Need to select "Prefer to use IPv4 even if IPv6 available" to upgrade to 26.1?

Started by trdeal, February 04, 2026, 07:05:54 AM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
Today at 04:29:15 PM #15
Quote from: nero355 on Today at 03:33:48 PM
Quote from: franco on Today at 03:25:21 PMIn some cases there's a bad SLAAC address on the WAN. It's not easy to get rid of it programmatically.
Isn't that easily fixed with the setting "Request a Prefix Only" on the WAN Interface ?
No. This disables requesting an address via DHCPv6, but it doesn't disable SLAAC. There's currently no way to disable SLAAC on a DHCPv6 interface.

Quote from: nero355 on Today at 03:33:48 PMUsually you don't need more than that since your OPNsense will use the Link-Local address to communicate with your ISP's Router :)
OPNsense needs a GUA as a source address for many local services (DNS resolver, firmware updater etc).
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
Today at 04:31:44 PM #16
> OPNsense needs a GUA as a source address for many local services (DNS resolver, firmware updater etc).

Yes but not necessarily on the WAN side.


Cheers,
Franco
Today at 04:38:00 PM #17
Quote from: franco on Today at 04:31:44 PMYes but not necessarily on the WAN side.
Technically correct, but I've seen so many side effects when the WAN interface itself is left without a GUA that I don't recommend that. Some services really don't like that.

But yes, you're technically correct.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
Today at 04:47:40 PM #18
It's a brave new world since https://github.com/opnsense/dhcp6c/commit/369b4dcf ;)
Today at 04:54:32 PM #19
Do I read this correct? There are ISPs who do this in direct violation of RFC 3633? Or has this RFC been superseeded?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Today at 04:55:44 PM #20
Hi,
The upstream router was the issue, it had a IPv6 Group object to route the IPv6 networks behind Opnsense but did not include the IPv6 object representing Opnsense FW. Updating the IPv6 Group object for routing and the problem was resolved. It was not DNS this time only human error :(

Run an Audit -> Connectivity
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 26.1.1 (amd64) at Thu Feb  5 15:49:16 GMT 2026
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes

--- 89.149.222.99 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 929 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
PING(1548=40+8+1500 bytes) 2a02:8010:d00d:1:8395:9cef:ffaa:d122 --> 2001:1af8:5300:a010:1::1
1508 bytes from 2001:1af8:5300:a010:1::1, icmp_seq=1 hlim=56 time=23.762 ms
1508 bytes from 2001:1af8:5300:a010:1::1, icmp_seq=2 hlim=56 time=24.991 ms
1508 bytes from 2001:1af8:5300:a010:1::1, icmp_seq=3 hlim=56 time=24.747 ms

--- 2001:1af8:5300:a010:1::1 ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/stddev = 23.762/24.500/24.991/0.531 ms
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 929 packages processed.
All repositories are up to date.
Checking server certificate for host: pkg.opnsense.org
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
verify return:1
depth=0 CN = pkg.opnsense.org
verify return:1
DONE
***DONE***
Today at 05:20:55 PM #21
Quote from: Patrick M. Hausen on Today at 04:54:32 PMDo I read this correct? There are ISPs who do this in direct violation of RFC 3633? Or has this RFC been superseeded?

No, we're doing this now since it's no longer in the RFC (and it works nicely to put a prefix on WAN).
Today at 06:08:26 PM #22
That's what I meant by superseeded:

Code Select
Obsoleted by: 8415                                     PROPOSED STANDARD
Updated by: 6603, 7550                                      Errata Exist

So, yes. The standard has changed.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Today at 06:21:43 PM #23
Quote from: Patrick M. Hausen on Today at 06:08:26 PMSo, yes. The standard has changed.

RFC-9915 obsoletes 8415.
Print
Go Up Pages 1 2
User actions