Hello,
I just came from pfSense, and configured my WAN interface the same way. DHCP & DHCPv6 with a /56 prefix for IPv6. However, no matter what I do unless I check "Request only an IPv6 prefix" I get no IPv6 information on the WAN. Same NIC in my router, everything else is the same. Even got the same IPv4 address. Any suggestions on where to look and what you need to help me?
Quote from: smccloud on November 04, 2023, 10:24:13 PM
Hello,
I just came from pfSense, and configured my WAN interface the same way. DHCP & DHCPv6 with a /56 prefix for IPv6. However, no matter what I do unless I check "Request only an IPv6 prefix" I get no IPv6 information on the WAN. Same NIC in my router, everything else is the same. Even got the same IPv4 address. Any suggestions on where to look and what you need to help me?
You had the same config at pfsense?
You are the dev who creates the script for transfer from pfsense to opnsense?
Quote from: alexkgr on November 04, 2023, 11:13:34 PM
Quote from: smccloud on November 04, 2023, 10:24:13 PM
Hello,
I just came from pfSense, and configured my WAN interface the same way. DHCP & DHCPv6 with a /56 prefix for IPv6. However, no matter what I do unless I check "Request only an IPv6 prefix" I get no IPv6 information on the WAN. Same NIC in my router, everything else is the same. Even got the same IPv4 address. Any suggestions on where to look and what you need to help me?
You had the same config at pfsense?
You are the dev who creates the script for transfer from pfsense to opnsense?
Yes, I'm the one working on the program. Settings should work fine but I get the following in my logs
2023-11-04T17:31:16-05:00 Notice dhcp6c reset a timer on igb0, state=SOLICIT, timeo=23, retrans=128544
2023-11-04T17:31:16-05:00 Notice dhcp6c send solicit to ff02::1:2%igb0
2023-11-04T17:31:16-05:00 Notice dhcp6c set IA_PD
2023-11-04T17:31:16-05:00 Notice dhcp6c set option request (len 4)
2023-11-04T17:31:16-05:00 Notice dhcp6c set elapsed time (len 2)
2023-11-04T17:31:16-05:00 Notice dhcp6c set identity association
2023-11-04T17:31:16-05:00 Notice dhcp6c set client ID (len 14)
Even when using the same hardware, your DUID will change when installing OPNsense. If your ISP is picky about this, copying the DUID from pfSense might work.
Cheers
Maurice
Quote from: smccloud on November 04, 2023, 10:24:13 PM
However, no matter what I do unless I check "Request only an IPv6 prefix" I get no IPv6 information on the WAN.
I do not quite understand this, please explain - the opposite should be true. Normally, one should be able to get both a WAN IPv6 and an IPv6 prefix that can be used on LAN interfaces via "Track Interface".
But some ISPs only hand out an IPv6 prefix and some do this only when only that prefix is being requested (by checking the "request an IPv6 prefix only box") - mine does this: if I request a WAN IPv6, I will get no addresses at all.
However, if you check that box, you should get exactly an IPv6 prefix - but that can only be assigned to LAN interfaces, not on the WAN interface itself. There has been an attempt to enable that feature by @Franco ("track interface" on WAN itself), but it was abandoned. I know for sure that Fritzbox can do something like this and possibly pfSense can as well (I don't know), so this may be your problem if I interpret it right.
You can check on your pfSense by examining LAN vs. WAN IPv6s closely and see if they are in the same /56 subnet. They would not if both types of addresses are provided by your ISP.
My current solution is to assign an IPv6 to the LAN interface, which is perfectly fine to allow outbound IPv6 traffic from OpnSense itself.
Quote from: Maurice on November 05, 2023, 12:37:44 AM
Even when using the same hardware, your DUID will change when installing OPNsense. If your ISP is picky about this, copying the DUID from pfSense might work.
Cheers
Maurice
And I have no good way to get the DUID from pfSense. It is not stored in the backup config file.
OPNsense only stores the DUID in the config if you explicitly enter one. Otherwise, dhcp6c uses the DUID it generated itself, which is stored in /var/db/dhcp6c_duid.
Might be the same in pfSense.
Quote from: Maurice on November 05, 2023, 04:35:18 AM
OPNsense only stores the DUID in the config if you explicitly enter one. Otherwise, dhcp6c uses the DUID it generated itself, which is stored in /var/db/dhcp6c_duid.
Might be the same in pfSense.
Probably is, my config file from pfSense shows <dhcp6-duid></dhcp6-duid> and at this point I can't get the DUID from pfSense.
So, I decided to restore my pfSense install to get its DUID today. Copied that to OPNsense. OPNsense says it is not a valid DUID, what do I do now? It is a 16 byte DUID, which OPNsense doesn't recognize as valid according to any format.....
A 16 byte DUID is indeed unusual. What type is it (first four bytes)? The default is LLT which is typically 14 bytes.
First four bytes are "0e:00:00:01"
Can you try spoofing a new MAC on the WAN, and save the changes (but don't yet apply them). Then go to Interfaces/Settings and change the DHCP Unique Identifier, just use the options to generate a new random one. Save the changes and shutdown OPNsense. Then unplug/reboot your ISP modem.
Plug the modem or ONT back in and let it come back online. Once the modem or ONT is back online, power OPNsense back up. It will boot with the new WAN MAC and DUID that was generated above. This should get you a new IPV4 and IPV6 address.
I've seen issues where a provider won't issue a new DHCPv6 prefix when the DUID changes but the MAC stays the same. I'm wondering if that's what is occurring here. Doing the above steps always works for me to get DHCPv6 back up and running.
I could just change my WAN NIC from igb0 to igb3 as well, or em0. I do have multiple NICs to specify.
0e:00:00:01 makes no sense. This is probably an LLT (00:01:00:01) with an extra two byte prefix for some reason. Try entering the DUID in OPNsense without the "0e:00:".
Yes, the pfS GUI decodes the DUID incorrectly, adding those bogus two bytes.
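Added example, not part of any post in this thread: a small decoder for the DUID discussed above. Read as a little-endian 16-bit integer, "0e:00" is 14, the usual length of a DUID-LLT; treating those two bytes as a length field is an assumption of this sketch, and the sample value (timestamp and MAC address) and the names `parse_duid` and `SAMPLE` are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

DUID_TYPES = {1: "LLT", 2: "EN", 3: "LL", 4: "UUID"}
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base

# Constructed sample: 16 bytes, first four "0e:00:00:01" as in the thread;
# the timestamp and MAC address are made up.
SAMPLE = "0e:00:00:01:00:01:2c:d7:9e:1a:00:11:22:33:44:55"


def fmt(data):
    return ":".join("%02x" % b for b in data)


def parse_duid(text):
    """Decode a hex DUID; drop a leading 2-byte length prefix if one is present."""
    raw = bytes.fromhex(text.strip().replace(":", "").replace("-", ""))
    stripped = False
    # Assumption: a little-endian uint16 that equals the number of bytes
    # following it is a length field, not the start of the DUID.
    if len(raw) > 4 and struct.unpack("<H", raw[:2])[0] == len(raw) - 2:
        raw, stripped = raw[2:], True
    if len(raw) < 3:
        raise ValueError("too short to be a DUID")
    dtype = struct.unpack("!H", raw[:2])[0]
    info = {"duid": fmt(raw), "length": len(raw), "stripped_prefix": stripped,
            "type": DUID_TYPES.get(dtype, "unknown (%d)" % dtype)}
    if dtype == 1:  # DUID-LLT: type, hardware type, time, link-layer address
        if len(raw) < 9:
            raise ValueError("DUID-LLT needs 8 header bytes plus an address")
        hwtype, seconds = struct.unpack("!HI", raw[2:8])
        info.update(hwtype=hwtype, lladdr=fmt(raw[8:]),
                    time=DUID_EPOCH + timedelta(seconds=seconds))
    elif dtype == 3:  # DUID-LL: type, hardware type, link-layer address
        if len(raw) < 5:
            raise ValueError("DUID-LL needs 4 header bytes plus an address")
        info.update(hwtype=struct.unpack("!H", raw[2:4])[0], lladdr=fmt(raw[4:]))
    return info


if __name__ == "__main__":
    for key, value in parse_duid(SAMPLE).items():
        print(key, "=", value)
```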
And removing the 0e:00 from the front of the DUID did not help. Still not working. I can get a prefix fine, but that doesn't propagate to my LAN.
As someone else noted, some ISPs just do not provide anything but the prefix. Some ISPs provide a separate /64 for WAN. Some provide a separate /64 with routing broken.
Quote from: meyergru on November 05, 2023, 02:36:27 AM
But some ISPs only hand out an IPv6 prefix and some do this only when only that prefix is being requested (by checking the "request an IPv6 prefix only box") - mine does this: if I request a WAN IPv6, I will get no addresses at all.
However, if you check that box, you should get exactly an IPv6 prefix - but that can only be assigned to LAN interfaces, not on the WAN interface itself. traffic from OpnSense itself.
Check with your ISP.
I will check with them, but given the settings are the same between pfSense and OPNsense it should just work. DHCPv6, /56 prefix, DUID, all the same.
Interfaces->Settings->IPv6 DHCP Log Level - set to Debug.
Just the following over and over with different times.
2023-11-05T18:13:55-06:00 Notice dhcp6c reset a timer on igb0, state=SOLICIT, timeo=30, retrans=109080
2023-11-05T18:13:55-06:00 Notice dhcp6c send solicit to ff02::1:2%igb0
2023-11-05T18:13:55-06:00 Notice dhcp6c set IA_PD
2023-11-05T18:13:55-06:00 Notice dhcp6c set IA_PD prefix
2023-11-05T18:13:55-06:00 Notice dhcp6c set option request (len 4)
2023-11-05T18:13:55-06:00 Notice dhcp6c set elapsed time (len 2)
2023-11-05T18:13:55-06:00 Notice dhcp6c set identity association
2023-11-05T18:13:55-06:00 Notice dhcp6c set client ID (len 14)
Quote from: smccloud on November 06, 2023, 12:39:16 AM
I will check with them, but given the settings are the same between pfSense and OPNsense it should just work. DHCPv6, /56 prefix, DUID, all the same.
Depending on how you define and / or created "the same" configuration, this may or may not work. The settings seem to differ a lot in detail between pfSense and OpnSense, especially when you look at the advanced settings. There may be defaults on pfSense that are different on OpnSense.
Here's the WAN XML from my pfSense config file. I see nothing that makes it so it shouldn't work.
<wan>
<enable></enable>
<if>igb0</if>
<blockbogons></blockbogons>
<descr><![CDATA[WAN]]></descr>
<spoofmac></spoofmac>
<alias-address></alias-address>
<alias-subnet>32</alias-subnet>
<blockpriv></blockpriv>
<ipaddr>dhcp</ipaddr>
<dhcphostname></dhcphostname>
<dhcprejectfrom></dhcprejectfrom>
<adv_dhcp_pt_timeout></adv_dhcp_pt_timeout>
<adv_dhcp_pt_retry></adv_dhcp_pt_retry>
<adv_dhcp_pt_select_timeout></adv_dhcp_pt_select_timeout>
<adv_dhcp_pt_reboot></adv_dhcp_pt_reboot>
<adv_dhcp_pt_backoff_cutoff></adv_dhcp_pt_backoff_cutoff>
<adv_dhcp_pt_initial_interval></adv_dhcp_pt_initial_interval>
<adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
<adv_dhcp_send_options></adv_dhcp_send_options>
<adv_dhcp_request_options></adv_dhcp_request_options>
<adv_dhcp_required_options></adv_dhcp_required_options>
<adv_dhcp_option_modifiers></adv_dhcp_option_modifiers>
<adv_dhcp_config_advanced></adv_dhcp_config_advanced>
<adv_dhcp_config_file_override></adv_dhcp_config_file_override>
<adv_dhcp_config_file_override_path></adv_dhcp_config_file_override_path>
<ipaddrv6>dhcp6</ipaddrv6>
<dhcp6-duid></dhcp6-duid>
<dhcp6-ia-pd-len>8</dhcp6-ia-pd-len>
<dhcp6-ia-pd-send-hint></dhcp6-ia-pd-send-hint>
<dhcp6usev4iface></dhcp6usev4iface>
<dhcp6withoutra></dhcp6withoutra>
<adv_dhcp6_prefix_selected_interface>wan</adv_dhcp6_prefix_selected_interface>
</wan>
And I just got done chatting with my ISP, their "solution" was to use their router. Nor would they reprovision my modem when I asked them to.
On OpnSense, the resulting dhcp6c configuration is in /var/etc/dhcp6c.conf, you can check if it is like the one on your pfSense.
For LAN interfaces with RA enabled, you can check if /var/etc/radvd.conf contains the correct definitions (you did configure the router advertisements, did you?).
The order is:
1. get a delegated prefix on WAN of the correct size (in your case, /56) - regardless if the WAN itself gets an IPv6,
2. assign a part of it to each of your LAN interfaces via a different prefix ID (at most 8 bits) and
3. have that prefix advertised via RA or DHCPv6.
The problem is, to get it visible in pfSense I have to reload my router. Which means everything is down for a while :(
I wonder if I can restore the config file in a VM just so I can look at that file.
> /var/db/dhcp6c_duid
Late to the party but you could just copy the file from the old install to the new. I don't think dhcp6c has an issue with a file it created itself.
Cheers,
Franco
Quote from: meyergru on November 06, 2023, 02:05:36 AM
On OpnSense, the resulting dhcp6c configuration is in /var/etc/dhcp6c.conf, you can check if it is like the one on your pfSense.
For LAN interfaces with RA enabled, you can check if /var/etc/radvd.conf contains the correct definitions (you did configure the router advertisements, did you?).
The order is:
1. get a delegated prefix on WAN of the correct size (in your case, /56) - regardless if the WAN itself gets an IPv6,
2. assign a part of it to each of your LAN interfaces via a different prefix ID (at most 8 bits) and
3. have that prefix advertised via RA or DHCPv6.
I haven't tried to configure RA yet since I don't have an IPv6 on the WAN yet. As for /var/etc/dhcp6c.conf, the only difference is pfSense has
interface igb0 {
send ia-na 0; # request stateful address
send ia-pd 0; # request prefix delegation
request domain-name-servers;
request domain-name;
script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};
id-assoc na 0 { };
id-assoc pd 0 {
prefix ::/56 infinity;
prefix-interface igb1 {
sla-id 6;
sla-len 8;
};
prefix-interface igb2 {
sla-id 7;
sla-len 8;
};
};
whereas OPNsense has
interface igb0 {
send ia-na 0; # request stateful address
send ia-pd 0; # request prefix delegation
request domain-name-servers;
request domain-name;
script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};
id-assoc na 0 { };
id-assoc pd 0 {
prefix-interface igb2 {
sla-id 7;
sla-len 8;
};
prefix-interface igb1 {
sla-id 6;
sla-len 8;
};
};
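Added example, not part of the posts above: it parses the two `id-assoc pd` stanzas shown in the post, compares them independently of stanza order, and works through steps 1 and 2 of the order quoted above by carving the per-LAN subnets out of a delegated /56. The delegated prefix `2001:db8:1234:ab00::/56` is a constructed documentation value, and the function names are hypothetical.

```python
import ipaddress
import re

# The two "id-assoc pd" stanzas from the post above, condensed onto fewer lines.
PFSENSE_PD = """id-assoc pd 0 {
    prefix ::/56 infinity;
    prefix-interface igb1 { sla-id 6; sla-len 8; };
    prefix-interface igb2 { sla-id 7; sla-len 8; };
};"""
OPNSENSE_PD = """id-assoc pd 0 {
    prefix-interface igb2 { sla-id 7; sla-len 8; };
    prefix-interface igb1 { sla-id 6; sla-len 8; };
};"""


def parse_pd(conf):
    """Return (prefix hint or None, {interface: (sla_id, sla_len)})."""
    stanza = re.search(r"id-assoc\s+pd\s+\d+\s*\{(.*)\};", conf, re.S)
    if not stanza:
        raise ValueError("no id-assoc pd stanza found")
    body = stanza.group(1)
    hint = re.search(r"^\s*prefix\s+(\S+)\s+\S+\s*;", body, re.M)
    ifaces = {name: (int(sla_id), int(sla_len)) for name, sla_id, sla_len in
              re.findall(r"prefix-interface\s+(\S+)\s*\{\s*sla-id\s+(\d+)\s*;"
                         r"\s*sla-len\s+(\d+)\s*;", body)}
    return (hint.group(1) if hint else None), ifaces


def lan_prefixes(delegated, ifaces):
    """Carve one subnet per interface out of the delegated prefix."""
    net = ipaddress.ip_network(delegated)
    result = {}
    for name, (sla_id, sla_len) in sorted(ifaces.items()):
        new_len = net.prefixlen + sla_len
        if new_len > 64 or sla_id >= 2 ** sla_len:
            raise ValueError("%s: sla-id %d / sla-len %d do not fit in %s"
                             % (name, sla_id, sla_len, net))
        base = int(net.network_address) + (sla_id << (128 - new_len))
        result[name] = ipaddress.ip_network((base, new_len))
    return result


if __name__ == "__main__":
    for label, conf in (("pfSense", PFSENSE_PD), ("OPNsense", OPNSENSE_PD)):
        hint, ifaces = parse_pd(conf)
        print(label, "hint:", hint)
        # 2001:db8:1234:ab00::/56 is a constructed documentation prefix.
        for name, net in lan_prefixes("2001:db8:1234:ab00::/56", ifaces).items():
            print("  ", name, net)
```

Run on the two stanzas, the interface assignments come out identical and the only semantic difference is the `prefix ::/56 infinity;` hint present in the pfSense file.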
All this advanced troubleshooting and we all forgot the most basic item. Firewall -> Settings -> Advanced -> Allow IPv6 :(
If you'll excuse me, I'm going to go find some crow to eat. Works fine now.
Whew, glad you figured it out :)
Cheers,
Franco