IPv6 and Firewall settings

Moving to IPv6. I have a router that’s sending out RA messages and the local SUSE interface (eth0) is generating IPv6 addresses locally with the firewall set to Trusted for the interface. All as expected. I can ping with the -6 option external addresses like www.google.com.

Moving to a custom firewall configuration and rebooting I don’t get any local IPv6 addresses other than the Unicast (I think I have the right term here) address, beginning fe80:… I can no longer ping external addresses. I presume I need to open a service. So far tried dhcpv6-client but no luck.

To check addresses I have been using:

ip -6 address

Any ideas or suggestions?

Should have added that I am not using DHCPv6 in the configuration so it should all be SLAAC.

OK, solved but not sure why. I had IPv4 masquerading set. Would really be interested in why that would mess up SLAAC.

Only half solved. I now know that masquerading is messing up SLAAC to obtain my IPv6 address but for various reasons I need to have NAT enabled so incoming VPN connections have access to all of my network. After a bit of digging I found the “Basic Networking” documentation and section 13.7 covers setting up a router which is exactly what I want. My /etc/sysctl.conf now looks like this:

# net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1  
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.enp0s3.accept_ra = 2
net.ipv6.conf.enp0s3.autoconf = 0

But it’s still not generating a local IPv6 address. Everything else works. Any ideas anyone?

Do you need ipv6 forwarding?
If not, try

Thanks for the idea. Yes, had tried that and it still didn’t work.

Tried adding net.ipv6.conf.all.accept_ra = 2 and still no joy.

Just as a random idea I added another interface and used the default “trusted” non-NATed zone for the new interface. The new interface didn’t get an IPv6 generated address. Kind of looks like enabling NAT/Masquerading on any interface kills IPv6 SLAAC!

OK. Now actually solved. This is what worked for me:

net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.enp0s3.accept_ra = 2
net.ipv6.conf.enp0s3.autoconf = 1

autoconf = 1 seems to be needed, which is not what the documentation says.
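
Added example, not part of the original thread: a small check that reads the three per-interface sysctls discussed above and reports whether the kernel will form a SLAAC address, following the Linux ip-sysctl documentation (accept_ra=1 is ignored while forwarding is on, accept_ra=2 overrides that, and autoconf controls whether an address is built from the advertised prefix). The function names and the optional sysctl-root argument are made up for this example, and it only looks at sysctls, not at firewall rules for ICMPv6.

```shell
#!/bin/sh
# Added example: explain from sysctl values whether an interface will
# autoconfigure an IPv6 address from Router Advertisements (SLAAC).

# slaac_verdict FORWARDING ACCEPT_RA AUTOCONF -> prints a one-line verdict
slaac_verdict() {
    fwd=$1; ra=$2; auto=$3
    if [ "$ra" -eq 0 ]; then
        echo "no-slaac: accept_ra=0, Router Advertisements are ignored"
    elif [ "$ra" -eq 1 ] && [ "$fwd" -ne 0 ]; then
        echo "no-slaac: accept_ra=1 is ignored while forwarding=$fwd (use accept_ra=2)"
    elif [ "$auto" -eq 0 ]; then
        echo "no-slaac: RAs are accepted but autoconf=0, so no address is formed from the prefix"
    else
        echo "slaac-ok: RAs are accepted and autoconf=$auto"
    fi
}

# check_iface IFACE [SYSCTL_ROOT]
# SYSCTL_ROOT defaults to the live kernel tree; pass another directory to
# evaluate a saved or constructed copy of the same three files.
check_iface() {
    dir="${2:-/proc/sys/net/ipv6/conf}/$1"
    [ -r "$dir/accept_ra" ] || { echo "unknown: no IPv6 sysctls for $1"; return 1; }
    slaac_verdict "$(cat "$dir/forwarding")" \
                  "$(cat "$dir/accept_ra")" \
                  "$(cat "$dir/autoconf")"
}

# Check a real interface only when one is named, e.g.: sh slaac_check.sh enp0s3
if [ -n "${1:-}" ]; then check_iface "$1"; fi
```

The per-interface forwarding value is what the kernel consults, so run the check after the firewall has started rather than relying on what /etc/sysctl.conf says.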