USG FLEX 500 behind other firewall - no IPV6 routing

5x5 Posts: 3  Freshman Member

Hi,

I'm trying to set up my USG Flex 500 that is situated behind an OPNsense firewall. I went through several manuals and tutorials but I couldn't figure out how to set it up right.

The ISP is providing Dual Stack (shared IPv4 + IPv6). The OPNsense is used to provide internet for 2 separate company branches.
Branch 1 network is directly connected to the OPNsense LAN1 Port - IPv6 works fine.
Branch 2 uses the USG 500 behind the OPNsense LAN2 port.

So far I can use the network tool to perform an IPv6-ping to google.com on WAN1 but not on LAN1.

WAN1
ping6 2001:4860:4860::8888 -n -c 3 -I eth1
PING 2001:4860:4860::8888(2001:4860:4860::8888) from 2a02:xxx6:xxx0:5401:daec:e5ff:fed5:9e0d eth1: 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=116 time=12.6 ms

LAN1
ping6 2001:4860:4860::8888 -n -c 3 -I eth3
connect: Network is unreachable
___________________________________________

OPNsense configuration:

WAN
IPv6 Configuration Type: DHCPv6

Prefix delegation size 59
Request Prefix only - no
Send Prefix hint - yes

LAN2
IPv6 Configuration Type - Track Interface
Parent interface - WAN
Assign prefix ID - 0x1
________________________________

Zyxel Configuration:
IPv6 enabled (everywhere: global, WAN1, LAN1)

WAN1
Enable Stateless Address Auto-configuration (SLAAC) - yes
DHCPv6: Client

DUID as MAC - yes
Request Address - yes
Advertised Hosts Get Network Configuration From DHCPv6 - yes

IP Address

SLAAC -- 2a02:xxx6:xxx0:5401:daec:e5ff:fed5:9e0d/64
DHCPv6 Settings LINK LOCAL -- fe80::daec:e5ff:fed5:9e0d/64

LAN1

DHCPv6 Settings

DHCPv6: Server

DHCPv6 Lease Options
DNS_Server 2001:4860:4860::8888
Enable Router Advertisement - yes

Address from DHCPv6 Prefix Delegation
IPv6_Request
::0:0:0:1/56
2a02:xxx6:xxx0:5418::1

IP Address
STATIC -- 2a02:xxx6:xxx0:5418::1/56
LINK LOCAL -- fe80::daec:e5ff:fed5:9e0f/64

Routing

IPV6 Configuration
any - none - any (Excluding Zywall) - any - any - any - any - any - WAN1 - preserve

_______________________________________________________________


So far I tried different kinds of IPV6 Requests, different prefix lengths, enabling/disabling SLAAC, different routing settings… At the moment I can't see the wood for the trees.

My questions at this point:
Is the prefix from the ISP suitable for this kind of routing at all?
Does the OPNsense provide me the right type of IPV6 network/prefix/…?
How should my request look like to enable ?

Can someone please help me and push me into the right direction? Thanks!

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,329  Zyxel Employee

    Hi @5x5,

    To test IPv6 on the LAN, please use a client. The network tool can't ping the Internet when you select a LAN interface.

    Additionally, your LAN v6 configuration seems to have no problem.

    Zyxel Melen


  • 5x5
    5x5 Posts: 3  Freshman Member
    edited June 13

    OK, thanks for the reply.

    I did test the IPv6 connectivity on 2 different clients as well (ping, IPv6 test websites) but I couldn't get a connection there either :-(

    My Windows PC does get these 2 IP addresses:

    2a02:xxx6:xxx0:5401:f7bf:324b:5f55:80e1
    2a02:xxx6:xxx0:5418:28d6:8145:5116:db29

    and a fe80 link-local address + fe80 standard gateway

    Name resolution (e.g. ipv6.google.com) from any client works!