23.1 Legacy Series / DHCP6 static lease advertisements have no effect
« on: March 18, 2023, 11:32:40 pm »
Hi all,
TL;WR: It's about DHCP6 on my LAN interface. I want stable IPs for either local or global name resolving.
- dynamic leases work
- static leases that exactly match SLAAC assignments work
- static leases that fit my requirements (and the subnet) are ignored
Full version:
Am I supposed to be able to create static leases for IPv6 as you'd do for IPv4 in case you like to have stable addresses in your network? I'm quite lousy with BB-code, please bear with me for markup errors!
My goals:
- Being able to set DNS AAAA records pointing to servers in the LAN;
- Being able to reach and recognize devices on the LAN
These things work for their IPv4 counterparts, but I really like to move forward and get started to leave IPv4 behind me (as a part of leaving it behind us and create a better world and all that).
There may be workarounds for those goals, but static DHCP6 seems the cleanest solution with current knowledge. Unfortunately, with current knowledge, I can't get it to work.
Settings overview, please let me know if more is needed for a picture:
- (edit): OPNsense is a clean install on a VM, version 23.1; it just got upgraded to 23.1.4 from 23.1.3.
- ISP: freedom.nl (sorry, no idea how to create a hyperlink correctly, https://helpdesk.freedom.nl/category-detail/algemene-instellingen-eigen-modem) (in Dutch)
- WAN: DHCP6 with PPPoE over VLAN6 behind a copper/fiber media convertor (ISP on fiber --> ISP media convertor --> copper ethernet --> WAN-interface); it gives me a /48 prefix;
- LAN: static IPv6/64, auto detected gateway, no 'use IPv4 connectivity'
- DHCPv6 server on LAN:
  - a /64 subnet within the /48 prefix
  - network like P:P:P:S:I:I:I:I , with P=prefix byte, S=subnet byte, I=interface address byte
  - within this subnet, a tiny range is defined as DHCP6-range, only the last sixteen bits (is that correct? The last four hex values anyway, from 90:: to 90:ffff)
- Router advertisement:
  - I think I want to use 'assisted'
  - but I tried 'router only', 'managed' and 'stateless' as well
DHCP-assigned IPv6 more-or-less works:
- hosts on the IPv6-part of the Internet are reachable;
- Quite often, devices in the LAN can be reached on at least one of the IPv6 addresses assigned to them
Static leases seem a bridge too far for me. I not only want the (random) lease to be static, I also want it to be an IPv6 that I choose by myself. I don't know how to derive a DUID from time, MAC and whatever, so I let clients get a (for me) random IPv6 on their first lease, and then use the OPNsense GUI (services --> dhcp6 --> leases --> +button behind dynamic lease) to fill out the details with a valid DUID.
I can only get a resemblance of working static leases in one of these two cases:
- I assign the (for me random) SLAAC as fixed IPv6;
- I use the IPv6 in the static lease definition, but on the client I configure a static IP instead of using a DHCP client
When I define the IPv6 in the lease as per my wishes, I get a curious non-working situation:
- The configured IPv6 shows up in the GUI in the list of leases (good!)
- The client actually uses a random IPv6 from the DHCP6 pool (bad!)
When I check /var/log/dhcp/latest.log, I notice that on solicit from the client, first the configured IP is advertised, directly followed by an advertisement of an address from the DHCP pool:
<190>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 91505 - [meta sequenceId="542"] Solicit message from fe80::b2de:ebff:fe5a:2668 port 546, transaction ID 0xA1C85E00
<190>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 75167 - [meta sequenceId="543"] Solicit message from fe80::b2de:ebff:fe5a:2668 port 546, transaction ID 0xA1C85E00
<190>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 91505 - [meta sequenceId="544"] Advertise NA: address 2a10:3781:2d49:a:26:3:104:2668 to client with duid 00:01:00:01:28:c1:5c:be:b0:de:eb:5a:26:68 iaid = -346413464 static
<190>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 75167 - [meta sequenceId="545"] Advertise NA: address 2a10:3781:2d49:a:26:3:104:2668 to client with duid 00:01:00:01:28:c1:5c:be:b0:de:eb:5a:26:68 iaid = -346413464 static
<190>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 91505 - [meta sequenceId="546"] Sending Advertise to fe80::b2de:ebff:fe5a:2668 port 546
<190>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 75167 - [meta sequenceId="547"] Sending Advertise to fe80::b2de:ebff:fe5a:2668 port 546
<187>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 91505 - [meta sequenceId="548"] send_packet6: Permission denied
<187>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 91505 - [meta sequenceId="549"] dhcpv6: send_packet6() sent -1 of 117 bytes
These blocks repeat for configured leases. Another thing you'll notice is the last two lines: permission denied, I guess on port 546/547. In the live viewer of the firewall log, there are only 'pass' lines for those ports.
The SLAAC-addresses so far are outside of the DHCP6-range I defined, as are the static IPs I assigned client side. The IPs I want to assign via static lease are outside of the DHCP-range as well (as they should; to be sure I understood correctly, I tested creating a static lease with an IP inside of the range, and the GUI gave me an error).
I've been banging my head against this wall for most of a week now, I'm at my wits' end.
Thank you for reading my lengthy post, I hope you can give me some pointers!
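
Added example, not part of the original post: a small Python parser for the dhcpd log excerpt above. It decodes the DUID into its RFC 8415 fields (type, hardware type, timestamp, link-layer address) and reports which dhcpd PIDs logged the same transaction and which reported a `send_packet6` failure. The sample lines are copied from the post with the syslog header trimmed; the function names are chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Lines from the post's log excerpt, syslog header trimmed.
LOG = """\
dhcpd 91505 - [meta sequenceId="542"] Solicit message from fe80::b2de:ebff:fe5a:2668 port 546, transaction ID 0xA1C85E00
dhcpd 75167 - [meta sequenceId="543"] Solicit message from fe80::b2de:ebff:fe5a:2668 port 546, transaction ID 0xA1C85E00
dhcpd 91505 - [meta sequenceId="544"] Advertise NA: address 2a10:3781:2d49:a:26:3:104:2668 to client with duid 00:01:00:01:28:c1:5c:be:b0:de:eb:5a:26:68 iaid = -346413464 static
dhcpd 75167 - [meta sequenceId="545"] Advertise NA: address 2a10:3781:2d49:a:26:3:104:2668 to client with duid 00:01:00:01:28:c1:5c:be:b0:de:eb:5a:26:68 iaid = -346413464 static
dhcpd 91505 - [meta sequenceId="548"] send_packet6: Permission denied
"""

LINE = re.compile(r'dhcpd (\d+) - \[meta sequenceId="\d+"\] (.*)')
ADVERTISE = re.compile(
    r"Advertise NA: address (\S+) to client with duid (\S+) iaid = -?\d+( static)?")
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base

def decode_duid(text):
    """Split a colon-separated DUID into RFC 8415 fields (LLT and LL only)."""
    raw = bytes.fromhex(text.replace(":", ""))
    kind, hw = int.from_bytes(raw[:2], "big"), int.from_bytes(raw[2:4], "big")
    if kind == 1:  # DUID-LLT: type, hw type, 32-bit time, link-layer address
        when = DUID_EPOCH + timedelta(seconds=int.from_bytes(raw[4:8], "big"))
        return {"type": "LLT", "hw": hw, "time": when, "mac": raw[8:].hex(":")}
    if kind == 3:  # DUID-LL: type, hw type, link-layer address
        return {"type": "LL", "hw": hw, "time": None, "mac": raw[4:].hex(":")}
    raise ValueError(f"unsupported DUID type {kind}")

def summarize(log):
    """Group events by dhcpd PID: shared transactions, send errors, offers."""
    pids_by_txid, send_errors, offers = defaultdict(set), set(), []
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        if tx := re.search(r"transaction ID (0x[0-9A-Fa-f]+)", msg):
            pids_by_txid[tx.group(1)].add(pid)
        elif msg.startswith("send_packet6:"):
            send_errors.add(pid)
        elif adv := ADVERTISE.search(msg):
            mac = decode_duid(adv.group(2))["mac"]
            offers.append((pid, adv.group(1), mac, bool(adv.group(3))))
    shared = {t: sorted(p) for t, p in pids_by_txid.items() if len(p) > 1}
    return {"shared": shared, "send_errors": sorted(send_errors), "offers": offers}
```

On the excerpt, this shows that PIDs 75167 and 91505 both logged transaction 0xA1C85E00, that only 91505 reported the send failure, and that the DUID is a DUID-LLT whose link-layer address is b0:de:eb:5a:26:68.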