OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: telxoid on May 19, 2016, 09:22:52 pm

Title: ipv6 /60 Delegation
Post by: telxoid on May 19, 2016, 09:22:52 pm
Hi folks:

Pardon if this has been addressed, I can't seem to find my usage scenario via search.

I'm running 16.1 (patched current this week).  I have Comcast in North America, and I can request and receive a /60 delegation (I see the address get assigned in a tcpdump).  My initial problem is that I can't seem to get the opnsense box to apply /64 subnets to more than one internal VLAN interface using a "Track Interface" configuration.  Whichever interface is set to IPv6 Prefix ID "0" seems to get an address in the first /64 of the assigned range.

Is there someone that has gotten a configuration like this working on opnsense?  Also, I'd like a way to automatically update unbound so that internal names would have AAAA and A records from DHCP.

Thanks folks... so far really liking opnsense.  Should make my life a lot easier long term.
Title: Re: ipv6 /60 Delegation
Post by: bartjsmit on May 20, 2016, 12:20:24 pm
I went through a very similar IPv6 journey and this is how I did it:

- PPPoE IPv4 connection with authentication. NAT on the firewall, inbound and outbound.
- DHCP6 IPv6 connection with prefix hint for a /56 delegation using IPv4 connectivity.

The internal networks (LAN and OpenVPN) are statically assigned /64 with the firewall configured as an unmanaged, high priority router advertiser for the LAN.

All internal clients get a SLAAC IP correctly with the servers having an additional static IP for easier firewalling.

Let me know which of your bits don't work and I'd be happy to compare notes.

Bart...
Title: Re: ipv6 /60 Delegation
Post by: telxoid on May 20, 2016, 05:38:36 pm
Thanks for the reply.

That looks pretty similar--you get a /56 delegation, vs me getting a /60 via dhcp6, but that shouldn't make too much difference. 

How did you configure your LAN and OpenVPN segments to use the delegated range?  Was it "Track Interface" or something else?  If it is "Track Interface", what did you use for "IPv6 Prefix ID" on your two internal networks?  I can get one network assigned this way, but the second one doesn't seem to work.

How did you do DNS in your environment?  Are you able to serve AAAA records for your SLAAC enabled addresses?  I'm going for complete dual stack, such that functionality isn't different--at least internally--IPv6 or IPv4.
Title: Re: ipv6 /60 Delegation
Post by: bartjsmit on May 21, 2016, 12:02:02 am
The LAN and OpenVPN subnets use static /64 subnets within the /56.

OPNsense runs radvd on the LAN and the OpenVPN server has an advanced option added: push "route-ipv6 2000::/3" to ensure that the clients route their public traffic through OPNsense.

The internal DNS servers are Windows and clients register their A and AAAA records on boot.

Bart...
Title: Re: ipv6 /60 Delegation
Post by: telxoid on May 22, 2016, 05:48:42 pm
Thanks Bart.

I tried manually segmenting the /60 I was issued (creating static /60's), and that does work.  I don't know how often Comcast changes things such that new delegations are issued, so this may break semi-periodically, but my IPv4 DHCP based IP seems pretty static.  I was hoping for an automatic way of handling this, and it seems like it's supposed to work and I'm just doing something wrong with the config.

At this point, I just need to figure out my DHCPv6/DNSv6 mapping--I suppose I could try writing a script that would take the IPv6 leases and update the unbound configuration accordingly.  Can anyone suggest a starting point for something like that?  I've been meaning to learn python anyway, so this may be just the excuse I was looking for.

Thanks.
Title: Re: ipv6 /60 Delegation
Post by: bartjsmit on May 23, 2016, 10:57:30 pm
There are an awful great stinking humongous lot of IPv6 addresses :-)

Even though the /60 chunk you get of the address space has 295,147,905,179,352,825,856 IPv6 addresses there is a total of 36,893,488,147,419,103,232 of these /60's available on the public IPv6.

It will take Comcast a wee while before they run out of their allocation of /60's. Even though you request your delegation through DHCP6, that doesn't mean that it is dynamic. You will keep your address space for the length of your contract with Comcast.

The only problem is that an IPv6 subnet doesn't do classes or CIDR. It is always a /64. The reason Comcast gives you a /60 is that you can segment your home network into four different /64 subnets. E.g. your LAN, a DMZ, an OpenVPN and an IPsec tunnel to another network. My ISP is a bit more generous in that it lets me create 256 internal networks. Pretty academic, since I only use two.

Long story short; your IPv6 addresses will not change. Your IPv4 likely will - use a public dynamic DNS provider. The ones supported by OPNsense are under Services, DNS Tools, DynDNS.

As for your DNS, I guess it depends how many servers you have on your network. I have few enough to just use static IP's. You could use Avahi/Bonjour/Zero-conf as an alternative.

Bart...
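The arithmetic behind "Track Interface" and the manual segmentation telxoid tried, together with the unbound records he asked about, as an added example written for this page (it is not OPNsense's code and not something either poster ran). It takes a delegated prefix, enumerates the /64s that the IPv6 Prefix ID indexes (a /60 gives 16 of them, IDs 0x0..0xf; a /56 gives 256), refuses a Prefix ID that does not fit the delegation, derives static host addresses from a fixed interface identifier, and renders unbound `local-data` / `local-data-ptr` lines so the whole plan can be regenerated if the ISP ever hands out a different prefix. The delegation 2001:db8:0:1230::/60 (documentation range), the host plan and the domain home.lan are constructed for the example; pasting the output into unbound's custom options on OPNsense is an assumption about where it would go.

```python
import ipaddress
from typing import List, Tuple

# Constructed stand-in for the ISP delegation; a real one comes from DHCPv6-PD
# and lives in 2000::/3 rather than the 2001:db8::/32 documentation range.
EXAMPLE_DELEGATION = "2001:db8:0:1230::/60"


def delegated_subnets(delegation: str) -> List[ipaddress.IPv6Network]:
    """Split the delegated prefix into the /64s that a "Track Interface"
    assignment indexes with its IPv6 Prefix ID. A /60 yields 16 entries
    (IDs 0x0..0xf), a /56 yields 256 (IDs 0x00..0xff)."""
    net = ipaddress.IPv6Network(delegation, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{delegation} is smaller than a /64; nothing to subnet")
    return list(net.subnets(new_prefix=64))


def subnet_for_prefix_id(delegation: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 a given Prefix ID selects, rejecting IDs that fall
    outside the delegation instead of silently wrapping or truncating."""
    subnets = delegated_subnets(delegation)
    if not 0 <= prefix_id < len(subnets):
        raise ValueError(
            f"prefix ID {prefix_id:#x} does not fit in {delegation}; "
            f"valid IDs are 0x0..{len(subnets) - 1:#x}")
    return subnets[prefix_id]


def host_address(delegation: str, prefix_id: int, interface_id: str) -> ipaddress.IPv6Address:
    """Static address for a server: the selected /64 combined with a fixed
    64-bit interface identifier written in address notation, e.g. "::10"."""
    net = subnet_for_prefix_id(delegation, prefix_id)
    iid = int(ipaddress.IPv6Address(interface_id))
    if iid >> 64:
        raise ValueError(f"{interface_id} is wider than a 64-bit interface identifier")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def unbound_local_data(hosts: List[Tuple[str, ipaddress.IPv6Address]], domain: str) -> List[str]:
    """Render unbound local-data (AAAA) and local-data-ptr (reverse) lines
    for (hostname, address) pairs."""
    lines = []
    for name, addr in hosts:
        fqdn = f"{name}.{domain}."
        lines.append(f'local-data: "{fqdn} IN AAAA {addr}"')
        lines.append(f'local-data-ptr: "{addr} {fqdn}"')
    return lines


def renumber(delegation: str, domain: str, plan: List[Tuple[str, int, str]]) -> List[str]:
    """Recompute every host record for a delegation from a plan of
    (hostname, prefix_id, interface_id). A new prefix from the ISP only
    needs this re-run with the new delegation string."""
    hosts = [(name, host_address(delegation, pid, iid)) for name, pid, iid in plan]
    return unbound_local_data(hosts, domain)


if __name__ == "__main__":
    # Constructed host plan: firewall on VLAN 0, NAS on VLAN 2, VPN server on VLAN 3.
    plan = [("fw", 0, "::1"), ("nas", 2, "::10"), ("vpn", 3, "::1")]
    for pid in range(len(delegated_subnets(EXAMPLE_DELEGATION))):
        print(f"prefix ID {pid:#x}: {subnet_for_prefix_id(EXAMPLE_DELEGATION, pid)}")
    print("\n".join(renumber(EXAMPLE_DELEGATION, "home.lan", plan)))
```

Running it lists the sixteen /64s a /60 contains and prints the unbound lines for the three hosts; asking for Prefix ID 0x10 on a /60 raises a ValueError, which is the check to reach for when a second tracked interface never gets an address.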
Title: Re: ipv6 /60 Delegation
Post by: telxoid on May 24, 2016, 12:47:57 am
Thanks Bart:

I'm not worried about running out of addresses, or that Comcast will have to begin recycling their delegated space.  It's more that Comcast will mess with something that will cause all delegations to need to be reissued, in which case all my IPv6 stuff will stop working.  It's still not tragic, as everything seems to be gracefully failing back to IPv4, more annoying than anything (if that happens, I'll have to manually recalculate and reissue the subnet space).  As is probably the case with most people doing IPv6 at this point, this is really just a learning exercise--I'm trying to get to the point of being semi-coherent when talking about IPv6, and the best way to do that is to use it.

I believe I can actually have 16 /60's, but it doesn't really matter--I have a use for 3 or 4.

Manual IP'ing and DNS configuration through the opnsense would also likely be fine (using unbound), but it looks like I'm encountering an issue with it--I'll start a new thread on that.