OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: chris42 on August 15, 2018, 05:15:13 pm

Title: Understand tracking on DHCPv6 with prefix delegation
Post by: chris42 on August 15, 2018, 05:15:13 pm
Hi there,

I think I managed to setup my IPv6, so that it receives a prefix from my provider and this is distributed into the network.
I am using on my LAN interface the track interface option for IPv6. As I am no IPv6 expert, tracking somewhat would imply for me that Opnsense would know about the IPv6s being used in the network?

Is the prefix distribution handled like an IPv4 DHCP, hence the IPv6 is dished out by the DHCPv6 or is it a mere information service about prefix and DNS and the IP is determined by the client?

If the IPs get dished out, I would expect to see a lease or something similar in Opnsense? If it is not being dished out, is there some sort of monitoring possible? Coming out of an ipv4 world, it feels a bit weird to be blind on the router of what is happening in the LAN.

Regards
  Chris
Title: Re: Understand tracking on DHCPv6 with prefix delegation
Post by: phoenix on August 15, 2018, 05:43:44 pm
Leases from the DHCPv6 server are handed out as they would be using DHCPv4 and they are shown on the Services: DHCPv6: Leases tab - I use DHCPv6 for my LAN and the leases are there for me to see, I gave up trying to use tracking.
Title: Re: Understand tracking on DHCPv6 with prefix delegation
Post by: marjohn56 on August 15, 2018, 05:50:01 pm
Yes, IPv6 is a bit tricky in that department. The LAN IPv6 address of a client is set in two ways, SLAAC and DHCPDv6.


When the client tries to get a v6 address, the first thing it does is send out a message to see if there are any routers; RADVD will respond and give it the routing prefix, and the client then uses that to give itself a v6 address, so you may see a v6 address on the client, but it will not appear in the leases table.


Now dhcpdv6 also gives out addresses when a client sends out a dhcpv6 request, these are usually privacy addresses as for example Windows does not usually expose its SLAAC address to the internet, this is for security reasons. However, let me give you the case of my mail server, on that one I have privacy extensions turned off and it gets its IPv6 address from the dhcpdv6 server and that does appear in the lease table. Other programs may request their own IPv6 address and again this will be given out by dhcpdv6. Hence you can often see two or three v6 addresses on a client.


There's more to it than that, such as managed and assisted modes and it all becomes more complex and good for reading if you are trying to get to sleep.

Title: Re: Understand tracking on DHCPv6 with prefix delegation
Post by: chris42 on August 15, 2018, 07:22:20 pm
So how does this translate to the Opnsense configuration?

1. On LAN side I can assign a static IPv6 and then activate the DHCPv6 on it (similar to IPv4)? How do I get the prefix assigned by my ISP into this setup? As this could change on a reconnect, I cannot copy and paste it?
Or is that ignored and I create a new local prefix? Then I would need mapping?

2. What is activated if I use the tracked interface option on the LAN? Is it SLAAC or a sort of DHCPv6?
Title: Re: Understand tracking on DHCPv6 with prefix delegation
Post by: marjohn56 on August 15, 2018, 07:40:22 pm
It's both, SLAAC and dhcpd6. The prefix is picked up and automagically set, so you can use tracking in auto or manual mode.



Set the LAN to use the WAN as the tracked interface.


At the bottom of the LAN interface page is an option to override the dhcpd6 auto (default) and set manual. If you want manual control, check that and save it.


In the services->DHCPD6 menu you will now see the LAN interface.


Click on that and you will be able to set up the dhcpdv6 server, don't forget to click the enable at the top.


For a range all you need to do is enter something like ::1000 to ::2000, what you do not do is enter the prefix part, that is handled automatically. Expand the help, I think it gives enough info.


The manual part is a work in progress, there are further features to be added, but it works and allows further PD to sub routers.



Title: Re: Understand tracking on DHCPv6 with prefix delegation
Post by: chris42 on August 15, 2018, 08:11:34 pm
Ok, that helps a lot. Thank you!
This then mimics the IPv4 setup. DHCPv6 -> Client: Here is your IPv6 with our current prefix

I guess the idea I had to combine the self-configuration of IPv6 with DHCPv6 was more of
Client -> DHCPv6: What is the current prefix?
DHCPv6 -> Client: This prefix
Client -> DHCPv6: Ok would use this IPv6 with the prefix for x seconds
DHCPv6 -> Client: Ok, noted and added to leases

However that seems to be a concept not existing :-D
It would actually allow tying together changing prefixes and changing IPv6s (e.g. by privacy extensions), however it would create heavy strain on DNS updates.
Also you would have a nice overview on your network topology in your DHCPv6
Title: Re: Understand tracking on DHCPv6 with prefix delegation
Post by: marjohn56 on August 15, 2018, 08:37:43 pm
Oh it will be added to the leases table. When you have IPv6 working, you could set the radvd mode to managed, and all addresses would be given out by dhcpdv6 and you'll see the leases appear, however if you're using any Android device you will have to set radvd mode to assisted, otherwise they don't get an address.
Title: Re: Understand tracking on DHCPv6 with prefix delegation
Post by: chris42 on August 15, 2018, 09:44:29 pm
OK, I did some configuration with the manual override, enabled DHCPv6 and set a range.
Tried the router advertisement on managed and assisted.

Results were mixed, as some IPv6s got assigned and showed up in leases, but never all. Also it seemed to be very unreliable. After a reboot sometimes clients would show up, sometimes not.
Could get to work: Ubuntu (not always showing in leases) and Android (with DHCP app)
Could not get to work: Debian and printer

The printer apparently needs assisted, as it does not have a DHCP option. It could get an IP in assisted mode, but would not show up in Leases.

Besides the leases, none of the clients could connect via IPv6 to the internet.

Will look into this again next week. If you have any hints or howtos somewhere, it will be much appreciated.
Title: Re: Understand tracking on DHCPv6 with prefix delegation
Post by: marjohn56 on August 15, 2018, 11:05:46 pm
Hmm, a couple of bugs are about to be squashed in 18.7.1_*, try again when that's released shortly. To be honest, you are better off leaving it in assisted mode. It will never work like dhcp4 whereby you can specify an address in that sense, and unless you have proper statics there is no point anyway. As I said, Android will not work in managed mode and neither will any device that is Android based.


As for not connecting, that's odd. I'd need to see what your dhcp6 settings are for DNS etc. My test system is set to use dhcp6 and tracking set on two separate LAN interfaces with different SLA IDs, both LAN subnets work perfectly fine and I've done nothing special.


Title: Re: Understand tracking on DHCPv6 with prefix delegation
Post by: chris42 on August 16, 2018, 01:39:39 pm
I can get back to testing some configurations on Monday.

Till then I have two questions. Sorry if they might sound philosophical, but trying to understand the concepts here:
1. When just activating the track interface without any manual override, what is the configuration for DHCP and RADVD? Is it what I see when activating the manual override, or something different?

2. The whole reason I am thinking about this, is one server that is connected on my home connection. Hence to have it reachable from outside I would need dyndns to update the IPv6 in my DNS (not the problem).
But also I need to tell the OPNsense firewall to open a port to that server running under changing IPv6s. So far I could not see a way to securely know the current IPv6 of that machine. Hence addressing it in the firewall rule is tough. The stricter and more static I get with DHCPv6, the easier it becomes. However that defeats the idea behind IPv6, which is more distributed, rather than centralized control.
Within the firewall there are "Aliases", which state a hostname's IP would be periodically updated? What does that mean? Is it connected to OPNsense DNS, DHCP, etc.? Would that work to allow outside connections with changing internal IPs?

EDIT: I found this Issue 2544: https://github.com/opnsense/core/issues/2544
It seems to be the right idea. Then I could fix the suffix with the MAC-generated part of the IPv6 (disabling privacy extensions). Pure gold of course would be a hostname-based approach, with real-time resolving.
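An added example, not from the thread or from OPNsense, that works through the three address pieces discussed above: the tracked LAN /64 derived from the delegated prefix and the interface's prefix (SLA) ID, a suffix-only DHCPv6 range such as ::1000 to ::2000 expanded into that /64, and the fixed MAC-derived (modified EUI-64) suffix a server keeps across prefix changes. It assumes dhcp6c's sla-id placement (the ID fills the bits between the delegated length and /64); the prefix and MAC are constructed sample values.

```python
import ipaddress

def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    # dhcp6c sla-id semantics (assumed): the prefix ID fills the bits
    # between the delegated prefix length and /64, yielding the LAN /64.
    pd = ipaddress.IPv6Network(delegated, strict=True)
    sla_bits = 64 - pd.prefixlen
    if sla_bits < 0:
        raise ValueError("delegated prefix is longer than /64, nothing to subnet")
    if not 0 <= prefix_id < (1 << sla_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} needs more than {sla_bits} SLA bits")
    return ipaddress.IPv6Network((int(pd.network_address) | (prefix_id << 64), 64))

def in_prefix(lan: ipaddress.IPv6Network, suffix: str) -> ipaddress.IPv6Address:
    # Combine a suffix-only value such as "::1000" with the LAN /64; the
    # suffix must not carry prefix bits of its own.
    low = int(ipaddress.IPv6Address(suffix))
    if low >> 64:
        raise ValueError(f"{suffix} is not a pure suffix, it sets prefix bits")
    return ipaddress.IPv6Address(int(lan.network_address) | low)

def eui64_address(lan: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    # Modified EUI-64 (RFC 4291): insert ff:fe into the middle of the MAC and
    # flip the universal/local bit. With privacy extensions off, this is the
    # SLAAC address a host forms, so the suffix stays fixed across prefixes.
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return ipaddress.IPv6Address(int(lan.network_address) | int.from_bytes(iid, "big"))

def suffix_of(addr: ipaddress.IPv6Address) -> int:
    # Lower 64 bits, the part a firewall rule could match once the prefix is known.
    return int(addr) & ((1 << 64) - 1)

if __name__ == "__main__":
    # Constructed sample values: documentation prefix, made-up MAC.
    lan = lan_prefix("2001:db8:1200::/56", 0x1)
    print("LAN /64:", lan)
    print("DHCPv6 range:", in_prefix(lan, "::1000"), "-", in_prefix(lan, "::2000"))
    server = eui64_address(lan, "00:11:22:33:44:55")
    print("server (stable suffix):", server)
    # After a PD change only the top 64 bits move; a rule keyed on the suffix
    # still identifies the host once it is rebuilt with the new prefix.
    moved = eui64_address(lan_prefix("2001:db8:3400::/56", 0x1), "00:11:22:33:44:55")
    print("same host, new prefix:", moved, suffix_of(server) == suffix_of(moved))
```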
Title: Re: Understand tracking on DHCPv6 with prefix delegation
Post by: bartjsmit on August 16, 2018, 06:40:01 pm
Silly question maybe - why do you need DHCPv6? A lot of people from an IPv4 background assume that you need DHCP as a matter of course, but with IPv6 you rarely do. Multicast distributes routing changes to clients through router advertisements which also give out DNS information. You really only need DHCPv6 for things like SIP, SNTP, or PXE.

If you want a client to be reachable from the outside, you can pick an address in your range and set up static DNS. If your provider assigns a dynamic range you can use a dynamic DNS AAAA record or look for a provider that offers a static range ;-)

Bart...
Title: Re: Understand tracking on DHCPv6 with prefix delegation
Post by: marjohn56 on August 16, 2018, 09:41:31 pm
Or even use a HE.net IPv6, works well and you do get a static. Better than using a dynamic IPV6 anytime.
Title: Re: Understand tracking on DHCPv6 with prefix delegation
Post by: chris42 on August 17, 2018, 01:17:13 am
@bartjsmit: This is exactly what I explained in my posts before. I am trying to figure out the best setup, within my network. You rightly said, the best option would be to honor the flexibility and ideas behind IPv6, by not just copying an IPv4 setup.

The need, as explained in my post before, is that I have one+ machine on a network with a dynamic prefix and, depending on the configuration, a dynamic suffix.
As written, the dynamic DNS is not the problem, but using a central firewall (OPNsense) to allow outside traffic in is the challenge, as it would need to be informed about a change, like the dyndns.
Of course I can buy static external IPv6s as well, but this is circumventing the problem, not resolving it. I could also deactivate the OPNsense firewall and take care of the firewall on each machine, or go for full DHCPv6 control and deterministic addresses in LAN.

That is why I titled this "understanding...", as I want to understand what OPNsense is capable of (sadly IPv6 examples and documentation are slim) and create a setup that is easy to maintain.
Title: Re: Understand tracking on DHCPv6 with prefix delegation
Post by: marjohn56 on August 17, 2018, 07:57:40 am
A couple of years ago Sky UK started rolling out IPv6 in the UK, a little before that I had started using pfSense. One of the first things we found was that the prefix would change whenever the modem and/or router was disconnected or rebooted. There were two reasons for this, one was the fact the lease was only 60 minutes, thus if you had it disconnected for more than that then bye bye prefix, the other reason was that if you closed the interface or powered down pfSense then dhcp6c would send a release signal... bye bye lease. I modified dhcp6c and added the 'no-release' option, that helped but did not stop it completely, there was something else going on, that something was the DUID, if that changed, and it did if you had /var assigned to a RAM drive, it would again cause the ISP's system to give you a new prefix, so I modified pfSense to store the DUID in the config. Those changes meant that the prefix would now only be likely to change if you went offline for a period. Sky also made their prefixes 'sticky', meaning it could change but generally wouldn't.


The problem was that if you ran a server you do not want it to change at all, and the ability of any firewall to keep track of a prefix change and update all of the clients is not a simple task. There are other issues too, for example I have to specify on my mail server what its addresses are in its config, I cannot do that dynamically, and it's not just the DNS, it's the rDNS too that has to be kept in step.


The solution would have been for ISPs to just give users a static IPv6, there's enough address space to go around, many however did not and some only give out a /64 which is mean to say the least.


All that being said, the use of a tunnel broker is fixing the problem not circumventing it and is a perfectly valid and reliable solution, it is in fact what I did at the time for my mail server. The rest of my LAN devices continued to use my ISP assigned addresses. I no longer have the issue at all, since I changed ISP and now have a static /48 PD.