Geekzone: technology news, blogs, forums


alavaliant

222 posts

Master Geek

Subscriber

#318960 9-Mar-2025 11:22

IPv6 on my network hasn't been working correctly for the last few weeks. Possibly starting around the time I was moved from the AKL to WGN bng (as per one of my earlier posts) but it might have been a little before then. However it's something I'm struggling to definitively isolate as a problem on my end or on Quic's. I'm hoping somebody might have some other ideas I've not thought of?

The symptom I'm seeing is that IPv6 traffic from the router itself seems to get a response back (e.g. I can ping6 google.com on the router and get a response). From hosts behind the router, while they get assigned a valid IPv6 address under my assigned prefix, and I can see the IPv6 traffic from them reach the router and get sent out according to the firewall logs, there seems to be no IPv6 traffic ever coming back in, in response to the outgoing packets.

While on the surface that would seem to suggest a potential router configuration issue, my primary router (running opnsense) has had absolutely no configuration setting changes since IPv6 was working on it (and the settings have DHCPv6 enabled as per the quic settings page). The only thing I have done with it over the last few months is install routine security/feature updates on it. I also have a secondary old router (running openwrt) which I was originally using with quic before I got my newer router. It was turned off and put into storage when I got my new router (so has not had a single configuration change or software update applied to it since it was previously in use with fully working IPv6). As a test I pulled it back out of storage and plugged it in instead. The same symptoms occurred with the older router: IPv4 is fine, IPv6 addresses get assigned to clients, but attempts to use IPv6 seem to result in the packets going out but never coming back in.

Given that I have the same problem with two completely different router hardwares, running two completely different software stacks, I can't see how the issue I'm running into would be caused by software configuration (given that both were working previously and one is exactly as it was when working in the past). I've tried rebooting and leaving my ONT powered off for half an hour, in case the ONT itself was playing up somehow, but that's not helped.

I did log a quic problem report with the information above (SUP-260140), asking for quic to check the IPv6 status for my connection. They reported that the IPv6 provisioning looks normal on their end and they think it's a router configuration issue. However I'm struggling to think of what else to try to change if two completely different routers, both with configurations that match the given quic IPv6 settings and that were working previously, are both having the issue...


Other relevant information about my connection:

  • I'm on 2gig hyperfibre (Chorus area, so Chorus ONT)
  • Am using dhcp for my connection (rather than pppoe)
  • I've got a static IPv6 prefix. The quic website connection payload details show the right prefix being given out, and addresses using that prefix are what the routers give out to clients behind them. The only thing I'm not sure about (I don't remember what was assigned in the past) is that while the LAN interfaces on my router get assigned an IPv6 address under my assigned static IPv6 prefix, the WAN interface seems to get an address under a slightly different prefix. I don't know if that is normal or not? I don't have another IPv6 connection to cross compare with and I can't recall what was assigned to the WAN interface back when IPv6 was working.
  • My main router has no firewall rules (other than the opnsense default ones, which allow required IPv6 traffic for the IPv6 connection to work). For the purpose of testing I also briefly added a firewall rule allowing all incoming traffic. That didn't help with the IPv6 traffic not coming back in.

michaelmurfy
meow
13255 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3351667 9-Mar-2025 12:11

Perhaps missing a masquerade rule?

 

I know @MaxineN has had challenges with getting IPv6 running on OPNSense.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Opinions are my own and not the views of my employer.




alavaliant

222 posts

Master Geek

Subscriber

  #3351670 9-Mar-2025 12:38

Thanks for the suggestion,   unfortunately that wouldn't explain why I get the exact same issue on openwrt.


MaxineN
Max
1772 posts

Uber Geek

ID Verified
Trusted
Subscriber

  #3351671 9-Mar-2025 12:43

Ha, welcome to my hell.

V6 was initially working out of the box with just DHCPv6 and tracking the interface on my Bridge for my LAN yonks ago until the big bang last year, then I have never gotten it to work ever again.

 

I can get V6 on my WAN and to the bridge (and then it thinks it's offline but it still works). Beyond anywhere else to my end points/devices/hosts? Nope!





Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.




fe31nz
1232 posts

Uber Geek


  #3351837 10-Mar-2025 00:04

alavaliant:

 

  • I've got a static IPv6 prefix. The quic website connection payload details show the right prefix being given out, and addresses using that prefix are what the routers give out to clients behind them. The only thing I'm not sure about (I don't remember what was assigned in the past) is that while the LAN interfaces on my router get assigned an IPv6 address under my assigned static IPv6 prefix, the WAN interface seems to get an address under a slightly different prefix. I don't know if that is normal or not? I don't have another IPv6 connection to cross compare with and I can't recall what was assigned to the WAN interface back when IPv6 was working.

 

It is normal for the WAN interface IPv6 address to be outside your delegated IPv6 prefix. The WAN interface is likely getting its global unicast IPv6 address by doing a DHCPv6 request - this is a different DHCPv6 request from the DHCPv6 PD (prefix delegation) request that gets the IPv6 prefix used on your network. There is actually no need for the router WAN interface to have a global unicast IPv6 address, as it can talk IPv6 to the next hop IPv6 router using its link local address and will normally use the link local address for that even if it has a global unicast IPv6 address. If it needs to send global unicast IPv6 packets (to check for updated firmware on its manufacturer's site for example), it can send them from one of its LAN interfaces using the delegated prefix addresses there.

 

I am on 2Degrees, so I can not say what Quic actually does, but if it is anything like 2Degrees, then until it has delegated an IPv6 prefix to your router, it will drop any IPv6 packets from your router that are using global unicast IPv6 addresses. It expects link local addresses and the special broadcast addresses used for ICMPv6 and DHCPv6 only. Once the DHCPv6 PD delegation packets have been exchanged, only then will it route IPv6 packets from your delegated prefix global unicast addresses. So how sure are you that you are actually getting the DHCPv6 PD packets? Is it possible that your router is just remembering the old delegation and continuing to use it despite it being expired? Or maybe it is not sending back the final packet that acknowledges receipt of the prefix?

 

The full details of DHCPv6 seem to have been updated now into this one RFC:

 

https://datatracker.ietf.org/doc/html/rfc8415

 

I presume OPNsense has a way of capturing packets on the WAN interface to allow you to debug this.  If you tell it to capture all ICMPv6 packets, you should be able to see exactly what is happening.  If you load that capture into Wireshark, you can then do a display filter for DHCPv6 to see the exact packets you want.
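
An added example, not part of the original post: a small Python parser for DHCPv6 payloads (RFC 8415) that walks a captured exchange in order and reports whether a Reply actually delegated a prefix with a non-zero valid lifetime, which is the question raised above. The function names and the sample bytes (built from the documentation prefix 2001:db8::/32) are constructed for illustration; pulling the UDP port 546/547 payloads out of the capture file is assumed to be done separately.

```python
import ipaddress
import struct

MSG = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 5: "RENEW", 6: "REBIND", 7: "REPLY"}
OPT_STATUS, OPT_IA_PD, OPT_IAPREFIX = 13, 25, 26  # RFC 8415 option codes

def options(buf):
    """Yield (code, value) for each option TLV in buf."""
    pos = 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, pos)
        if pos + 4 + length > len(buf):
            raise ValueError("truncated option %d" % code)
        yield code, buf[pos + 4:pos + 4 + length]
        pos += 4 + length

def parse(payload):
    """Decode one DHCPv6 UDP payload: type, transaction id, IA_PD prefixes, status codes."""
    msg = {"type": MSG.get(payload[0], "OTHER"), "xid": payload[1:4].hex(),
           "prefixes": [], "status": []}
    body = payload[4:] if payload[0] in MSG else b""  # skip relay and other formats
    for code, val in options(body):
        subs = options(val[12:]) if code == OPT_IA_PD else [(code, val)]  # 12 = IAID, T1, T2
        for sub, sval in subs:
            if sub == OPT_STATUS:
                msg["status"].append(struct.unpack_from("!H", sval)[0])
            elif sub == OPT_IAPREFIX:
                pref, valid, plen = struct.unpack_from("!IIB", sval)
                net = ipaddress.IPv6Network((sval[9:25], plen), strict=False)
                msg["prefixes"].append((str(net), pref, valid))
    return msg

def delegation_state(payloads):
    """Walk messages in capture order; return (verdict, detail) for the last exchange."""
    pending, state = set(), ("no-client-request-seen", None)
    for m in map(parse, payloads):
        if m["type"] in ("SOLICIT", "REQUEST", "RENEW", "REBIND"):
            pending.add(m["xid"])
            state = ("unanswered-" + m["type"].lower(), None)
        elif m["type"] == "REPLY" and m["xid"] in pending:
            live = [p for p in m["prefixes"] if p[2] > 0]  # valid lifetime 0 = withdrawn
            failed = [s for s in m["status"] if s != 0]
            state = ("delegated", live) if live and not failed else ("no-usable-prefix", failed)
    return state

def build(mtype, xid, prefix=None, valid=0, status=None):
    """Construct a sample message (test data only, not taken from a capture)."""
    opt = lambda c, v: struct.pack("!HH", c, len(v)) + v
    inner = opt(OPT_STATUS, struct.pack("!H", status)) if status is not None else b""
    if prefix:
        net = ipaddress.IPv6Network(prefix)
        inner += opt(OPT_IAPREFIX, struct.pack("!IIB", valid // 2, valid, net.prefixlen)
                     + net.network_address.packed)
    return bytes([mtype]) + xid + opt(OPT_IA_PD, struct.pack("!III", 1, 0, 0) + inner)

P = "2001:db8:aa00::/56"  # constructed documentation prefix, not a real delegation
SAMPLE = [build(1, b"\0\0\1"), build(2, b"\0\0\1", P, 7200),
          build(3, b"\0\0\2", P, 7200), build(7, b"\0\0\2", P, 7200)]
print(delegation_state(SAMPLE))
```

A verdict of `unanswered-solicit` or `unanswered-request` means the client asked and nothing matching came back; `no-usable-prefix` means the server answered but with a failure status (for example 6, NoPrefixAvail) or a zero valid lifetime.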


alavaliant

222 posts

Master Geek

Subscriber

  #3352223 10-Mar-2025 15:23

Thank you fe31nz   that is very useful information.    I'll do some investigation on that as soon as I have time (am busy during the week, so might have to wait until the weekend).


systemd
32 posts

Geek

Trusted

  #3352276 10-Mar-2025 17:24

FWIW, I have a similar setup (Static IP, DHCP, OPNsense) and IPv6 is working fine. I am on one of the AKL BNGs however.

 

My settings are as follows:

 

WAN interface:

 

  • IPv6 Configuration Type: DHCPv6
  • DHCPv6 client configuration:

     

    • Configuration Mode: Basic
    • Prefix delegation size: 56
    • Request prefix only
    • Send prefix hint

LAN interface:

 

  • IPv6 Configuration Type: Track Interface
  • Track IPv6 Interface:

     

    • Parent Interface: WAN
    • Allow manual adjustment of DHCPv6 and Router Advertisements

I am simply advertising a default gateway and DNS servers in the Router Advertisements configuration.

 

 

 

Does seem odd that the issue persists across both OPNsense and the Mikrotik however.


Tinkerisk
4228 posts

Uber Geek


  #3352283 10-Mar-2025 17:45

MaxineN:

 

Ha, welcome to my hell.

V6 was initially working out of the box with just DHCPv6 and tracking the interface on my Bridge for my LAN yonks ago until the big bang last year, then I have never gotten it to work ever again.

 

I can get V6 on my WAN and to the bridge (and then it thinks it's offline but it still works). Beyond anywhere else to my end points/devices/hosts? Nope!

 

 

Prerequisites:

 

Log in to the OPNsense web interface.
Go to Interfaces > WAN.
In the ‘IPv6 Configuration’ area, set the ‘IPv6 Configuration Type’ to ‘DHCPv6’.
Make sure that ‘Send IPv6 prefix hint’ is activated.
Set the ‘Prefix delegation size’ to 56.
Activate: ‘Use IPv4 connectivity’
Save the changes (don't be surprised, the WAN only gets a prefix and no IPv6 address).

 

Step 1: Configure LAN settings

 

Go to Interfaces > LAN.
In the ‘Track IPv6 Interface’ section, set ‘IPv6 Interface’ to ‘WAN’.
Set the ‘IPv6 Prefix ID’ to 0x01.
Activate ‘Manual configuration’
Save the changes. (Now ping -6 www.google.com from the OPNSense should work)

 

Step 2: Configure DHCPv6 service

 

Go to Services > DHCPv6 > LAN.
Activate the DHCPv6 server.
Set the IPv6 address range, e.g. from ::1000 to ::2000.
In the DNS server, add your IPv6 address to the LAN interface (Interface -> Overview)
Save the settings.

 

Step 3: Configure router advertisements

 

Go to Services > Router Advertisements.
Set the mode to ‘Stateless’.
Set the Router Priority to ‘High’.
Save the changes.

 

Step 4: Update DNS server

 

Go to System > Settings > General.
Add the recommended IPv6 DNS servers:
Google: 2001:4860:4860::8888
Quad9: 2620:fe::fe
Save the changes.

 

Step 5: Customise firewall rules for LAN

 

Go to Firewall > Rules > LAN.
Create or customise a rule to allow outgoing IPv6 traffic.

 

Step 6: Test the connection

 

Go to Diagnostics > Ping.
Set ‘IP Protocol’ to ‘IPv6’ and try to ping a known IPv6 address or hostname, such as google.com.





- NET: FTTH, OPNsense, 10G backbone, GWN APs, ipPBX
- SRV: 12 RU HA server cluster, 0.1 PB storage on premise
- IoT:   thread, zigbee, tasmota, BidCoS, LoRa, WX suite, IR
- 3D:    two 3D printers, 3D scanner, CNC router, laser cutter


 
 
 

MaxineN
Max
1772 posts

Uber Geek

ID Verified
Trusted
Subscriber

  #3352284 10-Mar-2025 17:56

Tinkerisk:

 

Step 1: Configure LAN settings

 

Go to Interfaces > LAN.
In the ‘Track IPv6 Interface’ section, set ‘IPv6 Interface’ to ‘WAN’.
Set the ‘IPv6 Prefix ID’ to 0x01.
Activate ‘Manual configuration’
Save the changes. (Now ping -6 www.google.com from the OPNSense should work)

 

Step 2: Configure DHCPv6 service

 

Go to Services > DHCPv6 > LAN.
Activate the DHCPv6 server.
Set the IPv6 address range, e.g. from ::1000 to ::2000.
In the DNS server, add your IPv6 address to the LAN interface (Interface -> Overview)
Save the settings.

 

Step 3: Configure router advertisements

 

Go to Services > Router Advertisements.
Set the mode to ‘Stateless’.
Set the Router Priority to ‘High’.
Save the changes.

 

Step 4: Update DNS server

 

Go to System > Settings > General.
Add the recommended IPv6 DNS servers:
Google: 2001:4860:4860::8888
Quad9: 2620:fe::fe
Save the changes.

 

Step 5: Customise firewall rules for LAN

 

Go to Firewall > Rules > LAN.
Create or customise a rule to allow outgoing IPv6 traffic.

 

Step 6: Test the connection

 

Go to Diagnostics > Ping.
Set ‘IP Protocol’ to ‘IPv6’ and try to ping a known IPv6 address or hostname, such as google.com.

 

 

 

 

So, if you read my post I already had working V6 from my bridge network (consider this LAN) and my WAN interface. I can ping and resolve AAAA records from the firewall itself. It's beyond that, that is broken.

 

 

Even making your changes, it changes nothing after disabling an interface on an end point and bringing it back up.

 

Sanity checking with Debian.

No v6 addresses.

And again... firewall is completely fine.

 

I really want to stress, this setup worked fine with just DHCPv6 and tracking the WAN with 0 manual adjustments before the big bang, and also worked when I was a One NZ customer and staffer. Wouldn't look too deep into my issue as I know DHCPv6 is totally busted and it's being dumped soon.





Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.


Tinkerisk
4228 posts

Uber Geek


  #3352285 10-Mar-2025 18:13

MaxineN:

 

So, if you read my post I already had working V6 from my bridge network (consider this LAN) and my WAN interface. I can ping and resolve AAAA records from the firewall itself. It's beyond that, that is broken.

 

 

Even making your changes, it changes nothing after disabling an interface on an end point and bringing it back up.

 

Sanity checking with Debian.

 

No v6 addresses.

 

 

 

And again... firewall is completely fine.

 

I really want to stress, this setup worked fine with just DHCPv6 and tracking the WAN with 0 manual adjustments before the big bang, and also worked when I was a One NZ customer and staffer. Wouldn't look too deep into my issue as I know DHCPv6 is totally busted and it's being dumped soon.

 

 

I have read your post. Whatever your big bang was, I have recently noticed here in Germany that perfectly functioning dual stack connections are suddenly causing problems as well. Sometimes IPv6 has completely disappeared, for other customers only IPv4 with CG-NAT and IPv6 works normally, etc. The providers are tinkering with it quite a bit. Especially when parts of other providers have been bought and taken over.





- NET: FTTH, OPNsense, 10G backbone, GWN APs, ipPBX
- SRV: 12 RU HA server cluster, 0.1 PB storage on premise
- IoT:   thread, zigbee, tasmota, BidCoS, LoRa, WX suite, IR
- 3D:    two 3D printers, 3D scanner, CNC router, laser cutter


ratbag359
24 posts

Geek


  #3355395 20-Mar-2025 05:32

I joined a day or two ago.
My testing has found that if the router gets an IPv6 address for itself on the WAN, the routing for the delegated prefix does not work.
If you can set your router/firewall DHCPv6 client to only request a prefix with the hint /56, like I can on a Mikrotik router, the delegated prefix works.


ratbag359
24 posts

Geek


  #3355399 20-Mar-2025 05:42

I see you have a separate issue too: IPv6 Stateless Address Auto-configuration (SLAAC) is not working.
You also are experiencing the same issue as me.


MaxineN
Max
1772 posts

Uber Geek

ID Verified
Trusted
Subscriber

  #3355404 20-Mar-2025 05:57

Well I should update (as last night I managed to get more things working).

 

During the last CHC outage due to power issues (Monday), I decided to move my plans to swap firewalls and also swap for openwrt.

 

I had v6 working in 5 minutes (includes local, and routable public prefixes on end points), custom DNS servers (as I use pihole) a few minutes after and last night after getting some spare time, had a basic web server up and running only on v6 outside to the world.

 

The OPNSense box is still around, haven't wiped it yet so I can look at why my issue happened but I'm pretty happy with openwrt and my new "forbidden router."





Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.


alavaliant

222 posts

Master Geek

Subscriber

  #3365101 17-Apr-2025 21:48

I've been away so haven't had time to further look at my ipv6 setup state until now. But rechecking things, ipv6 seems to now be working fine for my machines. Haven't changed any settings so it's not really clear as to why it's back to working. Hopefully it will stay working now, and at least if it breaks again I've got a lot more things to check into. It's making me think I should get onto my incomplete plans to set up ongoing speedtest etc. monitoring (including an ipv6 connectivity test), so if there are problems in the future I can tell for sure exactly when they started.


SpartanVXL
1316 posts

Uber Geek


  #3367631 26-Apr-2025 11:55

Did anybody have this issue with a Mikrotik? I have had this config setup since joining https://www.geekzone.co.nz/forums.asp?forumid=194&topicid=312692&page_no=1#3273892 which was working, but now the address that is added from pool is getting a duplicate address error.

I am getting a prefix and clients are getting v6 addresses, but connectivity is not working. I was on RouterOS 7.16 but upgraded to 7.18 to take a look at ipv6 fasttrack before I noticed that ipv6 wasn't actually working.

