Hello guys. I want to know if there is any way that I could stop OPNsense from sending RA's with lifetime 0. I tried different stuff but none of it worked or it worked only for the shutdown process but not for the bootup process too.
OPNsense, if left in its default state, will send at least two RA's with lifetime 0 during a reboot process: one of them during the shutdown stage and the other one during the startup stage.
In my opinion any router out there should be sending RA's with lifetime 0 only during a shutdown command, not during a reboot command and not right at the start of the bootup.
Best open an issue on github.
No need to, since it is already available. See this (https://forum.opnsense.org/index.php?msg=238858).
Quote from: meyergru on June 15, 2025, 08:47:22 PM
No need to, since it is already available. See this (https://forum.opnsense.org/index.php?msg=238858).
Thanks for the link but why do you say that it is not needed? I need it because my Android devices lose IPv6 connectivity after OPNsense sends an RA with lifetime 0.
I replied to Patrick - I meant there is no Github issue needed, since the option already exists.
Quote from: meyergru on June 15, 2025, 09:57:53 PM
I replied to Patrick - I meant there is no Github issue needed, since the option already exists.
Ok, but, once again, is there any way that I can stop OPNsense from sending RA's with lifetime 0? I have not seen an answer to my question.
The answer to your question is literally in the first sentence of the message I already linked above (https://forum.opnsense.org/index.php?msg=238858).
When you read that thread, you will see further discussion on the feature because the 0 lifetime RA has both advantages and disadvantages.
Quote from: meyergru on June 15, 2025, 10:05:43 PM
The answer to your question is literally in the first sentence of the message I already linked above (https://forum.opnsense.org/index.php?msg=238858).
When you read that thread, you will see further discussion on the feature because the 0 lifetime RA has both advantages and disadvantages.
AdvDeprecatePrefix is set to off on my device but OPNsense still sends RA's with lifetime 0. It really has no influence.
Then you would need a GUI option to create a RemoveAdvOnExit and probably, also RemoveRoute (https://man.freebsd.org/cgi/man.cgi?query=radvd.conf&apropos=0&sektion=5&manpath=FreeBSD+14.2-RELEASE+and+Ports&arch=default&format=html) directive in /var/etc/radvd.conf.
In that case, you will need to open a Github issue.
The scope in the original message is entirely unclear to me. Also the fact that the WAN type plays a big role here. As a downstream router the system eventually deprecates a prefix it is no longer entitled to hold even if it's just due to intermittent connectivity that could be the case during a startup with PPPoE for example.
Cheers,
Franco
Quote from: franco on June 16, 2025, 09:41:02 AM
The scope in the original message is entirely unclear to me. Also the fact that the WAN type plays a big role here. As a downstream router the system eventually deprecates a prefix it is no longer entitled to hold even if it's just due to intermittent connectivity that could be the case during a startup with PPPoE for example.
Cheers,
Franco
Thanks for your answer. My scope is pretty straightforward: I want to stop OPNsense from sending RA's with lifetime 0 because my Android devices lose their v6 route and refuse to restore it after they received an RA with lifetime 0. This results in the fact that those Android devices are unable to use IPv6 anymore because they lost their router, their default gateway and then they refused to restore it. I was unable to find a way to make them restore their route automatically, I had to manually disconnect and reconnect my Android devices to the network. Or, to be more specific, I want to be able to have full control over the RA's with lifetime 0 that OPNsense sends out, I want it to only send them out when I tell it to send them out.
You could try out the alternative RA implementation that exists in the form of dnsmasq and see if the same behavior happens there too.
https://docs.opnsense.org/manual/dnsmasq.html#dhcpv6-and-router-advertisements
@franco: This is all a problem of ISPs not handing out static IPv6 prefixes as they should.
So, with dynamic IPv6 prefixes as ubiquitous as they are now, RADVD hands out RAs with a lifetime of zero in different scenarios. This is done in order to inform clients of the deprecated prefix as early as possible, because otherwise, those clients would still use the old prefix. This becomes even more evident with DHCPv6, where some clients hold true to their leases for the whole lifetime.
Alas, there is a section in some obscure RFC that mandates that such an RA with lifetime 0 is to be taken as "do not use this prefix ever again", which becomes a problem when ISPs hand out the same prefix after a reconnection. This was discussed in the other thread (https://forum.opnsense.org/index.php?topic=44435.0).
Some clients seem to honor that intended behavior, so that affected clients do not work with IPv6 any more.
RADVD has a means to not issue 0 lifetime RAs when it receives a reload by setting "DeprecatePrefix off", which can be had via the GUI already.
As it seems, it will still issue 0 lifetime RAs on exit (i.e. also on restart), but there are two more options (https://forum.opnsense.org/index.php?msg=240053) to even suppress prefixes and routes with a 0 lifetime on RADVD exit. These are not built into the GUI yet.
@meyergru You seem to know what you are talking about and yes, not handing out static IPv6 prefixes can become a pain in certain scenarios such as the one you mentioned. Fortunately, I do have a static IPv6 prefix from my ISP and I heard from someone that one of the causes of RA with lifetime 0 can be the fact that one of the LAN interfaces is set to track the WAN interface which means that whenever a change happens on that LAN interface, OPNsense will issue an RA with lifetime 0 to all other LAN interfaces.
As @Monviech told you: You could try dnsmasq, which has RAs built into it, to see if it uses 0 lifetime RAs as well. As a matter of fact, it is not OPNsense that chooses to send these RAs, but the respective RA daemon, if so configured.
And yes, you should at least use "DeprecatePrefix off" with these pseudo-static scenarios, but obviously that does not help with stop and start of RADVD. Lease prolongations usually are recognized even with "Track Interface" on LAN, such that there will be no 0 lifetime RA if the prefix does not change. You will most probably only see problems when you reboot your OPNsense or change configurations that cause a RADVD restart.
I get lucky, because I do not use clients that have that (IMHO braindead, but RFC-compliant) behaviour and accept another RA with the same prefix afterwards - why wouldn't you? Actually, the router should know what prefixes are valid and there is no other fix for deprecated prefixes than a 0 lifetime RA.
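Added example, not part of any post in this thread: "RA with lifetime 0" can refer to three different fields (the router lifetime that controls the default route, the prefix lifetimes, and the route lifetime that RemoveRoute concerns), so this Python sketch parses a raw ICMPv6 Router Advertisement and reports which of them are zero. The function names, the 2001:db8:1::/64 documentation prefix and the sample packets are constructed for illustration; the input is the ICMPv6 payload taken from a capture.

```python
import ipaddress
import struct


def zero_lifetime_fields(icmp6: bytes) -> list[str]:
    """Return the zero-lifetime fields found in one ICMPv6 Router Advertisement."""
    if len(icmp6) < 16 or icmp6[0] != 134:           # 134 = Router Advertisement
        raise ValueError("not a Router Advertisement")
    findings = []
    (router_lifetime,) = struct.unpack_from("!H", icmp6, 6)
    if router_lifetime == 0:
        findings.append("router lifetime 0 (sender withdrawn as default router)")
    off = 16                                         # options follow the fixed header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[off:off + opt_len]
        if opt_type == 3 and opt_len == 32:          # Prefix Information (RFC 4861)
            valid, preferred = struct.unpack_from("!II", body, 4)
            prefix = ipaddress.IPv6Address(body[16:32])
            if valid == 0 or preferred == 0:
                findings.append(
                    f"prefix {prefix}/{body[2]} valid={valid} preferred={preferred}")
        elif opt_type == 24 and opt_len >= 8:        # Route Information (RFC 4191)
            (route_lifetime,) = struct.unpack_from("!I", body, 4)
            prefix = ipaddress.IPv6Address(body[8:].ljust(16, b"\0")[:16])
            if route_lifetime == 0:
                findings.append(f"route {prefix}/{body[2]} lifetime 0")
        off += opt_len
    return findings


def build_ra(router_lifetime: int, prefix: str, valid: int, preferred: int) -> bytes:
    """Build a constructed sample RA with one prefix option (checksum left at 0)."""
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, valid, preferred, 0)
    return header + pio + ipaddress.IPv6Address(prefix).packed


# Constructed samples: a normal periodic RA and an RA as sent when the daemon exits.
NORMAL_RA = build_ra(1800, "2001:db8:1::", 86400, 14400)
EXIT_RA = build_ra(0, "2001:db8:1::", 0, 0)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_RA), ("exit", EXIT_RA)):
        print(name, zero_lifetime_fields(pkt) or "no zero lifetimes")
```
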