Author Topic: [SOLVED] IPv6 via OpenVPN + NPT, incorrect source address for the router itself  (Read 3035 times)

Dronov

[SOLVED] IPv6 via OpenVPN + NPT, incorrect source address for the router itself
« on: October 09, 2017, 02:53:37 pm »
Dear helpful opnsense users,

This is a follow-up question to my update-related question[1], which turned out to be an IPv6 connectivity issue. I suspect it might be something known and straightforward.

I have an OpenVPN tunnel set up on an opnsense box, with all the traffic (IPv4 and IPv6) going through the tunnel. My ISP does not provide v6 connectivity, so v6 has only one way out - via VPN (for v4 I have a "kill switch" floating rule). The VPN server assigns the routed X.Y.Z::/64 network to the opnsense box. The opnsense box uses NPT to translate it to/from the internal network A.B.C::/64 (not site local, a regular net for historical reasons, using the "OpenVPN" interface, I did not assign one manually via Interfaces -> Assignments). LAN boxes get their IPv4 and IPv6 connectivity, and all seems to be OK.

Now, I recently found that the opnsense box itself has no IPv6 connectivity (due to NPT?). Here is what happens:

When I ping6 google.com from a LAN machine I see the following going out (and in) via the vpn interface:
# tcpdump -i ovpnc2 icmp6
12:30:00.852675 IP6 X:Y:Z:0:b4f3:a128:d588:5fa6 > lhr35s07-in-x0e.1e100.net: ICMP6, echo request, seq 1, length 64
12:30:00.863742 IP6 lhr35s07-in-x0e.1e100.net > X:Y:Z:0:b4f3:a128:d588:5fa6: ICMP6, echo reply, seq 1, length 64

However, when I do the same from the opnsense box, I see:
# tcpdump -i ovpnc2 icmp6
12:32:25.379827 IP6 A:B:C::1002 > lhr35s07-in-x0e.1e100.net: ICMP6, echo request, seq 0, length 16
12:32:26.442561 IP6 A:B:C::1002 > lhr35s07-in-x0e.1e100.net: ICMP6, echo request, seq 1, length 16

It looks like it takes the external address assigned to the ovpnc2 interface by the server (X.Y.Z::1002), does NPT for that address (which results in the internal A.B.C:: prefix) and then sends it out. Basically, address A.B.C::1002 does not exist anywhere, the ovpnc2 interface has address X.Y.Z::1002.

I appreciate any pointers, how do I debug it further?

Thanks a lot.

1. https://forum.opnsense.org/index.php?topic=6033.0
« Last Edit: October 10, 2017, 11:42:59 pm by Dronov »

Dronov

Re: IPv6 via OpenVPN + NPT, incorrect source address for the router itself
« Reply #1 on: October 10, 2017, 11:42:09 pm »
Found it :) One should never assemble configuration from bits and pieces over a month.

It was using the same v6 net for the VPN link itself. Once I switched the VPN to use ULA addresses for the link, it all works just fine.
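The conflict described in the reply above, as an added example that is not part of the original posts: a check for whether an address the router itself owns falls inside the external NPT prefix and what source address it would then leave with. The prefixes are constructed stand-ins for X.Y.Z::/64 and A.B.C::/64, the function names are hypothetical, and the translation is modelled as a plain prefix swap because the capture shows the ::1002 host part surviving.

```python
import ipaddress

def npt_rewrite(addr, from_prefix, to_prefix):
    """Swap from_prefix for to_prefix, keeping the host bits.

    Returns None when addr is outside from_prefix (no translation applies).
    Assumption: a plain prefix swap, as in the capture where ::1002 survives.
    """
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPT prefixes must have the same length")
    if addr not in src:
        return None
    host_bits = int(addr) & int(src.hostmask)
    return ipaddress.IPv6Address(int(dst.network_address) | host_bits)

def router_addrs_hit_by_npt(external, internal, router_addrs):
    """Map each router-owned address inside the external NPT prefix to the
    source address it would leave with; an empty dict means no conflict."""
    hits = {}
    for a in router_addrs:
        rewritten = npt_rewrite(a, external, internal)
        if rewritten is not None:
            hits[a] = str(rewritten)
    return hits

# Constructed sample values (documentation and ULA ranges), not from the thread.
EXTERNAL = "2001:db8:aaaa:1::/64"      # stands in for the routed X.Y.Z::/64
INTERNAL = "2001:db8:bbbb:1::/64"      # stands in for the LAN A.B.C::/64
LINK_BEFORE = "2001:db8:aaaa:1::1002"  # tunnel address taken from the routed net
LINK_AFTER = "fd12:3456:789a::1002"    # tunnel address moved to a ULA link net

if __name__ == "__main__":
    for label, link in (("before", LINK_BEFORE), ("after", LINK_AFTER)):
        hits = router_addrs_hit_by_npt(EXTERNAL, INTERNAL, [link])
        print(label, hits or "router address untouched by NPT")
    # A LAN host is still translated internal -> external as intended.
    print(npt_rewrite("2001:db8:bbbb:1:b4f3:a128:d588:5fa6", INTERNAL, EXTERNAL))
```
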

franco

Re: [SOLVED] IPv6 via OpenVPN + NPT, incorrect source address for the router itself
« Reply #2 on: October 12, 2017, 08:41:01 pm »
Yay, glad to hear that. :)


Cheers,
Franco