Can't get IPv6 working in new dual stack deployment

Started by CJ, Today at 02:05:07 PM

I'm attempting to stand up a dual stack deployment and I can't get IPv6 working.  While I'm familiar with OPNsense and IPv4, this is my first real foray into the world of IPv6.

ISP Router --> OPNsense --> Client

I'm stuck with the ISP router and it has zero configuration options.  OPNsense is an up to date install and reset to defaults.  It receives an IPv6 address from the ISP router and can connect to IPv6 hosts.  The client is unable to connect to anything IPv6.  If I connect the client directly to the ISP router then IPv6 just works.

How do I get IPv6 working on LAN?

Today at 02:42:07 PM #1 Last Edit: Today at 02:46:38 PM by Monviech (Cedrik)
Your ISP router should offer something like IPv6 prefix delegation (IA_PD).

It has to delegate a prefix via DHCPv6 that the OPNsense can use. The WAN interface would be configured with DHCPv6, and internal networks like LAN with Identity Association mode.

Then you need a Router Advertisement Daemon like Dnsmasq or Radvd to offer the prefixes (/64) that were subnetted from the delegated ISP prefix (>/64) to internal clients.

-------

If (and only if) your ISP router has no prefix delegation mode, a workaround could be an NDP proxy.
https://docs.opnsense.org/manual/ndp-proxy-go.html
Hardware:
DEC740
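The prefix-delegation path described above (WAN gets a delegation shorter than /64, internal interfaces each take one /64 out of it, and the RA daemon announces that /64 so clients can SLAAC) can be worked through with the standard library. This is an added illustration, not code from the thread or from OPNsense; the delegated prefix is a constructed documentation-range value, and the per-interface "prefix ID" index is an assumption standing in for the selector an Identity Association interface uses to pick its /64.

```python
import ipaddress

# Constructed stand-in for the prefix the ISP router would delegate (IA_PD).
# 2001:db8::/32 is the documentation range; a real delegation arrives in the
# DHCPv6 reply on WAN and is usually a /56 or /48.
DELEGATED_PREFIX = "2001:db8:4200::/56"

# Hypothetical per-interface prefix IDs: which /64 out of the delegation each
# internal interface takes (assumption: the same idea as the prefix ID an
# interface selects when it tracks WAN in Identity Association mode).
PREFIX_IDS = {"lan": 0, "dmz": 1, "guest": 0x10}


def carve_prefixes(delegated: str, prefix_ids: dict) -> dict:
    """Split a delegated prefix shorter than /64 into /64 subnets, one per
    internal interface, selected by prefix ID. Raises if the delegation is a
    /64 or longer (nothing to subnet) or if an ID is out of range."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen >= 64:
        raise ValueError(f"{delegated}: a /{net.prefixlen} cannot be subnetted into /64s")
    count = 1 << (64 - net.prefixlen)          # number of /64s available
    base = int(net.network_address)
    out = {}
    for iface, pid in prefix_ids.items():
        if not 0 <= pid < count:
            raise ValueError(f"{iface}: prefix ID {pid:#x} but only {count} /64s in {delegated}")
        # Consecutive /64s sit 2**64 apart; the prefix ID picks the pid-th one.
        out[iface] = str(ipaddress.IPv6Network((base + (pid << 64), 64)))
    return out


def slaac_address(lan_prefix: str, interface_id: int) -> str:
    """Address a client forms by SLAAC from the /64 the RA daemon announces:
    the 64-bit prefix plus a 64-bit interface identifier (constructed here)."""
    net = ipaddress.IPv6Network(lan_prefix)
    if net.prefixlen != 64 or not 0 <= interface_id < (1 << 64):
        raise ValueError("SLAAC needs a /64 and a 64-bit interface identifier")
    return str(ipaddress.IPv6Address(int(net.network_address) | interface_id))


def in_prefix(address: str, prefix: str) -> bool:
    """Check whether an address a client reports belongs to a given prefix."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(prefix)


if __name__ == "__main__":
    lans = carve_prefixes(DELEGATED_PREFIX, PREFIX_IDS)
    for iface, pfx in lans.items():
        print(f"{iface:6} {pfx}")
    host = slaac_address(lans["lan"], 0x021122FFFE334455)
    print("lan client:", host, "in lan prefix:", in_prefix(host, lans["lan"]))
```

The `in_prefix` check is the quick sanity test for the situation in this thread: if a client's global address does not fall inside a /64 carved from the WAN delegation, the delegation was never received and the router-advertisement side cannot be the problem yet.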

Quote from: Monviech (Cedrik) on Today at 02:42:07 PM
Your ISP router should offer something like IPv6 prefix delegation (IA_PD).

Unfortunately, it really does have zero configuration options.  I can't even change the IPv4 subnet.

Quote from: Monviech (Cedrik) on Today at 02:42:07 PM
It has to delegate a prefix via DHCPv6 that the OPNsense can use. The WAN interface would be configured with DHCPv6, and internal networks like LAN with Identity Association mode.

Then you need a Router Advertisement Daemon like Dnsmasq or Radvd to offer the prefixes (/64) that were subnetted from the delegated ISP prefix (>/64) to internal clients.

From what I can tell, that is how the OPNsense defaults are configured for IPv6.  I wasn't able to get it to work, I assume because I'm not getting a prefix from the ISP.

Quote from: Monviech (Cedrik) on Today at 02:42:07 PM
If (and only if) your ISP router has no prefix delegation mode, a workaround could be an NDP proxy.
https://docs.opnsense.org/manual/ndp-proxy-go.html

How would I configure the interfaces?

From what I read online, it appeared that IPv6 NAT was my only solution.  How does the proxy compare to that?

Check /tmp if you find a file that contains "prefix" for your WAN interface.

(eg igb1_prefix6...) out of my head right now.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on Today at 02:50:07 PM
Check /tmp if you find a file that contains "prefix" for your WAN interface.

(eg igb1_prefix6...) out of my head right now.

I'll take a look.  Do the WAN IPv6 defaults need to be changed in order for this to show?

On WAN you need DHCPv6 configured in order for that file to show.

For the ndp proxy, it has an example configuration to follow inside the manual. If you configure it exactly like that, IPv6 will most likely "just work" without any NAT66.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on Today at 03:07:23 PM
On WAN you need DHCPv6 configured in order for that file to show.

For the ndp proxy, it has an example configuration to follow inside the manual. If you configure it exactly like that, IPv6 will most likely "just work" without any NAT66.

I'll give that a try.  There do seem to be some typos/errors in the manual.  There's no "or" option to the "either" clause.

Go to Interfaces ‣ LAN and choose either a link-local IPv6 configuration.

Thanks I will fix that, looks like a grammar error.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on Today at 02:50:07 PM
Check /tmp if you find a file that contains "prefix" for your WAN interface.

(eg igb1_prefix6...) out of my head right now.

I reset to defaults and confirmed that my WAN was set to DHCPv6.  I don't see any prefix file in /tmp.

If there is no prefix you have these choices:

- Configure your ISP router to provide a prefix via DHCPv6
- Use the ndp proxy without a prefix via SLAAC
- Use NAT66 with ULAs or a "stolen" "internal" GUA
- Don't use IPv6
Hardware:
DEC740

I installed the ndp-proxy-go plugin and configured it according to the manual.  I unchecked RA under Dnsmasq General.

My client now gets global and unique local addresses that match the WAN prefix.  Client default route now shows LAN IPv4 and IPv6.  Client DNS shows WAN gateway for IPv6 and OPNsense for IPv4.

I still have no IPv6 connectivity on the client.  All pings time out.  Looking at the Firewall Live View I see the client global address being blocked by the default deny rule despite the default LAN allow all rules.

What does your allow all rule for IPv6 on LAN look like exactly? If you have source = LAN net instead of source = any, and you are using the NDP proxy, that would explain the traffic being denied because there is no LAN net. The firewall doesn't have an IPv6 address in that single /64 you use with the proxy on LAN (!).
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
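The failure mode Patrick describes (a LAN allow rule with source "LAN net" matching nothing once the NDP proxy puts the upstream /64 on LAN without giving the firewall an address in it) can be modelled in a few lines. This is an added illustration, not the thread's or OPNsense's code, and it assumes, as a simplification, that "LAN net" expands to the subnets of the interface's non-link-local IPv6 addresses and that the ruleset is the LAN allow rule followed by the implicit default deny. All addresses are constructed documentation-range values.

```python
import ipaddress

# Constructed addresses. With the NDP proxy the upstream /64 is made reachable
# on LAN while the firewall's LAN interface keeps only its link-local address.
UPSTREAM_PREFIX = "2001:db8:1::/64"
LAN_ADDRS_WITH_PROXY = ["fe80::1/64"]                      # proxy case
LAN_ADDRS_WITH_PD = ["fe80::1/64", "2001:db8:1::1/64"]     # LAN itself numbered
CLIENT = "2001:db8:1::1234"                                # client's global address


def lan_net(lan_addrs):
    """Expand the 'LAN net' source of a rule. Assumption used here: it covers
    the subnets of the interface's routable (non-link-local) IPv6 addresses, so
    an interface carrying only fe80::/64 expands to nothing."""
    nets = []
    for a in lan_addrs:
        iface = ipaddress.IPv6Interface(a)
        if not iface.ip.is_link_local:
            nets.append(iface.network)
    return nets


def evaluate(source_spec, lan_addrs, client):
    """Verdict for a packet from `client` entering LAN: the allow rule with the
    given source is checked first; anything it does not match falls through to
    the implicit default deny."""
    src = ipaddress.IPv6Address(client)
    if source_spec == "any":
        return "pass"
    if source_spec == "LAN net":
        if any(src in net for net in lan_net(lan_addrs)):
            return "pass"
        return "block (default deny)"
    raise ValueError(f"unsupported source spec {source_spec!r}")


def explain(source_spec, lan_addrs, client):
    """One-line diagnosis in the spirit of reading the Live View: which nets the
    rule's source expanded to and what happened to the client."""
    nets = [str(n) for n in lan_net(lan_addrs)]
    return f"source={source_spec} expands to {nets or 'nothing'}; {client} -> {evaluate(source_spec, lan_addrs, client)}"


if __name__ == "__main__":
    print(explain("LAN net", LAN_ADDRS_WITH_PROXY, CLIENT))   # denied: LAN net is empty
    print(explain("any", LAN_ADDRS_WITH_PROXY, CLIENT))       # passes
    print(explain("LAN net", LAN_ADDRS_WITH_PD, CLIENT))      # passes once LAN is numbered
```

The check to make on the real box is the same as the model's first line: look at the LAN allow rule's source, and whether the LAN interface actually holds an address inside the /64 the proxy serves. If it does not, "LAN net" is empty for IPv6 and only a source of "any" (or an explicit alias for the proxied /64) lets the client out.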

Quote from: Patrick M. Hausen on Today at 05:53:53 PM
What does your allow all rule for IPv6 on LAN look like exactly? If you have source = LAN net instead of source = any, and you are using the NDP proxy, that would explain the traffic being denied because there is no LAN net. The firewall doesn't have an IPv6 address in that single /64 you use with the proxy on LAN (!).

I'm speaking of the default rules that are configured on install.  I have not made any modifications.  The manual implies it should just work.