Hi,
we have a strange problem with IPv6 prefix delegation range. OPNsense seems to randomly delegate a block, although we need to have a specific range delegated out to our secondary router.
We want 4 subnets delegated, starting with subnet 8. Subnets 0-7 are used by opnsense.
Expected: 2a02:1234:1234:bb38 - 2a02:1234:1234:bb3b delegated to sub router.
Result: sometimes 2a02:1234:1234:bb38:/62 is delegated, but sometimes (release) 2a02:1234:1234:bb30:/62, 2a02:1234:1234:bb34:/62 2a02:1234:1234:bb3c:/62 etc is delegated.
OPNsense: 22.10 business (DEC3850)
provider: Vodafone (Germany)
provider assigned dynamic prefix: 2a02:1234:1234:bb00::/58
relevant opnsense config:
[WAN] - uplink
interface IPv6 config type: DHCPv6
interface status: IPv6 delegated prefix 2a02:1234:1234:bb30::/60
[igb1] - sub router link interface
interface IPv6 config: track interface
IPv6 Prefix ID: 0x8
[igb1] DHCPv6 Server
DHCPv6 (info) available prefix delegation size: 61bits
DHCPv6 prefix delegation range: ::8:0:0:0:0 to ::c:f:f:f:f*
DHCPv6 prefix delegation size: 62 bits
*Note: entering "::b:f:f:f:f" as range end (which seemed logical to me) will break the DCHPv6 server to start.
[igb1] Router Advertisements
disabled
Questions:
1. What is the correct "prefix delegation range" setting for our goal?
2. Why would entering "::b:f:f:f:f" break the DHCPv6 server?
Also, it would be awesome to see some more range examples, especially for dynamic prefixes.
Best & thanks,
stefan.-
What's ::b:f:f:f:f? I suppose you mean ::b:ffff:ffff:ffff:ffff ... but the help text states:
"When using a tracked interface then please only enter the range itself, i.e. ::xxxx:0:0:0:0. For example, for a /56 delegation from ::100:0:0:0:0 to ::f00:0:0:0:0. Also make sure that the desired prefix delegation size is not longer than the available size shown above."
So I suppose you would need to set ::b:0:0:0:0, but I haven't checked the subnet math for /62 here and if you don't either then DHCPv6 will not start.
Note this behaviour changed with 22.7 and now you do configure it like you normally configure your DHCP server manually so all the examples on the Internet for isc-dhcp prefix syntax apply...
Cheers,
Franco
Hi Franco,
Thanks for the fast reply :)
However, entering ::b:0:0:0:0 will cause the server to break too.
According to the calculation, the range seems right:
https://www.internex.at/de/toolbox/ipv6/ip6=1234:1234:1234:bb38::/prefix=62 (https://www.internex.at/de/toolbox/ipv6/ip6=1234:1234:1234:bb38::/prefix=62)
(Click the button on the site to calculate again)
Really strange to me.
BTW: what will be the business edition equivalent to 22.7? Just ask because I ordered my second DEC which arrives tomorrow - those two will be linked, replacing an old Mikrotik router.
Aha, if you want "b" in a /62 it's actually "3" because that's all the bits you get ;)
https://www.internex.at/de/toolbox/ipv6/ip6=::3:0:0:0:0/prefix=62
Cheers,
Franco
PS: Current business is 22.10 based on 22.7.6. The new devices are not yet flashed with 22.10, however, as Suricon was last week and most of us were there.
Hi Franco,
it was confusing but I found the solution:
The only working setup is
Prefix Delegation Range from ::8:0:0:0:0
Prefix Delegation Range to ::8:0:0:0:0
Prefix Delegation Size 62
this reliably delegates ::bb38/62 (and nothing else) to the sub router. I now have ::bb38, ::bb39, ::bb3a and ::bb3b available.
According to the documentation that seems strange. However, it works ;-)
That's not what prefix6 docs say about the configuration, see https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch22s06.html
# Prefix range for delegation to sub-routers
prefix6 2001:db8:0:100:: 2001:db8:0:f00:: /56;
as you can see the start and end are supposed to be different, which is also what the help text says.
I'm not sure about the fact that it works correctly now but I hope it does stay that way.
Cheers,
Franco
Hi Franco,
I did some deeper research about isc dhcpdv6, it's documentation, source code and examples. The config stated above is indeed correct. I have compiled the explanation and some detailed examples below, which will be hopefully be useful as a reference for users.
Overview
[OPNsense values]
from and
to represent the first and last delegated prefixes,
not network boundaries. ISC dhcpv6 config divides this given range into smaller blocks (CIDR networks) in the size of the desired mask ([OPNsense value]
Prefix Delegation Size). ISC dhcpv6 then picks any of the generated blocks / prefixes and delegates it to sub routers. See (1).
The behavior of OPNsense and isc-dhcpdv6 is correct. The problem is documentation and value naming, which may lead some users to misunderstanding.
According to dhcpd.conf(5), the prefix6 statement syntax is
prefix6 low-address high-address / bits;Given this syntax,
high-address is the last prefix delegated - not the upper boundary of a network. Thats' the most important part to understand. Unfortunately, dhcpd.conf(5) in it's current version is a bit unclear here as well (2).
As a result, when only delegating 1 prefix so a sub router, the start and end address must be the same.
The administrator must assure that the network address range is actually available, up to the range resulting from the last prefix. See examples below.
Also note that according to isc documentation and source code (1), the delegated prefix range is allowed to start within the interface subnet (overlap) or may be outside of it.
Summary
When delegating prefixes with DHCPDv6, enter the first and last starting address of the prefix as first/last values. Do not confuse with resulting network boundaries.
Detailed Examples
using OPNsense current syntax ("from", "to", "Prefix Delegation Size")
(A) Example used in (3) and current OPNsense help textPremise:2001:db8::/52 being a dynamic prefix
= total /64 networks available: 4096
= mask ::/52
= total available network range (expanded): 2001:db8:0000:0000:0000:0000:0000:0000 to 2001:db8:0fff:ffff:ffff:ffff:ffff:ffff
Setup:
| Prefix Delegation "from": | ::100 |
| Prefix Delegation "to": | ::f00 |
| Prefix Delegation Size: | 56 |
Result:
- 15 delegated prefixes in the size of /56. The Server decides which one to pick.
- up to 15 sub routers possible as clients
- network range delegated to sub routers (expanded): 2001:db8:0100:0:0:0:0:0 to 2001:db8:0fff:ffff:ffff:ffff:ffff:ffff
- /64 networks available to sub routers: 15 * 256 = 3840
available prefixes, full list:
2001:db8:0100::/56
2001:db8:0200::/56
2001:db8:0300::/56
2001:db8:0400::/56
2001:db8:0500::/56
2001:db8:0600::/56
2001:db8:0700::/56
2001:db8:0800::/56
2001:db8:0900::/56
2001:db8:0a00::/56
2001:db8:0b00::/56
2001:db8:0c00::/56
2001:db8:0d00::/56
2001:db8:0e00::/56
2001:db8:0f00::/56
Note that the last used prefix is 2001:db8:0f00::/56. 0f00 is not the boundary of the delegated networks, it's 0fff with a /56 mask. (B) Smaller network delegationPremise:2001:db8:cafe:bb30::/60 being a dynamic prefix
= total /64 networks available: 16
= mask ::/60
= total available network range (expanded): 2001:db8:cafe:bb30:0:0:0:0 to 2001:db8:cafe:bb3f:ffff:ffff:ffff:ffff
(B.1) delegating 8 /64 networks in 2 prefixesSetup:
| Prefix Delegation "from": | ::8 |
| Prefix Delegation "to": | ::c |
| Prefix Delegation Size: | 62 |
Result:
- 2 delegated prefixes in the size of /62. The Server decides which one to pick.
- 2 sub routers possible as clients
- network range delegated to sub routers (expanded): 2001:db8:cafe:bb38:0:0:0:0 to 2001:db8:cafe:bb3f:ffff:ffff:ffff:ffff
- /64 networks available to sub routers: 8
available prefixes, full list:
2001:db8:cafe:bb38::/62
2001:db8:cafe:bb3c::/62
(B.2) delegating 8 /64 networks in 1 prefixSetup:
| Prefix Delegation "from": | ::8 |
| Prefix Delegation "to": | ::8 |
| Prefix Delegation Size: | 61 |
Result:
- 1 delegated prefix in the size of /61
- 1 sub router possible as client
- network range delegated to sub router (expanded): 2001:db8:cafe:bb38:0:0:0:0 to 2001:db8:cafe:bb3f:ffff:ffff:ffff:ffff
- /64 networks available to sub routers: 8
- Note: since delegating only 1 prefix, first and last prefix address must be the same
available prefixes, full list:
2001:db8:cafe:bb38::/61
(B.3) delegating 4 /64 networks in 1 prefixSetup:
| Prefix Delegation "from": | ::8 |
| Prefix Delegation "to": | ::8 |
| Prefix Delegation Size: | 62 |
Result:
- 1 delegated prefix in the size of /62
- 1 sub router possible as client
- network range delegated to sub router (expanded): 2001:db8:cafe:bb38:0:0:0:0 to 2001:db8:cafe:bb3b:ffff:ffff:ffff:ffff
- /64 networks available to sub routers: 4
- Note: the remaining range bb3c-bb3f can be used on dhcpv6 servers bound to other interface(s)
available prefixes, full list:
2001:db8:cafe:bb38::/62
Notes
Address syntax notes:
Prefix Addresses can be shortened, eg ::4 equals ::4:0:0:0:0
Notes for current OPNsense implementation (business 22.10, community 22.7):
The help text of "Services:DHCPv6[interface]:Prefix Delegation Range" may be a bit misleading and should be clarified. Also, it could be easier for users to understand if "from" and "to" field description is replaced by "first" and "last" or similar. See corresponding bug report #6143 https://github.com/opnsense/core/issues/6143 (https://github.com/opnsense/core/issues/6143).
References:
(1) isc-dhcpd server confpars.c source code at https://github.com/isc-projects/dhcp/blob/31e68e5e3b863a4859562e0bb808888d74af7497/server/confpars.c#L4302 (https://github.com/isc-projects/dhcp/blob/31e68e5e3b863a4859562e0bb808888d74af7497/server/confpars.c#L4302)
(2) https://linux.die.net/man/5/dhcpd.conf (https://linux.die.net/man/5/dhcpd.conf)
(3) https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch22s06.html (https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch22s06.html)
(4) generated isc dhcpd config file on current OPNsense host: /var/dhcpd/etc/dhcpdv6.conf
(5) IPv6 calculator at https://www.internex.at/de/toolbox/ipv6 (https://www.internex.at/de/toolbox/ipv6)