opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Static IPv6: Back routing from WAN /64 to LAN /65 does not work #7630

Closed alex1702 closed 1 month ago

alex1702 commented 1 month ago

We have an OPNsense in the data center in the rack. This has a /64 prefix from the operator 2001:-----:dead:-----::/64. The gateway from the data center is 2001:-----:dead:-----::1

WAN: I have given the OPNsense the static 2001:-----:dead:-----::2/64. And selected WANv6 as the gateway.

I have a manually added WANv6 gateway with the following configuration:

Name: WANv6
Interface: WANMyLOC
Address family: IPv6
Address: 2001:-----:dead:-----::1
Upstream gateway: [x]
Remote gateway: [ ]
Disable gateway monitoring: [ ]
Disable Host Route: [ ]
Monitor IP: 2a00:1450:400e:810::200e
Mark gateway as Inactive: [ ]
Priority: 255

This is also displayed as online.

On the LAN interface I have static IPv6 with the following address: 2001:-----:dead:-----:8000::1/65

A ping on the firewall itself to any IPv6 address works. A ping from a client in the LAN network goes out and arrives at the destination, but the response does not come back to the client. The client has the IP 2001:-----:dead:-----:8000::5/65

ip a excerpt:

2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:8e:9a:d7 brd ff:ff:ff:ff:ff:ff
    altname enp0s18
    inet 192.168.168.95/24 brd 192.168.168.255 scope global ens18
       valid_lft forever preferred_lft forever
    inet6 2001:----:dead:----:8000::5/128 scope global dynamic noprefixroute 
       valid_lft 4704sec preferred_lft 2004sec
    inet6 fe80::250:56ff:fe8e:9ad7/64 scope link 
       valid_lft forever preferred_lft forever

ip -6 r excerpt:

2001:----:dead:----:8000::/65 dev ens18 proto ra metric 1024 expires 86091sec pref medium
2001:----:dead:----:8000::/65 via fe80::21a:8cff:fe16:da98 dev ens18 proto ra metric 1024 expires 1491sec pref medium
fe80::/64 dev ens18 proto kernel metric 256 pref medium
default proto ra metric 1024 expires 1491sec mtu 1500 pref medium
    nexthop via fe80::21a:8cff:fe16:da98 dev ens18 weight 1 
    nexthop via 2001:----:dead:----:8000::1 dev ens18 weight 

fe80::21a:8cff:fe16:da98 and 2001:----:dead:----:8000::1 are the OPNsense's addresses on the LAN side.

tcpdump from the ping destination:

12:50:47.542897 IP6 2001:-----:dead:-----:8000::5 > 2a01:-----:-----:-----::2: ICMP6, echo request, seq 2498, length 64
12:50:47.542966 IP6 2a01:-----:-----:-----::2 > 2001:-----:dead:-----:8000::5: ICMP6, echo reply, seq 2498, length 64

In the firewall I have allowed all ICMPv6 traffic from everywhere to everywhere. Once as a floating rule, in the WAN and also in the LAN.

fichtner commented 1 month ago

I'd avoid using anything other than /64.

alex1702 commented 1 month ago

I can fully understand that and I wouldn't prefer it either. But it's just what I have from the provider at the moment and it should actually work, shouldn't it?

fichtner commented 1 month ago

If the goal is to get a single /64 to work use /64 on your LAN and /128 on your WAN?

alex1702 commented 1 month ago

With /128 on the WAN and /64 on the LAN it does not work either. In addition, OPNsense says “Misconfigured Gateway IP” under Gateways for the v6 gateway. I assume this is because the 1 no longer fits into the /128? I have also tried it with a /126 on the WAN. Then the gateway is online again, but the client still doesn't get a reply.

Do I have to set /128 and a manual route? What would that look like?

fichtner commented 1 month ago

Sorry, I can't help with a moving goal post in a community support case more than I already have.

alex1702 commented 1 month ago

Ok. We now have a completely new /56 from the provider.

Gateway: 2001:----:----:100::1
Network: 2001:----:----:100::/56
First /64 on the WAN interface: 2001:----:----:100::2/64
The next one on the LAN: 2001:----:----:101::1/64

A client has an IP address via SLAAC: 2001:----:----:101:250:56ff:fe8e:9ad7

A tcpdump (tcpdump -n -i em1 ip6) on the WAN interface results in the following messages:

13:36:53.496899 IP6 2001:----:----:100::1 > ff02::1:ff8e:9ad7: ICMP6, neighbor solicitation, who has 2001:----:----:101:250:56ff:fe8e:9ad7, length 32

Why is the OPNsense not responding to the other gateway?

I hope you or someone else can help me with this information.
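The neighbor solicitation captured above is what an upstream router emits when its routing table says the destination is directly on the WAN segment rather than reachable via a next hop. The same mechanism explains the original /64-split-into-/65 setup: if the provider's gateway only knows the whole block as a connected prefix, replies to a LAN host turn into "who has <LAN address>" on the WAN link, which OPNsense does not answer for addresses behind it. The script below is an added illustration written for this thread, not OPNsense or provider code; it models the upstream router's longest-prefix-match decision for both scenarios. The 2001:db8::/32 documentation prefix and the interface name "cust" are constructed stand-ins for the masked provider addresses.

```python
"""Longest-prefix-match model of an upstream router's forwarding decision.

Constructed example for illustration (not OPNsense code). It shows why a
delegated block that the upstream treats as on-link produces neighbor
solicitations for LAN hosts on the WAN segment, and why a route for that
block via the firewall's WAN address makes the upstream forward instead.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# 2001:db8::/32 is the IPv6 documentation prefix; it stands in here for the
# masked provider prefix. Every address below is a constructed placeholder.


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    via: Optional[ipaddress.IPv6Address]  # None means "connected / on-link"
    iface: str


def route(prefix: str, via: Optional[str], iface: str) -> Route:
    """Build a Route from strings; via=None marks a connected prefix."""
    return Route(ipaddress.IPv6Network(prefix),
                 ipaddress.IPv6Address(via) if via else None,
                 iface)


def best_route(table, dst):
    """Return the most specific route covering dst, or None (longest-prefix match)."""
    addr = ipaddress.IPv6Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def forwarding_action(table, dst):
    """Decide what the router does with a packet destined to dst.

    ('forward', next_hop, iface) - resolve next_hop's link-layer address, send
    ('solicit', dst, iface)      - dst believed on-link: send an NS for dst itself
    ('unreachable', None, None)  - no covering route
    """
    r = best_route(table, dst)
    if r is None:
        return ("unreachable", None, None)
    if r.via is None:
        # Connected prefix: the router resolves the destination address
        # directly, i.e. "who has dst" on that interface.
        return ("solicit", str(ipaddress.IPv6Address(dst)), r.iface)
    return ("forward", str(r.via), r.iface)


# Scenario A: one /64 from the provider, upper /65 used on the LAN (first post).
# The upstream only knows the /64 as connected, so a reply to the LAN client
# becomes an NS for ...8000::5 on the WAN segment.
UPSTREAM_A = [route("2001:db8:0:1::/64", None, "cust")]
# Same upstream with a more specific route for the LAN /65 via the firewall's WAN address.
UPSTREAM_A_WITH_ROUTE = UPSTREAM_A + [
    route("2001:db8:0:1:8000::/65", "2001:db8:0:1::2", "cust"),
]
LAN_CLIENT_A = "2001:db8:0:1:8000::5"

# Scenario B: a /56 (later post). Same failure if the provider configures the
# whole /56 as on-link; works once only the first /64 is on-link and the /56
# is routed via the firewall's WAN address.
UPSTREAM_B_ONLINK = [route("2001:db8:0:100::/56", None, "cust")]
UPSTREAM_B_ROUTED = [
    route("2001:db8:0:100::/64", None, "cust"),
    route("2001:db8:0:100::/56", "2001:db8:0:100::2", "cust"),
]
LAN_CLIENT_B = "2001:db8:0:101:250:56ff:fe8e:9ad7"
OPNSENSE_WAN_B = "2001:db8:0:100::2"


if __name__ == "__main__":
    cases = [
        ("A: /64 on-link only      ", UPSTREAM_A, LAN_CLIENT_A),
        ("A: /65 routed via WAN ::2", UPSTREAM_A_WITH_ROUTE, LAN_CLIENT_A),
        ("B: /56 on-link           ", UPSTREAM_B_ONLINK, LAN_CLIENT_B),
        ("B: /56 routed via WAN ::2", UPSTREAM_B_ROUTED, LAN_CLIENT_B),
        ("B: firewall WAN address  ", UPSTREAM_B_ROUTED, OPNSENSE_WAN_B),
    ]
    for label, table, dst in cases:
        print(label, forwarding_action(table, dst))
```

Reading the output: every "solicit" line for a LAN address corresponds to a neighbor solicitation that would appear in a WAN-side capture and go unanswered, while "forward" means the upstream resolves only the firewall's own WAN address and hands the packet over. The check a practitioner can make from this is whether the provider's router holds a route for the delegated block via the firewall's WAN address, or merely has the block configured as a connected prefix.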

alex1702 commented 1 month ago

Seems to be working now. The ISP must have done something else on request.