OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: GrapplingHero on April 30, 2022, 01:05:25 PM

Title: IPv6: how to have an interface track itself?
Post by: GrapplingHero on April 30, 2022, 01:05:25 PM
My ISP provides me with only a /56 prefix, without a separate address for the WAN interface. That /56 is not static, and on top of that the ISP only provides IPv4 connectivity via DS-Lite.

How can I get the WAN interface to track itself, so that I can assign it a /64 from that /56 and have it generate its own address? I really need this to establish the GIF tunnel for DS-Lite.

I tried these workarounds so far, but they are not stable (after a reboot I have to unplug and replug the WAN cable, hoping the GIF tunnel actually gets established).

I've been banging my head against a wall for days now - what can I do?

Title: Re: IPv6: how to have an interface track itself?
Post by: meyergru on April 30, 2022, 05:38:51 PM
The short answer is: You currently cannot track a WAN interface and have it assign a prefix to itself.

The way OPNsense works is that it uses dhcp6c to request an IPv6 address. Normally, the ISP will give you both an address for the WAN interface and a prefix for local interfaces, but some ISPs do not; they hand out only prefixes, such that you end up with no IPv6 address assigned to the WAN interface.

The settings "track interface" and "dhcpv6" are mutually exclusive, such that you cannot use radvd to assign an IPv6 prefix to the same interface it originated from.

Franco tried to implement this in dhcp6c to make it possible, but development has stopped: https://github.com/opnsense/core/issues/5630#issuecomment-1110602631

What you can do is to use any LAN address because IPv6 addresses are arbitrary and do not have to be on the WAN interface at all (see https://forum.opnsense.org/index.php?topic=27483.0). There is a new type of alias for this: https://docs.opnsense.org/manual/aliases.html#dynamic-ipv6-host

As I see, you already did that. The assignment on the loopback interface will not work because radvd needs a MAC address on the interface where it assigns the IPv6 prefix. This was part of the reason that the fix Franco attempted did not work, either.

But why does your LAN interface go down at all? Isn't it connected to a switch? Could you use a bridge on top of it that stays up even when the physical interface is down?

Title: Re: IPv6: how to have an interface track itself?
Post by: GrapplingHero on May 01, 2022, 12:52:20 AM
OPNsense already has functionality to spoof an interface's MAC address though (I'm using it right now for my second WAN uplink) - couldn't that be applied to a loopback interface (I know MAC addresses are an Ethernet thing, but a way to set a specific source for EUI64 address selection on other interfaces would be useful, I think)?

EDIT
Actually, never mind the above. Would it not be possible to just add a way to assign a custom host part for the generated IPv6 address on that interface? EdgeOS/VyOS do just that and I could get prefix delegation to propagate on loopback (unfortunately they force one to use an IP address instead of an interface for creating tunnels, so the end result was the same).

As for why I set up the system the way I did, I am running OPNsense on a box with four Ethernet ports: two are for my two ISPs, one is trunked and the last one is an untrunked "rescue" port so I can directly hook up a device for accessing the system if I mess the LAN configuration up.

Title: Re: IPv6: how to have an interface track itself?
Post by: meyergru on May 03, 2022, 10:20:35 PM
The IPv6 selection for outgoing connections is very simple: Use the outgoing interface's address if available, otherwise choose a "preferred" address (in OPNsense you can select that, but not with a dynamic prefix) or, as a last resort, choose the lowest routable IPv6 address in the system.

That way, you can actually use the LAN address by just choosing a "track6" prefix for the LAN address as the lowest one for all local interfaces. The lower 64 bits can be chosen via the MAC address.

That is how I do it. Also, I use a DynDNS service that only updates the /56 prefix of the entry with the dynamic prefix. I already know the lower 72 bits and set them manually. Together with dynamic IPv6 prefix aliases in OPNsense, I can reach whatever I like - even LAN clients; the only thing that is different there is the lower 72 bits.
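
The address arithmetic described in the last post (a dynamic /56 in front, a fixed lower 72 bits behind, with the host part optionally derived from a MAC address), as an added example that is not part of the original thread. The function names are hypothetical, and the prefixes and MAC address are constructed values from the documentation ranges.

```python
import ipaddress

LOWER72_MASK = (1 << 72) - 1  # 8-bit subnet ID + 64-bit interface ID


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def _delegated_56(prefix: str) -> int:
    """Validate a delegated /56 and return its network address as an integer."""
    net = ipaddress.IPv6Network(prefix, strict=True)  # rejects set host bits
    if net.prefixlen != 56:
        raise ValueError(f"expected a /56, got /{net.prefixlen}")
    return int(net.network_address)


def compose_address(delegated: str, subnet_id: int, interface_id: int):
    """Join a delegated /56 with a fixed subnet ID and interface ID."""
    if not 0 <= subnet_id <= 0xFF:
        raise ValueError("subnet ID must fit in the 8 bits between /56 and /64")
    if not 0 <= interface_id < 1 << 64:
        raise ValueError("interface ID must fit in 64 bits")
    lower72 = (subnet_id << 64) | interface_id
    return ipaddress.IPv6Address(_delegated_56(delegated) | lower72)


def rebase(old_address: str, new_delegated: str):
    """Keep an address's lower 72 bits and swap in a newly delegated /56."""
    lower72 = int(ipaddress.IPv6Address(old_address)) & LOWER72_MASK
    return ipaddress.IPv6Address(_delegated_56(new_delegated) | lower72)


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and documentation MAC.
    iid = eui64_interface_id("00:00:5e:00:53:01")
    addr = compose_address("2001:db8:aa00::/56", 0x10, iid)
    print("before prefix change:", addr)
    print("after prefix change: ", rebase(str(addr), "2001:db8:bb00:4200::/56"))
```

The same rebase step is what keeps a firewall alias or allow-list entry pointing at the intended host after the ISP rotates the prefix, instead of leaving a stale rule for an address that now belongs to someone else.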