OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: surly on April 30, 2021, 02:30:01 pm

Title: DHCPv6 server, getting hostnames?
Post by: surly on April 30, 2021, 02:30:01 pm
Hi:

I'm fairly new to opn, I was running pf until about a month ago.  I'm also fairly new to IPv6.  I'm not new to networking in general.  I'm running 21.1.4 w/ LibreSSL right now.

In a home setting I'm working through enabling IPv6 on my internal nets in a somewhat structured manner.  Right now I'm at my kids/guest VLAN and it's highlighting some shortcomings.  This mostly revolves around the DHCPv6 server system not gathering hostnames as part of its work.  I've done some searching and reading but no posting on this until now.

I have read that it is not mandatory to collect hostnames and, potentially, ISC dhcpd just doesn't.  I've read that people have had success getting hostnames inserted into DNS by configuring "full" dynamic DNS updates to local servers in a more enterprise/advanced homelab setting, with an AD server and that sort of thing.  That's not my situation so I don't think that's my solution.  I have read that going fully static with everything can result in hostnames being inserted into local DNS.

I am using unbound in non-forwarding mode with a blacklist or two configured.  I am running both ntopng and sensei (I'll pick later) and what I really notice is not being able to look at the reporting and tell what is doing what when IPv6 is enabled other than long strings of full v6 IP addresses.  I could assign all statics, but it's a lot of devices and there will still always be new or "visiting" devices that won't be covered.  I use static IP in some places (infrastructure equipment mostly), DHCP leases in others (backup for the first category, and devices requiring any special port mapping or firewall rules like printers, game consoles), and I'm quite happy with dynamic addressing with lease injection into unbound for all the other stuff...

Is there a fix coming, or a workaround I've overlooked which could improve this area and maybe get this working?
Title: Re: DHCPv6 server, getting hostnames?
Post by: marjohn56 on April 30, 2021, 04:10:47 pm
ISC DHCP does not support IPv6 hostnames. In IPv4 the hostnames are parsed from the leases file; the v6 leases file does not contain hostname information: https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdleases#THE%20DHCPv6%20LEASE%20(IA)%20DECLARATION

The other issue is that Android devices do not even use dhcp, they use SLAAC.
Title: Re: DHCPv6 server, getting hostnames?
Post by: surly on April 30, 2021, 05:28:43 pm
Quote
ISC DHCP does not support IPv6 hostnames.
Quote
The other issue is that Android devices do not even use dhcp, they use SLAAC.

Yep.  This confirms what I've read.  I actually had a line or two in my original post mentioning my disappointment at some organizations not supporting "optional" things that I feel are pretty sensible (like android and dhcp6) but I took it out.   These things hamper adoption of v6 in some places.

I guess I'm wondering if, say, ISC is planning to add that feature, if there's another workaround, if another dhcpd service is considering being made available in opn, community repository tools etc...etc... that I'm unaware of.

Right now, it seems like any benefits from enabling IPv6 are undone by either 1/ not being able to identify any of your clients   or 2/ administering static lease information for every device.
Title: Re: DHCPv6 server, getting hostnames?
Post by: Maurice on April 30, 2021, 06:25:34 pm
Having every single IP address in DNS is impossible, especially with modern address assignment methods like SLAAC with privacy extensions. Even when using DHCP you would have to rely on clients to correctly provide their hostname, which many don't.

For everything which actually hosts a service, static DNS records work best. DHCP static mappings are possible, too. But why would you really need(!) a DNS record for e.g. a random phone in a guest network?

Just my 2 Cents.

Maurice
Title: Re: DHCPv6 server, getting hostnames?
Post by: surly on April 30, 2021, 06:52:01 pm
Quote
Having every single IP address in DNS is impossible, especially with modern address assignment methods like SLAAC with privacy extensions. Even when using DHCP you would have to rely on clients to correctly provide their hostname, which many don't.

For everything which actually hosts a service, static DNS records work best. DHCP static mappings are possible, too. But why would you really need(!) a DNS record for e.g. a random phone in a guest network?

Just my 2 Cents.

Maurice

I have to say I disagree, since I have had this for decades with IPv4.  Who gets excited about the next great generation when the basic stuff you're losing shouts at you within 10 minutes of starting testing?  Remember this is my home, not a shopping mall, and I'm not expecting SLAAC and all that as you imply.  Just DHCP, and just like it works with IPv4.   I didn't dream up new pie-in-the-sky functionality I was hoping for.

If I look at IDS tools (which are becoming so easy to deploy these days) and see traffic worthy of investigating, I want to know who it was.  Oh, that's my son's school-provided Chromebook.   Or my daughter's friend's phone.   And, precisely because all of these things don't provide services is exactly why I would rather not maintain static leases for all of them (which is even more fun when you have a page of leases on your screen and no idea what is what right from the get go - not even a MAC lookup tool to get a manufacturer since it uses DUIDs). 

Honestly, the only reason I looked at putting DHCP6 on this network at all instead of just leaving it with tracking WAN6 and using RA/SLAAC was to be able to identify clients.  If this is strictly an ISC thing, and another DHCP server provides this functionality, maybe it's worth a look.  Goodness knows we've moved beyond ISC bind for DNS.  We have dnsmasq, unbound etc... which offer something different for applications which need something different, like home routers, pihole etc...

Since I'm sensing more of a "you shouldn't want to do that" vibe so far, I'm going to assume there's no anticipated release of ISC dhcpd soon to be incorporated that will do this, or some kind of add on method I've missed.   

If I've somehow written this so that it sounds like an attack on OPNsense I apologize.  Clearly the shortcomings of ISC and Android aren't this project's responsibility, but I would expect that workarounds or anticipated improvements would be known here.
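
Added example, not part of the thread or of OPNsense: the post above notes that the DHCPv6 lease list shows DUIDs rather than MACs. DUID-LLT and DUID-LL (RFC 8415) embed a link-layer address, so this sketch recovers it from the `ia-na` entries of a v6 leases file for a vendor lookup. The sample leases are constructed, and the layout assumed is a 4-byte IAID followed by the DUID in dhcpd's octal-escaped string.

```python
import re

# Constructed, abbreviated sample in ISC dhcpd's v6 lease (IA) format.
SAMPLE = r'''
ia-na "\001\000\000\000\000\001\000\001(\035\253\315\000\021\"3DU" {
  iaaddr 2001:db8:0:20::1000 { binding state active; }
}
ia-na "\002\000\000\000\000\003\000\001\252\273\314\335\356\377" {
  iaaddr 2001:db8:0:20::1001 { binding state active; }
}
ia-na "\003\000\000\000\000\0040123456789abcdef" {
  iaaddr 2001:db8:0:20::1002 { binding state active; }
}
'''

IA_RE = re.compile(r'ia-na "((?:\\.|[^"\\])*)" \{(.*?)\n\}', re.S)

def unescape(s):
    """Undo dhcpd's quoting: three-digit octal escapes and backslash-quoted characters."""
    s = re.sub(r"\\([0-3][0-7]{2})|\\(.)",
               lambda m: chr(int(m.group(1), 8)) if m.group(1) else m.group(2), s)
    return s.encode("latin-1")

def duid_mac(duid):
    """Ethernet MAC from a DUID-LLT (type 1) or DUID-LL (type 3); None for other types."""
    if len(duid) < 4:
        return None
    dtype = int.from_bytes(duid[0:2], "big")
    hwtype = int.from_bytes(duid[2:4], "big")
    offset = {1: 8, 3: 4}.get(dtype)  # DUID-LLT carries a 4-byte timestamp first
    if offset is None or hwtype != 1 or len(duid) != offset + 6:
        return None
    return ":".join(f"{b:02x}" for b in duid[offset:])

def leases_to_macs(text):
    """Map each leased IPv6 address to (DUID hex, MAC or None)."""
    result = {}
    for raw, body in IA_RE.findall(text):
        duid = unescape(raw)[4:]  # assumption: the first 4 bytes are the IAID
        for addr in re.findall(r"iaaddr (\S+)", body):
            result[addr] = (duid.hex(), duid_mac(duid))
    return result

if __name__ == "__main__":
    for addr, (duid, mac) in leases_to_macs(SAMPLE).items():
        print(addr, duid, mac or "no link-layer address in DUID")
```

The MAC in a DUID is the one the client used when it generated the DUID, which is not necessarily the interface the lease was issued on. DUID-EN and DUID-UUID clients carry no link-layer address at all, so those rows stay unresolved.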
Title: Re: DHCPv6 server, getting hostnames?
Post by: Maurice on May 01, 2021, 03:01:30 am
Agreed that better integration of the DHCPv6 and DNS servers would be desirable (it's frequently requested). But speaking from experience with other systems where DNS registration of dynamic DHCPv6 leases works, the results probably wouldn't be what you might expect. Many DHCPv6 clients simply don't send a hostname. And because DHCP is very much optional in IPv6, many devices don't support it at all. Not only Android, but also many embedded devices and IoT stuff entirely rely on SLAAC. So unless you are extremely restrictive about what devices are permitted in your networks, DHCPv6-only is rather unrealistic.

At some point many of us probably thought that IPv6 is just IPv4 with longer addresses. Upon realizing that this is not the case and that we'll have to change some old habits, it's probably natural to react with "that's bad because it doesn't work like I'm used to". But most eventually get over it.

Isn't every day you do something new a great day?
No hard feelings and all the best!

Maurice