IPv6 and Firewall settings

Moving to ipv6. I have a router that’s sending out RA messages and the local SUSE interface (eth0) is generating ipv6 addresses locally with the firewall set to Trusted for the interface. All as expected. I can ping with the -6 option external addresses like www.google.com.

Moving to a custom firewall configuration and rebooting I don’t get any local ipv6 addresses other than the Unicast (I think I have the right term here) address, beginning fe80:… I can no longer ping external addresses. I presume I need to open a service. So far tried dhcpv6-client but no luck.

To check addresses I have been using:

ip -6 address

Any ideas or suggestions?

Should have added that I am not using DHCPV6 in the configuration so it should all be SLAAC.

OK, solved but not sure why. I had IPv4 masquerading set. Would really be interested in why that would mess up SLAAC.

Only half solved. I now know that masquerading is messing up SLAAC to obtain my IPv6 address but for various reasons I need to have NAT enabled so incoming VPN connections have access to all of my network. After a bit of digging I found the “Basic Networking” documentation and section 13.7 covers setting up a router which is exactly what I want. My /etc/sysctl.conf now looks like this:

# net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.enp0s3.accept_ra = 2
net.ipv6.conf.enp0s3.autoconf = 0

But it’s still not generating a local IPv6 address. Everything else works. Any ideas anyone?

Do you need ipv6 forwarding?
If not, try
net.ipv6.conf.all.forwarding=0

Thanks for the idea. Yes, had tried that and it still didn’t work.

Tried adding net.ipv6.conf.all.accept_ra = 2 and still no joy.

Just as a random idea I added another interface and used the default “trusted” non-NATed zone for the new interface. The new interface didn’t get an IPv6 generated address. Kind of looks like enabling NAT/Masquerading on any interface kills IPv6 SLAAC!

OK. Now actually solved. This is what worked for me:

net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.enp0s3.accept_ra = 2
net.ipv6.conf.enp0s3.autoconf = 1

autoconf = 1 seems to be needed which is not what the documentation says.
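
An added example, not part of any post in this thread: a small shell check that reads the three per-interface sysctls discussed above (forwarding, accept_ra, autoconf) and reports which one is stopping SLAAC, following the kernel's documented semantics for those settings. The function names and the sample directory are hypothetical, and the result assumes accept_ra_pinfo is at its default and that the firewall lets router advertisements reach the interface.

```shell
#!/bin/sh
# Added example (not from the thread): explain from the sysctls why an
# interface does or does not get a SLAAC address.

# slaac_verdict FORWARDING ACCEPT_RA AUTOCONF -> verdict on stdout
slaac_verdict() {
    fwd=$1 ra=$2 auto=$3
    if [ "$ra" -eq 0 ]; then
        echo "ra-disabled"             # accept_ra=0: RAs are never processed
    elif [ "$fwd" -eq 1 ] && [ "$ra" -lt 2 ]; then
        echo "ra-ignored-forwarding"   # accept_ra=1 is overruled once forwarding is on
    elif [ "$auto" -eq 0 ]; then
        echo "ra-accepted-no-address"  # RA is used, but no address is built from its prefix
    else
        echo "slaac-ok"
    fi
}

# slaac_check IFACE [ROOT] -> read the interface's values and print the verdict.
# ROOT defaults to the live kernel settings under /proc.
slaac_check() {
    dir=${2:-/proc/sys/net/ipv6/conf}/$1
    [ -r "$dir/accept_ra" ] || { echo "no-such-interface"; return 0; }
    slaac_verdict "$(cat "$dir/forwarding")" "$(cat "$dir/accept_ra")" \
                  "$(cat "$dir/autoconf")"
}

# make_sample ROOT IFACE FWD RA AUTO -> constructed stand-in for /proc, so the
# demo runs without touching real interfaces.
make_sample() {
    mkdir -p "$1/$2"
    echo "$3" > "$1/$2/forwarding"
    echo "$4" > "$1/$2/accept_ra"
    echo "$5" > "$1/$2/autoconf"
}

# Demo on constructed data: the first sysctl.conf from the thread
# (forwarding=1, accept_ra=2, autoconf=0) and the one that finally worked.
tmp=$(mktemp -d)
make_sample "$tmp" first_try 1 2 0
make_sample "$tmp" working   0 2 1
for i in first_try working; do
    printf '%s: %s\n' "$i" "$(slaac_check "$i" "$tmp")"
done
rm -rf "$tmp"
```

On a live system, `slaac_check enp0s3` reads the real values, which is worth doing after the firewall has started since the effective settings can differ from /etc/sysctl.conf.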