started experiencing some bizarre behavior from the OPNsense firewall. It displayed weird pop-ups that said "Dangerous error" and then became non-responsive. Its boot process is now abnormal. Protectli support says they've never seen that behavior before and recommends reinstalling OPNsense. If I still have problems, they will replace the SSD. Anyway, I am currently using my previous firewall (Supermicro E200-9B/pfSense). I have the same issues here (this makes me think that I am missing something basic), though my pfSense WAN interface has the following IPv6 addresses:
IPv6 Link Local     fe80::ec4:7aff:fe7f:80f4%igb0
IPv6 Address        2607:9b00:620d:7b00:ec4:7aff:fe7f:80f4
I have only seen Link Local addresses on the LAN side (both in OPNsense and pfSense), is this expected behavior?

The ONT is more than just a simple network terminal. Race provides a Calix u6xw/4227w ONT/"Residential Gateway" at the customer endpoints of its fiber network. I only use it as an ONT, since I normally use a Protectli Vault V1410/OPNsense as a router/firewall feeding two Ubiquiti WiFi access points and some GbE wired connections.

From the Calix GUI I can ping and traceroute, just like I can from the OPNsense GUI. From the OPNsense GUI I can ping and traceroute with IPv6 to arbitrary host FQDNs, as well as IPv6 addresses.

Quote from: GSMartin on August 16, 2025, 02:23:23 AM
BrandyWine, there aren't any "allow IPv6" toggles in WAN & LAN interface settings on the GUI.

It's in Interface > Settings.

"Allow IPv6
If unchecked, IPv6 interface configuration will be ignored and all forwarding traffic will be blocked. Use with care."

According to the manual, it should be enabled by default:
https://docs.opnsense.org/manual/interfaces_settings.html#allow-ipv6
Topton N5105 | 16GB RAM | 128GB NVMe | 4x i226-V

Quote from: GSMartin on August 16, 2025, 02:23:23 AM
BrandyWine, there aren't any "allow IPv6" toggles in WAN & LAN interface settings on the GUI.
Sorry, I meant

Interfaces -- Settings

Quote from: GSMartin on August 17, 2025, 01:36:46 AM
I can't be sure about OPNsense WAN side GUA at the moment.

...

From the Calix GUI I can ping and traceroute, just like I can from the OPNsense GUI. From the OPNsense GUI I can ping and traceroute with IPv6 to arbitrary host FQDNs, as well as IPv6 addresses.

You should be able to see what IPv6 your WAN has, can't you?

I would take the fact that the Calix can do IPv6 as an indication that it acts as a router, not a modem bridge. If it does, it probably uses the IA_PD prefix or the IA_NA IP already - at least, you cannot be sure that it does not interfere with anything your OpnSense needs on the IPv6 side of things, so the rest of the discussion is based on pure speculation.