Assigning Global IPv6 to LAN behind OPNsense as down-stream router

Started by iTheMask, August 16, 2025, 12:23:54 PM

I'm trying to assign global IPv6 addresses to the LAN side of my OPNsense VM, but I could use some guidance for my unusual setup.

My setup:
  • OPNsense is running in a virtual machine. Its role is to route traffic from my main network to VMs on a different subnet and perform NAT so those VMs can access the internet via my main network.
  • IPv4 setup is done with static private IP on the WAN side of OPNsense with DHCPv4 and DNS via DNSmasq.
  • WAN side of the OPNsense VM is connected to my main network. LAN connects to other VMs.

Challenges:
  • My ISP provides a dynamic /56 IPv6 prefix that changes often (power loss, reconnection, etc.).
  • My main router (not OPNsense) only delegates a single /64 subnet and provides addresses via SLAAC only.
  • Currently, OPNsense itself gets a /128 via SLAAC from the main router.
  • Attempting to configure LAN IPv6 using "Track Interface" fails because the parent interface shows up empty.

I've already tried to use ISC DHCPv6 and Kea DHCPv6 without any success, as it seems both will require static IPv6 (and even if dynamic prefix is supported I will need a /64 subnet, which I wasn't able to get).

What I want to achieve:
1. To use the ISP-provided /56 prefix to get out a second /64 subnet for the VMs LAN, leaving the main network untouched:
A. LAN VMs to get global IPv6 addresses via DHCPv6 with static MAC assignments
B. or SLAAC if the DHCPv6 server is not possible
2. Worst case to get IPv6 connectivity via the /128 of OPNsense as NAT connection

Are any of these possible in OPNsense (even if it requires scripting), or is there a built-in way to handle this kind of dynamic prefix delegation?

Thanks in advance for any advice!

I maintain a plugin that can do something for you, but it's rather hacky in its nature, and if it doesn't work I cannot really help as it's quite hard to troubleshoot.

If you want something generally stable, use this:

https://docs.opnsense.org/manual/ndproxy.html#offering-services-behind-nat-cloud-setup

If you want something more hacky look at the other example :)
Hardware:
DEC740

Quote from: Monviech (Cedrik) on August 16, 2025, 12:32:03 PM
I maintain a plugin that can do something for you, but it's rather hacky in its nature, and if it doesn't work I cannot really help as it's quite hard to troubleshoot.

If you want something generally stable, use this:

https://docs.opnsense.org/manual/ndproxy.html#offering-services-behind-nat-cloud-setup

If you want something more hacky look at the other example :)

Thanks, I would love to hear about your plugin.

I will keep ndproxy in mind as a last resort to just establish outward connections only.

August 16, 2025, 12:56:28 PM #3 Last Edit: August 16, 2025, 01:01:40 PM by Monviech (Cedrik)
Well, ndproxy is that plugin. Sorry, I don't have anything else xD

This here also works but your prefix is very unstable:
https://docs.opnsense.org/manual/ndproxy.html#simple-setup-for-home-users

The one with NPTv6 in my post before is generally stable and you can NAT inbound and outbound just fine with it.