• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Opnsense configuration and performance questions

Started by jmrickerby, July 05, 2023, 02:32:04 PM


Hi there,

Apologies, but I'm new to IPv6, so please be patient with me.

I'm a personal internet user, ISP is IPv4 only obviously, configuring an existing Opnsense 23.1.11 firewall with Tunnel Broker. I used the following links for instructions for this process:

With 3 internal networks, I have a Tunnel Broker Routed /48 prefix, which I have allocated into 4 subnets. There is an Internet accessible server on one of the LANs.

Testing-wise, https://test-ipv6.com seems happy with me 10/10, but https://ipv6-test.com/ gives inconsistent results.

Question 1 – ICMPv6 access to LAN(s)?
If I am understanding correctly, ICMPv6 is important to a properly functioning IPv6 network. In Opnsense, the "Firewall - Rules - TunnelBroker [interface]" has default rules for passing inbound ICMPv6 packets to internal interfaces. However, as these rules do not include an Echo type, I am unsure how to test that ICMPv6 is working. Is it advisable/necessary to have a "Firewall - NAT - Port Forward" rule to allow TunnelBroker inbound ICMPv6 to the internal interfaces, or will that just create an unnecessary security hole?

Question 2 – DHCPv6 and IPv6 addresses?
If I want to advertise and configure an internal NTP server, does this mean I'm required to use DHCPv6, or should I rely on Router Advertisements and SLAAC to configure IPv6 interfaces? If so, how do I configure clients to use the NTP server? The server LAN interfaces are all manually configured with an IPv6 general address (within a subnet from the Tunnel Broker /48 range). I assume I shouldn't use link-local addresses for internal DNS? If I ever switch to an IPv6 providing ISP, I assume I will be re-addressing my servers and re-configuring DHCPv6? If my ISP provides a /64 prefix, I will have to adopt unique local addresses and use NPTv6 to have separate internal networks? (Is it normal that an ISP will provide a /62 or other non /64 prefix?) Should I adopt unique local addresses and NPTv6 now to avoid re-addressing interfaces in the future? Is it correct that I should ignore link-local addresses with any configuration I am considering, like internal DNS, etc.?

Question 3 – Overall Tunnel Broker performance and gaming?

Pinging sites with IPv4 and IPv6 indicates about 3 times the latency using Tunnel Broker. However, latency is still reasonable. However, I notice with some web pages (e.g. bbc.com), content loads in chunks, almost as if in phases. Not sure what specifically would be causing this phenomenon. Another example is on the Opnsense Dashboard, there is a "Telemetry Status" widget for proofpoint. Without Tunnel Broker, this widget updates immediately when accessing the Opnsense Dashboard page. However, with Tunnel Broker IPv6 active, this widget can take ~30 seconds to display.

Something that is interesting is that Fallout 76 takes MUCH longer to sign-in with Tunnel Broker than IPv4. "MUCH" meaning, click sign-in then go grab a snack from the kitchen. Fallout 76 may have signed in by the time you get back, assuming you took your time getting that snack. While IPv6 latency is higher, it still seems reasonable, so I'm not sure what is happening?

Pinging bethesda.net [2600:9000:2377:b600:2:82e9:3a00:93a1] with 32 bytes of data:
Reply from 2600:9000:2377:b600:2:82e9:3a00:93a1: time=30ms

Pinging bethesda.net [] with 32 bytes of data:
Reply from bytes=32 time=9ms TTL=248

While I can live with this Fallout 76 sign-in inconvenience, I have other family members that are annoyed. I have tried creating a Firewall - Rule that Rejects IPv6 traffic for the ports used by Fallout 76, hopefully forcing the game to IPv4, but this doesn't seem to have worked/made any difference. It could be there are other ports that Fallout 76 is using that I am unaware of. Once signed in, the game appears to run normally.

Thank you for reading this far. Any advice would be appreciated.