OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: guest19228 on October 23, 2018, 03:16:41 am

Title: provide GUA and ULA IPv6 address via DHCP6
Post by: guest19228 on October 23, 2018, 03:16:41 am
I want to assign both a ULA and a GUA address to the lan/opt interface and want DHCP6 to provide both addresses to the clients. In my OpenWrt installation this is done very simply. On the interface page I can set a ULA prefix. All internal network interfaces will then pick a subnet from that range and provide it together with the GUA via DHCP/SLAAC to the clients. (see attached pictures).

In OPNsense it is not only not that simple, it's impossible. I tried the guides for pfSense from here https://www.reddit.com/r/PFSENSE/comments/3v9oph/ipv6_ula_and_dchpra/ and also read and tried this https://redmine.pfsense.org/issues/5999#change-37363. But the problem is that in OPNsense the DHCP server will only advertise one address, either the GUA when not setting a ULA subnet or the ULA subnet when set.
Title: Re: provide GUA and ULA IPv6 address via DHCP6
Post by: franco on October 23, 2018, 10:02:25 pm
SLAAC will do both the real interface IP and any VIP subnets you add. DHCPv6 is more rigid due to its integration into OPNsense currently.

In the end it boils down to which configs you expect for the individual services (in their config format) and comparing them to the actual configs written to the disk:

/var/dhcpd/etc/dhcpdv6.conf
/var/etc/radvd.conf


Cheers,
Franco
Title: Re: provide GUA and ULA IPv6 address via DHCP6
Post by: guest19228 on October 23, 2018, 11:44:58 pm
I just tested again. I set a VIP fd45:5612:5ae5:867::/64 on OPT1 (Allow manual adjustment of DHCPv6 and Router Advertisements unchecked to disable dhcp6 on that interface) and rebooted the machine.
The inet6 interface settings for OPT 1 are now:
Code:
vtnet2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 fd45:5612:5ae5:867:: prefixlen 64
        inet6 2002:XXX:d137 prefixlen 64
        inet6 fe80::1:1%vtnet2 prefixlen 64 scopeid 0x3
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Then I started a test machine and let it configure the interface via dhcp. The result is:
Code:
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd45:5612:5ae5:867::2000/128 scope global dynamic noprefixroute
       valid_lft 7184sec preferred_lft 4484sec
    inet6 fd45:5612:5ae5:867:c3a:a550:9785:575/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fe80::4113:fbcd:b20a:abe0/64 scope link
       valid_lft forever preferred_lft forever
On the opnsense /var/dhcpd/etc/dhcpdv6.conf is
Code:
option domain-name "foonet.foo";

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;

subnet6 fd45:5612:5ae5:867::/64 {
  range6 fd45:5612:5ae5:867::1000 fd45:5612:5ae5:867::2000;
  option dhcp6.name-servers fd45:5612:5ae5:867::;
  prefix6 fd45:5612:5ae5:868:: fd45:5612:5ae5:86c::/63;
}

ddns-update-style none;
and the /var/etc/radvd.conf
Code:
interface vtnet2 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        AdvLinkMTU 1500;
        AdvOtherConfigFlag on;
        prefix fd45:5612:5ae5:867::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        RDNSS fd45:5612:5ae5:867:: { };
        DNSSL heimnetz.netz { };
};
# Generated config for dhcp6 delegation from wan on lan
interface vtnet1 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        AdvLinkMTU 1500;
        AdvOtherConfigFlag on;
        prefix 2002:xxxx::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        RDNSS 2002:xxxx:4296 { };
        DNSSL heimnetz.netz { };
};
So even with SLAAC only the VIP address was advertised.
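
The comparison Franco describes, between what the interface carries and what ended up in /var/etc/radvd.conf, can be scripted. This is an added example, not part of the thread or of OPNsense: the function names are hypothetical, and the sample input is constructed from the outputs above with a 2001:db8::/32 documentation address in place of the redacted GUA.

```python
import ipaddress
import re

# Constructed sample input; the GUA is a 2001:db8::/32 documentation address.
IFCONFIG = """\
vtnet2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fd45:5612:5ae5:867:: prefixlen 64
        inet6 2001:db8:0:d137::1 prefixlen 64
        inet6 fe80::1:1%vtnet2 prefixlen 64 scopeid 0x3
"""
RADVD = """\
interface vtnet2 {
        prefix fd45:5612:5ae5:867::/64 { AdvAutonomous on; };
};
"""

def configured_prefixes(text):
    """Interface -> non-link-local IPv6 networks found in ifconfig output."""
    found, iface = {}, None
    for line in text.splitlines():
        if m := re.match(r"(\S+): flags=", line):
            iface = m.group(1)
        elif (m := re.match(r"\s+inet6 (\S+) prefixlen (\d+)", line)) and iface:
            addr = ipaddress.ip_address(m.group(1).split("%")[0])  # drop %scope
            if not addr.is_link_local:
                net = ipaddress.ip_network(f"{addr}/{m.group(2)}", strict=False)
                found.setdefault(iface, set()).add(net)
    return found

def advertised_prefixes(text):
    """Interface -> networks named in radvd.conf 'prefix' statements."""
    found, iface = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*interface (\S+)", line):
            iface = m.group(1)
        elif (m := re.match(r"\s*prefix (\S+)", line)) and iface:
            net = ipaddress.ip_network(m.group(1), strict=False)
            found.setdefault(iface, set()).add(net)
    return found

def missing_advertisements(ifconfig_text, radvd_text):
    """Prefixes configured on an interface that radvd does not advertise for it."""
    adv = advertised_prefixes(radvd_text)
    gaps = {i: sorted(str(n) for n in nets - adv.get(i, set()))
            for i, nets in configured_prefixes(ifconfig_text).items()}
    return {i: g for i, g in gaps.items() if g}

if __name__ == "__main__":
    print(missing_advertisements(IFCONFIG, RADVD))
```

On a live system the two inputs would be the output of `ifconfig vtnet2` and the contents of /var/etc/radvd.conf; an empty result means every non-link-local prefix on the interface is being advertised.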




Title: Re: provide GUA and ULA IPv6 address via DHCP6
Post by: franco on October 24, 2018, 07:13:47 am
Looks like you have this one going on where the VIP is of higher priority than the global IP:

https://github.com/opnsense/core/issues/2189

All we need is time and contributions and time to get it right. ;)
Title: Re: provide GUA and ULA IPv6 address via DHCP6
Post by: guest19228 on October 24, 2018, 12:18:11 pm
Hopefully this will be done soon.
I created a short shell script to change the order of the IP6 addresses if the ULA is listed before the GUA.
Code:
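#!/bin/sh
# Move the ULA behind the GUA on vtnet2 when the ULA is listed first.

#ifconfig vtnet2 inet6 | grep inet6 | awk '{ print $2 }'
IP6a=$(ifconfig vtnet2 | grep inet6 | awk '{print $2}')
ula=false
gua=false
lla=false
for i in $IP6a
do
    case $i in
        "fd45"*)
            # ULA seen before any GUA: remove and re-add it so it is listed last
            ula_addr="$i"
            ifconfig vtnet2 inet6 "$ula_addr" -alias
            ifconfig vtnet2 inet6 "$ula_addr" prefixlen 64 alias
            exit 1
            ;;
        "200"*)
            # GUA is already listed first: nothing to do
            exit 2
            ;;
        "fe80"*)
            # link-local address: skip
            ;;
        *)
            ;;
    esac
done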
When I do something that requires a rewrite of /var/dhcpd/etc/dhcpdv6.conf and /var/etc/radvd.conf then the public address becomes advertised. For me it looks like only the first IP6 address is taken for advertising.
I did a short check with pfSense. There this is already fixed. You can add additional prefixes there in the dhcp6 server settings and all are advertised.
Title: Re: provide GUA and ULA IPv6 address via DHCP6
Post by: franco on October 24, 2018, 12:52:12 pm
Yes, hopefully somebody will work on it. :)


Cheers,
Franco