opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

No IPv6 Default gateway, no IPv6 internet when manually assigned. #5474

Closed zombielinux closed 2 years ago

zombielinux commented 2 years ago

Describe the bug

DHCPv6 is not populating the IPv6 default gateway when using pfatt to bypass AT&T RGW. IPv4 is unaffected and LAN clients receive valid IPv6 addresses via SLAAC.

The correct IPv6 default gateway can be manually populated, but internet connectivity over IPv6 is not functional. Partial traceroutes succeed but do not exit the AT&T address space.

rtsol -d -D $WAN_INTERFACE receives an RA from the upstream IPv6 device. This RA matches the default gateway address that the original AT&T RGW acquires.

Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)

To Reproduce

Steps to reproduce the behavior:

  1. Follow IPv6 instructions here: https://github.com/MonkWho/pfatt/blob/supplicant_OPNsense_testing/README.md
  2. Ignore the part about checking "Do not wait for a RA", the checkbox no longer exists as the option is enabled by default.
  3. No Default Gateway is defined for WAN IPv6 or displayed on main Dashboard.
  4. Enter CLI and enter: rtsol -d -D $WAN_INTERFACE
  5. Use the line that says rtsol: received RA from $IPv6_address on $WAN_INTERFACE, state is 2
  6. Manually enter $IPV6_address in System -> Gateways -> Single -> WAN_DHCP6 -> IP Address in place of "Dynamic"
  7. Attempt traceroute6 route-server.ip.att.net

Expected behavior

Default IPv6 Gateway is populated with appropriate routes and IPv6 internet access.

Describe alternatives you considered

I attempted to use the static IPv6 address method, with no success, and manually populating the gateway IP.

Additional context

I suspect there are two problems here.

1) A Gateway population issue.
2) An IPv6 route population issue.

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 21.7.7 (amd64, OpenSSL). Intel® Xeon™ E3-1225 3.1GHz Quad Core

xabix commented 2 years ago

Hello, I have a similar issue since I upgraded to 22.1.

PING6(56=40+8+8 bytes) 2a01:XXXX:3ba:cb90::2 --> fe80::YYYY:8fff:fe6a:95d
ping6: sendmsg: No route to host
ping6: wrote fe80::YYYY:8fff:fe6a:95d 16 chars, ret=-1

It used to work well.

Any idea of why there is no route on my LAN interface?

Thanks XabiX

OPNsense-bot commented 2 years ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

tiagofreire-pt commented 2 years ago

Same situation here. IPv6 public IPs delivered to all clients, but "no route" or "destination net unreachable".

LIONNNNNN commented 2 years ago

Same here

icsy7867 commented 1 year ago

Also running into this

fichtner commented 1 year ago

I don’t know about pfatt and if everyone is having the exact same issue. Normally the issue arises because no proper RA is received and the ISP won’t send solicitations after one connects using the opportunistic try (which resembles do not wait for RA). An answer from the RA server does not equate to a mandatory use of that sending address as a router…

and I know I’ve helped @xabix with the issue reported, which had nothing to do with pfatt… it was about link-local behaviour change in FreeBSD 13.1 update.

That being said OPNsense 23.1 will add a SLAAC fallback router if the ISP is willing to offer one. We already know it doesn’t help all who reported a missing gateway, but that is mostly for ISP policy, e.g. no solicit before DHCP v4 is bound.

Cheers, Franco