Basic Router and OPNsense IPv6 issue

I am running an unusual setup. I have a modem going to an Asus router, which goes to OPNsense. My ISP is Spectrum. I have DHCP PD running on the Asus router, and from other guides OPNsense should in theory be running the proper settings. However, OPNsense does not want to assign IPs to the LAN devices.

I have theorized that I am being provided a 56 prefix length from my ISP. The Asus router says its LAN is using 64, and connecting the OPNsense to the Asus is asking for 64, which is too much in terms of length. My understanding of IPv6 is once you reach 128 you have no more possible addresses. I am not sure though.

Anyone else know?
@PhaseLockedLoop @wendell do you know?

I need more details on your setup; however, your theory is correct, and you’re likely encountering issues because of a mismatch in the IPv6 prefix delegation and subnetting setup in your network. Here’s what I think is basically happening:

IPv6 Prefix Delegation from Spectrum probably differs from what you expect. A quick Google search tells me Spectrum is likely providing you a /56 prefix, which means you have 256 available /64 subnets (2^(64-56) = 256). However, if you aren’t set up to handle this, you won’t get a prefix. Also, each /64 subnet has 2^64 individual IPv6 addresses.

Also, the Asus router appears to allocate a single /64 for its LAN, which is fine for devices connected directly to the Asus router. However, it doesn’t seem to be further delegating additional subnets to downstream devices (like your OPNsense firewall). So you probably need to configure it as a forwarder or slave.

Now OPNsense is requesting a /64 prefix for its WAN side, but if the Asus router has already consumed the only available /64, there’s nothing left for OPNsense to assign to its LAN side. So you need to be able to tell OPNsense to delegate multiple prefixes, or you need to have the Asus router defer or relay the DHCP requests to OPNsense upstream.

IPv6 addressing requires every layer to be configured correctly for PD:

The ISP provides a /56.

The Asus router is supposed to delegate a smaller prefix (e.g., a /60 or /62 or /64) to downstream devices like OPNsense.

OPNsense then further splits its allocation for its own LANs. If the Asus router doesn’t support proper PD or doesn’t have the feature enabled, OPNsense won’t receive any usable prefix if the OPNsense is downstream of the Asus router. If it’s the other way around, then you need to configure OPNsense properly to do this.

Here’s what I suggest you do:

Verify the Prefix Delegation Size from Spectrum. Log in to your Asus router and check the IPv6 WAN settings. Look for the exact prefix length Spectrum is delegating (it should show /56 or /64).

Now configure the Asus router or OPNsense for Prefix Delegation, whichever is upstream. You state Asus, so let’s go with that.

In the Asus router settings:

Ensure IPv6 Prefix Delegation is enabled.

Check if it supports allocating smaller subnets to downstream devices (like OPNsense). Some consumer-grade routers don’t allow this, which can be a limitation.

AGAIN, I do not know your setup. I’m just making the example.

Now adjust OPNsense IPv6 Settings:

Navigate to Interfaces > WAN > DHCPv6.

Ensure it’s set to request a prefix (PD size should match what the Asus router can provide, like /60).

Navigate to Interfaces > LAN > Track Interface and set the interface to track the WAN prefix.

Now here’s the thing. Maybe the Asus router is limited… If the Asus router doesn’t delegate prefixes:

Configure OPNsense to operate with a static IPv6 configuration using one of the unused subnets from the /56 that is received by the router and handle your routing manually. Manually assign an unused /64 for OPNsense LAN (e.g., if the Asus router uses 2001:db8:1:0::/64, assign 2001:db8:1:1::/64 to OPNsense).

Make sense?

Also be careful. You could end up DOUBLE NATTING your net.

1 Like
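
The prefix arithmetic from the reply above, as an added example that is not part of the original thread: it counts the /64s in a delegated prefix, picks a downstream block that avoids the upstream router's own LAN /64, and fails when the ISP prefix is only a /64. The function names are hypothetical and the 2001:db8:1::/56 documentation prefix is a constructed stand-in for the real ISP delegation.

```python
import ipaddress


def count_64s(prefix):
    """Number of /64 subnets inside a delegated prefix: 2^(64 - length)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64")
    return 2 ** (64 - net.prefixlen)


def plan_delegation(isp_prefix, router_lan, downstream_len):
    """Pick the first block of length downstream_len inside isp_prefix that
    does not overlap the upstream router's own LAN /64, and split it into
    the /64s the downstream firewall can put on its LANs."""
    isp = ipaddress.IPv6Network(isp_prefix)
    lan = ipaddress.IPv6Network(router_lan)
    if not lan.subnet_of(isp):
        raise ValueError(f"{lan} is not inside {isp}")
    if not isp.prefixlen <= downstream_len <= 64:
        raise ValueError(f"/{downstream_len} cannot be carved from {isp}")
    for block in isp.subnets(new_prefix=downstream_len):
        if not block.overlaps(lan):
            return block, list(block.subnets(new_prefix=64))
    raise ValueError(f"{isp} has no free /{downstream_len} left")


if __name__ == "__main__":
    # Constructed sample values (documentation prefix, not a real delegation).
    isp, router_lan = "2001:db8:1::/56", "2001:db8:1:0::/64"
    print(f"{isp} holds {count_64s(isp)} /64 subnets")

    # Upstream router delegates a /60; the firewall gets sixteen /64s.
    block, lans = plan_delegation(isp, router_lan, 60)
    print(f"delegate {block} -> {len(lans)} LANs, first {lans[0]}")

    # Manual fallback from the reply: the next unused /64.
    block, _ = plan_delegation(isp, router_lan, 64)
    print(f"static fallback /64: {block}")

    # Failure mode: the ISP only hands out a /64 and the router LAN uses it.
    try:
        plan_delegation("2001:db8:1::/64", router_lan, 64)
    except ValueError as err:
        print(f"cannot delegate: {err}")
```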