Hi all,
I've recently changed my ISP and they have native IPv6. My customer
premises equipment, which is a GPON, supports both stateless and DHCPv6
on its LAN interface. I want to put an OpenBSD firewall between this CPE
and my internal network. I'm using OpenBSD 5.7 stable. My CPE receives a
/64 prefix delegation from my ISP. Unfortunately, this is a dynamic
prefix, so I can't configure anything manually.
I've managed to get wide-dhcp6 working and requesting the prefix to
be delegated to my internal network. After that, all I needed to do was
to run rtadvd on my internal interface, and my internal LAN machines
began to be autoconfigured, getting IPs from the delegated prefix.
The OpenBSD firewall has 2 IPv6 addresses: one on the WAN interface
and another on the LAN interface. If I use ping6 to ping any IPv6 host
from my firewall, I can ping them with no problems. But if I ping
with the source set to the IPv6 address of the internal interface,
it won't work. Also, no machine on my LAN can connect to any host
through IPv6.
I've inspected the traffic with tcpdump, and I can see the packets
leaving my network and getting to the destination. The problem is that
the packets never get back. My CPE equipment keeps sending neighbour
solicitations asking who has the IPv6 address, but the OpenBSD firewall
never replies, so the packets get dropped. I currently have PF
disabled, but I had the same problem with it enabled and with the
default firewall configuration. I'm trying first to get IPv6
connectivity working, and then to filter the packets afterwards. Has
anyone had a similar issue?
Cheers,
Giancarlo Razzolini