OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: brynjolm on April 01, 2022, 11:37:04 am

Title: IPV6 and Prefix
Post by: brynjolm on April 01, 2022, 11:37:04 am
Hello and good day to everyone! First off, this is my first foray into DIY firewall and some of the concepts are new to me. First off, as the title suggests, I need advice on how to have proper IPv6 functionality. I get a dynamic /56 prefix from my ISP; from that I can (assign?) /57 networks to my interfaces (if I am understanding that properly). The issue I'm having: as soon as my ISP changes the prefix, I lose all IPv6 connectivity. I still have IPv4 fallback so I still have an active connection. Question:
1. What sections or where do I look for problems? I've read regarding the RA daemon but I don't know where to look for the logs of it.
2. I have segmented my network into multiple VLANs, each with a specific RA mode, i.e. Android devices get unmanaged and the rest get managed. That seems to work, but again, as soon as I have a prefix change I lose IPv6 connectivity. Also, only the Managed RAs get a DHCP server.
3. What firewall rules do I need to enable or apply? I saw a post the other day that under RA advanced I need to apply advdeprecateprefix? Do I just type in yes?

Also, a reboot of OPNsense fixes everything. I have been troubleshooting this myself for a week now and have run out of ideas, hence me asking. Also, I'm not an expert, I just do this because I enjoy my hobby. Hence very hesitant on posting directly here. I have PTSD from the other forums. ;D
Title: Re: IPV6 and Prefix
Post by: i81b4u on April 01, 2022, 02:47:38 pm
/56 leaves 8 bits for subnets (64-56), hence you can have 256 possible subnets. Can you tell me what you mean with "as soon as my isp changes the prefix"?

1. Basic IPv6-knowledge will help you a lot. One of the books I really liked is "IPv6 Essentials" by Silvia Hagen published by O'Reilly. Yes, a plain old book  :o
2. Your ISP will provide you with a prefix. That prefix can be used to hand out IPv6-ranges to VLANs. You could use the "track interface" option to do this dynamically, so that if the prefix changes, the VLANs get a new range also.
3. For IPv6-address assignments to clients, everything should work right out of the (OPNsense) box.

Hope this (partially) answers your questions. Happy hunting. There's nothing wrong with wanting to learn stuff!  ;)
Title: Re: IPV6 and Prefix
Post by: brynjolm on April 02, 2022, 12:28:33 am
Hi! Thanks for replying. I don't know if it makes sense, I think I jumbled it up. But as far as I understand, I get a static prefix and a dynamic subnet ID(?), which changes daily or every few hours. Once it changes, I need to reboot and then I could have an IPv6 connection again. Now, if I just leave the RA on unmanaged or assisted, everything is fine and dandy. But if I put RA into Managed mode + enable DHCPv6, I have to reboot OPNsense once or twice a day. Unmanaged is, as far as I understand, SLAAC-only mode? Yes? What would you say is the main advantage of having, say, DHCPv6 against SLAAC?
Title: Re: IPV6 and Prefix
Post by: i81b4u on April 02, 2022, 11:01:59 am
Happy to help. Hmmm, not sure what you mean by static prefix and dynamic subnet id. The way it usually works is that you get a(n automatically assigned) prefix from your ISP like: 2001:0DB8::/48 (using the IPv6 range reserved for documentation purposes here). Knowing that an IPv6 address is 128 bits, the first 64 are used to identify the network and the last 64 are used for the host. The prefix tells you how many networks you can create and in what range they have to be.

So looking at the prefix, you have 2001:0DB8:: which can also be written as 2001:0DB8:0000:0000. If you look at the /48 (which is 3 times 16), you have 16 bits left to be used for creating your own IPv6 (OSI layer 2) networks. In case of the previously mentioned prefix, you can create networks in the range from 2001:0DB8:0000:0000 - 2001:0DB8:0000:FFFF, a whopping 65536 networks. Of course you can create all those networks by hand, but you can also use mechanisms that help you with that. When using the "Track interface" IPv6 configuration type in combination with an IPv6 prefix ID, that ID is used to complete the prefix and add an IPv6 address to the interface. Let's say the IPv6 prefix ID = 1234, in this case the interface would get an IPv6 network part of 2001:0DB8:0000:1234 to which a host part is appended.

Notice that up until now we only talked about networks. So what about hosts? The last 64 bits of an IPv6 address are the host-part. There are different mechanisms like SLAAC and DHCPv6 so hosts in a network can configure themselves as being part of an IPv6-network. I will not go into the details now, because I could literally write a book about that. Most important thing is that with IPv6 there are enough mechanisms available which allow for some kind of autoconfiguration of the host. Normally, if you have configured one or more IPv6 networks, the hosts in that network will automagically configure themselves in one way or another and using OPNsense you'll see that normally no extra configuration is required.

Now to hopefully answer your question ... DHCPv6 is a lot like DHCP and is a service that has to run on a network. SLAAC is a mechanism that all IPv6 capable hosts can use to configure themselves. No DHCP required here. You can use one or the other or even both. They are not mutually exclusive. The main advantage (if you want to use that word) of using DHCPv6 is that it is stateful where SLAAC is stateless. But if that really is an advantage depends on what you want. I suggest you read material like: https://thirdinternet.com/slaac-stateless-address-autoconfiguration/ and make up your own mind.

Best regards.
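
The arithmetic from the post above (delegated prefix plus prefix ID gives the interface's /64), as an added example that is not part of the original thread and not OPNsense code. It also expands the `::a000`-`::b0ff` style host-part range asked about later in the thread; the function names, the interface names and the 2001:db8 sample prefixes are constructed for illustration.

```python
import ipaddress


def tracked_subnet(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 an interface gets from a delegated prefix plus its prefix ID."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError("delegation is longer than /64, nothing left to subnet")
    subnet_bits = 64 - pd.prefixlen            # /56 -> 8 bits, /48 -> 16 bits
    if not 0 <= prefix_id < (1 << subnet_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {subnet_bits} bits")
    # The prefix ID fills the bits between the delegation and the /64 boundary.
    return ipaddress.IPv6Network((int(pd.network_address) | (prefix_id << 64), 64))


def dhcp6_range(subnet: ipaddress.IPv6Network, start: str, end: str):
    """Expand a host-part range such as ::a000 - ::b0ff into full addresses."""
    lo, hi = (int(ipaddress.IPv6Address(x)) for x in (start, end))
    if not 0 <= lo <= hi < (1 << 64):
        raise ValueError("range must be ascending and stay inside the 64 host bits")
    return subnet[lo], subnet[hi]


def renumber(old_pd: str, new_pd: str, prefix_ids: dict) -> dict:
    """Show what each interface's /64 was and becomes when the ISP swaps the prefix."""
    return {name: (tracked_subnet(old_pd, pid), tracked_subnet(new_pd, pid))
            for name, pid in prefix_ids.items()}


if __name__ == "__main__":
    # Constructed sample values from the documentation range 2001:db8::/32.
    print(tracked_subnet("2001:db8::/48", 0x1234))
    vlans = {"LAN": 0x00, "IOT": 0x10, "GUEST": 0x20}   # hypothetical interfaces
    for name, (old, new) in renumber("2001:db8:0:a200::/56",
                                     "2001:db8:0:5f00::/56", vlans).items():
        first, last = dhcp6_range(new, "::a000", "::b0ff")
        print(f"{name}: {old} -> {new}  DHCPv6 {first} - {last}")
```

The prefix ID and the host-part range stay the same across a prefix change; only the delegated part in front of them moves, so any firewall rule or DNS record that hard-codes the full address goes stale at that point.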

Title: Re: IPV6 and Prefix
Post by: Greelan on April 02, 2022, 11:45:02 pm
Just to be clear, in case it is not already from the other answers: you should only be allocating /64 networks to internal interfaces out of your /56 prefix. Not /57, not /32, etc.
Title: Re: IPV6 and Prefix
Post by: brynjolm on April 06, 2022, 03:19:18 am
Thanks for all the replies. Was busy at work so unable to reply sooner. I'm going to make an example, since I still can't seem to wrap my head around the concept. My ISP should give out like a: 2a02:0000:0000:a2(XX). As far as I understand, that should be the whole prefix (/56) from my ISP, and the XX at the end should be whatever prefix ID I set under interfaces? Also, under DHCPv6 I just put a range like ::a000-::b0ff. Would that be OK? Zeroes should just be before that ::, no?
Title: Re: IPV6 and Prefix
Post by: Greelan on April 06, 2022, 04:48:58 am
That's essentially right.

Though a /64 gives you 18,446,744,073,709,551,616 IPs - why pick such a measly DHCPv6 range?!

And consider whether you really need DHCPv6. SLAAC works just fine in most use cases. Note also that DHCPv6 does not work with Android devices.
Title: Re: IPV6 and Prefix
Post by: brynjolm on April 08, 2022, 10:26:15 pm
Thanks! That was just for testing to better see the scope. I can't find the problem if the IPs are all over the place. Still, I wanted to just set up my Pi-hole/AdGuard properly for IPv6. And one of my probable solutions was to just set a static IPv6 for the Pi-hole using DHCPv6. That didn't work out quite as I expected. Might just try using the link-local address. Or might just go back to SLAAC, since managing DHCPv6 seems to be a PITA.
Title: IPV6 and Prefix
Post by: Greelan on April 08, 2022, 11:44:16 pm
For addressing within your network, ULAs are a good idea. Then you know your (ULA) prefix for those addresses will never change. And SLAAC will give you essentially a static IP unless the MAC of the relevant host changes. Set up internal DNS records for those SLAAC ULAs that you need to reference regularly, and all is easy.
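
The ULA suggestion above, worked through as an added example that is not part of the original thread. It assumes the host builds its SLAAC address from a modified EUI-64 interface identifier (MAC-derived); hosts configured for privacy or stable-opaque identifiers (RFC 7217) produce a different host part. The MAC address, the ULA prefix and the function names are constructed for illustration.

```python
import ipaddress
import secrets


def new_ula_prefix() -> ipaddress.IPv6Network:
    """Pick a ULA /48: fd00::/8 followed by a random 40-bit global ID (RFC 4193 layout)."""
    global_id = secrets.randbits(40)
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: flip the universal/local bit and insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(subnet: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms in `subnet`; SLAAC with EUI-64 needs exactly a /64."""
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen != 64:
        raise ValueError(f"{net} is not a /64, SLAAC will not work on it")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                   # constructed MAC of the DNS host
    ula_lan = "fd12:3456:789a:1::/64"           # constructed ULA /64 for the LAN
    # Same host, two ISP delegations (documentation range): the GUA moves ...
    for gua_lan in ("2001:db8:0:a210::/64", "2001:db8:0:5f10::/64"):
        print("GUA:", slaac_address(gua_lan, mac))
    # ... while the ULA address stays put and is safe to put in internal DNS.
    print("ULA:", slaac_address(ula_lan, mac))
    print("fresh ULA prefix:", new_ula_prefix())
```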