OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: cclloyd on January 14, 2019, 11:18:12 am

Title: WAN Interface not obtaining IPv6 prefix.
Post by: cclloyd on January 14, 2019, 11:18:12 am
I have my WAN configured to use DHCPv6 to request only a /64 prefix, and have DHCPv6 server configured to dish out addresses with the entire /64 subnet.

But when I try to renew the DHCP lease for the WAN to actually obtain a prefix, it doesn't seem to grab one. 

Running dhcp6c manually to see what happens yields the following: (em0 is WAN interface, em1 is LAN)

Code:
root@opnsense:/var/etc # dhcp6c -Df em0
Jan/14/2019 05:14:39: extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:23:cf:17:58:1c:c1:de:06:d7:70
Jan/14/2019 05:14:39: cfparse: fopen(/usr/local/etc/dhcp6c.conf): No such file or directory
Jan/14/2019 05:14:39: reset a timer on em0, state=INIT, timeo=0, retrans=891
Jan/14/2019 05:14:39: Sending Solicit
Jan/14/2019 05:14:39: a new XID (c0b30) is generated
Jan/14/2019 05:14:39: set client ID (len 14)
Jan/14/2019 05:14:39: set elapsed time (len 2)
Jan/14/2019 05:14:39: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:39: reset a timer on em0, state=SOLICIT, timeo=0, retrans=1091
Jan/14/2019 05:14:41: Sending Solicit
Jan/14/2019 05:14:41: set client ID (len 14)
Jan/14/2019 05:14:41: set elapsed time (len 2)
Jan/14/2019 05:14:41: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:41: reset a timer on em0, state=SOLICIT, timeo=1, retrans=2083
Jan/14/2019 05:14:43: Sending Solicit
Jan/14/2019 05:14:43: set client ID (len 14)
Jan/14/2019 05:14:43: set elapsed time (len 2)
Jan/14/2019 05:14:43: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:43: reset a timer on em0, state=SOLICIT, timeo=2, retrans=3982
Title: Re: WAN Interface not obtaining IPv6 prefix.
Post by: TrustedComputer on January 15, 2019, 05:44:41 am
I went through some similar issues here:
https://forum.opnsense.org/index.php?topic=10915.0

and got them solved by obtaining WAN address and prefix from my service provider with DHCPv6 and setting the prefix size properly (in my case, /59), then setting LAN to track the WAN interface for its address. Check the link for the details.

If your setup is similar enough and you have questions beyond what's in those posts, I can try to answer them from my working config.
Title: Re: WAN Interface not obtaining IPv6 prefix.
Post by: cclloyd on January 15, 2019, 10:55:53 am
I don't exactly know which prefix size Comcast gives me.  It's a gigabit home connection.  I know they give me at least a /64 prefix because when I originally had it set to track interface on LAN, and had the WAN DHCPv6 request an IP and not just a prefix, it worked, and clients configured with SLAAC with Comcast as the DHCP.
Title: Re: WAN Interface not obtaining IPv6 prefix.
Post by: TrustedComputer on January 15, 2019, 04:55:15 pm
Try looking at your Comcast Gateway WAN Status. For me (Comcast Business Gateway, so it might be different for you) the 8th line was "Delegated prefix (IPv6)" which showed a /56, which I now believe is what's assigned to the WAN interface of the Comcast Gateway, not what will be passed down to my firewall in a delegation. What works for me is to request a /59 delegation. Other sizes seem to break prefix delegation, although I don't know why.

Also, strangely, if I request a prefix delegation size of /64 then when I look at Interfaces\Overview, it shows my LAN interface having a /59 prefix but neither routing nor SLAAC works. So, perhaps if you request a /64 then look at your LAN interface status in Interfaces\Overview, you can use the prefix length you see there for the length you should really request in your WAN interface settings.
Title: Re: WAN Interface not obtaining IPv6 prefix.
Post by: cclloyd on January 15, 2019, 11:21:28 pm
Only info I can see on the Interfaces > Overview page on WAN is that the Gateway IPv6 is fe80::259:dcff:fe79:2422.  I don't see anything about it hinting at what I should be requesting.  The DHCPv6 server fails to start currently because it isn't fetching a prefix.
Title: Re: WAN Interface not obtaining IPv6 prefix.
Post by: TrustedComputer on January 16, 2019, 01:04:32 am
Earlier, you stated "I have my WAN configured to use DHCPv6 to request only a /64 prefix". You may need to change this by clearing that "Request only an IPv6 prefix" checkbox for the DHCP process to work.
Title: Re: WAN Interface not obtaining IPv6 prefix.
Post by: cclloyd on January 16, 2019, 11:03:07 pm
Yea I guess that makes sense.  Just request the address anyway and use the prefix.

But now when I do that, it's using the prefix I previously had (starts with 2601) instead of the one Comcast just gave me (2001).  Tried rebooting, etc.  Why won't the LAN update to the new prefix?


Edit:  After going back to my old config just to test a few things (DHCPv6 WAN with track interface LAN, no DHCPv6 on LAN), Comcast gave my router an IP starting with 2001, but all my clients are still getting IPs that start with 2601 (my old prefix).  Why are they doing that?

And is it possible to have clients that are configured with SLAAC still be registered in the local DNS so that I can resolve them using 'asdf.lan6.example.com'?

Also an issue I'm having is that using Track Interface for LAN, it doesn't seem to be clearing the previous settings, thus why it's using the wrong prefix.  How can I clear this?
Title: Re: WAN Interface not obtaining IPv6 prefix.
Post by: TrustedComputer on January 17, 2019, 06:11:37 am
Edit: I misunderstood your post, so I'm re-replying after re-reading.

Your clients should be creating their own IP addresses based on the RAs (router advertisements) from your OPNsense router through NDP (neighbor discovery protocol). The RAs should be based on the router's LAN address they are seeing on their LAN (or VLAN). If they are constructing their IPv6 with SLAAC starting with 2601, then that's probably the advertisement they are getting from OPNsense. Is OPNsense's LAN address starting with 2601 or 2001? If that's what you meant at the end where you said "Track Interface" was obtaining the old prefix of 2601, then maybe this will help:

I think I remember reading somewhere you can work around DHCP issues somehow by changing the "IPv6 Prefix ID" field on the LAN Interface settings. Usually you would just leave it at 0. But depending on how many /64s you can get out of your prefix delegation, you can change it to select the 2nd /64 prefix, or the 3rd, etc. going up by integers in hex. So I've got a /59. That means there are 5 bits left for subnetting, giving me 2^5 or 32 subnet/prefix IDs. So I can have anything between 0 and 1F there for prefix ID (if my hex math is right). The idea is this: if you change your prefix ID, you can get the service provider's DHCP server's attention when somehow before you were not.

You also could try toggling your LAN IPv6 settings between "None" and "Track Interface" to try to clear it that way.

Regarding DNS, that would be handled via DHCPv6 or static configuration on the host. As far as I know, SLAAC doesn't do DNS. Maybe someone else could chime in on this one.
Title: Re: WAN Interface not obtaining IPv6 prefix.
Post by: cclloyd on January 17, 2019, 09:22:15 pm
I tried switching it between none and track.  It worked at the time.

Also didn't know that THAT is what the prefix ID is for, and why when I changed it I got a different prefix that still started with 2601.  The last 4 of the prefix were different, which means Comcast is probably giving me at least a /48 prefix, right?

And yes, 2601 was the LAN IP, which seems to be correct in that that's what's being dished out by the ISP, and I can access the router using both its LAN IP (2601) and WAN IP (2001)

And if SLAAC can't do DNS at all, what would the best method be for syncing them to DNS records?  Currently my v4 network tracks all DHCP clients (including static leases) as {hostname}.lan.example.com, and I want all IPv6 clients to be mapped in {hostname}.lan6.example.com.   (I use Unbound DNS for this).  When I used DHCPv6, my servers weren't grabbing an IP address at all (seemed like dhclient wasn't running on the servers, all Ubuntu 18.04).
Title: Re: WAN Interface not obtaining IPv6 prefix.
Post by: TrustedComputer on January 18, 2019, 01:01:07 am
Quote
I tried switching it between none and track.  It worked at the time.

Awesome!

Quote
Also didn't know that THAT is what the prefix ID is for, and why when I changed it I got a different prefix that still started with 2601.  The last 4 of the prefix were different, which means Comcast is probably giving me at least a /48 prefix, right?

Did all four hex characters in the fourth quartet change? If so, then I would think so. But your PD (prefix delegation) would be specified in your Comcast Gateway's configuration pages and in your account on their website.

Quote
And if SLAAC can't do DNS at all, what would the best method be for syncing them to DNS records?

That's an area I haven't delved into yet. You may want to start a new thread for that.
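
Added example, not part of the original thread: the "IPv6 Prefix ID" arithmetic discussed above (a /59 leaves 5 bits, so IDs 0 to 1F), plus what two different LAN /64s observed under different prefix IDs imply about the delegation size. The 2001:db8:: prefixes are constructed documentation addresses and the function names are hypothetical.

```python
import ipaddress


def max_prefix_id(delegated: str) -> int:
    """Largest prefix ID that still selects a /64 inside the delegation."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError("delegation longer than /64 cannot hold a SLAAC subnet")
    return (1 << (64 - net.prefixlen)) - 1


def subnet_for_prefix_id(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 that a given prefix ID selects from the delegation."""
    limit = max_prefix_id(delegated)
    if not 0 <= prefix_id <= limit:
        raise ValueError(f"prefix ID {prefix_id:#x} outside 0..{limit:#x}")
    net = ipaddress.IPv6Network(delegated, strict=True)
    # The prefix ID fills the bits between the delegation length and bit 64.
    base = int(net.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def longest_delegation_len(lan_a: str, lan_b: str) -> int:
    """Longest delegation prefix length that can contain both observed /64s.

    Only the highest differing bit matters, so the delegation is this
    length or shorter (that is, this size or larger).
    """
    a = ipaddress.IPv6Network(lan_a, strict=True)
    b = ipaddress.IPv6Network(lan_b, strict=True)
    diff = int(a.network_address) ^ int(b.network_address)
    return min(64, 128 - diff.bit_length())


if __name__ == "__main__":
    pd = "2001:db8:0:40::/59"  # constructed sample delegation
    print("max prefix ID:", hex(max_prefix_id(pd)))
    for pid in (0x0, 0x1, 0x1F):
        print(hex(pid), "->", subnet_for_prefix_id(pd, pid))
    # Two constructed /64s whose fourth groups share no hex digit:
    print(longest_delegation_len("2001:db8:0:1234::/64", "2001:db8:0:abcd::/64"))
    print(longest_delegation_len("2001:db8:0:1234::/64", "2001:db8:0:abc::/64"))
```

The last two calls show that the bound depends on the highest differing bit, not on how many hex digits changed.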