My ISP recently made IPv6 available and I’m trying to figure out how to make it work with my network. The setup I have is an OPNsense box connected to my ISP’s router and I’m using it to isolate my homelab from the rest of the network. However, the machines on my OPNsense LAN aren’t being assigned IPv6 addresses that allow them to connect to the internet.

I can ping IPv6 sites from my OPNsense box and I see that it’s being assigned a /64 prefix from the ISP router. If I use my laptop to connect to my ISP’s router, I can visit IPv6 sites just fine as well. My devices in the OPNsense LAN also have IPv6 addresses and can ping each other using IPv6 but not the internet.

Are there special settings that I need to set for OPNsense to make this setup work? I’ve tried reading up on the different modes like SLAAC but I’m not quite grasping the concepts.

Toes♀
15M

Hey I just had another thought. Do you have your ISP provided router in bridge mode? That would help if you’re not using it for anything else.

Toes♀
25M

Confirm that the IPv6 addresses your LAN clients are being assigned are within the scope of what your ISP is assigning.

If they are, check default routes and firewall rules.

If you aren’t, investigate “router advertisement”.

cakeofhonor
creator
15M

I did forget to mention that. The IP addresses of the devices on the LAN do not share the same first half of the address as the IP on the ISP router. I have the OPNsense LAN set to track the WAN interface, but the DHCP server is stuck saying “No available address range for configured interface subnet size.” I also noticed that my WAN for OPNsense has a globally routable IP starting with 2402 as well as an LLA starting with fe80, but my LAN only has an LLA.

Which routes and firewall rules should I be checking?

Toes♀
45M

If your LAN devices only have an fe80 address, your clients are not receiving a proper router advertisement.

Which routes and firewall rules should I be checking?

Since the OPNsense device is getting an IPv6 address and is able to ping IPv6 devices on the internet, it sounds like you don’t have IPv6 configured for the LAN. Try enabling “Assisted” mode.

https://docs.opnsense.org/manual/radvd.html

Domi
1
5M

I’m no expert on IPv6 but here’s how I did it on my OPNsense box:

  • Activate IPv6 on your WAN interface (probably already done)
  • Activate IPv6 on the LAN interface, use Track Interface on IPv6, track the WAN interface and choose a prefix ID like 0x1
  • Activate DHCPv6 under Services -> ISC DHCPv6 for your LAN interface (you can shorten the range like ::eeee to ::ffff, you don’t have to type the full IP)
  • Activate Router Advertisements under Services -> Router Advertisements for your LAN interface (set Advertisements to Managed and Priority to High)

After that your DHCP server should serve public IPv6 addresses inside of your prefix and clients should be able to connect to the internet.

A few notes:

  • Don’t forget to add an allow rule for IPv6 on your LAN as well if you only have one for IPv4
  • Repeat the steps above for every VLAN you have, always use a different prefix ID
  • You don’t have to use NAT rules with IPv6 anymore and can just directly add a regular firewall rule to WAN with the target IP and port and you are done
  • Make sure you don’t have any of the various “Disable IPv6” toggles enabled, there’s a few in the firewall settings and general settings for example

cakeofhonor
creator
15M

I’ll try this when I get a chance. Off the top of my head, why did you set the prefix to 0x1? I was under the impression that it only needs to be set if there are multiple VLANs. Also, what are your rules for the WAN side of the firewall? My LAN interface is only getting an LLA, so maybe it’s being blocked from communicating with the ISP router.

Prefix ID of 0x1 means “Use the first prefix available in the block as a /64 for the LAN”. Essentially your ISP probably gave you a /48, /56, or /60. The firewall is giving prefix IDs to all of the /64s you can fit inside of one of these and allocating them numbers 1 through whatever. Each LAN you have can have its own prefix ID. A /60 has 16 /64 networks that you can subnet it into.

Domi
1
5M

Off the top of my head, why did you set the prefix to 0x1? I was under the impression that it only needs to be set if there are multiple vlans

I have multiple VLANs, 0x1 is my LAN and 0x10 is my DMZ for example. I then get IP addresses abcd:abcd:a01::abcd in my LAN and abcd:abcd:a10::bcdf in my DMZ.

However, I get a /56 from my ISP which gets subnetted into /64s. I heard it’s not ideal to subnet a /64, but you might want to double check what you really got.

what are your rules for the WAN side of the firewall?

Only IPv4 + IPv6 ICMP, the normal NAT rules for IPv4 and the same rules for IPv6 but as regular rule instead of NAT rule.

My LAN interface is only getting an LLA so maybe it’s being blocked from communicating with the ISP router.

If you enable DHCPv6 in your network your firewall should be the one to hand out IP addresses, your ISP assigns your OPNsense the prefix and your OPNsense then subnets them into smaller chunks for your internal networks.

It is possible to do it without DHCPv6 but I didn’t read into it yet since DHCPv6 does exactly what I want it to do.
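As an added example (not code from anyone in this thread), the prefix-ID arithmetic described above (the ISP delegation split into /64s, the ID picking one of them) together with the earlier advice to check whether a LAN client’s address actually falls inside the ISP’s prefix, written in Python with the standard ipaddress module. The 2001:db8:: prefixes are constructed documentation addresses, not a real delegation.

```python
import ipaddress

# Constructed sample value: 2001:db8::/32 is the IPv6 documentation range.
SAMPLE_DELEGATION = "2001:db8:aa00::/56"


def usable_lans(delegated: str) -> int:
    """Number of /64s that fit in a delegated prefix (/60 -> 16, /56 -> 256, /64 -> 1)."""
    pd = ipaddress.IPv6Network(delegated, strict=False)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is smaller than a /64 and cannot hold a LAN")
    return 2 ** (64 - pd.prefixlen)


def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 a LAN gets when it tracks the WAN delegation with a given prefix ID.

    The ID selects one of the /64s inside the delegation, so it lands in the
    low bits of the fourth hextet (the bits the ISP left to us). A bare /64
    from the ISP leaves only ID 0, which is why a larger delegation is needed
    to give each LAN or VLAN its own prefix ID.
    """
    pd = ipaddress.IPv6Network(delegated, strict=False)
    room = usable_lans(delegated)
    if not 0 <= prefix_id < room:
        raise ValueError(f"prefix ID {prefix_id:#x} out of range: {pd} holds {room} /64s")
    return ipaddress.IPv6Network((int(pd.network_address) + (prefix_id << 64), 64))


def classify_client(addr: str, delegated: str) -> str:
    """Triage a LAN client's IPv6 address against the ISP delegation."""
    ip = ipaddress.IPv6Address(addr)
    pd = ipaddress.IPv6Network(delegated, strict=False)
    if ip.is_link_local:
        return "link-local only: no usable router advertisement on the LAN"
    if ip in pd:
        return "inside the ISP delegation: check default route and LAN/WAN firewall rules"
    return "global address outside the ISP delegation: check what prefix the LAN advertises"


if __name__ == "__main__":
    for pid in (0x1, 0x10):
        print(f"prefix ID {pid:#x} -> {lan_prefix(SAMPLE_DELEGATION, pid)}")
    for host in ("fe80::1", "2001:db8:aa00:1::abcd", "2001:db8:ff00::1"):
        print(host, "->", classify_client(host, SAMPLE_DELEGATION))
```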

@Decronym@lemmy.decronym.xyz
bot account
3
5M

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters   More Letters
DHCP            Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network
IP              Internet Protocol
NAT             Network Address Translation

[Thread #813 for this sub, first seen 18th Jun 2024, 10:55]

@chronicledmonocle@lemmy.world
0
5M

If you’re getting a /64 from your ISP via DHCPv6, you likely need to send a prefix hint. I’d guess /60. Then you’ll have multiple /64s to work with on your inside interfaces.

Who is the ISP?

cakeofhonor
creator
2
5M

If it’s any use, here are the WAN IPv6 options (auto, manual, or IPv6CP Extension) for the ZTE-ZXHN-F670, it’s set to auto right now:

And these are the available LAN settings:

cakeofhonor
creator
15M

I’m located in Vietnam; the ISP is Viettel (probably not useful information, but hey, why not).

Is it possible to send the hint from OPNsense itself? I mentioned in the original post that OPNsense is behind the ISP router (ZTE-ZXHN-F670), which I kind of don’t want to touch due to the fact that the terminology is quite different and that the ISP people come over to run tests on it whenever there are service issues. Either way, I’ve already tried to search through the settings and couldn’t find any options for setting the prefix hint on the WAN side. I’m open to digging through those settings again if you’re familiar with the router.

Is it possible to send the hint from OPNsense itself?

Yes, to me it sounds like you’re already getting a big enough prefix from your ISP (all devices getting a /64), but you’ll have to request a bigger prefix from OPNsense. I believe it should give you the options to do this when you set the IPv6 mode to DHCPv6 on OPNsense, but I can’t say if your ISP router will handle it.

Matt The Horwood
25M

Not tested this, but you might want to look at DHCPv6 Relay to get an IP from your ISP router.

If you’re allocated DHCPv6-PD with a subnet, you don’t use a relay.

Matt The Horwood
15M

noted
