OPNsense Forum

English Forums => General Discussion => Topic started by: sergiodj on March 19, 2024, 10:34:43 pm

Title: Static internal IPv6 setup with dynamic PD
Post by: sergiodj on March 19, 2024, 10:34:43 pm
Hello,

My ISP provides me with a /56 dynamic prefix delegation.  Although the addresses don't change very often, they do change sometimes.

I know this topic has probably been covered in many threads, but I couldn't find a consolidated answer to it, so allow me to ask: how do I go about configuring static IPv6 internal addresses given that my assigned PD is dynamic?

My specific use case is having an AdGuard Home instance running in my home network and wanting to force all IPv6 DNS requests to be redirected to it.  I guess I could also use a proxy to translate the requests to IPv4, but if I could set up fixed IPv6 addresses it would be great.

My current IPv6 setup uses the "Track Interface" feature on each LAN I have available.  I also have the "Allow manual adjustment of DHCPv6 and Router Advertisements" checkbox ticked, although I'm not enabling DHCPv6 on any of my LAN interfaces.  As for RAs, I have "Assisted" mode enabled and "Do not send any DNS configuration to clients" checked (at least while I can't properly configure AdGuard with a static IPv6).

Any help is appreciated.  Thanks!
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: Maurice on March 20, 2024, 01:48:28 am
You can deploy static ULAs (virtual IPs) in addition to the dynamic GUAs. Then advertise the ULA of your DNS resolver.

Cheers
Maurice
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: sergiodj on March 20, 2024, 04:17:44 am
Huh, I hadn't thought of that.  Thank you for the reply.

However, after a bit of research I found this thread:

https://forum.opnsense.org/index.php?topic=33902.0

which seems to indicate that ULAs are broken and won't work on a dual-stack environment, which is my case.  Could you confirm whether this is applicable, please?
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: Maurice on March 20, 2024, 12:42:07 pm
I skimmed through that thread real quick and it seems what they are concerned about is deploying only ULAs and translating them to GUAs (NPT) for Internet access. But that's not what I recommend at all. Instead, use GUAs and ULAs simultaneously. GUAs for Internet access, ULAs for the Intranet only. I don't see an issue there, this is common practice.
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: bimbar on March 20, 2024, 02:00:29 pm
No, the point is that when a DNS request is sent, and there are 3 answers:

- GUA
- IPv4
- ULA

they are prioritized in that order.

Which means, since you will not be using plain IPv6 addresses, that if you use IPv4 and IPv6 ULA, your ULA will never be used. Thus, rendering them useless.
Better use IPv4 for internal addressing. Or don't use IPv4 at all.

There are uses for ULA, but they are very rare and must be planned well.
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: zan on March 20, 2024, 05:04:19 pm
RFC 6724 is only about source address selection.

I have this setup at my homelab:
This setup works because when a client performs DNS lookup it sources the address from its GUA because of IPv6 precedence and DNS server's ULA is a valid IPv6 address.

I don't like using ULA as much as everybody else, but when my dynamic prefix gets changed it will take some time to propagate the new prefix to my whole network, so by giving my DNS server an ULA (this is the only ULA I use in my network) I can avoid a down time for DNS queries.
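
The ordering that bimbar and zan are arguing about is RFC 6724 (default address selection), which a dual-stack resolver library such as glibc's getaddrinfo applies to the set of A/AAAA answers for one name. The block below is an added example written for this thread, not code from the posts, from OPNsense or from AdGuard Home. It implements the RFC's default policy table and the rules that decide these cases (destination rules 1, 2, 5, 6 and 9; source rules 1, 2, 6 and 8), with two simplifications I am assuming: scope is reduced to link-local versus global (ULAs are global scope per RFC 4193), and CommonPrefixLen is capped at 64 on the assumption of /64 on-link prefixes. The addresses (2001:db8::/32, fd00:1::/48, 192.0.2.0/24) are documentation and ULA ranges I chose, not anyone's real prefixes. It shows both points at once: with a GUA, an IPv4 and a ULA answer for the same name the client tries GUA, then IPv4, then ULA (bimbar's point), while a single ULA resolver address learned from RA is simply used, sourced from the client's GUA if the client has no ULA itself (zan's setup).

```python
import functools
from ipaddress import IPv6Address, IPv6Network, ip_address

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
POLICY = [
    (IPv6Network("::1/128"), 50, 0),
    (IPv6Network("::/0"), 40, 1),
    (IPv6Network("::ffff:0:0/96"), 35, 4),   # IPv4-mapped, i.e. plain IPv4
    (IPv6Network("2002::/16"), 30, 2),       # 6to4
    (IPv6Network("2001::/32"), 5, 5),        # Teredo
    (IPv6Network("fc00::/7"), 3, 13),        # ULA
    (IPv6Network("::/96"), 1, 3),            # IPv4-compatible (deprecated)
    (IPv6Network("fec0::/10"), 1, 11),       # site-local (deprecated)
    (IPv6Network("3ffe::/16"), 1, 12),       # 6bone (returned)
]


def to_v6(text):
    """Represent IPv4 as IPv4-mapped IPv6 so one policy table covers both families."""
    a = ip_address(text)
    return IPv6Address(f"::ffff:{a}") if a.version == 4 else a


def _policy(addr):
    best = max((e for e in POLICY if addr in e[0]), key=lambda e: e[0].prefixlen)
    return best[1], best[2]


def precedence(addr):
    return _policy(addr)[0]


def label(addr):
    return _policy(addr)[1]


def is_v4(addr):
    return addr.ipv4_mapped is not None


def scope(addr):
    # Assumption: only link-local/loopback (0x2) vs global (0xE); ULA is global scope.
    if addr.is_loopback or addr in IPv6Network("fe80::/10"):
        return 0x2
    if addr.ipv4_mapped is not None and addr.ipv4_mapped.is_link_local:
        return 0x2
    return 0xE


def common_prefix_len(a, b, limit=64):
    """Leading bits a and b share, capped (assumption: /64 on-link prefixes)."""
    return min(128 - (int(a) ^ int(b)).bit_length(), limit)


def select_source(dst, sources):
    """RFC 6724 section 5 (rules 1, 2, 6, 8) over the host's own addresses."""
    cands = [s for s in sources if is_v4(s) == is_v4(dst)]
    if not cands:
        return None  # no address of that family: destination is unusable

    def cmp(sa, sb):
        if sa == dst or sb == dst:                      # rule 1: same address
            return -1 if sa == dst else 1
        if scope(sa) < scope(sb):                       # rule 2: appropriate scope
            return 1 if scope(sa) < scope(dst) else -1
        if scope(sa) > scope(sb):
            return -1 if scope(sb) < scope(dst) else 1
        ld = label(dst)                                 # rule 6: matching label
        if (label(sa) == ld) != (label(sb) == ld):
            return -1 if label(sa) == ld else 1
        return common_prefix_len(sb, dst) - common_prefix_len(sa, dst)  # rule 8

    return sorted(cands, key=functools.cmp_to_key(cmp))[0]


def order_destinations(dests, sources):
    """RFC 6724 section 6 (rules 1, 2, 5, 6, 9, 10): order in which a host tries answers."""
    src = {d: select_source(d, sources) for d in dests}

    def cmp(da, db):
        sa, sb = src[da], src[db]
        if (sa is None) != (sb is None):                # rule 1: avoid unusable
            return 1 if sa is None else -1
        if sa is None:
            return 0
        ma, mb = scope(da) == scope(sa), scope(db) == scope(sb)   # rule 2
        if ma != mb:
            return -1 if ma else 1
        ma, mb = label(sa) == label(da), label(sb) == label(db)   # rule 5
        if ma != mb:
            return -1 if ma else 1
        if precedence(da) != precedence(db):            # rule 6: higher precedence
            return -1 if precedence(da) > precedence(db) else 1
        if is_v4(da) == is_v4(db):                      # rule 9: longest prefix
            return common_prefix_len(sb, db) - common_prefix_len(sa, da)
        return 0                                        # rule 10: keep order

    return sorted(dests, key=functools.cmp_to_key(cmp))


def resolver_order(host_addrs, answers):
    """Answers (A/AAAA strings) in the order a RFC 6724 host with host_addrs tries them."""
    ordered = order_destinations([to_v6(a) for a in answers], [to_v6(a) for a in host_addrs])
    return [str(d.ipv4_mapped or d) for d in ordered]


def source_for(host_addrs, dst):
    """Which of the host's addresses is used to reach dst (None if unreachable)."""
    s = select_source(to_v6(dst), [to_v6(a) for a in host_addrs])
    return None if s is None else str(s.ipv4_mapped or s)


if __name__ == "__main__":
    client = ["2001:db8:1::10", "fd00:1::10", "192.0.2.10"]   # constructed dual-stack client
    print(resolver_order(client, ["2001:db8:1::53", "fd00:1::53", "192.0.2.53"]))
    print(resolver_order(["2001:db8:1::10", "192.0.2.10"], ["fd00:1::53", "192.0.2.53"]))
    print(source_for(["2001:db8:1::10", "192.0.2.10"], "fd00:1::53"))
```

The second call is the case bimbar warns about: a service published under a ULA and an IPv4 address, but no GUA, is reached over IPv4 by every client that has no ULA of its own (rule 5) and even by clients that do (rule 6). The third call is why zan's arrangement still works: the resolver address handed out by RDNSS is not one of several answers being ranked, so the client just uses it, sourcing from its GUA. Only an IPv6-only client, which has no usable source for an A record, would put the ULA ahead of IPv4.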

Title: Re: Static internal IPv6 setup with dynamic PD
Post by: sergiodj on March 20, 2024, 06:58:30 pm
Very interesting discussion, thank you, folks!

So it seems like it should be possible to use an ULA for Adguard and still have it work in my internal network.

Out of curiosity, in the thread I linked earlier I saw mentions about actually using an IPv6 he.net tunnel and assign static GUAs to internal machines.  I have a tunnel configured here, but I'm not sure I completely understand how I would go about making the machines assign these IPs?  Just RA + SLAAC?
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: sergiodj on March 20, 2024, 07:42:41 pm
Let me expand my question above.

It's also unclear to me how to configure an ULA and send it to my internal devices.  I'm assuming it's via RA+SLAAC, but given that I want my devices to also have valid IPv6 addresses from my ISP (GUAs), I don't think I should change the IPv6 configuration of the LAN interface, correct?

I believe the same configuration for ULA+GUA will apply for the IPv6 he.net tunnel w.r.t. keeping valid IPv6 addresses from my ISP + offering alternative IPv6 addresses that will only be used internally, but I may be wrong.
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: zan on March 21, 2024, 03:40:13 am
Quote
It's also unclear to me how to configure an ULA and send it to my internal devices.  I'm assuming it's via RA+SLAAC, but given that I want my devices to also have valid IPv6 addresses from my ISP (GUAs), I don't think I should change the IPv6 configuration of the LAN interface, correct?
Give a static ULA to the device that hosts the service. You don't need ULA for your clients if they have GUAs.

For your case, if AGH is running on your OPNsense then create a ULA as VIP on loopback interface. Make sure you include that ULA in the .yaml for AGH to bind to, then advertise that ULA through RA - it works for both SLAAC & DHCPv6.

If you have a working prefix from tunnelbroker (HE) then you can use GUAs from that prefix to your services and you don't need to use ULAs at all. The key here is setting up correct routes if you want devices with HE prefix to reach internet.
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: sergiodj on March 21, 2024, 04:24:43 am
Quote
Give a static ULA to the device that host the service. You don't need ULA for your clients if they have GUAs.

For your case, if AGH is running on your OPNsense then create a ULA as VIP on loopback interface. Make sure you include that ULA in the .yaml for AGH to bind to, then advertise that ULA through RA - it works for both SLAAC & DHCPv6.

Alright, I created a Virtual IP with a /48 to serve as my ULA for now (until I get the HE tunnel figured out).  Since my AG is running on another machine and inside Docker, I assigned the VIP to the LAN interface where that machine is plugged in.

I then manually set the IPv6 of that machine as static, and assigned an IP from the ULA I'd just created.  I can't make it connect to the internet via IPv6, but I guess that's expected because ULAs aren't supposed to be routable...?  If it's supposed to work, then I have to figure out the gateway to use.

Quote
If you have a working prefix from tunnelbroker (HE) then you can use GUAs from that prefix to your services and you don't need to use ULAs at all. The key here is setting up correct routes if you want devices with HE prefix to reach internet.

I will spend some time tomorrow setting up the tunnel here.  Let's see how that goes.
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: bimbar on March 21, 2024, 08:30:50 am
The IPv6 tunnel services used to give out prefixes, but those are now mostly, if not completely, defunct due to the general availability of IPv6.
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: sergiodj on March 21, 2024, 07:42:11 pm
Sorry, I'm still a bit confused here.

HE gave me a /48 prefix, so I believe I can use it for local IPv6 addresses, right?

It's still not clear to me how to configure internal addresses using GUAs provided by HE.  I've created the GIF interface, but I'm not sure if I should tell my LAN interface (where the AG service is connected to) to use the IPv6 network from HE, since I already have valid IPv6 coming from my ISP.  I believe so...?  And if I do that, how can I get a static IPv6 for my AG machine without having to mess with DHCPv6?
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: Patrick M. Hausen on March 21, 2024, 07:45:59 pm
Quote
HE gave me a /48 prefix, so I believe I can use it for local IPv6 addresses, right?
Yes, but only one /64 per interface/VLAN/network. You get a /48 so you can address 65536 different networks. Not to put the entire address space on a single LAN.

There is only one prefix length in IPv6 for ethernet type networks: /64. A /64 can address as many hosts as the entire IPv4 Internet - squared! And there are as many /64 networks in total in the IPv6 address space: the entire IPv4 Internet - squared!

HTH,
Patrick
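
The "one /64 per LAN, 65536 of them in a /48" arithmetic applies equally to the HE /48 and to the ULA /48 sergiodj attached as a virtual IP earlier in the thread. The block below is an added example, not code from the posts or from OPNsense: it carves a /48 into per-VLAN /64s and fixed host addresses, and for the ULA route it generates the /48 the way RFC 4193 section 3.2.2 prescribes (fd00::/8 plus the low 40 bits of SHA-1 over an NTP timestamp and an EUI-64) rather than hand-picking fd00:1::/48, which is what most people choose and therefore what most likely collides the day two such networks meet over a VPN. The MAC, timestamp and 2001:db8:abcd::/48 prefix are values I made up for the demonstration.

```python
import hashlib
import struct
import time
from ipaddress import IPv6Address, IPv6Network

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def ntp_timestamp(unix_time):
    """64-bit NTP timestamp (RFC 4193 step 1): 32-bit seconds since 1900 + 32-bit fraction."""
    secs = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(">II", secs, frac)


def eui64_from_mac(mac):
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 appendix A): flip U/L bit, insert ff:fe."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]


def ula_prefix(mac, unix_time=None):
    """RFC 4193 section 3.2.2: fd00::/8 + least significant 40 bits of SHA-1(NTP time || EUI-64)."""
    t = time.time() if unix_time is None else unix_time
    digest = hashlib.sha1(ntp_timestamp(t) + eui64_from_mac(mac)).digest()
    global_id = digest[-5:]                      # low 40 bits of the digest
    return IPv6Network((IPv6Address(b"\xfd" + global_id + bytes(10)), 48))


def subnet(prefix48, subnet_id):
    """The /64 number subnet_id (0..65535) inside a /48, ULA or HE GUA alike."""
    prefix48 = IPv6Network(prefix48)
    if prefix48.prefixlen != 48:
        raise ValueError("expected a /48")
    if not 0 <= subnet_id < 1 << 16:
        raise ValueError("subnet id must fit in 16 bits")
    return IPv6Network((int(prefix48.network_address) | (subnet_id << 64), 64))


def host(net64, interface_id):
    """Static address inside a /64 with a fixed interface ID, e.g. ::53 for the resolver."""
    net64 = IPv6Network(net64)
    if net64.prefixlen != 64 or not 0 < interface_id < 1 << 64:
        raise ValueError("need a /64 and a non-zero 64-bit interface id")
    return IPv6Address(int(net64.network_address) | interface_id)


if __name__ == "__main__":
    # Constructed inputs: a made-up MAC and a fixed timestamp so the run is reproducible.
    ula48 = ula_prefix("00:11:22:33:44:55", 1710849283)
    print("ULA /48:", ula48)
    print("LAN /64 (subnet 1):", subnet(ula48, 1))
    print("resolver:", host(subnet(ula48, 1), 0x53))
    # The same carving for a HE-style /48 (documentation prefix used here):
    print("HE LAN /64:", subnet("2001:db8:abcd::/48", 0x10))
    print("HE resolver:", host("2001:db8:abcd:10::/64", 0x53))
```

What goes on the OPNsense LAN as the virtual IP is the router's own address inside the chosen /64 (for example `host(subnet(ula48, 1), 1)` with a /64 mask), not the whole /48; the /48 is the pool the other VLANs draw their /64s from. The resolver then gets a fixed interface ID in that /64, which is what the RA (RDNSS) or DHCPv6 option hands to clients.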
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: sergiodj on March 21, 2024, 09:03:14 pm
Quote
HE gave me a /48 prefix, so I believe I can use it for local IPv6 addresses, right?
Yes, but only one /64 per interface/VLAN/network. You get a /48 so you can address 65536 different networks. Not to put the entire address space on a single LAN.

There is only one prefix length in IPv6 for ethernet type networks: /64. A /64 can address as many hosts as the entire IPv4 Internet - squared! And there are as many /64 networks in total in the IPv6 address space: the entire IPv4 Internet - squared!

Awesome, thanks for confirming!

It's still unclear to me how I should assign this prefix to a specific internal network.  Do I need to create a GIF (I did it anyway, because I assume that otherwise the tunnel won't work)?  A Virtual IP (probably not...)?  After that, do I need to change my current LAN to use the /64 prefix from HE instead of using my ISP's delegated prefix (as it is doing right now)?  Is it possible to have my LAN still use addresses delegated by my ISP, but also give out static IPv6 addresses from the HE /64 network?

I feel like these new concepts got me confused a bit and now I'm trying to untangle the mess in my head.  Thanks for all the help, btw.
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: Patrick M. Hausen on March 21, 2024, 09:39:00 pm
You need to assign one of the /64 from HE statically to your LAN as an additional virtual address. To be able to use that /64 for devices to access the Internet you need to set up a tunnel according to HE's documentation.

But why did you do this in the first place? I thought you wanted to use static ULAs in addition to your ISP's GUA. Now you got another set of GUAs - a whole /48 of them - from HE.
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: sergiodj on March 22, 2024, 12:17:39 am
Quote
You need to assign one of the /64 from HE statically to your LAN as an additional virtual address. To be able to use that /64 for devices to access the Internet you need to set up a tunnel according to HE's documentation.

Alright, great.  I already have the GIF setup, so all that's left is to create a Virtual IP and attach it to the LAN.

Quote
But why did you do this in the first place? I though you wanted to use static ULAs in addition to your ISPs GUA. Now you got another set of GUAs - a whole /48 of them - from HE.

I initially planned to use static ULAs, but decided to move to static GUAs because I found that there are some idiosyncrasies with AdGuard Home.

My plan is to configure my AG with a static IPv6 from HE and use it internally as the IPv6 DNS server.
Title: Re: Static internal IPv6 setup with dynamic PD
Post by: zan on March 22, 2024, 04:21:31 am
Quote
I then manually set the IPv6 of that machine as static, and assigned an IP from the ULA I'd just created.  I can't make it connect to the internet via IPv6, but I guess that's expected because ULAs aren't supposed to be routable...?  If it's supposed to work, then I have to figure out the gateway to u
Your machine should have a GUA if you want it to reach the internet. Leave the network setting as it used to be and configure an additional static ULA on the interface; consult its OS on how to do it.
Also make sure that ULA is reachable from clients, you might want to setup a route to the ULA via link local or assign a helper ULA to OPNsense LAN interface.

Quote
I initially planned to use static ULAs, but decided to move to static GUAs because I found that there are some idiosyncrasies with AdGuard Home.
Let's just focus on making it work from now on =)