OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: chaispaquichui on January 12, 2019, 11:47:08 pm

Title: Feature Request : dynamic NPTv6
Post by: chaispaquichui on January 12, 2019, 11:47:08 pm
Hi everyone, sorry but English is not my native language, I will try my best :)

I'm currently using pfSense but I've a problem with IPv6. In my country (Belgium), all the ISPs allocate dynamic IPv6 prefixes. If I reboot pfSense for example, I receive a new prefix and all my LAN is renumbered. It's boring because I need to change the DNS records each time it happens.

The ISP is doing this on purpose, I need to pay more if I want a static IPv6 prefix.

I asked for a solution on the pfSense forum but they told me to change ISP (but all the major ISPs are doing that in Belgium) or to use a TunnelBroker (which causes problems with Netflix and adds latency on the line). pfSense supports static NPTv6 but they don't want to implement dynamic NPTv6 (refresh the rules automatically if the ISP gives a new prefix). I'm not the only one with this problem but they don't seem to care.

Is there any chance for OPNsense to implement this feature one day?

Thx !
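Added example, not part of any post in this thread and not OPNsense or pfSense code: a sketch of the stateless, checksum-neutral prefix mapping from RFC 6296 that a dynamic NPTv6 rule would have to recompute whenever the delegated prefix changes. It assumes /48 prefixes on both sides; the function names are hypothetical and the addresses are constructed sample data (the ULA and the first external prefix are RFC 6296's own example, the second is from the documentation range).

```python
import ipaddress

def _words(addr):
    """Split an IPv6 address into eight 16-bit words."""
    n = int(addr)
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def _oc_add(a, b):
    """16-bit one's-complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def _oc_sum(words):
    total = 0
    for w in words:
        total = _oc_add(total, w)
    return total

def address_sum(addr):
    """One's-complement sum of an address, the part TCP/UDP checksums see."""
    return _oc_sum(_words(ipaddress.IPv6Address(addr)))

def translate(addr, from_prefix, to_prefix):
    """Rewrite the /48 prefix and fix up the subnet word (bits 48-63)."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    a = ipaddress.IPv6Address(addr)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this sketch handles /48 prefixes only")
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    w = _words(a)
    new_prefix = _words(dst.network_address)[:3]
    # adjustment = sum(old prefix) - sum(new prefix), in one's complement
    adj = _oc_add(_oc_sum(w[:3]), ~_oc_sum(new_prefix) & 0xFFFF)
    subnet = _oc_add(w[3], adj)
    if subnet == 0xFFFF:          # RFC 6296: never emit 0xFFFF, use 0x0000
        subnet = 0x0000
    n = 0
    for x in new_prefix + [subnet] + w[4:]:
        n = (n << 16) | x
    return ipaddress.IPv6Address(n)

def remap(hosts, ula_prefix, delegated_prefix):
    """Rebuild the internal -> external table for the current delegation."""
    return {h: str(translate(h, ula_prefix, delegated_prefix)) for h in hosts}

ULA = "fd01:203:405::/48"                # constructed internal prefix
HOSTS = ["fd01:203:405:1::1234"]         # constructed internal host
if __name__ == "__main__":
    for pd in ("2001:db8:1::/48", "2001:db8:2::/48"):  # before/after renumbering
        print(pd, remap(HOSTS, ULA, pd))
```

The internal address stays fixed while the external one follows the delegation, so only the translation rule and any public DNS records depend on the ISP's prefix.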
Title: Re: Feature Request : dynamic NPTv6
Post by: franco on January 13, 2019, 11:20:31 am
Hi,

We already have a ticket: https://github.com/opnsense/core/issues/2544

I can see how it's difficult to implement with the old code base, but we've replaced firewall rules generation code and it's worth fixing this on top of the more flexible code since shifting prefixes are still a common thing.

"19.7" is our wish list target, but I cannot guarantee that this will not shift back further.

The more help and prodding that is given by the community, the more likely it is that we'll be able to deliver. :)


Cheers,
Franco
Title: Re: Feature Request : dynamic NPTv6
Post by: bimmerdriver on January 13, 2019, 05:56:46 pm
There is a feature (which was developed by Marjohn56) on both pfsense and opnsense that may help in your situation. It's called "Do not allow PD/Address release" on pfsense and "Prevent release" on opnsense. It works the same on both. It will prevent either from sending a release unless you specifically release the interface. Depending on how your ISP allocates leases, it may help.
Title: Re: Feature Request : dynamic NPTv6
Post by: chaispaquichui on January 13, 2019, 08:37:45 pm
Thx for your answer ! It's nice to see you acknowledge the problem and are working on it  ;D

I'm going to look at opnsense to replace pfsense, I prefer the atmosphere of this forum


bimmerdriver, I'm already using this option. It helps but unfortunately, if pfsense reboots, the prefix changes :(
Title: Re: Feature Request : dynamic NPTv6
Post by: theq86 on January 14, 2019, 12:46:42 pm
I'm actually no friend of Network Prefix Translation. What use would it have?

It would let you use ULAs (Unique Local Address) for your home network. Thus, yes, preserving the complete IPv6 address and you could use "full static internal addresses".

But then, you would just do the same sh** that we wanted to overcome with IPv6, namely NAT in any form. We want globally unique addresses, end to end. (btw static addresses and end to end principle are two different things)

NPTv6 is no good and no correct solution. Instead, look what IPv6 has to offer us: Link Local Addresses.

EVERY IPv6 interface ALWAYS has a link local address. So as long as your DNS server is on the same link you can always talk to it using its link local address, which always has a static prefix. So you could make your DNS server use fe80::D for example and it is easily remembered.

If you need your dns server available locally above vlan borders you should assign your DNS server a ULA, which is also static locally. If you add another ula with the same prefix to an interface on the pfsense/opnsense the router will also be able to route correctly.

So please, consider getting to know IPv6 a little more and don't try to adapt IPv4 solutions onto IPv6. If you do it this way, you can configure everything today without having to wait for a NPTv6 feature.

:-)

And always remember, since we live in the IPv6 times - Every interface can have as many IPv6 addresses as they wish and need. Which address is used in the end depends on the scope. This is a major difference to IPv4 where multiple IP addresses are possible, but less often used.
Title: Re: Feature Request : dynamic NPTv6
Post by: chaispaquichui on January 14, 2019, 04:14:34 pm
"So please, consider getting to know IPv6 a little more and don't try to adapt IPv4 solutions onto IPv6."

Don't worry, I know IPv6 very well, it's just that we don't share the same opinion ;D

I'm not saying you should always do NPT with IPv6, far from it! But NPT has some use cases

You want to do IPv6 multihoming without BGP? You can use NPT
You want to be able to leave your ISP without having to renumber your LAN? You can use NPT
You want a workaround to a greedy ISP who gives you a dynamic prefix? You can use NPT

And I said "can", not "should" ;) NPT is just another tool in the IPv6 box

"Instead, look what IPv6 has to offer us: Link Local Addresses."

LLA addresses can't be routed :) And yes, I've VLAN in my network :)

"If you need your dns server available locally above vlan borders you should assign your DNS server a ULA, which is also static locally. If you add another ula with the same prefix to an interface on the pfsense/opnsense the router will also be able to route correctly."

I know, I currently use ULA and GUA in my network. But I've a bug with pfSense, if I configure a static ULA to an interface, pfSense doesn't use the delegated prefix anymore... Don't know why. I need to try this with opnsense :)
Title: Re: Feature Request : dynamic NPTv6
Post by: theq86 on January 14, 2019, 04:23:59 pm
Well, OPNsense won't use the provider's prefix either when a manual static ip address is configured. I think it will still take some time until sophisticated IPv6 configuration support is around everywhere.
Title: Re: Feature Request : dynamic NPTv6
Post by: theq86 on January 15, 2019, 12:12:19 pm
It would also be good to improve the virtual ip feature for ipv6 as well, so I can assign multiple addresses to an interface.
Title: Re: Feature Request : dynamic NPTv6
Post by: chaispaquichui on January 15, 2019, 07:13:10 pm
Agreed :) It would allow to use ULA and GUA at the same time
Title: Re: Feature Request : dynamic NPTv6
Post by: theq86 on January 25, 2019, 04:43:22 pm
@chaispaquichui

There's a solution already for at least that. I didn't find it first because it is less intuitive.
If you go to Firewall - VirtualIPs - Settings you may add an IP-Alias. Although the dropdown
states you can only add IPs with a /32 prefix, you can just insert a v6 address into the corresponding text field.
Afterwards you are allowed to choose up to /128.
Title: Re: Feature Request : dynamic NPTv6
Post by: chaispaquichui on January 25, 2019, 05:05:59 pm
I just tried and it doesn't work well :s

If I add the ULA after the autoconfiguration of the GUA, it's working

But if opnsense reboots, the system only uses the ULA :(
Title: Re: Feature Request : dynamic NPTv6
Post by: theq86 on January 25, 2019, 05:30:37 pm
Oh yes, I see. I can reproduce it. There is no interface tracking anymore when ULA is in place. That makes it unusable for me as well :-(