OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: netnut on November 05, 2021, 11:59:04 PM

Title: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: netnut on November 05, 2021, 11:59:04 PM
Being extremely happy with my OPNSense setup, there's only one thing I couldn't get accomplished, and it is the single last thing to cover before life is just perfect...

I'm currently using IPv6 PD over a PPPoE interface and that's working just fine; even RFC4638 (Baby Jumbos) is supported. But instead of a Link Local address assigned and used for the PPPoE interface (WAN), I want a (static) public routable IPv6 address on this interface from the assigned IPv6 prefix. I'm not covering the use cases here (there are ;-)), I just want to know how this can be done with OPNSense.

It can be done (from the ISP support page for custom installs):

IPv6
NL (translated): IPv6 /48 prefix, assigned by means of DHCPv6 with Prefix Delegation (PD)
EN: IPv6 /48 prefix assigned by DHCPv6 with Prefix Delegation (PD)

NL (translated): A WAN IP address is not explicitly assigned; if needed, it can be taken from the assigned prefix
EN: A WAN IP address is not explicitly assigned, when needed this can be taken from the assigned prefix.

And it has been done:

The standard provider CPE (FritzBox) assigns the first usable prefix at the outside (WAN) and the second at the inside (LAN). So when assigned a XXXX:YYYY:ZZZZ::/48 prefix the WAN interface gets XXXX:YYYY:ZZZZ:0:a:b:c:d/64 and the LAN interface XXXX:YYYY:ZZZZ:1:a:b:c:d/64.

Of course, with an OPNSense router most people are using multiple LAN interfaces instead of just one like the FritzBox, but with a /48 there's room for 65535 OPT interfaces ;-).

To be clear, IPv6 PD with PPPoE works perfectly with OPNSense, I'm looking for a solution to provision something like the XXXX:YYYY:ZZZZ:0::/64 subnet to the WAN / PPPoE interface in OPNSense like the FritzBox example above instead of just a Link Local.

Help is really appreciated.
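As an added example (not code from the thread, OPNsense or dhcp6c), here is the FritzBox-style mapping from the post above worked through: a delegated prefix is split into /64s by prefix ID (0 for the WAN side, 1 and up for the LAN side), a hand-picked WAN address is checked against the delegation, and a dhcp6c.conf-style `id-assoc pd 0` block in the KAME/WIDE syntax is rendered with one `prefix-interface` per tracked interface. The prefix 2001:db8:1234::/48, the interface names and the host IDs are constructed placeholders; whether listing the PPPoE interface itself under `id-assoc pd` gives it an address is exactly what the thread leaves open, so the rendered text is a syntactic illustration only.

```python
"""Map a delegated IPv6 prefix onto per-interface /64s by prefix ID and render
a dhcp6c-style id-assoc block for it.

Added example; not OPNsense or dhcp6c code. The example prefix, interface
names and host IDs are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Union

Net = Union[str, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Tracked:
    ifname: str  # interface that tracks the delegation (name is an assumption)
    sla_id: int  # prefix ID; FritzBox convention: 0 = WAN side, 1 = LAN side


def _net(delegated: Net) -> ipaddress.IPv6Network:
    return ipaddress.IPv6Network(delegated)


def sla_len(delegated: Net, target_len: int = 64) -> int:
    """Number of subnet-ID bits between the delegation and the /64 handed out."""
    bits = target_len - _net(delegated).prefixlen
    if bits < 0:
        raise ValueError(f"{delegated} is smaller than a /{target_len}")
    return bits


def subnet_for(delegated: Net, sla_id: int, target_len: int = 64) -> ipaddress.IPv6Network:
    """The /64 that prefix ID `sla_id` selects inside the delegation."""
    net = _net(delegated)
    bits = sla_len(net, target_len)
    if not 0 <= sla_id < (1 << bits):  # a /64 delegation only has prefix ID 0
        raise ValueError(f"prefix ID {sla_id} does not fit in {bits} bits")
    base = int(net.network_address) + (sla_id << (128 - target_len))
    return ipaddress.IPv6Network((base, target_len))


def address_for(delegated: Net, sla_id: int, host_id: int,
                target_len: int = 64) -> ipaddress.IPv6Interface:
    """A concrete interface address inside that /64, e.g. a WAN-side ...:0::1/64."""
    net = subnet_for(delegated, sla_id, target_len)
    if not 0 < host_id < net.num_addresses:
        raise ValueError(f"host ID {host_id} is outside {net}")
    return ipaddress.IPv6Interface((int(net.network_address) + host_id, target_len))


def in_delegation(addr: str, delegated: Net) -> bool:
    """Sanity check for a hand-picked VIP: it must lie inside the delegated prefix."""
    return ipaddress.ip_address(addr) in _net(delegated)


def plan(delegated: Net, tracked: List[Tracked]) -> Dict[str, str]:
    """ifname -> /64 as text, for every tracked interface."""
    return {t.ifname: str(subnet_for(delegated, t.sla_id)) for t in tracked}


def render_dhcp6c(wan_if: str, delegated: Net, tracked: List[Tracked],
                  target_len: int = 64) -> str:
    """dhcp6c.conf-style text (KAME/WIDE syntax), one prefix-interface per tracked interface."""
    bits = sla_len(delegated, target_len)
    lines = [f"interface {wan_if} {{", "  send ia-pd 0;",
             "  request domain-name-servers;", "};", "id-assoc pd 0 {"]
    for t in tracked:
        lines += [f"  prefix-interface {t.ifname} {{", f"    sla-id {t.sla_id};",
                  f"    sla-len {bits};", "  };"]
    lines.append("};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pd = "2001:db8:1234::/48"  # constructed documentation prefix
    layout = [Tracked("pppoe0", 0), Tracked("igb1", 1), Tracked("igb2", 2)]
    for ifname, subnet in plan(pd, layout).items():
        print(f"{ifname:8} {subnet}")
    print("WAN-side address:", address_for(pd, 0, 1))
    print(render_dhcp6c("pppoe0", pd, layout))
```

Run as-is to see the three /64s and the rendered block; `in_delegation` is the check to run on any address typed into a VIP before relying on it, since an address outside the delegation will not be routed back by the ISP.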


Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: benyamin on November 06, 2021, 12:49:30 AM
Just a stab in the dark:

You would need to operate your CPE in bridge-mode or at least use PPPoE pass-through.

Not all CPEs will do bridge-mode.
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: netnut on November 06, 2021, 01:07:58 AM
Quote from: benyamin on November 06, 2021, 12:49:30 AM
Just a stab in the dark:

You would need to operate your CPE in bridge-mode or at least use PPPoE pass-through.

Not all CPEs will do bridge-mode.

Step into the light... ;-)

OPNSense _IS_ the CPE. This is about PD and static address assignment configuration, not about PPPoE, but tnx.
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: benyamin on November 06, 2021, 01:56:19 AM
Yep, ok...

So, if I'm not mistaken, you're not getting a publicly routable IPv6 address assigned to your WAN, just the assigned prefix.

You might be able to make use of the override script "ported" from pfSense mentioned here (https://forum.opnsense.org/index.php?topic=25211.msg121473#msg121473). It's based on the one shown on NetGate here (https://forum.netgate.com/post/941892).

Normally you would still use your Fritzbox, but perhaps that's not necessary (maybe remove send ia-na 0 and id-assoc na 0 and try). In any case, you would assign your WAN interface to id-assoc pd 0.

I would have thought that there would be a built-in configuration item in OPNsense for this, but maybe not...
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: Greelan on November 06, 2021, 02:14:37 AM
Perhaps assign a Virtual IP from the prefix to WAN?
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: netnut on November 06, 2021, 04:14:50 AM
Quote from: Greelan on November 06, 2021, 02:14:37 AM
Perhaps assign a Virtual IP from the prefix to WAN?

Like your thinking  8), but I guess that's IPv4 only...
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: Greelan on November 06, 2021, 04:20:26 AM
Enter an IPv6 address, and it will then recognise it as such and allow the larger subnet masks
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: netnut on November 06, 2021, 04:52:43 AM
Quote from: Greelan on November 06, 2021, 04:20:26 AM
Enter an IPv6 address, and it will then recognise it as such and allow the larger subnet masks

I see, been tricked by the UI ;-).

My mindset is/was still at assigning that IP to the interface itself, using a VIP didn't even cross my mind and I'm still not sure if I like it.... But hey, it does exactly what I want, so I should stop whining and give a big Thank You!

So tnx!  ;D
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: Greelan on November 06, 2021, 05:13:51 AM
Lol. Well, there may be other ways to do it, eg see here: https://docs.opnsense.org/manual/how-tos/IPv6_ZenUK.html

Particularly the bit about static assignment towards the bottom
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: netnut on November 06, 2021, 05:32:41 AM
Quote from: Greelan on November 06, 2021, 05:13:51 AM
Lol. Well, there may be other ways to do it, eg see here: https://docs.opnsense.org/manual/how-tos/IPv6_ZenUK.html

Particularly the bit about static assignment towards the bottom

Yeah, I did read the fine manual ;-). But from my understanding Zen actually provides an interface address through DHCPv6 on the WAN interface (besides the actual /48). I did try a custom dhcp6c.conf with the PDs from my OPNSense LAN interfaces and my desired WAN address as NA, but it looked like I didn't get a prefix at all that way, let alone an interface address.
As stated by my ISP (see quote in first post) that makes sense, they only provide a prefix and nothing else, that's up to you. At least your VIP suggestion gives some configuration flexibility from the OPNSense side, but I still think it's funky  8)

Will play tomorrow with some IPSec tunnel routing over that VIP, if that works without problems I'm happy.

Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: Greelan on November 06, 2021, 05:43:33 AM
Who is your ISP?
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: netnut on November 06, 2021, 05:38:20 PM
Quote from: Greelan on November 06, 2021, 05:43:33 AM
Who is your ISP?

XS4All in The Netherlands.

BTW, so far so good, created a single v6 tunnel with multiple v4/v6 phase2's (the whole purpose of my wish, having a single phase1). Need more time to understand what OPNSense (and more important, myself ;-)) are doing...

Guess the VIP option is the only way to do what I want within the standard OPNSense interface.
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: netnut on November 07, 2021, 01:55:10 AM
Hmmm, I guess what I'm doing is not exactly what OPNSense likes.....

2001:aaaa:aaaa::1 is my static configured VIP on pppoe0 (manually picked from my /48 PD) with a remote IPSec peer 2a01:bbbb:bbbb::1. The IPv6 tunnel is successful, as are my SPDs for the IPv4 networks in the tunnel. As you can see adding the routes fails, but despite that the tunnel _does_ work. Guess the route fail is the reason firewall filters on the IPSec device are bogus (Firewall -> Rules -> IPSec); even with an empty list there's full access between the IPv4 networks over this IPv6 VPN, only a filter on my LAN interface in the 10.51.51.0/24 network is needed.

Probably need to learn some more about BSD routing to really understand what's happening. But for now the IPv6 VIP doesn't function as I like...

2021-11-07T00:45:55 charon[86028] 07[IKE] <con2|3> CHILD_SA con2{6} established with SPIs ccaee3ed_i c22fdb37_o and TS 10.51.51.0/24 === 10.250.250.0/24
2021-11-07T00:45:55 charon[86028] 07[KNL] <con2|3> installing route failed: 10.250.250.0/24 via fe80::xxxx:xxxx:xxxx:xxxx src 10.51.51.254 dev pppoe0
2021-11-07T00:45:55 charon[86028] 07[KNL] <con2|3> adding PF_ROUTE route failed: Invalid argument
2021-11-07T00:45:55 charon[86028] 07[CFG] <con2|3> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
2021-11-07T00:45:55 charon[86028] 07[IKE] <con2|3> maximum IKE_SA lifetime 28484s
2021-11-07T00:45:55 charon[86028] 07[IKE] <con2|3> scheduling reauthentication in 27944s
2021-11-07T00:45:55 charon[86028] 07[IKE] <con2|3> IKE_SA con2[3] established between 2001:aaaa:aaaa::1[2001:aaaa:aaaa::1]...2a01:bbbb:bbbb::1[2a01:bbbb:bbbb::1]
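As an added example (not OPNsense or strongSwan code), the charon lines above run through a small log triage: it pulls out the IKE_SA and CHILD_SA that came up, parses the failed route install, and flags the one thing that stands out in it, an IPv4 destination (10.250.250.0/24) with an IPv6 link-local next hop on pppoe0, which is the most likely reason the kernel answered "Invalid argument". It then correlates the failed route with the CHILD_SA whose traffic selector it belongs to, which is the situation the post describes (tunnel up, route missing). The sample lines are constructed from the post, with fe80::2 standing in for the redacted link-local gateway; the peer addresses are the post's own placeholders.

```python
"""Triage strongSwan (charon) log lines for the IPv4-over-IPv6 route failure
seen in the thread.

Added example; not OPNsense or strongSwan code. SAMPLE_LOG is constructed
from the posted lines, with fe80::2 in place of the redacted gateway.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE_LOG = """\
2021-11-07T00:45:55 charon[86028] 07[IKE] <con2|3> CHILD_SA con2{6} established with SPIs ccaee3ed_i c22fdb37_o and TS 10.51.51.0/24 === 10.250.250.0/24
2021-11-07T00:45:55 charon[86028] 07[KNL] <con2|3> installing route failed: 10.250.250.0/24 via fe80::2 src 10.51.51.254 dev pppoe0
2021-11-07T00:45:55 charon[86028] 07[KNL] <con2|3> adding PF_ROUTE route failed: Invalid argument
2021-11-07T00:45:55 charon[86028] 07[CFG] <con2|3> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
2021-11-07T00:45:55 charon[86028] 07[IKE] <con2|3> IKE_SA con2[3] established between 2001:aaaa:aaaa::1[2001:aaaa:aaaa::1]...2a01:bbbb:bbbb::1[2a01:bbbb:bbbb::1]
"""

CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<conn>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i "
    r"(?P<spi_out>[0-9a-f]+)_o and TS (?P<local>\S+) === (?P<remote>\S+)")
ROUTE_RE = re.compile(
    r"installing route failed: (?P<dst>\S+) via (?P<gw>\S+) src (?P<src>\S+) dev (?P<dev>\S+)")
PF_ROUTE_RE = re.compile(r"PF_ROUTE route failed: (?P<err>.+)$")
IKE_SA_RE = re.compile(
    r"IKE_SA (?P<conn>\S+) established between (?P<local>[^\[\s]+)\[[^\]]*\]"
    r"\.\.\.(?P<remote>[^\[\s]+)\[")


def family(text: str) -> int:
    """IP version (4 or 6) of an address or CIDR string."""
    return ipaddress.ip_network(text, strict=False).version


def diagnose_route(m: "re.Match") -> Dict[str, object]:
    """Explain a failed route install; mixed address families is the tell-tale sign."""
    dst, gw, src, dev = m.group("dst", "gw", "src", "dev")
    mismatch = family(dst) != family(gw)
    if mismatch:
        reason = (f"IPv{family(dst)} destination with an IPv{family(gw)} next hop on {dev}; "
                  "a next hop in another address family is the most likely cause of EINVAL")
    else:
        reason = "families match; check that the gateway is reachable on the device"
    return {"dst": dst, "gw": gw, "src": src, "dev": dev,
            "family_mismatch": mismatch,
            "gw_link_local": ipaddress.ip_address(gw).is_link_local,
            "reason": reason}


def analyze(log: str) -> Dict[str, List[dict]]:
    """Collect SAs, route failures and kernel errors, then tie failures to their CHILD_SA."""
    child_sas, ike_sas, failures, errors = [], [], [], []
    for line in log.splitlines():
        if m := CHILD_SA_RE.search(line):
            child_sas.append(m.groupdict())
        elif m := ROUTE_RE.search(line):
            failures.append(diagnose_route(m))
        elif m := PF_ROUTE_RE.search(line):
            errors.append(m.group("err"))
        elif m := IKE_SA_RE.search(line):
            ike_sas.append({**m.groupdict(), "version": family(m.group("remote"))})
    correlated = [
        {"conn": sa["conn"], "remote_ts": sa["remote"], "route": f,
         "note": "CHILD_SA is up, so traffic matching the IPsec policy is still "
                 "tunnelled; only the explicit kernel route is missing"}
        for f in failures for sa in child_sas if sa["remote"] == f["dst"]
    ]
    return {"child_sas": child_sas, "ike_sas": ike_sas, "route_failures": failures,
            "errors": errors, "correlated": correlated}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["route_failures"]:
        print("route failure:", f["reason"])
    for c in report["correlated"]:
        print(f"{c['conn']} -> {c['remote_ts']}: {c['note']}")
```

Feed it the IPsec log from the GUI or `/var/log/ipsec.log`; a `family_mismatch` finding with a link-local gateway is the pattern to look for before blaming the VIP itself.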
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: benyamin on November 07, 2021, 05:53:35 AM
I'm presuming your preference to not make use of your Fritzbox is for the sake of simplicity, and maybe to eliminate a SPoF, but is there any other reason...?

I only ask because it's possible, if you do use the override script - and leave send ia-na 0 and id-assoc na 0 alone - that your Fritzbox will assign your WAN an IP too (and not just the PD). Is it worth giving it a go?
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: netnut on November 07, 2021, 06:52:06 AM
Quote from: benyamin on November 07, 2021, 05:53:35 AM
I'm presuming your preference to not make use of your Fritzbox is for the sake of simplicity, and maybe to eliminate a SPoF, but is there any other reason...?

Complexity, latency, energy, manageability, security, space, bufferbloat (although the Fritz is one of the "better" CPEs). With an OPNSense box orders of magnitude more powerful than a Fritzbox there's no benefit.

Quote
I only ask because it's possible, if you do use the override script - and leave send ia-na 0 and id-assoc na 0 alone - that your Fritzbox will assign your WAN an IP too (and not just the PD). Is it worth giving it a go?

I took the Fritzbox example as a "proof of concept" as supported and implemented by my ISP with IPv6 PD, don't understand why you keep referring to it ;-). Besides the fact I don't use a Fritzbox, your suggestion is about a dhcp6c client configuration over PPPoE, that is going to my ISP (not to a Fritzbox) that _doesn't_ give anything else than an IPv6 prefix. So with or without IA-NAs, that address is not automagically created by dark matter or forces.
Even more important is that any override script breaks the excellent integration of the Track Interface configuration option in the OPNSense GUI, which I use for over 10 interfaces that are getting their /64 from the /48.

The root of the question is a way to configure publicly routable IPv6 addresses on the WAN (pppoe) interface on top of the already excellent support for IPv6 PD with LAN/OPT interfaces. As already mentioned, an IPv6 VIP is currently implemented in the system & GUI, but it looks like it's usable for various services (like nginx and so on) but not for deeper integration like IPSec VPN. Whether this is something I missed or overlooked, or simply not possible with OPNSense in its current state, is the reason for this forum post.
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: marjohn56 on November 07, 2021, 10:05:10 AM
For VPN etc, just use the address of the LAN(s). Unless it's for some really esoteric reason you do not need an address on the WAN. GUAs are just that, the GUAs on the LAN side are global addresses, not natted in any way.
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: benyamin on November 07, 2021, 01:31:18 PM
Quote from: netnut on November 07, 2021, 06:52:06 AM
The root of the question is a way to configure publicly routable IPv6 addresses on the WAN...
That's all I'm trying to address.

Quote from: netnut on November 07, 2021, 06:52:06 AM
Complexity, latency, energy, manageability, security, space, bufferbloat (although the Fritz is one of the "better" CPEs). With an OPNSense box orders of magnitude more powerful than a Fritzbox there's no benefit.
There is likely some benefit to it operating as a bastion host. There could also be some benefit to it acting as a RG (Residential Gateway), and I am curious as to whether having it act as such would solve your problem (or at least assist with troubleshooting it) as I detail below.

Quote from: netnut on November 07, 2021, 06:52:06 AM
I took the Fritzbox example as a "proof of concept" as supported and implemented by my ISP with IPv6 PD, don't understand why you keep referring to it ;-). Besides the fact I don't use a Fritzbox, your suggestion is about a dhcp6c client configuration over PPPoE, that is going to my ISP (not to a Fritzbox) that _doesn't_ give anything else than an IPv6 prefix. So with or without IA-NAs, that address is not automagically created by dark matter or forces.
Even more important is that any override script breaks the excellent integration of the Track Interface configuration option in the OPNSense GUI, which I use for over 10 interfaces that are getting their /64 from the /48.
Firstly, the Track Interface configuration will not change (provided you are tracking the WAN). You would still need to do this. So you could consider this configuration item completed.

The dhcp6c override script exposes several advanced settings not otherwise in the GUI, including how solicit messages are packaged together. Depending on how the DHCPv6 request is crafted will likely determine how your ISP's BNG will respond.

In your OP, you mention your PoC with the Fritzbox works, i.e. it gets a routable IPv6 address and a PD. It is worth mentioning that your ISP's BNG will most likely treat a PPP request from your CPE - or more correctly, RG - differently depending on what your RG is. It will also treat requests from your subscriber network, i.e. behind the RG, differently too. If you have your Fritzbox setup as your RG doing the PPPoE, and your OPNsense box merely doing a DHCPv6 request via your Fritzbox (or PPPoE if that fails - which is unlikely), your OPNsense box will likely get an IA-NA IPv6 address for your WAN as well as the PD.

Having said all that, on your WAN interface, did you tick Request only an IPv6 prefix (in standard configuration view), or neglect to tick Non-Temporary Address Allocation for Identity Association (which is the IA-NA btw - in Advanced configuration view)...? If so, that would likely be the cause of your problem. I also presume your PPPoE is set up as "dual-stack" with PPPoE via IPv4 and your IPv6 Configuration Type set as DHCPv6 (and not Static). Lastly, did you make sure that Prefer to use IPv4 even if IPv6 is available at System: Settings: General > Networking > Prefer IPv4 over IPv6 is not ticked (perhaps unrelated)?

You could achieve something similar with the override script too. My previous posts were about hacking that up, but I now think that unnecessary. I think you could probably achieve what you want with a standard script setup, specifying your WAN interface in id-assoc na 0 only if necessary. I still think that could possibly work without your Fritzbox, but I think it is worthwhile checking with it in the mix in bridge or pass-through mode before adding the complexity of PPPoE/DHCP <--> RG <--> BNG interactions.

You could give some of this a go and share what you learn. I leave it up to you.
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: netnut on November 07, 2021, 05:37:01 PM
Quote from: marjohn56 on November 07, 2021, 10:05:10 AM
For VPN etc, just use the address of the LAN(s). Unless it's for some really esoteric reason you do not need an address on the WAN. GUAs are just that, the GUAs on the LAN side are global addresses, not natted in any way.

Yeah, that's exactly what I'm doing now. The wish is to have a single IPv6 tunnel with multiple v4 & v6 phase2's in it. Initiating that from one of the LAN interfaces makes that segment a little bit more special than the others. Besides the single IPv6 tunnel, there are more IPv4-only tunnels initiated from WAN. So doing everything (VPN-like) from WAN for both IPv4 & IPv6 makes it more clean (and IPv4-like).
I could also create a separate IPv6 LAN interface/segment dedicated to VPN stuff and share that with all the other LAN segments so there's nothing special from a VPN perspective, but the WAN interface is there already and makes the most sense. That's why I want an IPv6 address there...

Quote from: benyamin on November 07, 2021, 01:31:18 PM
The dhcp6c override script exposes several advanced settings not otherwise in the GUI, including how solicit messages are packaged together. Depending on how the DHCPv6 request is crafted will likely determine how your ISP's BNG will respond.

I already quoted the ISP instructions in the first post; besides the prefix itself there is _no_ response. The WAN IP address assignment should be done by the CPE itself (hence OPNSense). Suggesting PPPoE configs (with or without Fritzboxes) doesn't help. The answer has already been given, using a VIP, but that creates funky IPSec routing (with IPv4 in IPv6) behaviour as mentioned in my previous post.

Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: benyamin on November 07, 2021, 06:27:47 PM
Quote from: netnut on November 07, 2021, 05:37:01 PM
I already quoted the ISP instructions in the first post; besides the prefix itself there is _no_ response. The WAN IP address assignment should be done by the CPE itself (hence OPNSense). Suggesting PPPoE configs (with or without Fritzboxes) doesn't help. The answer has already been given, using a VIP, but that creates funky IPSec routing (with IPv4 in IPv6) behaviour as mentioned in my previous post.

With respect, I disagree. IMHO, using a VIP is a poor solution. It appears you are getting some non-native IPv6 weirdness (6to4 tunnel maybe?).

I'm only suggesting the DHCP config - and perhaps topology - can likely resolve your issue. Address assignment is negotiated with the ISP: they are the one routing it for you. You cannot tell them the way it's going to be.

Maybe if I explain it a different way...

In your Fritzbox PoC, on the Fritzbox itself, did you need to use the Derive global address using the assigned prefix Connection Settings option in order to get an IP? If so, in the override script, couldn't you just assign PD 0 to WAN...? Just like the Fritzbox?

Did you even try it with the Fritzbox in front of OPNsense and have OPNsense as a pure DHCP client (no PPPoE)?

Did you check those options in my previous post? Namely:

Quote
[On] your WAN interface, did you tick Request only an IPv6 prefix (in standard configuration view), or neglect to tick Non-Temporary Address Allocation for Identity Association (which is the IA-NA btw - in Advanced configuration view)...? If so, that would likely be the cause of your problem. I also presume your PPPoE is set up as "dual-stack" with PPPoE via IPv4 and your IPv6 Configuration Type set as DHCPv6 (and not Static). Lastly, did you make sure that Prefer to use IPv4 even if IPv6 is available at System: Settings: General > Networking > Prefer IPv4 over IPv6 is not ticked (perhaps unrelated)?

If you're able to confirm the above, then I'll happily spend my time to help you create a working override script as I know it (my time) isn't being wasted. However, going around in circles won't get either of us anywhere.
Title: Re: PPPoE IPv6 Prefix Delegation with Static WAN Assignment
Post by: benyamin on November 07, 2021, 06:31:39 PM
Also, perhaps this will give you some insight:

https://community.ui.com/questions/USG-IPv6-XS4all-new-firmware/3fb9d68b-cdea-42f2-a4d3-d21b18cb13c5#answer/b45c1dfa-4f0c-4c3c-afd0-df136c493ed5