Help with IPv6

Started by Taomyn, March 29, 2017, 02:36:35 PM

A bit more information, I tested pinging between the 3 interfaces on the firewall, LAN/GLAN/WAN, and my Windows server, SRV which is on the LAN network, and these were the results:


LAN > WAN - OK
GLAN > WAN - OK
WAN > LAN - FAIL
WAN > GLAN - FAIL
SRV > LAN - OK
SRV > GLAN - OK
SRV > WAN - OK
WAN > SRV - FAIL
LAN > SRV - OK
GLAN > SRV - OK


So the problem could lie with the WAN interface not being able to ping the other interfaces, so any idea where I look to fix that?


Apart from ICMP, does HTTP work over IPv6?

Bart...

I don't think so, I visited www.kame.net and I never get the proper dancing kame :-(


I've seen another thread here where someone else lost IPv6 connectivity when they upgraded to 17.1.3 https://forum.opnsense.org/index.php?topic=4816.msg18821#msg18821 and I get the same if I try to use the Track IPv6 option for the LAN interface, as I suspect if my DHCPv6 address on the WAN is going to change, I'll need it.


Perhaps IPv6 is broken in the later releases?

March 31, 2017, 08:10:02 AM #18 Last Edit: March 31, 2017, 08:11:46 AM by rgo
Maybe this is the wrong place to ask this. If you have a WAN with a public IPv6 address and you want the inside IPv6 LAN addresses to be fdxx:xxxx:xxxx (private addresses).

Can this be done with OPNsense, or do all inside LAN IPv6 addresses have to be on the public side? If this can be done, does anyone have a simple checklist or how-to for configuring IPv6 WAN <-> NAT <-> inside DHCPv6 <-> LAN?

I have IPv6 working fine. I want to be able to do the same as IPv4 WAN <-> NAT <-> inside DHCP <-> LAN but on IPv6 too. If anyone has done this with OPNsense I would like to know how you were able to get it working.

I have IPv4 & IPv6 working on 17.1.4

Generally IPv6 does away with the reasons for NAT (address space exhaustion, LAN discovery) but there is no reason why you can't do it. However, the fc00::/7 range is reserved for non-routable addresses. Any router (including OPNsense) will refuse to route these. Only addresses in the 2000::/3 range are publicly routed.

You can set up an internal IPv6 /64 subnet and NAT that to another range on OPNsense. The option for this is NPT (Network Prefix Translation) under firewall, NAT. As its name implies, the host portion of the address stays the same and the first 64 bits of the address are NAT-ed.

Bart...
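To make the NPT description above concrete, here is an added example (not OPNsense code and not from any poster) that rewrites only the first 64 bits of an address between a ULA prefix and a public prefix, keeping the host portion, and checks that the inside range is in fc00::/7 while the outside range is in 2000::/3. The two prefixes are constructed stand-ins, not addresses from the thread.

```python
import ipaddress

# Constructed prefixes (not from the thread): a ULA /64 inside, a documentation /64 outside.
INTERNAL_PREFIX = ipaddress.IPv6Network("fd12:3456:789a:1::/64")
EXTERNAL_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1::/64")

ULA = ipaddress.IPv6Network("fc00::/7")             # not routed on the public internet
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # the publicly routed range

HOST_MASK = (1 << 64) - 1  # low 64 bits: the host portion that NPT leaves untouched


def translate(addr, src_prefix, dst_prefix):
    """Swap the /64 prefix of addr from src_prefix to dst_prefix, host bits unchanged.

    This is the plain prefix rewrite described in the post; RFC 6296 NPTv6
    additionally adjusts one 16-bit word so transport checksums stay valid.
    """
    addr = ipaddress.IPv6Address(addr)
    if addr not in src_prefix:
        raise ValueError(f"{addr} is not inside {src_prefix}")
    host_bits = int(addr) & HOST_MASK
    return ipaddress.IPv6Address(int(dst_prefix.network_address) | host_bits)


def outbound(addr):
    """LAN -> WAN direction: ULA prefix becomes the public prefix."""
    return translate(addr, INTERNAL_PREFIX, EXTERNAL_PREFIX)


def inbound(addr):
    """WAN -> LAN direction: public prefix becomes the ULA prefix again."""
    return translate(addr, EXTERNAL_PREFIX, INTERNAL_PREFIX)


def is_sane_pair(internal, external):
    """Inside must be a ULA /64, outside a globally routed /64, or NPT makes no sense."""
    return (internal.prefixlen == 64 and external.prefixlen == 64
            and internal.subnet_of(ULA) and external.subnet_of(GLOBAL_UNICAST))


if __name__ == "__main__":
    lan_host = "fd12:3456:789a:1::1234"
    print(is_sane_pair(INTERNAL_PREFIX, EXTERNAL_PREFIX))
    print(lan_host, "->", outbound(lan_host), "->", inbound(outbound(lan_host)))
```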

Well, I would like to have the same setup for IPv6 as for IPv4. I looked at that, but I could not make it work by just having the public address 2001:xxx:xxx:xxx:xxx and then a private address on the LAN side... then have NAT sit between the public 2001: and the private fdxx:xxx:xxxx:xxxx:xxxx.

NPT, how would you configure that with LAN DHCPv6? That's why I was asking whether anyone has it working and how they were able to make it work. I cannot get anything to work besides the default IPv6 setup.

Looks like I'm going to have abandon my attempts to get this working unless someone can help me figure out why OPNsense isn't allowing the traffic through. It's causing slow-downs all over my network with devices trying IPv6 first, failing then eventually falling back to IPv4.

Can you see the IPv6 traffic heading out and coming back? Interfaces, Diagnostics, Packet Capture, IPv6 only.

Bart...

After restoring the IPv6 settings and rebooting, how awesome is OPNsense  8)  I did a capture on the WAN port whilst visiting ipv6-test.com and I'd say no:

11:14:32.064508 IP6 2a02:::::::.62437 > 2001:41d0:8:e8ad::1.80: tcp 0

This just repeats for the entire test. I obfuscated my WAN IP.


But if I ping6 ipv6.google.com from the firewall console:

11:23:27.386204 IP6 2a02::::::: > 2a00:1450:4007:814::200e: ICMP6, echo request, seq 0, length 16
11:23:27.423328 IP6 2a00:1450:4007:814::200e > 2a02:::::::: ICMP6, echo reply, seq 0, length 16



Traffic does come back.

That would indicate that your LAN IPs are not in the delegation and so your ISP is not routing the packets back.

Can you double check that the LAN range is inside? http://www.ipv6calculator.net/

Bart...
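The check Bart asks for, as an added example that is not from the thread or from OPNsense: given the ISP's delegated prefix, compute the /64 that a "Track Interface" prefix ID selects (the thread mentions a /56 delegation and IDs 0 and 1) and verify that a LAN range lies inside the delegation. The delegation value is a constructed placeholder, since the real one was obfuscated.

```python
import ipaddress

# Constructed /56 delegation standing in for the ISP-assigned one (not from the thread).
DELEGATED = ipaddress.IPv6Network("2001:db8:1234:ab00::/56")


def tracked_prefix(delegation, prefix_id, prefixlen=64):
    """Return the /64 that a Track Interface prefix ID selects inside the delegation.

    The ID fills the bits between the delegation length and the /64 boundary,
    so a /56 delegation offers 256 IDs (0..255); ID 0 and ID 1 give adjacent /64s.
    """
    id_bits = prefixlen - delegation.prefixlen
    if id_bits < 0:
        raise ValueError("delegation is shorter than the requested prefix length")
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID {prefix_id} does not fit in a /{delegation.prefixlen}")
    base = int(delegation.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << (128 - prefixlen)), prefixlen))


def inside_delegation(lan_prefix, delegation):
    """Is the LAN range inside what the ISP delegated? If not, return traffic is dropped upstream."""
    return ipaddress.IPv6Network(lan_prefix).subnet_of(delegation)


def assign_ids(delegation, interface_ids):
    """Map interface name -> /64 for several tracked interfaces, refusing duplicate IDs."""
    if len(set(interface_ids.values())) != len(interface_ids):
        raise ValueError("two interfaces share a prefix ID; they would get the same /64")
    return {name: tracked_prefix(delegation, pid) for name, pid in interface_ids.items()}


if __name__ == "__main__":
    for name, prefix in assign_ids(DELEGATED, {"lan": 0, "opt1": 1}).items():
        print(name, prefix, "inside delegation:", inside_delegation(prefix, DELEGATED))
```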

I'm pretty sure it is because I base the IP of the LAN from the IP gained by the WAN by DHCPv6 from my ISP.


Can I PM you the results of pinging WAN to LAN and then LAN to WAN on the console of the firewall? I don't want to obfuscate them so you can see things exactly as I do nor post them publicly.

The LAN IPv6 setting should be set to "Track Interface"; this will set up the delegated prefix automatically.

I did try that, it does nothing, the two internal interfaces simply sit there without ever being assigned an IP, and still no IPv6 traffic flows.

Are you using the advanced mode for DHCPv6 config on your WAN? If so, disable it. Also, make sure you are not using the same ID on both the internal connections for Track Interface, and you can take a look at the DHCP log file for hints at why it is not working properly; it could be that you have the wrong prefix size set.

Nope, using Basic and the IDs are 0 and 1. My ISP has told me that my prefix must be /56.

I could not find a log specific to DHCPv6 and the other DHCP log has nothing of note. After a reboot this is what the system log contains:

Apr 1 05:02:08 configd.py: [23e250ea-4cd5-4b30-8bc2-573d0731c8bc] request mac table
Apr 1 05:00:33 configd.py: [c92d608a-f1df-485f-897c-9fc0138a1d7b] request mac table
Apr 1 05:00:00 configd.py: [382e7999-b920-4ed1-95b3-b17771d597db] refresh url table aliases
Apr 1 04:58:35 opnsense: /diag_logs.php: Successful login for user 'root' from: 192.168.1.12
Apr 1 04:58:33 sshlockout[14408]: sshlockout/webConfigurator v3.0 starting up
Apr 1 04:58:33 flowd_aggregate.py: flowd aggregate died with message Traceback (most recent call last): File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 148, in run aggregate_flowd(do_vacuum) File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 79, in aggregate_flowd stream_agg_object.add(flow_record_cpy) File "/usr/local/opnsense/scripts/netflow/lib/aggregates/interface.py", line 70, in add super(FlowInterfaceTotals, self).add(flow) File "/usr/local/opnsense/scripts/netflow/lib/aggregate.py", line 258, in add self._update_cur.execute(self._update_stmt, flow) DatabaseError: database disk image is malformed
Apr 1 04:58:32 kernel:
Apr 1 04:58:32 kernel:
Apr 1 04:58:29 lighttpd[46191]: (log.c.217) server started
Apr 1 04:58:26 kernel: done.
Apr 1 04:58:24 root: /etc/rc.d/hostid: WARNING: hostid: unable to figure out a UUID from DMI data, generating a new one
Apr 1 04:58:24 configd.py: generate template container OPNsense/Syslog
Apr 1 04:58:23 kernel: done.
Apr 1 04:58:23 configd.py: [1480ab46-47c1-4ce6-965e-bf934c4a8271] generate template OPNsense/Syslog
Apr 1 04:58:20 kernel: deferred.
Apr 1 04:58:20 opnsense: /diag_logs.php: Web GUI authentication error for 'root' from 192.168.1.12
Apr 1 04:58:20 kernel: done.
Apr 1 04:58:20 opnsense: /usr/local/etc/rc.bootup: miniupnpd: Starting service on interface: opt1, lan
Apr 1 04:58:20 configd.py: generate template container OPNsense/Syslog
Apr 1 04:58:20 configd.py: generate template container OPNsense/Sample/sub2
Apr 1 04:58:19 configd.py: generate template container OPNsense/Sample/sub1
Apr 1 04:58:18 configd.py: generate template container OPNsense/Sample
Apr 1 04:58:16 configd.py: generate template container OPNsense/Proxy
Apr 1 04:58:15 configd.py: generate template container OPNsense/Netflow
Apr 1 04:58:15 configd.py: generate template container OPNsense/Macros
Apr 1 04:58:14 configd.py: generate template container OPNsense/IPFW
Apr 1 04:58:12 configd.py: generate template container OPNsense/IDS
Apr 1 04:58:09 configd.py: generate template container OPNsense/HAProxy
Apr 1 04:58:09 configd.py: generate template container OPNsense/Cron
Apr 1 04:58:08 configd.py: generate template container OPNsense/Captiveportal
Apr 1 04:58:07 configd.py: generate template container OPNsense/Auth
Apr 1 04:58:07 configd.py: generate template container OPNsense/AcmeClient
Apr 1 04:58:05 kernel: .done.
Apr 1 04:58:05 configd.py: [50195eb9-e5e5-46f9-a161-ed11da188d32] generate template *
Apr 1 04:58:04 kernel: ..
Apr 1 04:58:04 kernel: ..
Apr 1 04:58:02 sshd[77658]: Server listening on 0.0.0.0 port 22222.
Apr 1 04:58:02 sshd[77658]: Server listening on :: port 22222.
Apr 1 04:58:02 kernel: done.
Apr 1 04:58:02 kernel: done.
Apr 1 04:58:01 kernel: done.
Apr 1 04:58:01 kernel: done.
Apr 1 04:57:58 configd.py: [31586151-aa58-484d-9a88-60ee6f75a597] rc.newwanip starting pppoe0
Apr 1 04:57:58 opnsense: /usr/local/etc/rc.newwanipv6: rc.newwanipv6: Failed to detect IPv6 for WAN[wan]
Apr 1 04:57:58 opnsense: /usr/local/etc/rc.newwanipv6: rc.newwanipv6: Informational is starting pppoe0.
Apr 1 04:57:57 configd.py: [11b513e9-2a0b-45f2-b38c-0a2d5e60a446] rc.newwanip starting pppoe0
Apr 1 04:57:57 kernel: done.
Apr 1 04:57:57 kernel: done.
Apr 1 04:57:56 lighttpd[14222]: (log.c.217) server started
Apr 1 04:57:56 configd.py: [d2f23de4-01ad-482a-9c04-3792acb7f504] Linkup starting em0