OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: wbk on March 18, 2023, 11:32:40 pm

Title: DHCP6 static lease advertisements have no effect
Post by: wbk on March 18, 2023, 11:32:40 pm

Hi all,

TL;WR: It's about DHCP6 on my LAN interface. I want stable IP's for either local or global name resolving.

• dynamic leases work
• static leases that exactly match SLAAC assignments work
• static leases that fit my requirements (and the subnet) are ignored

---

Full version:
Am I supposed to be able to create static leases for IPv6 as you'd do for IPv4 in case you like to have stable addresses in your network? I'm quite lousy with BB-code, please bear with me for markup errors!

My goals:

• Being able to set DNS AAAA records pointing to servers in the LAN;
• Being able to reach and recognize devices on the LAN

These things work for their IPv4 counterparts, but I really like to move forward and get started to leave IPv4 behind me (as a part of leaving it behind us and create a better world and all that).

There may be workarounds for those goals, but static DHCP6 seems the cleanest solution with current knowledge. Unfortunately, with current knowledge, I can't get it to work.

Settings overview, please let me know if more is needed for a picture:

• (edit): OPNsense is a clean install on VM of version is 23.1; it just got upgraded to 23.1.4 from 23.1.3.
  
  • ISP:  freedom.nl (sorry, no idea how to create a hyperlink correctly, https://helpdesk.freedom.nl/category-detail/algemene-instellingen-eigen-modem (https://helpdesk.freedom.nl/category-detail/algemene-instellingen-eigen-modem)) (in Dutch)
  • WAN: DHCP6 with PPPoE over VLAN6 behind a copper/fiber media convertor (ISP on fiber --> ISP media convertor --> copper ethernet --> WAN-interface) ; it gives me a /48 prefix;
  • LAN: static IPv6/64, auto detected gateway, no 'use IPv4 connectivity'
  • DHCPv6 server on LAN:
    
    • a /64 subnet within the /48 prefix
    • network like P:P:P:S:I:I:I:I , with P=prefix byte, S=subnet byte, I=interface address byte
    • within this subnet, a tiny range is defined as DHCP6-range, only the last sixteen bits (is that correct? The last four hex values anyway, from 90:: to 90:ffff)
  • Router advertisement:
  • I think I want to use 'assisted'
  • but I tried 'router only', 'managed' and 'stateless' as well
  
  DHCP-assigned IPv6 more-or-less works:
  
  • hosts on the IPv6-part of the Internet are reachable;
  • Quite often, devices in the LAN can be reached at least one of the IPv6 addresses assigned to them
  
  Static leases seem a bridge too far for me. I not only want the (random) lease to be static, I also want it to be an IPv6 that I choose by myself. I don't know how to derive a DUID from time, MAC and whatever, so I let clients get a (for me) random IPv6 on their first lease, and then use the OPNsens GUI (services --> dhcp6 --> leases --> +button behind dynamic lease) to fill out the details with a valid DUID.
  
  I can only get a resemblance of working static leases in one of these two cases:
  
  • I assign the (for me random) SLAAC as fixed IPv6;
  • I use the IPv6 in the static lease definition, but on the client I configure a static IP instead of using a DHCP client
  
  When I define the IPv6 in the lease as per my wishes, I get a curious not working situation:
  
  • The configured IPv6 shows up in the GUI in the list of leases (good!)
  • The client actually uses a random IPv6 from the DHCP6 pool (bad!)
  In that situation I am not able to reach the client without having direct access to it, because there is no way to know which IP it got. OPNsense is not able to reach the client either, because it seems to think it got the IP I configured in the static lease
  
  When I check /var/log/dhcp/latest.log, I notice that on sollicit from the client, first the configured IP is advertised, directly followed by an advertisement of an address from the DHCP pool:
  
  

Code: [Select]

<190>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 91505 - [meta sequenceId="542"] Solicit message from fe80::b2de:ebff:fe5a:2668 port 546, transaction ID 0xA1C85E00
<190>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 75167 - [meta sequenceId="543"] Solicit message from fe80::b2de:ebff:fe5a:2668 port 546, transaction ID 0xA1C85E00
<190>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 91505 - [meta sequenceId="544"] Advertise NA: address 2a10:3781:2d49:a:26:3:104:2668 to client with duid 00:01:00:01:28:c1:5c:be:b0:de:eb:5a:26:68 iaid = -346413464 static
<190>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 75167 - [meta sequenceId="545"] Advertise NA: address 2a10:3781:2d49:a:26:3:104:2668 to client with duid 00:01:00:01:28:c1:5c:be:b0:de:eb:5a:26:68 iaid = -346413464 static
<190>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 91505 - [meta sequenceId="546"] Sending Advertise to fe80::b2de:ebff:fe5a:2668 port 546
<190>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 75167 - [meta sequenceId="547"] Sending Advertise to fe80::b2de:ebff:fe5a:2668 port 546
<187>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 91505 - [meta sequenceId="548"] send_packet6: Permission denied
<187>1 2023-03-18T12:34:09+01:00 vpoort.osba.nl dhcpd 91505 - [meta sequenceId="549"] dhcpv6: send_packet6() sent -1 of 117 bytes
These blocks repeat for configured leases. Another thing you'll notice, are the last two lines: permission denied, I guess on port 546/547. In the live viewer of the firewall log, there are only 'pass' lines for those ports.

The SLAAC-addresses so far are outside of the DHCP6-range I defined, as are the static IP's I assigned client side. The IP's I want to assign via static lease are outside of the DHCP-range as well (as they should; to be sure I understood correctly, I tested creating a static lease with an IP inside of the range, and the GUI gave me an error).

I've been baning my head against this wall for most of a week now, I'm at my wits end.

Thank you for reading my lengthy post, I hope you can give me some pointers!

Title: Re: Trying to set static DHCP6 leases
Post by: YipieKaie on March 19, 2023, 01:13:33 pm

I dont use SLAAC i use managed it works perfect
There is only one problem with to use managed that is
android phones only work in SLAAC mod.

//P

Title: Re: Trying to set static DHCP6 leases
Post by: wbk on March 19, 2023, 02:58:31 pm

Hi Peter,

Thank you for reading and replying :-)

Let me match my config to your screenshots and test a bit before I post back!

Title: Re: Trying to set static DHCP6 leases
Post by: YipieKaie on March 19, 2023, 03:12:58 pm

You also have to set a range in >SERVICES: DHCPV6: [LAN]
that is in your subnet range

""""This is just an example you have to calculate your own""""
Subnet:            2001:9b1:eff:4300::
Avalible range:  2001:9b1:eff:4300:: - 2001:9b1:eff:4300:ffff:ffff:ffff:ffff
Range from:      2001:9b1:eff:4300:192:168:1:100 Range to: 2001:9b1:eff:4300:192:168:1:200


//P

Title: Re: Trying to set static DHCP6 leases
Post by: wbk on March 19, 2023, 09:40:25 pm

Quote from: YipieKaie on March 19, 2023, 03:12:58 pm

You also have to set a range in >SERVICES: DHCPV6: [LAN]
that is in your subnet range

Thanks for the added pointer; DHCP6 works for dynamic assignments within the DHCP6-range:
(https://online.osba.nl/blog/wp-content/uploads/2023/03/ipv6-prefix-subnet-dhcp6-range.png)

It is the static leases that fail. Here is an example of such a static assignment; note the MAC address that is visible in the logging below on the second line from below, for hostname 'test':

(https://online.osba.nl/blog/wp-content/uploads/2023/03/static-dhcp6-assignment.png)

Now when I dhclient -6 the client side, it just hangs in the terminal.

Code: [Select]

root@test:~# hostname -I
172.26.3.107
root@test:~# dhclient
root@test:~# hostname -I
172.26.3.107
root@test:~# dhclient -6
^C
root@test:~# ip a |grep ether
    link/ether 20:08:cc:b0:a8:b7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
root@test:~# dhclient -6

(nothing for 10+ minutes)

At first there is a bit of activity in tail -f /var/log/dhcp/latest.log on OPNsense (this is from the last command, not the two previous 'dhclient' commands in the box above:

Code: [Select]

<190>1 2023-03-19T21:07:03+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="83"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0x520E7F00
<191>1 2023-03-19T21:07:03+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="84"] Picking pool address 2a10:3781:2d49:172:26:90:0:9148
<190>1 2023-03-19T21:07:03+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="85"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:9148 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 valid for 7200 seconds
<190>1 2023-03-19T21:07:03+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="86"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:07:05+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="87"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0x520E7F00
<191>1 2023-03-19T21:07:05+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="88"] Picking pool address 2a10:3781:2d49:172:26:90:0:9148
<190>1 2023-03-19T21:07:05+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="89"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:9148 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 valid for 7200 seconds
<190>1 2023-03-19T21:07:05+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="90"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:07:07+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="91"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0x520E7F00
<191>1 2023-03-19T21:07:07+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="92"] Picking pool address 2a10:3781:2d49:172:26:90:0:9148
<190>1 2023-03-19T21:07:07+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="93"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:9148 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 valid for 7200 seconds
<190>1 2023-03-19T21:07:07+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="94"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:07:11+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="95"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0x520E7F00
<191>1 2023-03-19T21:07:11+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="96"] Picking pool address 2a10:3781:2d49:172:26:90:0:9148
<190>1 2023-03-19T21:07:11+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="97"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:9148 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 valid for 7200 seconds
<190>1 2023-03-19T21:07:11+01:00 vpoort.osba.nl dhcpd 89600 - [meta sequenceId="98"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
This behaviour is different than in my opening post (where there would be two simoultanous DHCP6 advertisemnets, one correct followed by one bad). Two things are particular now:

• A pool address is advertised, instead of the static lease
• The client does not accept the lease

By the way, I configured my OPNsense following your screenshots, except for one : " DHCP Static Mappings    v Register DHCP static mappings
If this option is set, then DHCP static mappings will be registered in Unbound, so that their name can be resolved. You should also set the domain in System: General setup to the proper value. "
If I understand correctly, this option is part of the reason for me to jump through these hoops in the first place.

Title: Re: Trying to set static DHCP6 leases
Post by: wbk on March 19, 2023, 09:57:46 pm

On closer inspection, I notice a difference between the DUID in the screenshot of the static lease configuration, and the DUID that is announced in the log:

00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7
00:01:00:01:27:c1:02:55:20:08:cc:b0:a8:b7

Peculiar, because I used the +button on the dynamic lease to create the static lease in the first place.

I now updated the static lease condiguration, and tried again, with no success:

(https://online.osba.nl/blog/wp-content/uploads/2023/03/all-dhcp6-leases.png)

Code: [Select]

<190>1 2023-03-19T21:42:55+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="503"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0xF05C5E00
<190>1 2023-03-19T21:42:55+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="504"] Advertise NA: address 2a10:3781:2d49:172:26:3:107:0 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 static
<190>1 2023-03-19T21:42:55+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="505"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:42:56+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="506"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0xF05C5E00
<190>1 2023-03-19T21:42:56+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="507"] Advertise NA: address 2a10:3781:2d49:172:26:3:107:0 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 static
<190>1 2023-03-19T21:42:56+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="508"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:42:58+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="509"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0xF05C5E00
<190>1 2023-03-19T21:42:58+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="510"] Advertise NA: address 2a10:3781:2d49:172:26:3:107:0 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 static
<190>1 2023-03-19T21:42:58+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="511"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:43:01+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="512"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0x8CD54000
<191>1 2023-03-19T21:43:01+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="513"] Picking pool address 2a10:3781:2d49:172:26:90:0:2962
<190>1 2023-03-19T21:43:01+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="514"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:2962 to client with duid 00:01:00:01:27:c1:02:55:20:08:cc:b0:a8:b7 iaid = -860837705 valid for 7200 seconds
<190>1 2023-03-19T21:43:01+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="515"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:43:02+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="516"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0xF05C5E00
<190>1 2023-03-19T21:43:02+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="517"] Advertise NA: address 2a10:3781:2d49:172:26:3:107:0 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 static
<190>1 2023-03-19T21:43:02+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="518"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:43:10+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="519"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0xF05C5E00
<190>1 2023-03-19T21:43:10+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="520"] Advertise NA: address 2a10:3781:2d49:172:26:3:107:0 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 static
<190>1 2023-03-19T21:43:10+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="521"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:43:15+01:00 vpoort.osba.nl dhcpd 86487 - [meta sequenceId="522"] DHCPREQUEST for 172.26.79.111 from 1c:cc:d6:41:b7:8b via em0
<190>1 2023-03-19T21:43:15+01:00 vpoort.osba.nl dhcpd 86487 - [meta sequenceId="523"] DHCPACK on 172.26.79.111 to 1c:cc:d6:41:b7:8b via em0
<190>1 2023-03-19T21:43:26+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="524"] Solicit message from fe80::2208:ccff:feb0:a8b7 port 546, transaction ID 0xF05C5E00
<190>1 2023-03-19T21:43:26+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="525"] Advertise NA: address 2a10:3781:2d49:172:26:3:107:0 to client with duid 00:01:00:01:27:58:cc:ce:20:08:cc:b0:a8:b7 iaid = -860837705 static
<190>1 2023-03-19T21:43:26+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="526"] Sending Advertise to fe80::2208:ccff:feb0:a8b7 port 546
<190>1 2023-03-19T21:43:29+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="527"] Solicit message from fe80::f465:9aff:fee0:18e9 port 546, transaction ID 0x7728B000
<191>1 2023-03-19T21:43:29+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="528"] Picking pool address 2a10:3781:2d49:172:26:90:0:a9ef
<190>1 2023-03-19T21:43:29+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="529"] Advertise NA: address 2a10:3781:2d49:172:26:90:0:a9ef to client with duid 00:01:00:01:26:ff:cd:f9:f6:65:9a:e0:18:e9 iaid = -1696589591 valid for 7200 seconds
<190>1 2023-03-19T21:43:29+01:00 vpoort.osba.nl dhcpd 39737 - [meta sequenceId="530"] Sending Advertise to fe80::f465:9aff:fee0:18e9 port 546

Log records and forum viewers are not a fortunate couple, sorry for that. There is a number of times a sollicit message from the updated DUID, followed by an advertisement, and *one* sollicit from the incorrect DUID, followed by an advertisement.

The client just hangs on the dhclient -6 command, and searching the leases overview above for the part of the string that is identical (namely, the MAC of the client) only reveals the one static, inactive, assignment.

I have no clue what causes this behaviour, any idea?