OPNsense Forum

Hi

I've been able to migrate to dnsmasq but there are some IPv6 settings I'm confused about.

I have been assigned a /48 IPv6 address by my ISP, it's segmented this into various /64s for each interface in OpnSense.  Each interface is configured with IPv6 Configuration Type of "Track Interface"  WAN as the parenjt address.
I used to use Router Advertisements, but I've been able to stop using that with the use of dnsmasq ranges, see below.

(about:invalid)

The question is, what setting do I need on each network interface for IPv6 Configuration Type, testing reveals I can disable it, but I'm not sure if that is correct.

Thanks for your help

The official guide (https://docs.opnsense.org/manual/ipv6.html) for IPv6 goes through setting up exactly what you are doing. What exactly are you struggling with?

Hi

Basically, if I'm using dnsmasq ipv6 RA modes to assign ipv6 addresses, do I need the setting enabled on the network interface to track the WAN and what should it be?

ATM each client is getting 2 ipv6 addresses, one seems to be from dnsmasq and the other appears be from the network interface

thanks

Is the second one the privacy address? They both appear to be on the same /64.

Edit: it appears you are using DHCPv6 to send out client IPs as well as SLAAC. You should only use DHCPv6 for prefix delegation and maybe DNS server information.

Thanks, I think it's because I followed the instructions and used slaac,ra-names in dnsmasq.

In the end I've reverted to snapshot, I can't figure out the required IPv6 DHCP settings if not using ISC and RA.

Hopefully I can continue using ISC until I can get it working in a lab and then put into my system

Either you configure the IPv6 statically, or you use track interface and use the dnsmasq constructor, pointing each DHCPv6 range to the interface it should construct the RAs from.

E.g. this example works when having LAN on "Track Interface" /or/ a static IPv6 address

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv6-and-router-advertisements

You can use the following guide as an additional source:

https://homenetworkguy.com/how-to/migrate-from-isc-dhcp-to-dnsmasq-or-kea-dhcp-in-opnsense/

I'm studying the migration right now as I'll be moving to dnsmasq in the following days.

Thanks, I did follow this guide

I'll be interested to hear how your migration goes, specifically around the interface IPv6 settings (tracking vs dhcp vs slaac) and the dnsmasq IPv6 dhcp ranges and their RA modes. Also whether you were able to completely remove ISC and dependancy on the seperate Router Advertisement service, as it's built into dnsmasq.
If you'd be willing to share how you went it would really be appreciated.  After spending too many hours researching, implementing and testing I wasn't able to get IPv6 working without duplicate addresses being assigned and Testipv6 failing so just reverted.

thanks

Right here is an update on the second migration attempt...

I have IPv4 working
IPv6 addresses are being assigned from the interfaces, which are set to track the wan. 
However, there are no IPv6 leases being registed in dnsmasq.  The only way I am able to get the leases registed is if I enter start and end IPv6 addresses, which adds an EXTRA IPv6 address to each device.

here are the settings on the DHCP range that I'm applying (can't seem to include an image for some reason?)

start address ::3000
end address ::4000
constructor - same as Interface
RA Mode slaac, ra-names
Domain Type - Interface

With the above configured, I get  the IPv6 address registed which looks something like this - xxxx:xxxx:c3ca:dd30::33cc

on the client I have the following now

DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  IPv6 Address. . . . . . . . . . . : xxxx:xxxx:c3ca:dd30::33cc(Preferred)        EXTRA IPv6 Address  ************
  Lease Obtained. . . . . . . . . . : Friday, 7 November 2025 11:28:33 AM
  Lease Expires . . . . . . . . . . : Friday, 7 November 2025 11:33:33 AM
  IPv6 Address. . . . . . . . . . . : xxxx:xxxx:c3ca:dd30:1a5d:5283:b231:d91a(Preferred)
  Link-local IPv6 Address . . . . . : xxxx::xxxx:xxxx:f53a:fe3d%3(Preferred)
  IPv4 Address. . . . . . . . . . . : 10.0.30.2(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : Friday, 7 November 2025 11:30:25 AM
  Lease Expires . . . . . . . . . . : Friday, 7 November 2025 11:35:24 AM
  Default Gateway . . . . . . . . . : xxxx::xxx:xxxx:fe01:82c6%3
                                      10.0.30.1
  DHCP Server . . . . . . . . . . . : 10.0.30.1
  DHCPv6 IAID . . . . . . . . . . . : 194570051
  DHCPv6 Client DUID. . . . . . . . :
  DNS Servers . . . . . . . . . . . : xxxx:xxxx:c3ca:dd30:2e2:59ff:fe01:82c6
                                      10.0.30.1
                                      xxxx:xxxx:c3ca:dd30:2e2:59ff:fe01:82c6
  NetBIOS over Tcpip. . . . . . . . : Enabled

Does anyone know how to resolve the IPv6 address registration issue and remove the extra address?

thanks

Two addresses is what you configured - one SLAAC address and one DHCPv6 address.

If you want only DHCPv6, remove 'slaac' from RA Mode.

If you want only SLAAC, remove 'slaac', add 'ra-stateless' and remove start / end address.

Hi Maurice

Thanks for the help.

I'd like to remove all dependancies on the old ISC, so I've removed DHCP6 from the interface.  I'm now only left with the dnsmasq config.
I've tried the suggestions you've given me, but I don't get an IPv6 address on that interface anymore.

Just to clarify, I specifiy the same interface for the constructor?
And should the WAN interface still be set to DHCPv6 and if it changes what should I set it to SLAAC?  My ISP supports slaac and I currently get a /48 via DHCPv6.
thanks

Quote from: OzziGoblin on November 07, 2025, 06:27:13 AMI don't get an IPv6 address on that interface anymore.

The interface itself doesn't get an IPv6 address? That would be unrelated to the Dnsmasq settings.
Or clients connected to that interface don't get IPv6 addresses? Then Dnsmasq isn't configured correctly. Did you enable Router Advertisements in its general settings?

Quote from: OzziGoblin on November 07, 2025, 06:27:13 AMAnd should the WAN interface still be set to DHCPv6

Yes. That's the DHCPv6 client, unrelated to the Dnsmasq DHCPv6 server.

Unfortunately I'm not having any success with this.

Router Advertisements in general settings is enabled, although I didn't believe this was required if configured on each interface, when reading the help for the setting.
WAN interface IPv6 is set to DHCPv6
LAN Interface IPv6 configuration is set to none, so no entry available for ISC DHCPv6 or Router Advertisements.

Re the DNSMASQ RA configuration I've tried all the options and no IPv6 address is assigned to the client.

I'm starting to think that dnsmasq is incapable of assigning an ipv6 address to the clients.

Where am I going wrong?

Quote from: OzziGoblin on November 08, 2025, 01:11:38 AMLAN Interface IPv6 configuration is set to none, so no entry available for ISC DHCPv6 or Router Advertisements.

The LAN interface obviously must track the WAN, otherwise it won't have an IPv6 address and Dnsmasq can't construct a range.

that would mean I can't remove isc dhcpv6 or the router advertisement service as it's enabled when tracking is enabled.

So it would seem that dnsmasq is not able to completely replace ISC yet?

Services: ISC DHCPv6: [LAN interface]: uncheck 'Enable'
Services: Router Advertisements: [LAN interface]: set Router Advertisements to 'Disabled'

Yip, they are configured exactly like that :-)

But then dnsmasq isn't assigning the ipv6 address is it?

... and?

sorry I don't mean to appear rude, but wasn't the point of migrating to dnsmasq to remove dependancy on ISC so it can be removed at the next major update?

thanks

I don't get your point, sorry.

Quote from: Maurice on November 08, 2025, 01:55:04 AMServices: ISC DHCPv6: [LAN interface]: uncheck 'Enable'

This disables ISC DHCPv6. It stops the service. So there is no more dependency.

ok, thanks for all your patience with me Maurice, you've been a big help

Hi OzziGoblin, as we talked earlier I'm reporting my still ongoing migration from ISC DHCP 4 and 6 to Dnsmasq.
I made a first try today and it didn't work as expected. I couldn't make DHCPv6 working as it is with ISC DHCPv6.

My setup is somewhat weird because my OPNSense is behind the ISP router already acting as NAT router with a configured DMZ pointing to OPNSense WAN.
The ISP doesn't allow me to use bridge mode, so this is what I have.

The rare thing is the way I could get IPv6 to work. The ISP assigns a single /64 IPv6, no PD, no nothing. So I'm doing NATv6 and DHCPv6 assigns /80 addresses to local PCs. I chose /80 because I have some VLANs and I had to create different subnets for each one.

This way I have IPv6 /80 networks on each VLAN and it works perfect. Is not the ideal situation because I'm NATing IPv6, but I didn't find a single problem yet in the daily use.

THE MIGRATION:
I could make work the IPv4 part, but I couldn't make DHCPv6 assign an address. It doesn't work. The Dnsmask log says "dnsmask no address range available for DHCPv6".
I tried different RA flags, and even external radvd in assisted mode as the docs says, but still nothing.
One thing I noted is that I can't select other prefix than 64. Higher numbers throws an "integer" error on the GUI and lower values makes Dnsmask to abort at start telling that the prefix has to be at least 64. So the only choice is 64.

With ISC DHCPv6 I have /80 configured as prefix for the assigned addresses on each VLAN.

Well... that's all for now. I'll keep trying...

Cheers

Quote from: muchacha_grande on Today at 04:11:21 AMThe ISP assigns a single /64 IPv6, no PD, no nothing.

Is this /64 on-link on the ISP router's LAN interface? Then I'd recommend trying the new os-ndp-proxy-go plugin. It allows you to use the same /64 for the OPNsense LANs and you won't need NAT.

Cheers
Maurice

Hi Maurice.

Quote from: Maurice on Today at 12:53:46 PMIs this /64 on-link on the ISP router's LAN interface?

Yes it is. I saw this plugin recently. I've tested NDP proxy in the past. The no "go" version, and it worked fine on a test router. I'll give this a try.
Do you know if this works fine when there are multiple subnets?

ndp-proxy-go was developed from scratch by OPNsense OG @Monviech. It's way ahead of ndproxy. And yes, you can use it for multiple LANs. They will all share the same /64, the proxy can handle this.

Please also read the documentation:
https://docs.opnsense.org/manual/ndp-proxy-go.html

Quote from: Monviech (Cedrik) on Today at 01:31:32 PMPlease also read the documentation:
https://docs.opnsense.org/manual/ndp-proxy-go.html (https://docs.opnsense.org/manual/ndp-proxy-go.html)

Excellent, thank you, I will.


About, my failed Dnsmask DHCPv6 migration attempt. Do you know have an idea of what could be wrong?

I couldn't make DHCPv6 assign an address on any VLAN. Neither a reserved address nor a dynamic one.

What you have been doing wrong is simple. /64 is the smallest possible prefix. Do not try to fight well established IPv6 standards with assumptions like using /80 is fine.

I suppose that I'm misunderstanding some basic concept here.

I'm using /80 because I've configured a different subnet for each VLAN. The first 16 bits after the 64 bits prefix are the subnet, so I set each VLAN interface with a /80 address and I ask DHCPv6 to assign each PC an address inside the range of the VLAN it is connected to.

As my ISP doesn't assigns a larger prefix, how could I divide a network into smaller subnets?