USG FLEX 500 behind other firewall - no IPV6 routing

5x5 · June 13

Hi,

I´m trying to set up my USG Flex 500 that is situated behind an OPNsense firewall. I went through several manuals and tutorials but I couldn´t figure out how to set it up right.

The ISP is providing Dual Stack (shared IPv4 + IPv6). The OPNsense is used to provide internet for 2 seperate company branches.
Branch 1 network is directly connected to the OPNsense LAN1 Port - IPv6 works fine.
Branch 2 uses the USG 500 behind the OPNsense LAN2 port.

So far I can use the network tool to perform an IPv6-ping to google.com on WAN1 but not on LAN1.

WAN1
ping6 2001:4860:4860::8888 -n -c 3 -I eth1PING 2001:4860:4860::8888(2001:4860:4860::8888) from 2a02:xxx6:xxx0:5401:daec:e5ff:fed5:9e0d eth1: 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=116 time=12.6 ms

LAN1
ping6 2001:4860:4860::8888 -n -c 3 -I eth3
connect: Network is unreachable
___________________________________________

OPNsense configuration:

WAN
IPv6 Configuration Type: DHCPv6
Prefix delegation size 59
Request Prefix only - no
Send Prefix hint - yes

LAN2
IPv6 Configuration Type - Track Interface
Parent interface - WAN
Assign prefix ID - 0x1
________________________________

Zyxel Configuration:
IPv6 enabled (everywhere: global, WAN1, LAN1)

WAN1
Enable Stateless Address Auto-configuration (SLAAC) - yes
DHCPv6: Client

DUID as MAC - yes
Request Address - yes
Advertised Hosts Get Network Configuration From DHCPv6 - yes

IP Address

SLAAC -- 2a02:xxx6:xxx0:5401:daec:e5ff:fed5:9e0d/64
DHCPv6 Settings LINK LOCAL -- fe80::daec:e5ff:fed5:9e0d/64

LAN1

DHCPv6 Settings
DHCPv6: Server

DHCPv6 Lease Options
DNS_Server 2001:4860:4860::8888
Enable Router Advertisement - yes

Address from DHCPv6 Prefix Delegation
IPv6_Request
::0:0:0:1/56
2a02:xxx6:xxx0:5418::1

IP Address
STATIC -- 2a02:xxx6:xxx0:5418::1/56
LINK LOCAL -- fe80::daec:e5ff:fed5:9e0f/64

Routing

IPV6 Configuration
any - none - any (Excluding Zywall) - any - any - any - any - any - WAN1 - preserve

_______________________________________________________________

So far I tried different kinds of IPV6 Requests, different prefix lengths, enabling/disabling SLAAC, different routing settings… At the moment I can't see the wood for the trees.

My questions at this point:
Is the prefix from the ISP suitable for this kind of routing at all?
Does the OPNsense provide me the right type of IPV6 network/prefix/…?
How should my request look like to enable ?

Can someone please help me and push me into the right direction? Thanks!

Zyxel_Melen · June 13

Hi @5x5,

To test IPv6 on LAN, please use a client to test. The network tool can't ping Internet when you select LAN interface.

Additionally, your LAN v6 configuration seems no problem.

5x5 · June 13

ok, thanks for reply.

I did test the IPv6 connectivity on 2 different clients as well (ping, IPV6 test websites) but I couldn`t get a connection there either :-(

My windows PC does get these 2 IP adresses:

2a02:xxx6:xxx0:5401:f7bf:324b:5f55:80e1
2a02:xxx6:xxx0:5418:28d6:8145:5116:db29

and a fe80 link local address + fe80 standard gateway

name resolution (e.g. ipv6.google.com) from any client works!

Zyxel_Melen · June 19

Hi 5x5

Sorry for the delayed reply since I was having some clarification.

Please note that for USG FLEX WAN and LAN, there are difference interface/subnet. For your OPNSense, it doesn't know how to reach 2a02:xxx6:xxx0:5418::1/64. So, please add static route on OPNSense and the next hop is USG FLEX WAN IP. Also, we suggest you to set static IP for your USG FLEX WAN interface. You may reference this document for more details.

Hope it helps.

USG FLEX 500 behind other firewall - no IPV6 routing

All Replies

Categories

Security Help Center