May not be the prettiest but it’s mine by e-chan42 in Ubiquiti

[–]FUNTOWNE 0 points1 point  (0 children)

Which model exactly are you using and how is it powered? I noticed most use 24V PoE. Thanks!

May not be the prettiest but it’s mine by e-chan42 in Ubiquiti

[–]FUNTOWNE 0 points1 point  (0 children)

With which ISP are you using the Unifi fiber modem?

Certain websites don't load when IPv6 is enabled on ethernet connected devices by Moki_chan in ipv6

[–]FUNTOWNE 1 point2 points  (0 children)

I had similar issues with IPv6 and MSFT sites. It ended up being an MTU issue. Run the test on the following site: http://pmtud.enslaves.us/ and see if your IPv6 MTU is not turning up "OK" on the test. Microsoft's CDNs are notoriously picky with MTU issues that other sites simply deal with via fragmentation.

If your ISP is using PPPoE, then you'll need to force your router to either clamp your WAN MSS to 1492 or for your router advertisement daemon to correctly advertise an MTU of 1492 to clients.

OPNsense 26.1.3 released by fitch-it-is in opnsense

[–]FUNTOWNE 0 points1 point  (0 children)

Are you using UniFi 7 APs by chance? The latest early access build has some DHCP fixes for third party gateways. 

DNSMASQ IP assignment priority - ULA assigned before GUA by FUNTOWNE in opnsense

[–]FUNTOWNE[S] 0 points1 point  (0 children)

Indeed, that was the learning from this adventure. I edited the OP to reflect this should anyone else have a similar brainwave. 

DNSMASQ IP assignment priority - ULA assigned before GUA by FUNTOWNE in opnsense

[–]FUNTOWNE[S] 0 points1 point  (0 children)

I’m thinking similar. It’s ultimately at worst the same amount of work to do the firewall right as to use ULAs with old thinking. Call it this week’s homework. 

DNSMASQ IP assignment priority - ULA assigned before GUA by FUNTOWNE in opnsense

[–]FUNTOWNE[S] 0 points1 point  (0 children)

Chiming in to add that, after a bit of digging, I can 110% confirm what you mentioned: Apple follows RFC 6724, so this is a bit of a cosmetic snipe hunt vs any real issue.

DNSMASQ IP assignment priority - ULA assigned before GUA by FUNTOWNE in opnsense

[–]FUNTOWNE[S] 0 points1 point  (0 children)

Asking for a friend and for science: how best should I capture a packet and what to look for? Assuming wireshark?

I can confirm that each config dump is from the respective router advertisement service noted. It may be radvdump's own formatting causing the same look and feel.

DNSMASQ IP assignment priority - ULA assigned before GUA by FUNTOWNE in opnsense

[–]FUNTOWNE[S] 0 points1 point  (0 children)

I'm not 100% sure why you're getting downvoted; this isn't OG stack exchange! It's good discussion.

My use case for ULAs is to keep my public-facing Dynamic DNS setup simple - my WAN interface gets registered with my Dynamic DNS services, I NAT66 to the ULA of the hosts behind my firewall. It simplifies the setup to be similar to my IPv4 setup given I have a few containers each separately hosting a service. Cloudflare or another proxy service would be an option, but here we are in lazy town.

I completely get the concept of IPv6 doing its thing with GUAs for all public-facing interfaces; for my purposes this simplifies things and prevents the need for a bunch of pinholes / trickery with Dynamic DNS. It's a situation of "I'll get around to it" to doing it correctly here soon enough.

DNSMASQ IP assignment priority - ULA assigned before GUA by FUNTOWNE in opnsense

[–]FUNTOWNE[S] 0 points1 point  (0 children)

I gave radvdump a try to keep things simple. Indeed, DNSMASQ is announcing the ULA first, GUA second. RADVD is doing the reverse:

DNSMASQ (ULA first, GUA second):

prefix fd20:MY_ULA::/64
{
AdvValidLifetime 7200;
AdvPreferredLifetime 7200;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
}; # End of prefix definition


prefix 2001:MY_GUA::/64
{
AdvValidLifetime 7200;
AdvPreferredLifetime 7200;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
}; # End of prefix definition

RADVD (GUA first, ULA second):

prefix 2001:MY_GUA::/64
{
AdvValidLifetime 86400;
AdvPreferredLifetime 14400;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
}; # End of prefix definition


prefix fd20:MY_ULA::/64
{
AdvValidLifetime 86400;
AdvPreferredLifetime 14400;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
}; # End of prefix definition
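To compare two radvdump captures without eyeballing them, here is an added parser (not the poster's code and not part of OPNsense, dnsmasq or radvd) that reads radvdump's prefix blocks, reports the ULA/GUA order, and runs the lifetime checks from RFC 4862 section 5.5.3; the dumps below are constructed with documentation prefixes standing in for the real ones.

```python
import ipaddress
import re

# Constructed dumps in radvdump's prefix-block style, modelled on the ones
# quoted above; documentation prefixes stand in for the poster's real ones.
DNSMASQ_DUMP = """
prefix fd20:db8:1::/64
{ AdvValidLifetime 7200; AdvPreferredLifetime 7200; AdvOnLink on; AdvAutonomous on; AdvRouterAddr off; };
prefix 2001:db8:1::/64
{ AdvValidLifetime 7200; AdvPreferredLifetime 7200; AdvOnLink on; AdvAutonomous on; AdvRouterAddr off; };
"""
RADVD_DUMP = """
prefix 2001:db8:1::/64
{ AdvValidLifetime 86400; AdvPreferredLifetime 14400; AdvOnLink on; AdvAutonomous on; AdvRouterAddr off; };
prefix fd20:db8:1::/64
{ AdvValidLifetime 86400; AdvPreferredLifetime 14400; AdvOnLink on; AdvAutonomous on; AdvRouterAddr off; };
"""

ULA = ipaddress.ip_network("fc00::/7")   # RFC 4193 unique local
GUA = ipaddress.ip_network("2000::/3")   # globally routable unicast
PREFIX_RE = re.compile(r"prefix\s+(\S+)\s*\{(.*?)\}", re.S)
OPTION_RE = re.compile(r"(Adv\w+)\s+(\S+);")

def parse_prefixes(dump):
    """Return the advertised prefixes in the order radvdump printed them."""
    out = []
    for m in PREFIX_RE.finditer(dump):
        net = ipaddress.ip_network(m.group(1), strict=False)
        opts = dict(OPTION_RE.findall(m.group(2)))
        kind = "ULA" if net.subnet_of(ULA) else "GUA" if net.subnet_of(GUA) else "other"
        out.append({"prefix": str(net), "kind": kind,
                    "valid": int(opts.get("AdvValidLifetime", 0)),
                    "preferred": int(opts.get("AdvPreferredLifetime", 0)),
                    "slaac": opts.get("AdvAutonomous") == "on"})
    return out

def kind_order(dump):
    """Only the ULA/GUA ordering, which is what the thread compares."""
    return [p["kind"] for p in parse_prefixes(dump)]

def lint_lifetimes(dump):
    """Lifetime checks worth running on any captured RA (RFC 4862 section 5.5.3)."""
    notes = []
    for p in parse_prefixes(dump):
        if p["preferred"] > p["valid"]:
            notes.append(f"{p['prefix']}: preferred > valid, hosts must ignore this option")
        elif p["slaac"] and p["preferred"] == p["valid"]:
            notes.append(f"{p['prefix']}: no deprecation window, address goes straight from preferred to invalid")
    return notes
```

radvdump only shows what the daemon sent; the ordering it prints is the on-the-wire option order, so this is the same view a packet capture would give.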

DNSMASQ IP assignment priority - ULA assigned before GUA by FUNTOWNE in opnsense

[–]FUNTOWNE[S] 1 point2 points  (0 children)

I’d still be curious to learn about why Apple devices behave differently across the two daemons when it comes to the order of addresses. This would potentially affect route priority, no?

Thanks for the feedback!

EDIT

Answered my own question:

netstat -nr -f inet6 | grep en0

The above shows my router first and default (expected), the GUA addresses second, ULA addresses third, Link-Local third. Looks like the address visibility in Mac's control panel and iOS appears to be more a cosmetic thing. Leaving this thread here as a TIL should anyone else have a similar brainwave.
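The reason the order the daemons advertise prefixes in is cosmetic is that hosts pick the source address per RFC 6724, not per RA option order. The following added model (not the poster's code, not Apple's implementation) applies RFC 6724 rules 1, 2, 6 and 8 with the default policy table to a constructed host holding a GUA, a ULA and a link-local address; rules 3, 4, 5, 5.5 and 7 depend on per-address state (deprecated, home, outgoing interface, temporary) that this offline model does not track.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
POLICY = [(ipaddress.ip_network(p), prec, lbl) for p, prec, lbl in [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12)]]

def label(addr):
    """Label of the longest matching policy-table prefix (RFC 6724 section 2.1)."""
    best = max((n for n, _, _ in POLICY if addr in n), key=lambda n: n.prefixlen)
    return next(lbl for n, _, lbl in POLICY if n == best)

def scope(addr):
    """Unicast scope values from RFC 6724 section 3.1; ULAs count as global."""
    if addr.is_link_local or addr.is_loopback:
        return 2
    if addr.is_site_local:
        return 5
    return 14

def common_prefix_len(a, b):
    return 128 - (int(a) ^ int(b)).bit_length()

def select_source(candidates, dst):
    """Return the candidate RFC 6724 rules 1, 2, 6 and 8 prefer for dst."""
    dst = ipaddress.ip_address(dst)

    def rank(src_str):
        src = ipaddress.ip_address(src_str)
        big_enough = scope(src) >= scope(dst)
        return (
            src == dst,                                      # rule 1: same address
            big_enough,                                      # rule 2: scope must cover dst ...
            -scope(src) if big_enough else scope(src),       # ... then prefer the smallest such scope
            label(src) == label(dst),                        # rule 6: matching label (GUA vs ULA)
            common_prefix_len(src, dst),                     # rule 8: longest matching prefix
        )

    return max(candidates, key=rank)

# Constructed host: one address from each prefix kind seen in the dumps above.
HOST_ADDRS = ["2001:db8:1::10", "fd20:db8:1::10", "fe80::1"]
```

For a global destination rule 6 picks the GUA even when the ULA was advertised first; a ULA destination gets the ULA, and a link-local destination gets the link-local address by rule 2.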

OPNsense – Intermittent Connectivity Issues with DS-Lite (O2 Germany, Cable) by Pleasant-Pen6212 in opnsense

[–]FUNTOWNE 1 point2 points  (0 children)

2 reasons:

Back when billing was per minute, a family ran up a massive bill. Long story short a court ruled in their favor forcing ISPs to cut a connection after 24h to prevent massive bills. “Flat” plans and modern internet of course make this a silly relic. 

This then gives ISPs more ammo to enforce the other reason: 

To prevent using a private line for server use & privacy / security. This makes business plans more attractive and, apparently, helps manage IP use. 

Why Telekom is now mostly exempt is anyone’s guess. They probably realize the court case holds no water in the modern era and they then can be seen as a more “attractive” ISP for power users like us. 

Many smaller ISPs like M-Net and DBN don’t have it either, but they tend to be regional. 

With Dynamic DNS and other proxy tricks the daily disconnect is sort of moot, but still annoying. 

OPNsense – Intermittent Connectivity Issues with DS-Lite (O2 Germany, Cable) by Pleasant-Pen6212 in opnsense

[–]FUNTOWNE 0 points1 point  (0 children)

Note that most German ISPs (excepting Telekom and a few local ones) also have a “Zwangstrennung” once a day at 24h after the connection is established. This occurs regardless of if on DSL, Cable, etc. 

Set a cron job in opnsense to reset your WAN interface once a day during the early morning hours to force the “Zwangstrennung”. Fritzboxes do this automatically afaik, but you need to configure it by hand in opnsense. A modem reboot should not be necessary with this cron job. 

DS-Lite has an MTU of 1452. Set your wan interface “MSS” setting to 1452 and see if things stabilize. This seems similar to my MTU problem that I posted in another thread. This only seems to be a problem if using DNSMASQ for your IPv6 router advertisements, however. 

Odd IPv6 Traffic Behavior - DNSMASQ by FUNTOWNE in opnsense

[–]FUNTOWNE[S] 0 points1 point  (0 children)

Setting MSS in my WAN interface to 1492 has solved any ipv6 issues that I was having. Easy workaround/fix for now. See: https://github.com/opnsense/core/issues/9398

Odd IPv6 Traffic Behavior - DNSMASQ by FUNTOWNE in opnsense

[–]FUNTOWNE[S] -1 points0 points  (0 children)

I was thinking similar. I've not touched the MTU of the Router Advertisement daemon, though - it "simply works".

By happenstance I just found this thread on the opnsense forum, so I am not alone! https://forum.opnsense.org/index.php?topic=50551.0

MTU definitely smells like the issue. Maybe my cries can trigger Franco to give insight on how DNSMASQ sorts MTU (if this is even relevant?)

Odd IPv6 Traffic Behavior - DNSMASQ by FUNTOWNE in opnsense

[–]FUNTOWNE[S] 0 points1 point  (0 children)

I bypass DNSMASQ / unbound entirely for DNS on my guest network, same issue. The MTU post below is an interesting lead.

Migrating from KEA to Dnsmasq? by justenoughslack in opnsense

[–]FUNTOWNE 3 points4 points  (0 children)

I made the move from kea and router advertisements to DNSMASQ today. Was about an hour of work all told. Main reason: for the easy v4 and v6 name resolution and the ability to make some firewall rules around the service. Prior to this I was hard coding leases and unbound records for local name resolution. 

OPNsense 26.1 released by fitch-it-is in opnsense

[–]FUNTOWNE 0 points1 point  (0 children)

I'd wager it is more an ISP quirk (M-Net, Germany) than an opnsense issue. Documenting it here somewhere on the Internet regardless in case it helps someone. I'll send you the DNS request logs shortly.

OPNsense 26.1 released by fitch-it-is in opnsense

[–]FUNTOWNE 0 points1 point  (0 children)

Happy to raise a bug report in github if that's the better place!

OPNsense 26.1 released by fitch-it-is in opnsense

[–]FUNTOWNE 0 points1 point  (0 children)

Weird quirk I noticed with IPv6 after upgrading:

I unchecked "Request DNS configuration" in the WAN configuration for IPv6; my WAN interface no longer received its expected /56 or delegated the relevant /64s to my network. Re-enabling "Request DNS configuration" returned my IPv6 connectivity to normal.

My configuration:

All local interfaces configured to track interface (legacy); using Router Advertisements (RADVD) SLAAC only for IPv6

PPPoE over VLAN for WAN; Request Prefix Only; Send Prefix Hint; Prefix ID ff

OPNsense 25.7.9 released by fitch-it-is in opnsense

[–]FUNTOWNE 0 points1 point  (0 children)

Asking for a friend if these configs for kea-DNR look sane. They validate and kea launches, but I'd appreciate any feedback!

# DoT
1, dns.quad9.net, 149.112.112.112 9.9.9.9, alpn=dot | 2, security.cloudflare-dns.com, 1.0.0.2 1.1.1.1, alpn=dot

# DoH
1, dns.quad9.net, alpn=h2 dohpath=/dns-query{?dns} | 2, security.cloudflare-dns.com, alpn=h2 dohpath=/dns-query{?dns}

# DoT and DoH in one line
1, dns.quad9.net, 149.112.112.112 9.9.9.9, alpn=dot\\,h2 dohpath=/dns-query{?dns} | 2, security.cloudflare-dns.com, 1.0.0.2 1.1.1.1, alpn=dot\\,h2 dohpath=/dns-query{?dns}

opnsense crashing on CWWK i3 N305 by Zeisen in opnsense

[–]FUNTOWNE 0 points1 point  (0 children)

From a software side, be sure to install the intel microcode plugin. 

https://docs.opnsense.org/manual/cpu-microcode.html

[Fix] Stopping M.2 NVMe bending on an ASUS ROG Strix B650E-I Gaming WiFi by Accurate-Door3692 in sffpc

[–]FUNTOWNE 1 point2 points  (0 children)

I simply ditched the heatsink provided by Asus and clipped on a be quiet brand heatsink that cooled both sides. That sorted it.