IPv6 downstream router (FritzBox) requires OPNsense to behave like ISP

Started by GerhardHeus, February 11, 2026, 11:33:36 AM

Why do you delegate ULA prefixes? You can't use ULAs for Internet access.

Simply configure KEA with GUAs based on the static prefix you get from your ISP.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Monviech (Cedrik) on February 12, 2026, 01:44:27 PM
Okay so the routing from OPNsense to Fritzbox should be okay now.

Are you having Router Advertisements set up on OPNsense, so that the Fritzbox gets a default gateway advertised on the link it's connected on (igc0)?

I have it activated without specific settings per (V)LAN interface; I added a specific configuration for LAN and disabled it, so for LAN it should now be disabled. I did not notice any difference in behaviour in any of the systems.

February 12, 2026, 02:12:26 PM #32 Last Edit: February 12, 2026, 02:14:50 PM by Monviech (Cedrik)
I would use GUAs as well, maybe the Fritzbox is weird here.

Anyway, if the following is true it's not a routing issue anymore:

-> KEA leased IA_NA and IA_PD to Fritzbox
-> KEA installed a route targeting the link local address of the Fritzbox
-> There are Router Advertisements sent to the Fritzbox
-> The IPv6 default route of the Fritzbox points to the OPNsense router

Though I probably cannot help more now if there's no bug to hunt anymore. Routing should be clean now.

(Also, setting the /48 GUA prefix in KEA does not mean it takes authority over it. You can safely do that, just be careful with the range you use for IA_PD so it doesn't overlap with what you use on the interfaces of the OPNsense and you are good.)
Hardware:
DEC740

Dear Naurice and Cedrik, once again many thanks for your support and comments. It *seems* to work now with KEA with GUA + Legacy Track Interface + RA without configuration active for LAN. There were two things needed: 1) the route must be set up; this is now working fine after the patch and 2) I originally set the delegated length in KEA to a value lower than 64, knowing that Fritz needs at least 2 /64 prefixes. Then I read in some documentation that ISC DHCPv6 supplies prefixes in /64's; when I changed the delegated length in KEA to 64, Fritz also accepted the prefixes for both its guest and non-guest networks (the numbering is slightly different than in the ISC DHCPv6 case, but that doesn't matter).

It is running now for a few hours; maybe it is too early to give a definitive judgement, but I am already very happy about the result. Once again, many thanks!

Thank you for providing info that helped to find a bug and verify the prefix delegation with KEA.

I feel like you were the first one trying (that I read), so the feedback was very valuable :)
Hardware:
DEC740

Thank you. Maybe one suggestion: in the KEA documentation of OPNsense, the example for prefix delegation shows a delegated length of 56. It might be worthwhile to mention that there may be systems that require 64 as a delegation length.
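
Added example (not part of the thread and not OPNsense or KEA code): a small Python check for the two points discussed above, that the IA_PD pool must not overlap the prefixes used on the OPNsense interfaces and that the delegated length determines what a downstream router receives. The /48, the interface names and all prefixes are constructed from the 2001:db8::/32 documentation range; the function names are hypothetical.

```python
import ipaddress
from itertools import islice


def check_pd_pool(static_prefix, interface_prefixes, pd_pool, delegated_len):
    """Return (problems, capacity) for a planned IA_PD pool.

    problems: list of human-readable findings (empty means the plan is clean)
    capacity: number of prefixes of delegated_len the pool can hand out
    """
    site = ipaddress.IPv6Network(static_prefix)
    pool = ipaddress.IPv6Network(pd_pool)
    problems = []

    # The pool has to be carved out of the prefix the ISP routes to you.
    if not pool.subnet_of(site):
        problems.append(f"pool {pool} is outside static prefix {site}")

    # A delegation cannot be larger than the pool it is taken from.
    if delegated_len < pool.prefixlen:
        problems.append(f"delegated length /{delegated_len} is shorter than pool /{pool.prefixlen}")
        return problems, 0

    # The caveat from the thread: no overlap with on-link interface prefixes.
    for name, prefix in interface_prefixes.items():
        net = ipaddress.IPv6Network(prefix)
        if net.overlaps(pool):
            problems.append(f"{name} {net} overlaps pool {pool}")

    return problems, 2 ** (delegated_len - pool.prefixlen)


def first_delegations(pd_pool, delegated_len, count):
    """List the first `count` prefixes a server could delegate from the pool."""
    pool = ipaddress.IPv6Network(pd_pool)
    return [str(n) for n in islice(pool.subnets(new_prefix=delegated_len), count)]


if __name__ == "__main__":
    # Constructed sample plan, documentation addresses only.
    site = "2001:db8:abcd::/48"
    interfaces = {"LAN": "2001:db8:abcd:1::/64", "GUEST": "2001:db8:abcd:2::/64"}
    for pool in ("2001:db8:abcd::/56", "2001:db8:abcd:100::/56"):
        problems, capacity = check_pd_pool(site, interfaces, pool, 64)
        print(pool, "capacity:", capacity, "problems:", problems or "none")
    print(first_delegations("2001:db8:abcd:100::/56", 64, 2))
```
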