I will be posting this to /r/opnsense as well for maximum visibility... Let me open by saying my goal is to treat IPv6 as "the next IPv4" in that I want to assign host addresses, break VLANs by "subnet", assign cross-VLAN access, etc.
Goals with IPv6
- `host.subnet.domain` should be known to OPNsense as a known entity
- Host has a known IP address, `prefix:subnet identifier::host identifier`
- I should be able to have cross VLAN traffic
- I should be able to block traffic from/to unknown IPv6 entities. I recognize that there are multiple IPv6 addresses per device hence 1 and 2.
I've tried with the old ISC service off and on to little avail but not that dedicated. I'm trying now with the new way and I am running into issues with DNSmasq. I'm beginning to wonder though if maybe I'm working outside the spec.
My Understandings of IPv6 (note: using DNSMasq)
- Global addresses are assigned automatically via DHCPv6. These are prefix based according to ISP. This works fine, I cannot set the final range using the `::WXYZ` notation but I can understand this. See point 1.1 for SLAAC.
- If I set RA mode to use only SLAAC in the DHCP ranges screen, I will get the requested IP postfix (is this the right terminology? 🤔) but then I lose registering the hostname and all. I believed that SLAAC, RA-names, RA-stateless I would get the desired effect. Alas, no, I lose host reservations.
- We need better documentation of the RA-modes. Currently there are 7 options via DNSMasq in OPNsense v25.1.9. I'll break down the results of my testing using my MacOS laptop and a DietPi OS Raspberry Pi.
  - Default: what is selected if you choose no mode of your own. I tested this one last and it's functionally the same as ra-advrouter.
  - ra-only: On the Mac, appears to get two SLAAC addresses and a DHCPv6 address. I see the DHCPv6 address show up (type is static) in the leases page. No rdnss is set. For the Pi I see a different static lease type set than the DHCPv6 one I set. Furthermore, the Pi doesn't recognize this address when running `ip -6 addr`. Very strange. `ping6` from my Mac won't get to that address either. Trying to `ping6` by hostname or fqdn fails either way (Mac -> Pi or Pi -> Mac).
  - slaac: SLAAC and DHCPv6 addresses? Results in an identical setup to ra-only.
  - ra-names: register names for SLAAC addresses? In practice, running just ra-names I see the same results as ra-only. The "ghost" DHCPv6 still shows in the leases page for the Pi.
  - ra-stateless: SLAAC only address (not confusing at all 🤦🏻‍♂️). I recommend that this not be allowed with slaac as this stops DHCPv6.
  - ra-names and ra-stateless: results in an identical setup to ra-stateless.
  - ra-stateless and slaac: results in an identical setup to ra-stateless.
  - ra-names and slaac: results in an identical setup to ra-only.
  - ra-names, ra-stateless, and slaac: results very similar to the ra-only setup; however, differences exist in the Pi. Now I have that same DHCPv6 address that I've no idea where it comes from. When running `ip -6 addr` I see `scope global dynamic` for that address and `scope global dynamic mngtmpaddr` for the one that always shows up. Both can be `ping6`ed from my Mac.
  - ra-advrouter: What is this supposed to do? Mac is the same as ra-only, Pi is the same as ra-stateless. No rdnss picked up.
  - offlink: results in identical behavior as the ra-advrouter setup.
- DUIDs seem arbitrary and pseudo random. What in the bloody heck? 🤬 Why aren't we just using MAC addresses anyway? Why does IPv6 seem such a 💩🎪 after almost 30 years?! I'm not that young but was IPv4 this bad? I'd figure it would be mostly worked out by now!! Okay that out of my system...
- Is there a standardized and correct way to get the DUID from a system that OPNsense and DNSmasq can operate with?
- Where is the DUID shown in the DNSmasq leases page being obtained? This information is totally incorrect. For one, the number of bytes varies wildly per host. For two, it's never worked but getting the information (method seems to vary wildly) from the host and using that does work. Yet, the leases page still shows an incorrect DUID. 🐞 **Correction**: this is under IPv4 leases, maybe we should correct the UI to display N/A or something?
- I should be able to have ULA addresses as opposed to GUA only.
- I want local services on my DMZ that are accessible across VLANs (DNS, plex, etc.)
- I want to allow IoT devices an IP address and ability to talk to each other but no internet (ULA but no GUA).
Where do I go from here?
Am I fundamentally misunderstanding IPv6 and its capabilities? In a world with vastly more security threats than the one IPv4 launched into, I can't see it just being more open and less restrict(ed/able) in general! Where am I going wrong?
As I figure this out I am more than willing to help update documentation, just point me in the right direction. Once my kid gets older and I have free time (hahaha good one) I would love to help contribute code, but in the meantime I'll continue to evangelize and work with but maybe I'm just off my rocker on this.... Could Michael W. Lucas write a book on all this already? 😛
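The DUID questions in the post have a standard answer: RFC 8415 defines four DUID types (DUID-LLT, DUID-EN, DUID-LL, DUID-UUID), each with a different layout, which is why the byte count differs from host to host, and dnsmasq keys DHCPv6 reservations on that DUID rather than on the MAC. The decoder below is an added example, not code from the OPNsense or dnsmasq projects; the sample DUIDs, hostnames and the `::10` host suffix are constructed for illustration, and the `[::suffix]` reservation shorthand should be checked against the dnsmasq man page for the version you run.

```python
"""Decode DHCPv6 DUIDs (RFC 8415, section 11) and emit dnsmasq reservations.

Added example, not code from the OPNsense or dnsmasq projects. The sample
DUIDs, hostnames and host suffixes below are constructed for illustration.
"""
import struct
from datetime import datetime, timedelta, timezone

# DUID type codes, RFC 8415 section 11.1
DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
# DUID-LLT carries seconds since 2000-01-01 00:00:00 UTC (mod 2**32)
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def normalize_duid(duid: str) -> bytes:
    """Accept the hex spellings seen in lease tables: colons, dashes, spaces."""
    return bytes.fromhex("".join(c for c in duid if c not in ":- "))


def parse_duid(duid: str) -> dict:
    """Return the DUID type, total length and the fields each type carries."""
    raw = normalize_duid(duid)
    if len(raw) < 2:
        raise ValueError("DUID shorter than its 2-byte type field")
    (dtype,) = struct.unpack("!H", raw[:2])
    info = {"type": dtype, "length": len(raw), "hex": raw.hex(":")}
    if dtype == DUID_LLT:
        # type(2) + hardware type(2) + time(4) + link-layer address (6 for Ethernet)
        hwtype, secs = struct.unpack("!HI", raw[2:8])
        info.update(name="DUID-LLT", hwtype=hwtype, mac=raw[8:].hex(":"),
                    generated=(DUID_EPOCH + timedelta(seconds=secs)).isoformat())
    elif dtype == DUID_EN:
        # type(2) + IANA enterprise number(4) + vendor-chosen identifier (any length)
        (enterprise,) = struct.unpack("!I", raw[2:6])
        info.update(name="DUID-EN", enterprise=enterprise, identifier=raw[6:].hex())
    elif dtype == DUID_LL:
        # type(2) + hardware type(2) + link-layer address; no timestamp
        (hwtype,) = struct.unpack("!H", raw[2:4])
        info.update(name="DUID-LL", hwtype=hwtype, mac=raw[4:].hex(":"))
    elif dtype == DUID_UUID:
        # type(2) + 128-bit UUID, always 18 bytes
        info.update(name="DUID-UUID", uuid=raw[2:18].hex())
    else:
        info.update(name="unknown")
    return info


def dnsmasq_reservation(duid: str, hostname: str, host_suffix: str) -> str:
    """Build a dnsmasq dhcp-host line pinning a DUID to a fixed interface ID.

    dnsmasq keys DHCPv6 reservations on the DUID ("id:..."), not the MAC. With
    a constructor: dhcp-range the bracketed address may omit the prefix, e.g.
    [::10], and dnsmasq fills in the prefix learned from the interface, so the
    reservation survives an ISP prefix change. Check the dnsmasq man page for
    your version; the hostname and suffix here are assumptions.
    """
    duid_hex = parse_duid(duid)["hex"]
    return f"dhcp-host=id:{duid_hex},[{host_suffix}],{hostname}"


# Constructed sample DUIDs, one per type, showing why lengths differ per host.
# Enterprise number 43793 in the DUID-EN sample is the value systemd's
# default DUID-EN uses; the identifier bytes are made up.
SAMPLE_DUIDS = {
    "pi-llt":   "00:01:00:01:2e:56:78:9a:b8:27:eb:12:34:56",                # 14 bytes
    "mac-ll":   "00:03:00:01:3c:22:fb:aa:bb:cc",                            # 10 bytes
    "linux-en": "00:02:00:00:ab:11:0c:c0:84:d3:03:00:09:12",                # 14 bytes
    "vm-uuid":  "00:04:12:34:56:78:9a:bc:de:f0:12:34:56:78:9a:bc:de:f0",    # 18 bytes
}

if __name__ == "__main__":
    for host, duid in SAMPLE_DUIDS.items():
        print(host, parse_duid(duid))
    print(dnsmasq_reservation(SAMPLE_DUIDS["pi-llt"], "pi", "::10"))
```

Only DUID-LLT and DUID-LL embed a MAC; a DUID-EN (the systemd default) or DUID-UUID host cannot be matched by hardware address at all, so copy the DUID the client actually sends (from its lease file or `/var/lib/dhcp*/`-style state, depending on the client) rather than deriving one from the MAC.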
Your observations are mostly correct, but if you look at how this is all thought out, it makes more sense - and less sense for many setups.
For example: Some devices do not support DHCPv6 at all, therefore they need RA anyway. That is the main reason why I recommend using RA only (https://forum.opnsense.org/index.php?topic=45822.0). The router advertisement daemon would then announce stateless operation, potentially with assisted DNS settings, which some devices can only get via DHCPv6 (they will get IPs and routes via RA, but their DNS server via DHCPv6). Then again, you had better refrain from that, because if you use dual-stack, then the priority of IPv6 and IPv4 DNS servers is not defined and they probably are the same machine anyway, so IPv4 would be sufficient for that (plus, the IPv4 DNS server can also hand out IPv6 addresses).
It gets even more complicated if your IPv6 prefixes are dynamic (depends on your ISP). Even if you could assign static, foreseeable IPv6s via DUIDs, their prefix would change, so it does not work. You would need ULAs for that, just to have internal naming. For externally resolvable names, you will need DynDNS in that case, anyway. So, it is easier to stay with IPv4 in your LAN, have IPv6 access to the outside via GUA, assigned by RA only and if need be, use a reverse proxy to access services in your LAN via an IPv6 -> IPv4 translation. Doing it this way also allows OpnSense itself to take care of the DynDNS, because there will be only the WAN IPv6 being used.
You can even use IPv6 privacy extensions that way. And if you really need it, you can always access clients via IPv6 by their MAC-derived EUI-64, too, because the OpnSense firewall can use partial IPv6 dynamic host aliases.
That way, you do not have to think about DUIDs or anything.
And BTW: VLAN separation works much the same way as with IPv4: you use different prefixes for each VLAN (usually, your ISP assigns you a /56 prefix, so you can have 256 IPv6 subnets).
There is another thread that you should probably read: https://forum.opnsense.org/index.php?topic=47243.0
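The address plan from this reply, and the original post's goals of a `prefix:subnet::host` address per device and an IoT VLAN with ULA but no GUA, worked through in Python as an added example (not OPNsense code): carving one /64 per VLAN out of a delegated /56, deriving the modified EUI-64 interface ID that a partial (lower-64-bit) host alias matches regardless of which prefix the ISP hands out, generating an RFC 4193 ULA /48 for internal naming, and the scope check behind a "ULA to ULA passes, anything with a global address is blocked" rule. The delegated prefix, VLAN numbers and MAC addresses are constructed, and `iot_policy` illustrates the rule logic, not OPNsense's rule syntax.

```python
"""IPv6 address planning for the VLAN layout the reply recommends.

Added example, not OPNsense code. The delegated prefix, VLAN numbers and MAC
addresses are constructed; iot_policy shows the intent of a rule set, not
OPNsense's rule syntax.
"""
import hashlib
import ipaddress
import struct
import time

IID_MASK = (1 << 64) - 1
ULA = ipaddress.IPv6Network("fc00::/7")   # unique local, RFC 4193
GUA = ipaddress.IPv6Network("2000::/3")   # global unicast


def vlan_subnet(delegated: str, vid: int) -> ipaddress.IPv6Network:
    """Pick the /64 for a VLAN out of the delegated prefix (a /56 holds 256)."""
    net = ipaddress.IPv6Network(delegated)
    count = 1 << (64 - net.prefixlen)
    if not 0 <= vid < count:
        raise ValueError(f"VLAN {vid} does not fit: {net} only holds {count} /64s")
    return ipaddress.IPv6Network((int(net.network_address) + (vid << 64), 64))


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) from a MAC."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    octets[0] ^= 0x02                       # flip the universal/local bit
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big")


def host_address(subnet: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """prefix:subnet::host with the host part given as a 64-bit interface ID."""
    return ipaddress.IPv6Address(int(subnet.network_address) | (iid & IID_MASK))


def suffix_matches(addr: str, iid: int) -> bool:
    """What a partial (lower-64-bit) host alias tests: same host, any prefix."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK == iid


def ula_prefix(mac: str, ntp_time=None) -> ipaddress.IPv6Network:
    """fdxx::/48 ULA prefix per RFC 4193 section 3.2.2:
    global ID = low 40 bits of SHA-1(64-bit NTP timestamp || EUI-64)."""
    if ntp_time is None:
        # NTP 64-bit format: seconds since 1900 in the high 32 bits
        ntp_time = int((time.time() + 2208988800) * (1 << 32)) & ((1 << 64) - 1)
    material = struct.pack("!Q", ntp_time) + eui64_iid(mac).to_bytes(8, "big")
    global_id = int.from_bytes(hashlib.sha1(material).digest()[-5:], "big")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def iot_policy(src: str, dst: str) -> str:
    """Rule intent for the IoT VLAN: devices reach each other and local
    services on ULA only; any flow touching a global address is blocked."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if s in ULA and d in ULA:
        return "pass"
    return "block"


if __name__ == "__main__":
    mac = "b8:27:eb:12:34:56"                       # constructed Pi MAC
    gua_vlan10 = vlan_subnet("2001:db8:abcd:ff00::/56", 10)   # ISP /56, VLAN 10
    ula_vlan10 = vlan_subnet(str(ula_prefix(mac)), 10)        # same VLAN, ULA side
    iid = eui64_iid(mac)
    print("GUA:", host_address(gua_vlan10, iid))
    print("ULA:", host_address(ula_vlan10, iid))
    # After the ISP renumbers, the lower 64 bits still identify the host.
    print(suffix_matches("2001:db8:9999:ff0a:ba27:ebff:fe12:3456", iid))
    print(iot_policy(str(host_address(ula_vlan10, iid)), "2001:db8::1"))
```

Two caveats the reply already hints at: hosts using privacy extensions (the `mngtmpaddr`/temporary addresses seen in the post) will not carry the EUI-64 suffix, so a suffix alias only catches their stable address; and the IoT rule only keeps devices off the Internet if the IoT VLAN is advertised a ULA prefix only, since a device that also autoconfigures a GUA will use it for outbound traffic.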