Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPv6 prefix delegation to OVPN interfaces

    Scheduled Pinned Locked Moved IPv6
    6 Posts 3 Posters 1.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rudivd
      last edited by

      Hi all,

      I got prefix delegation working for my DSL connection (fritz-> provider (xs4all)). With the setting "follow interface"
      I get clear v6 adresses and subnets on my wired (ie REAL) interfaces. ipv6 works through these interfaces. Now,
      when it comes to OVPN (server) interfaces, I only can set a tunnel network for v6 in the setup. (this is with 2.4.2)

      On 2.2.5 I got this working by selecting a subnet within my v6 block, (in the openvpn settings as tunnel subnet)
      but not used by the real interfaces, and not changing anything else (in other settings apart from ovpn).
      I had v6 through openvpn with a correct v6 ip address on the client (which was within the selected tunnel
      network (as it showed on the internet as well) and had routing to the internet). No problems there.

      Getting the same setup working on 2.4.2, I get the idea that the dhcp6 client on WAN just asks and gets subnets for
      the wired (real) interfaces, and does not request either the full v6 range or the subnets I select for the OVPN server
      in pfsense, as I got outgoing packets from the ovpn client, and can ping6 alle real pfsense interfaces including the WAN
      but not the router (fritz) and beyond. Yes, I have allowed ipv6* on the OVPN interface to * in firewall rules…..

      Any idea here ?! The weird thing is that it looks that the behaviour (either dhcp6c or openvpnd)  has changed
      from 2.2.x -> 2.4.2

      Thanks !
      Rudi

      1 Reply Last reply Reply Quote 0
      • C
        coreybrett
        last edited by

        This may be related…

        https://redmine.pfsense.org/issues/7281https://redmine.pfsense.org/issues/7281

        1 Reply Last reply Reply Quote 0
        • R
          rudivd
          last edited by

          Yes, indeed it might, but still weird. without this proposed change it has worked in 2.2

          I selected a prefix for the tunnel network that was within my (provider)assigned prefix,
          where also the real interfaces IP#s were selected from. Also, yes, it was /64. this worked
          in 2.2, but ceased to work in 2.4.2….

          Grmpf.

          Rudi

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Many, many changes in OpenVPN between 2.2 and 2.4.2_1.

            None of them should preclude IPv6 from working.

            If you have a /64 from a PD that is not in use on a tracked interface and you have verified it is actually being routed to you, that should work as an OpenVPN tunnel interface.

            That is, of course, much more viable if your ISP is honoring your DUID and your prefix isn't changing all the time.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • R
              rudivd
              last edited by

              I might have solved it by changing my (tunnel) subnet in openvpn.
              It was 2001:xxxx:xxxx:FF:: changed it to 2001:xxxx:xxxx:ef:: according
              to my real lan interface that got tracked to 2001:xxxx:xxxx:e4:xxxx:xxxx:xxxx:xxxx

              It might be something weird with subnets :-) still do not understand that it worked before.

              Still I am in favour of the feature request https://redmine.pfsense.org/issues/7281

              Rudi

              1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                Depends on the delegation.

                For :00e4: and :00ff: to be in the same delegation it would have to be a /56.

                :00ef: and :00e4: are in the same /60.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.