
I'm struggling with adding IPv6 to the internal bridge of my setup, here is what I have:

           ┌───────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
           │                                                                                                               │
           │                                        Virtualization Host (Proxmox)                                          │
           │                                                                                                               │
           │                            ┌───────────────────────────────────────────────┐     ┌─────────────────────────┐  │
           │                            │                                               │     │                         │  │
           │                            │                       OPNsense                │     │          VM01           │  │
           │                            │                                               │     │                         │  │
Public     │  vmbr0 - 2a01:...::2/64    │ vtnet0 - 2a01:...::3/64       vtnet1 - XXX/YY │     │ eth0 - 2a01:...::10/64  │  │
───────────┼────────────────────────────┼────────                                ───────┼─────┼──────                   │  │
           │                            │                                               │     │                         │  │
           │                            └───────────────────────────────────────────────┘     └─────────────────────────┘  │
           │                                                                                                               │
           └───────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

I have a Virtualization Host (Proxmox) which is connected to the public internet. The IP-address 2a01:...::2/64 is assigned to the public interface vmbr0 and the host is reachable.

Here is the interface configuration excerpt for vmbr0 from /etc/network/interfaces:

iface vmbr0 inet6 static
        address 2a01:...::2/64
        gateway fe80::1

I have installed OPNsense in a VM which is connected with one interface to the public bridge vmbr0 and with a second interface to an internal bridge vmbr1. The WAN interface vtnet0 of the OPNsense router has an IPv6 address 2a01:...::3/64 assigned and is reachable from the public internet.

What I want to achieve: An IPv6 DHCP Server on the internal interface vtnet1 of the OPNsense router should provide IPv6 addresses with the global prefix (let's say 2a01:...::10/64 to 2a01:...::100/64) to the internal VMs (VM01 in this example) with a static assignment, so that public IPv6 communication is possible but of course controlled with Firewall rules.

My current questions / issues:

  • How should I configure the internal interface vtnet1 of the OPNsense router? Static IPv6 or SLAAC?
  • What address or prefix should be assigned to the LAN interface of the OPNsense router? An address with the global 2a01: prefix or a link local address?
  • How do I configure the IPv6 DHCP server? Especially, how do I configure the gateway and DNS servers to be assigned correctly?

I hope I was able to make my setup and my goals clear. I obviously have some lack of understanding regarding this IPv6 router setup and I can't find a guide or reference setup, so any help on this is greatly appreciated.

  • For a business network, the `/64` network is typically a transit network, and you will get a delegated `/48` prefix from which you can derive 65,536 `/64` networks for use in your internal network. Then you just route on your WAN router. – Ron Maupin Jun 20 '22 at 16:53
  • I have received a `/64` **IPv6** network from my hosting provider (Hetzner, see: https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/#main-address). It would be fine to me to further split this network and only route a smaller network to the **OPNsense** firewall / internal network if this would make things easier. – Andreas Piening Jun 20 '22 at 18:41
  • The recommendation is that a `/48` prefix should be assigned to a site. See _[RFC 6177, IPv6 Address Assignment to End Sites](https://datatracker.ietf.org/doc/html/rfc6177)_, so your ISP is not following the recommendations. Also, you really do not want to subnet a `/64` network because using network sizes other than `/64` will break some IPv6 features. See [this answer](https://networkengineering.stackexchange.com/a/34172/8499) about that. You may want to find a better ISP that is more up to date with IPv6. – Ron Maupin Jun 20 '22 at 19:24
  • I can only get `/64` networks from the provider. But they do offer multiple `/64` networks in case of need. My requirement is just having the existing `/64` network routed to the internal `vtnet1` interface so that I can assign `IPv6` addresses from this network to the VMs. Is this possible? – Andreas Piening Jun 21 '22 at 10:09

1 Answer

This could be what you are looking for: https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

In reply to your comment:

  • Bridges can be chained like switches.
  • DHCPv6 or SLAAC is already provided from the network outside the host because host's vmbr0 and the OPNsense's WAN got an IPv6 configuration independently from the DHCPv6 server in OPNsense. If OPNsense acts as a bridge between its WAN/LAN interfaces, then the VMs in LAN will get an IPv6 the same way the WAN interface got its own.
  • I see no IPv4-specific configuration.

Ideally, you should not split a /64 network; it should stay a single network, meaning all hosts share the same broadcast domain without a router in between.

To use the /64 network for the VMs, I would entirely dedicate this network to the LAN side of the OPNsense box. You do not have to use 2a01::1/64 on the upstream gateway, 2a01::2/64 on the host, ::3/64 on the WAN side of OPNsense. You can use link local addresses for that.

Dylan
  • The title **Transparent Filtering Bridge** does sound like that's what I need. However I'm not able to adapt the steps from this guide to my setup for various reasons: * The guide suggests to create a bridge in `OPNsense`, but my `OPNsense` box is behind a bridge already. * I don't want to disable `DHCP` on the internal interface. * The guide seems to be written for `IPv4` only. I can't figure out how to reach my goals or solve my issues based on this. – Andreas Piening Jun 20 '22 at 15:35
  • I updated the answer according to your comment. – Dylan Jun 20 '22 at 16:09
  • Unfortunately there is no **DHCPv6** server running on the public side. I had to assign the address **2a01:...::2/64** statically in the interfaces configuration file of the Proxmox host. That's why I want to run a **DHCPv6** server on the internal interface **vtnet1** of the **OPNsense** router. I've added the static configuration for **vmbr0** to my question. – Andreas Piening Jun 20 '22 at 18:35
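As an added example that is not part of the question or of Dylan's answer: a small Python check for the address plan the answer recommends (dedicate the whole /64 to the LAN side and do not subnet it, as Ron Maupin's comment also warns), plus the EUI-64 derivation of the link-local address that a transit interface would use. The documentation prefix 2001:db8:1::/64 stands in for the elided 2a01:...::/64 and the MAC address is made up; the link-local helper assumes the interface derives its address from its MAC rather than generating a random one.

```python
import ipaddress

# SLAAC / EUI-64 need a 64-bit interface identifier (RFC 4291, RFC 4862),
# which is why a /64 should not be subnetted any further.
SLAAC_PREFIX_LEN = 64


def check_lan_plan(lan_prefix: str, pool_first: str, pool_last: str) -> dict:
    """Check that a static DHCPv6 pool fits inside the LAN prefix and that
    the prefix is a /64. Returns the findings instead of printing them."""
    net = ipaddress.IPv6Network(lan_prefix, strict=True)
    first = ipaddress.IPv6Address(pool_first)
    last = ipaddress.IPv6Address(pool_last)
    problems = []
    if net.prefixlen != SLAAC_PREFIX_LEN:
        problems.append(
            f"{net} is a /{net.prefixlen}: SLAAC and EUI-64 addressing need a /64")
    if first not in net or last not in net:
        problems.append(f"pool {first}-{last} is not inside {net}")
    if first > last:
        problems.append("pool start is after pool end")
    elif first == net.network_address:
        problems.append("pool starts at the subnet-router anycast address (::0)")
    pool_size = int(last) - int(first) + 1 if first <= last else 0
    return {"network": str(net), "pool_size": pool_size,
            "problems": problems, "ok": not problems}


def link_local_from_mac(mac: str) -> str:
    """Derive the EUI-64 link-local address (fe80::/64) of a MAC address.
    Assumption: the interface uses a MAC-derived, not a random, link-local."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    # Flip the universal/local bit of the first octet and insert ff:fe
    # between the OUI and the device part to form the 64-bit interface ID.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a made-up VM MAC.
    print(check_lan_plan("2001:db8:1::/64", "2001:db8:1::10", "2001:db8:1::100"))
    print(check_lan_plan("2001:db8:1::/65", "2001:db8:1::10", "2001:db8:1::100"))
    print(link_local_from_mac("52:54:00:12:34:56"))
```

The second call shows why splitting the /64 (here into a /65) is flagged even though the pool still fits inside it.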