Help with IPv6

Started by Taomyn, March 29, 2017, 02:36:35 PM

I finally have an IPv6 address from my ISP so OPNsense is working just fine in this respect (I have a PPPoE connection, with a VLAN, the IPv6 address is set on the WAN interface as DHCPv6, using IPv4 connectivity).


Now that it's working where do I go next? I'd like to get this working internally now as I have a small test project that can use IPv6 and want to use this to further my knowledge of IPv6.


I'm assuming I need to now enable IPv6 on the LAN interface so what IPv6 option do I set? I did look in the wiki, skipping past the tunnel stuff to "Step 3", and it mentions using "Static IPv6", but no information on what address to use.


BTW, is the wiki search function meant to work, because I enter a search term e.g. ipv6, press enter and all I see is "Searching......"

Pick a /64 within your delegation and assign a static IP to the LAN interface from that subnet. Enable router advertisements from the dhcpv6 service and watch the magic happen (SLAAC permitting) ;-)

Bart...

Thanks Bart. Spookily my ISP just called to tell me that IPv6 should be enabled, but the only extra information I could get out of them was that I was to use DHCPv6 for the WAN connection, and to use /56 for the prefix delegation size and not /64.

But how to now get a static from my public IP I don't know - see, I'm very new at this ;-) The firewall tells me I have a public IPv6 address with a /64 subnet, the IPv6 test ping to ipv6.google.com works (I did set the WAN "DHCPv6 Prefix Delegation size" to 56).

Given the size of the overall address space, I can't see your ISP changing your range any time soon but it's worth keeping an eye on your WAN interface across a couple of reconnects.

RFC3177 says that you should assign a /64 for any network that contains hosts https://tools.ietf.org/html/rfc3177 so the /56 gives you the option to create a DMZ (or even a few hundred).

Bart...

I'm trying to confirm what the /56 prefix is that I've been assigned, but I can't figure out how to get the firewall to tell me. Any ideas?

Is there an IPv6 address showing on the interface section of your dashboard?

The first 14 characters are your /56. E.g. 2001:0db8:85a3:4700:feed:8a2e:0370:7334 would be part of a 2001:0db8:85a3:47::0/56 delegation.

You can also get the IPv6 from the console (or SSH) with ifconfig.

Ignore the fe80: address; routable addresses start with 2001:

Bart...

Ok got that, so if my IPv6 address is:

2065:456:1:88fd:325:22aa:eda2:2fc4/64

Then would my prefix be:

2065:456:1:88::0/56

And then if I wanted to I can subnet it for example:

2065:456:1:8801::0/64
2065:456:1:8802::0/64
etc

And avoid the one being used by the WAN link i.e.

2065:456:1:88fd::0/64

Yes, spot on. Once you have your internal computers set up, try http://cav6tf.org/ to test.

Bart...

Great, and sorry for all the questions but I was trying things out and nothing works. I'm hoping this thread will be useful to others should they come looking.


When I set an interface to "Static IPv6" the address setting asks for what I assume is the "/" number after it (the advanced help is greyed out for this, which isn't helpful), so does that mean I assign it the subnet and choose 64? When I do this all I see assigned to the interface is just the subnet.

Quick update as I am making progress:

WAN - working, I can ping ipv6.google.com

LAN - working, I assigned it a subnet, can ping ipv6.google.com

Internal PC - I enabled "Unmanaged" router advertisements for the LAN DHCPv6 server (nothing else changed), I renewed the IPs on my workstation, it gets what looks like two IPv6 addresses based off the subnet assigned (one is designated temp), I can ping LAN and WAN, but I cannot ping ipv6.google.com

Does your DNS server resolve AAAA records? You can try ping to 2001:4860:4860::8888 or 2001:4860:4860::8844

Bart...

Yes, it seems to be working - all my devices are getting IPv6 IPs now which is nice :-)


C:\WINDOWS\system32>ping -6 ipv6.google.com


Pinging ipv6.l.google.com [2a00:1450:4007:812::200e] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.


Ping statistics for 2a00:1450:4007:812::200e:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


C:\WINDOWS\system32>ping -6 2001:4860:4860::8844


Pinging 2001:4860:4860::8844 with 32 bytes of data:
Request timed out.


Ping statistics for 2001:4860:4860::8844:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\WINDOWS\system32>nslookup ipv6.google.com 192.168.1.10
Server:  homer.windowsserver.local
Address:  192.168.1.10


Non-authoritative answer:
Name:    ipv6.l.google.com
Address:  2a00:1450:4007:812::200e
Aliases:  ipv6.google.com

Just an update, it's still not fully working i.e. none of my internal devices can communicate to the Internet via IPv6, but internally everything is working, and the firewall itself is able to send traffic so I don't think it's my ISP.


I've also added a rule to allow IPv6 ICMP from external and that works fine from a test website I found.


Any ideas? Do I need to enable another option somewhere to allow the traffic from the LAN to the WAN interface? The "Default allow LAN IPv6 to any rule" is present and I don't see the traffic being blocked.

Sounds like a routing issue. Perhaps a typo on your LAN side? I.e. your traffic is going out OK but return packets never make it back because your LAN is outside your range and your ISP routes it to somebody else.

Bart...
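The prefix arithmetic in the posts above (deriving the /56 from a WAN address, carving it into /64s that avoid the WAN link's /64) and Bart's "typo on your LAN side" hypothesis can both be checked mechanically instead of by counting characters. This is an added example using Python's standard ipaddress module, not code from the thread or from OPNsense; the addresses are the ones Taomyn and Bart posted. Note that "::" only compresses runs of all-zero groups, so the fourth group has to be written out in full (8800, not 88) for the prefix to land inside the delegation.

```python
import ipaddress
from typing import List


def delegation_from_address(addr: str, pd_len: int = 56) -> str:
    """Return the /pd_len prefix (default /56, as the ISP in this thread uses)
    that contains the given WAN address. Any trailing /64 is ignored."""
    host = addr.split("/")[0]
    return str(ipaddress.IPv6Interface(f"{host}/{pd_len}").network)


def lan_subnets(delegation: str, wan_addr: str, subnet_len: int = 64) -> List[str]:
    """Enumerate every /subnet_len inside the delegation except the one the
    WAN link itself lives in, so a LAN prefix never collides with it."""
    wan_net = ipaddress.IPv6Interface(f"{wan_addr.split('/')[0]}/{subnet_len}").network
    deleg = ipaddress.IPv6Network(delegation, strict=False)
    return [str(n) for n in deleg.subnets(new_prefix=subnet_len) if n != wan_net]


def lan_prefix_in_delegation(lan_prefix: str, delegation: str) -> bool:
    """True if the LAN prefix sits inside the delegation. A LAN prefix outside
    it is exactly the 'typo' failure mode: outbound works, replies are routed
    elsewhere by the ISP and never come back."""
    lan = ipaddress.IPv6Network(lan_prefix, strict=False)
    deleg = ipaddress.IPv6Network(delegation, strict=False)
    return lan.subnet_of(deleg)


if __name__ == "__main__":
    wan = "2065:456:1:88fd:325:22aa:eda2:2fc4/64"  # WAN address from the thread
    pd = delegation_from_address(wan)
    print("delegation:", pd)                        # 2065:456:1:8800::/56
    free = lan_subnets(pd, wan)
    print(len(free), "usable /64s, first two:", free[:2])
    # The shorthand the thread used, and the fully written form, compared:
    for candidate in ("2065:456:1:88::/64", "2065:456:1:8801::/64"):
        print(candidate, "inside delegation:", lan_prefix_in_delegation(candidate, pd))
```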

Ok, well I'm now confused.


I just noticed that the WAN IP has changed slightly, though things were still the same and not fully working. Now my ISP has finally come back to me with my prefix, and it doesn't match up with the IP their DHCPv6 is giving my WAN interface.


So knowing what the ISP is saying is my prefix, is it possible for it to not match the DHCPv6 address I get assigned?