OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: IsaacFL on April 13, 2018, 05:33:21 pm
-
I just installed OpnSense so trying to figure out a few things.
I get a dynamic /56 prefix from my isp and I have opnsense working with /64 subnets set up and everything can access the web via ip6 and in their proper subnet. But how do I get these ipv6 hosts into the dns? It appears only slaac is an option, which is ok, but need a method to get the hosts into dns.
Prior to using opnsense, I would enable dhcp6 and slaac at the same time, so each host got 3 ip6 addresses, and the dhcp6 provided address would automatically get in the dns.
So is there a way to add them in the dns automatically, when prefix can change?
-
Hi,
I've the same question :)
My provider gives me a new prefix when I restart my modem. It works fine with DHCPv6, but how should I configure client-based firewall rules when the address is changing periodically?
Thank you
Jas Man
-
It depends what DNS you want to give your clients. If you enable Dnsmasq or Unbound your clients will get the OPNsense IP to do DNS automatically. But it may not be what you desire?
Cheers,
Franco
-
Hey,
my desire is to set up an IPv6-only VLAN for testing.
My OPNsense get an dynamic /64 prefix for delegation from the ISP router.
The LAN IF of my IPv6-only VLAN is configured as tracking IF. The delegation works fine. All clients get an IPv6 address in the range of the delegatet prefix.
Unbound is also working fine. It resolve the external addresses like ipv6.google.com.
What I want to do now:
- To access the clients in my IPv6-only VLAN I would like to use the internal DNS names of them. But Unbound can't resolve them.
- I would like to set up some client-based firewall rules (e.g. client A is allowed to access HTTP(S), client B only FTP). How can I do this when the delegated prefix is changing periodically, and therefore the client addresses too?
As I understand I must configure static DHCPv6 addresses for both cases to register them in Unbound, and to use them in the firewall rules or in alias objects. But to activate DHCPv6 I must configure an static IPv6 address for the LAN IF. And when I do this, the delegation is not working anymore.
Maybe I'm thinking to much in IPv4-style, and the solution for my issues is an completly different.
Thank you.
Jas Man
-
1. Where would these internal names come from? If they only exist on a piece of paper you need add them to the Unbound Host Overrides. You can also enable "Register DHCP leases in the DNS Resolver", but that would require said static DHCPv6 server which you can't use with the tracking setup yet.
2. I don't know. It's part of the problem of IPv6 without NAT. Maybe someone else has solved this?
Cheers,
Franco
-
1. My main goal is or was to allow dynamic DNS registrations by the clients. In my opinion this would also solve the firewall problem because then I could work with the DNS names.
2. This was not what I want to hear. :( On the other side it means that I've understood this part of IPv6 :)
That means in conclusion OPNsense is not usable as firewall and/or internal DNS server on connections with dynamic prefixes at the moment. The workaround would be to use NATv6. But than I will lost all advanteges of IPv6.
-
Would it be possible to add an variable for the IPv6 prefix of client addresses in aliases or firewall rules, which updates itself when the prefix has changed?
Like
$NAME_OF_LAN_IF$:00:11:22:33:44
-
You can also enable "Register DHCP leases in the DNS Resolver", but that would require said static DHCPv6 server which you can't use with the tracking setup yet.
I couldn't get that to work even with a static prefix. My guess would be that currently only DHCPv4 leases are being processed by this feature.
I don't know. It's part of the problem of IPv6 without NAT.
It's a problem of dynamic IPv6 prefixes. Those are harmful for anything but the most basic home networks. ISPs know that and (ab)use them for justifying the higher prices of business plans (with static prefixes).
Maybe someone else has solved this?
Some (closed source) firewalls solved this by allowing the use of interface identifiers instead of full IPv6 addresses when creating firewall rules, static DNS records, DHCPv6 reservations and so on. The dynamic prefix will then be added automatically. Pretty much like JasMan suggested in the last post. But it seems OPNsense does not support that yet.
That means in conclusion OPNsense is not usable as firewall and/or internal DNS server on connections with dynamic prefixes at the moment.
I'm afraid I have to agree. Static prefix or other firewall it is.
The workaround would be to use NATv6.
You really don't want to go there.
-
The workaround would be to use NATv6.
You really don't want to go there.
Yep, I don't want to :)
For me this is only a test of IPv6 in my privat LAN. It would be nice to use unique IPv6 addresses for all my clients, but it's not mandatory. I think it's also a question of time until OPNsense can handle dynamic prefixes.
-
You can also enable "Register DHCP leases in the DNS Resolver", but that would require said static DHCPv6 server which you can't use with the tracking setup yet.
I couldn't get that to work even with a static prefix. My guess would be that currently only DHCPv4 leases are being processed by this feature.
Works perfectly well with statics on my system, and yes, I have a proper ISP who allocates a /48 static IPv6 prefix and a /64 static on the WAN side too, and it's a domestic plan.
My servers are all accessible using DNS IPv6 as they are added to my upstream DNS records, it will still resolve to my server inside my LAN.
The solution if your ipv6 prefix provision is DHCP6 is probably to use an IPv6 dynamic DNS service.
-
Are you sure we are talking about the same thing? franco mentioned "Register DHCP leases in the DNS Resolver" which is an unbound setting. If this is set, A and PTR records are created when clients request a DHCPv4 lease. This does not work for DHCPv6 leases in my setup.
(Not to be confused with "Enable registration of DHCP client names in DNS" which is a DHCP setting.)
-
We can look at all these things and gradually improve. Best thing as Maurice did is open issues on GitHub to discuss bug as well as small and big additions.
There are several small additions what should be worked on before we are going to address dynamic prefix for "static" DHCP servers. One of the issues is that we don't even have a static definition of a dynamic prefix yet, but this is one of those steps to make that happen:
https://github.com/opnsense/core/issues/1993
Cheers,
Franco