Just sharing my experience, has dual-stacked my home previously except for Wireguard until now
Below are some of the backstories and what are the problems faces and the steps to overcome it. Solution might be janky, but it works for me now.
ISP: Starhub 5Gbps Plan
Router OS: OPNSense 25.1.8_1 (Running on Taobao N100 Mini PC bought 2 years back)
Write Up #1: Recently lost "IPv6" after dual-stacking my Wireguard, IPv6 was working fine when I whenever I check it until recently.
Block private networks:
Checked
Block bogon networks:
Unchecked
IPv6 Configuration Type:
DHCPv6
Prefix delegation size:
64
Request prefix only:
Unchecked
Send prefix hint:
Unchecked
With this settings it is supposed to be working, but no matter what I am not able to get an IPv6.
Have restarted router and modem multiple times.
So did a packet inspection for WAN,
I did see Solicit, Advertise and Request... but no reply from Starhub issuing me IPv6.
So I thought Starhub was down, so I waited for another day, but nothing changes, still no IPv6
Afterwards I tried generating MAC Address and set it on my WAN Interface. Voila and it works, I am getting a IPv6 address. Problem solved.
Next, I tried removing the custom MAC address, I lost the IPv6 again. Then I generate another MAC address, this time it doesn't work anymore until I used back the first MAC address, I had generated previously
For now, I am leaving it this way. Leaving this here so that it might be able to help someone out as well as to see anyone has insight on this.
Write Up #2: Wireguard with IPv6
Backstory
Since setting up it as dual-stack last year, I have the following:
LAN Interface:
IPv6 Configuration Type:
Track Interface
Parent Interface:
WAN
Assign prefix ID:
0
Manual Configuration: [Checked] Allow manual adjustment of DHCPv6 and Router Advertisements
In Router Advertisements:
Router Advertisements:
Stateless
Router Priority:
Normal
Source Address:
Automatic
DNS options:
Use the DNS configuration of the DHCPv6 server:
Unchecked
Do not send any DNS configuration to clients:
Unchecked
With this IPv6 is working perfectly as it should be able to browse public IPv6.
However, I do realised that if I set my DNS to the GUA IPv6 address of my Pihole, it will fail once I get a new prefix from starhub. So I looked into ULA, and given myself a ULA adding it in Interfaces/Virtual IPs:
Will explain why I didn't use the link local fe80 IP address later on.
Mode:
IP Alias
Interface:
LAN
Network / Address:
[My generated LAN IPv6 ULA prefix]
Now with the this, all of my devices will get a 'Local' IPv6 address. ULA, my local IPv6 is fixed. Locally my IPv6 is working as it should.
Dual-Stacking Wireguard but... no public IPv6 access
1. Generate another ULA Network Address for my Wireguard
2. Everything work as it is, include DNS over IPv6, I realised I can't use the fe80 IP address to connect to my DNS server back home. Cause fe80 is link local, it doesn't support routing. Thus, the ULA address I have set up previously come into play.
Now the issue is without a Globally routed IPv6, I am not able to surf Public IPv6.
So, I am left with two choices. (Don't flame me for using NAT in IPv6, it's more like an experiment that I want to try, but also I am left with no other choice..
NAT-ing my Wireguard IPv6 Stateful vs Stateless
1. NAT66, so all my outgoing Wireguard to the public will use my WAN Interface IPv6. - This is tested to be working, but decided not to use it since it is stateful.
2. NPTv6 - This basically rewrites the prefix of my Wireguard ULA to my WAN IPv6 Prefix
NPTv6 rewriting the wrong address
Under firewall > NAT > NPTv6 Add a Rule
Interface:
WAN
Internal IPv6 Prefix (source):
[Internal Wireguard IPv6 Prefix]
External IPv6 Prefix:
[Leave it Empty] (Since my public IPv6 prefix is dynamic, the idea to leave it empty is so that it will grab the prefix of my Global IPv6 prefix.
Track Interface: LAN
When I got to here... NPTv6 is working but no IPv6 public internet. Upon checking my logs...
NPTv6 is has replace my Wireguard IPV6 with the LAN IPv6 Prefix that I have created earlier.
But if i remove my Virtual IP temporarily, then add back my LAN ULA in Virtual IP. My Wireguard is able to surf IPv6 publicly.
However, feeling that this will not solve the problem, once reboot, I am afraid NPTv6 will pick my LAN prefix again.
Updating NPTv6 with Monit and Custom Script
Have to make use of Monit, OPNSense API and some custom script to update the NPTv6 settings.
Two scripts needed (At the bottom of this post)
1. check_ipv6_prefix.sh
2. update_nptv6.sh
In Services > Monit > Settings > Service Tests Settings (Add New):
Name: WAN_IPv6_Changes
Condition:
status != 0
Action:
Start
In Services > Monit > Settings > Service Settings (Add New):
Enable service checks: Ticked
Name:
wan_ipv6_prefix_check
Type: Custom
Path:
/path/to/check_ipv6_prefix.sh
Start:
/path/to/update_nptv6.sh .
Test: WAN_IPv6_Changes (The Service Test Created Earlier)
If only Starhub gives us a prefix larger than /64
As of now this is the best I could think of to overcome this, it's janky, but it works for me for now. Do let me know if you have another solution. It would be good if Starhub don't just assign /64 IPv6 to us... then I could assign another IP range to another dummy interface and track that instead without conflicting with my Local ULA.
Scripts
Do review it before using it, not going to lie but made it up with the help of ChatGPT
check_ipv6_prefix.sh
https://pastebin.com/PJWg5aR9
update_nptv6.sh
https://pastebin.com/Scf88Ftp
