OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: GMazzocato on December 10, 2020, 08:43:49 PM

Title: Manage IPv6 flags (A, M, O) for WAN dhcp client
Post by: GMazzocato on December 10, 2020, 08:43:49 PM
Hi,

Is there a way (either cli or web) to manage the IPv6 flags for the DHCP client on the WAN interface?

When my WAN gets the DHCP config it has A, M and O active, but OPNsense selects the A flag prefix as default and just makes it a nightmare to work with because of my ISP's buggy implementation. I need to disable the A flag.

If not available, how hard is it to implement it?

Title: Re: Manage IPv6 flags (A, M, O) for WAN dhcp client
Post by: GMazzocato on December 12, 2020, 12:42:47 AM
Update:

After some research, I noticed that the configuration is made through ifconfig(8).
After reading the manual, I wonder if the "auto_conf" flag is what I need to disable.

Should I create a tunable with its sysctl string to disable the auto_conf?
Since it is only done in the WAN interface, I don't think it will pose a problem to my internal SLAAC distribution.

Title: Re: Manage IPv6 flags (A, M, O) for WAN dhcp client
Post by: GMazzocato on December 14, 2020, 03:28:00 AM
Update:

Tried disabling auto configuration using the following command:

ifconfig igb0 inet6 -autoconf

After restarting the interface, it gets overridden by the dhcp script.
Tried disabling accepting RA in the sysctl and tunables. OPNsense doesn't honor that setting.

Still trying to disable it.

Title: Re: Manage IPv6 flags (A, M, O) for WAN dhcp client
Post by: GMazzocato on December 14, 2020, 04:03:16 AM
Solved:

Found these lines in the file interfaces.inc located under /usr/local/etc/inc/:

/* accept router advertisements for this interface */
    set_single_sysctl('net.inet6.ip6.accept_rtadv', '1');
    log_error("Accept router advertisements on interface {$realifv6}");
    mwexecf('/sbin/ifconfig %s inet6 accept_rtadv -ifdisabled', $realifv6);


The DHCPv6 script calls on them every time it gets run, overwriting any personal configuration or tunable entries. If you change them to the following, you can then set the sysctl variable to 0 and it will effectively disable the auto configuration of the IPv6 in the wan interface.

/* accept router advertisements for this interface
    set_single_sysctl('net.inet6.ip6.accept_rtadv', '1');
    log_error("Accept router advertisements on interface {$realifv6}");
    mwexecf('/sbin/ifconfig %s inet6 accept_rtadv -ifdisabled', $realifv6); */


As I am yet to see if this will have any other effects on the system, proceed with caution.


As for the problem itself, I suggest that a checkbox be made and put in the interface DHCPv6 configuration to enable or disable this configuration.

EDIT: It breaks default routes acquired by the RA. So, not solved.

EDIT 2: If you manually add the default route to the ipv6 gateway, it works.
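
Added example, not part of the original post and not OPNsense code: a minimal Router Advertisement decoder (field layout per RFC 4861). It shows that M and O sit in the RA header beside the router lifetime, which is what supplies the default route, while A is a per-prefix flag inside the Prefix Information option, so refusing RAs altogether drops the route along with SLAAC. The sample packet and the 2001:db8:1::/64 prefix are constructed.

```python
import struct
from ipaddress import IPv6Address

RA_TYPE = 134          # ICMPv6 Router Advertisement
OPT_PREFIX_INFO = 3    # Prefix Information option (always 32 bytes)


def parse_ra(msg: bytes) -> dict:
    """Decode the flag-carrying fields of an ICMPv6 Router Advertisement."""
    if len(msg) < 16 or msg[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    flags = msg[5]
    router_lifetime = struct.unpack("!H", msg[6:8])[0]
    ra = {
        "managed": bool(flags & 0x80),          # M: addresses come from DHCPv6
        "other": bool(flags & 0x40),            # O: other config comes from DHCPv6
        "router_lifetime": router_lifetime,     # seconds
        "default_router": router_lifetime > 0,  # 0 means "do not use me as default"
        "prefixes": [],
    }
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(msg):
        opt_type, opt_len = msg[off], msg[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(msg):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags = msg[off + 2], msg[off + 3]
            prefix = IPv6Address(msg[off + 16:off + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "on_link": bool(pflags & 0x80),     # L flag
                "autonomous": bool(pflags & 0x40),  # A flag: prefix may be used for SLAAC
            })
        off += opt_len
    return ra


def build_sample_ra() -> bytes:
    """Constructed RA with M=1, O=1, lifetime 1800 s, one /64 with L=1, A=1.
    The checksum is left at 0 because this decoder does not verify it."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0xC0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 86400, 14400, 0)
    return header + pio + IPv6Address("2001:db8:1::").packed


if __name__ == "__main__":
    print(parse_ra(build_sample_ra()))
```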

Title: Re: Manage IPv6 flags (A, M, O) for WAN dhcp client
Post by: GMazzocato on December 14, 2020, 05:22:12 PM
Follow up:

After some testing and reading of documents, I think that my reasoning is wrong in the way I am approaching this.
The IEEE RFCs state that instead of blocking the RA, I should classify the addresses in the interface. BSD uses ip6addrctl(8) for that, but I don't know about OPNsense.

I tried using the temporary addresses, and it selects the autonomous still. It should use the temp when activating the tunable, but it doesn't.

In the end, I'll have to study a bit more of how OPNsense classifies the ipv6 class and work with that.
I don't seem to be able to delete this thread, or close it, since the topic is depleted.

Mod maybe ? :)

Title: Re: Manage IPv6 flags (A, M, O) for WAN dhcp client
Post by: andreaslink on December 15, 2020, 11:13:19 PM
Nonetheless interesting to read :-). I still have IPv6 problems as I cannot ping my next (local) gateway via link local from WAN directly from my OPNsense. So something is still wrong with the IPv6 implementation, Firewall states all ICMPv6 as green, so something else is in the way, so this is why I was following your thoughts with interest :-).

Title: Re: Manage IPv6 flags (A, M, O) for WAN dhcp client
Post by: gary201 on December 21, 2020, 05:18:33 PM
With your configuration issue, is IPv6 working (e.g. ping6 to anything on the Internet from OPNsense) for a couple of minutes and then fails? That's the problem I have and I'm wondering whether my problem is similar to yours. What I have noticed in my issue is it fails when the NDP table entries get flagged as stale (and this is repeatable if for example I plug a Windows system into the ISP's ONT instead of OPNsense).