I have a local network with a bunch of hosts composed of linux, windows and android clients. I'm trying to have ipv6 working locally with DNS resolution. i.e., I want to be able to e.g. go to local-computer.local-domain.com, and have the DNS server resolve its IPv6 address, and access using it. Because of android, I am forced to use, or at least support, SLAAC.
My current setup:
- OPNsense
- Unbound - I am open to use any other DNS server if that solves the problem
- I have a /56 IPv6 DYNAMIC prefix from my ISP, no possibility to make it static (also, I don't want to change everything if I change ISP)
- Multiple VLANs, with ipv6 configured via tracking interface
- I have static ipv4 addresses for most hosts of my network via DHCPv4, which also assigns a hostname, correctly and automatically registered in unbound
What works:
- DNS IPv4 resolution in the local network
- Every host have (at least one) an ipv6 address
- Hosts can use ipv6 locally: they can ping, ssh, whatever
- Hosts can access the internet with ipv6: when going to google.com it resolves to the ipv6 address and it works
What doesn't work:
- Hosts accessing the local network with hostnames and ipv6
What I have tried:
- After reading a lot , I think that one solution is to set ULA for the VLANS.
- I have set virtual IPs with an ULA for each VLAN, in fd::. It works, meaning that the hosts get at least one ULA address. However, I don't know what to do with it. Honestly I haven't tried to set up firewall rules with them, but if I set them using them, would it work, considering they also have more addresses? I mean, if I put a rule that says "hosts with address fdULA:address:of:IOT:VLAN" cannot comunicate with "hosts with address fdULA:address:of:IOT:MANAGEMENT", wouldn't they be able to send things to MANAGEMENT since they have other addresses not related to ULA?
- In any case, despite having ULA addresses, I don't know what to do with it, or how it solves my problem. I cannot set static ULA addresses in DHCPv6 because they are "virtual" addresses, and it complains about "A valid range must be specified."
- I think I would have the same DNS problem as before, the addresses won't be registered in the DNS server.
What I'm trying:
- Apparently mdns is an important thing with IPv6. However, I would like to keep using a normal DNS server, because I might have things (usually IoT things) that don't understand mdns. What I thought was to let the mdns devices send their multicast, and have the DNS server get them and register them, so it will answer to normal DNS requests. However it seems that that's quite a weird thing to do and it's not supported anywhere, so if I go with that route, I would have to do a script or something.
- I have found this thing that looks it could help: http://www.dns-sd.org/ , but I have no idea what to do with it, or how to implement it.
Other possibilities:
- Use only ULA for the internal network, and use NPT for translating it to the external prefix. However, AFAIK OPNsense doesn't support dynamic prefixes in NPT, making it useless.
- Use IPv4 internally, but allow hosts to have IPv6 addresses for communicating with the exterior. The more I try things, and the more I learn about IPv6, the more I like this solution. I don't see how can I implement it, though, it looks that is either IPv6 for everything, or for nothing. I would have to force the DNS server to give only IPv4 addresses internally, or something.
I'm a bit surprised that I haven't found anything on the internet about this, it seems like a quite basic thing to do. Here are some links I've read and haven't helped. I have read way more things, but I cannot find them right now:
https://www.reddit.com/r/OPNsenseFirewall/comments/gnsa1t/multiple_ipv6_prefixes_per_interface/
https://forum.opnsense.org/index.php?topic=15529.0
You can use IPv4 internally, but that is pretty much the same as using ULA internally. The ULA you would configure the same as the internal IPv4, only as a virtual IP on the internal interface.
Not sure if you are aware but to configure DHCPv6 and radvd parameters you need to check "Manual configuration" in the interface.
Quote from: bimbar on October 10, 2021, 08:00:09 PM
You can use IPv4 internally, but that is pretty much the same as using ULA internally. The ULA you would configure the same as the internal IPv4, only as a virtual IP on the internal interface.
Well, it's not the same. As I explained, I can use ULAs with virtual IPs, but I cannot configure them with DHCPv6 because they aren't the "main" address and it shows an "valid range" error. And it doesn't work with slaac anyway.
Quote from: bimbar on October 10, 2021, 08:00:09 PM
Not sure if you are aware but to configure DHCPv6 and radvd parameters you need to check "Manual configuration" in the interface.
I am aware of that, I couldn't have tried to use DHCPv6 if I weren't .
Quote from: juantxorena on October 10, 2021, 08:37:42 PM
Quote from: bimbar on October 10, 2021, 08:00:09 PM
You can use IPv4 internally, but that is pretty much the same as using ULA internally. The ULA you would configure the same as the internal IPv4, only as a virtual IP on the internal interface.
Well, it's not the same. As I explained, I can use ULAs with virtual IPs, but I cannot configure them with DHCPv6 because they aren't the "main" address and it shows an "valid range" error. And it doesn't work with slaac anyway.
Quote from: bimbar on October 10, 2021, 08:00:09 PM
Not sure if you are aware but to configure DHCPv6 and radvd parameters you need to check "Manual configuration" in the interface.
I am aware of that, I couldn't have tried to use DHCPv6 if I weren't .
I couldn't make sense out of which address range the DHCPv6 server chooses to display if the interface has multiple prefixes.
I use ULAs for all local IPv6 communications. OPNsense advertises ULA prefixes and capable local devices get ULAs via SLAAC (as well as GUAs via SLAAC)
I have a separate box running pihole and unbound for DNS. Pihole listens on an IPv4 local (RFC1918) address and an IPv6 ULA. OPNsense gives out those addresses as DNS servers to all local clients via DHCP and RA/RDNSS (and in fact I have OPNsense force the use of those addresses). The pihole has local DNS entries configured for various local hosts, configured to return their IPv4 local address and IPv6 ULA