Messages

1

16.1 Legacy Series / Re: DNS Override for ipv6 Issue

« on: May 27, 2016, 08:15:01 pm »

Maybe, I haven't thoroughly researched the RFC's to understand which are in scope.  Looks like 2136 and 3007 may both be relevant.

Basically, I want my clients' ipv6 IP's to be automatically registered in my internal DNS.  My preference would be for it to happen server side so I don't have to trust and configure the clients, but that creates a problem when doing SLAAC (as the server doesn't issue the IP). 

I tried running Managed DHCPv6, but it looks like many of my clients don't support it (and I'm not sure if it even sends hostname in the DHCP requests).  So I thought of using NDP, and combining that data with ipv4 DHCP lease data.  That would largely work in a dual stack environment, but quits when you turn off IPv4.  Possibly an acceptable compromise for now.

Thoughts?

2

16.1 Legacy Series / Re: DNS Override for ipv6 Issue

« on: May 25, 2016, 06:30:17 pm »

Wow, thanks Franco.  That fixes the display and configuration missing problems?

As far as using bind goes, was hoping to avoid it.  I'm guessing that would mess with the config backups that you guys have set up unless there is a 'nice' way to make changes in the backend.

Also, was thinking of building something to enable a poor-man's DDNS for ipv6.  Was thinking that I could combine the DHCPv4 lease information, with the NDP cache information (using MAC as the common point).  How would I add something like that so it gracefully updates unbound?  If there is docs you can refer me to, that's fine.  I haven't found the right starting point.

So far really liking opnsense--I jumped from openbsd.  Rolling your own is sometimes more flexible, but using something like opnsense makes the tedious parts of a firewall easy, allowing you to create more advanced problems

Thanks!

3

16.1 Legacy Series / Re: DNS Override for ipv6 Issue

« on: May 25, 2016, 04:34:39 pm »

Seems like this was a feature added fairly recently--has no one tested ipv6?
https://github.com/opnsense/core/pull/519

I typically don't log bug reports as I usually cause my own problems, but that doesn't seem the case this time.  Should I be logging a bug?

What would it take to add a NSD daemon, even if I have to manage the config via the shell?  Is there a better way to be doing what I want (internal IPv6 resolution)?

4

16.1 Legacy Series / Re: Forward public DNS resolution to internal server

« on: May 24, 2016, 08:58:51 pm »

That then would be a One-to-One rule.  However, if that's your only routable IP (the one you get via DHCP from your ISP), I could see that being problematic, if it's even allowed, especially if there are other LAN hosts.

I've seen some commercial products that do something like this (calling it a DMZ Host or something).  To be honest, this isn't something I've tried or would try.

Can anyone else assist here?

5

16.1 Legacy Series / Re: Forward public DNS resolution to internal server

« on: May 24, 2016, 07:55:07 pm »

That sounds like a port forward to me. 

Under Firewall-->NAT-->Port Forward in the WebGUI.  For simplicity sake, enable Add Associated Filter Rule, which should create the required firewall rule for you.

6

16.1 Legacy Series / Re: Forward public DNS resolution to internal server

« on: May 24, 2016, 04:54:50 pm »

Let's clarify.

You have an internal DNS or DMZ based DNS server that serves public records?  Does it have its own public IP, or do you only have one routable IP?  Do you want any machine to be able to query it, or just one (or a couple)?

Thanks.

7

16.1 Legacy Series / DNS Override for ipv6 Issue

« on: May 24, 2016, 04:44:29 pm »

Hi folks:

Curious if anyone else has tried this.  I'm patched current on 16.1.

Using DNS Resolver (unbound, I believe), I've tried to add manual override AAAA records.  This works for A records, and nicely adds PTR records as well, but when I try to add AAAA overrides nothing happens.  The interface seems to be buggy in that it displays AAA instead of AAAA, and it doesn't show the IP.  If I check in the /var/unbound/host_entries.conf file, there are no AAAA records apart from localhost.

Attached a screenshot showing the summary view.  Happy to provide more info if it is helpful.

8

16.1 Legacy Series / Re: ipv6 /60 Delegation

« on: May 24, 2016, 12:47:57 am »

Thanks Bart:

I'm not worried about running out of addresses, or that Comcast will have to begin recycling their delegated space.  It's more that Comcast will mess with something that will cause all delegations need to be reissued, in which case all my IPV6 stuff will stop working.  It's still not tragic, as everything seems to be gracefully failing back to IPV4, more annoying than anything (if that happens, I'll have to manually recalculate and reissue the subnet space).  As is probably the case with most people doing ipv6 at this point, this is really just a learning exercise--I'm trying to get to the point of being semi-coherent when talking about ipv6, and the best way to do that is to use it.

I believe I can actually have 16 /60's, but it doesn't really matter--I have a use for 3 or 4.

Manual IP'ing and DNS configuration through the opnsense would also likely be fine (using unbound), but it looks like I'm encountering an issue with it--I'll start a new thread on that.

9

16.1 Legacy Series / Re: ipv6 /60 Delegation

« on: May 22, 2016, 05:48:42 pm »

Thanks Bart.

I tried manually segmenting the /60 I was issued (creating static /60's), and that does work.  I don't know how often Comcast changes things such that new delegations are issued, so this may break semi periodically, but my IPv4 DHCP based IP seems pretty static.  I was hoping for an automatic way of handling this, and it seems like it's supposed to work and I'm just doing something wrong with the config.

At this point, I just need to figure out my DHCPv6/DNSv6 mapping--I suppose I could try writing a script that would take the IPv6 leases and update the unbound configuration accordingly.  Can anyone suggest a starting point for something like that?  I've been meaning to learn python anyway, so this may be just the excuse I was looking for.

Thanks.

10

16.1 Legacy Series / Re: ipv6 /60 Delegation

« on: May 20, 2016, 05:38:36 pm »

Thanks for the reply.

That looks pretty similar--you get a /56 delegation, vs me getting a /60 via dhcp6, but that shouldn't make too much difference. 

How did you configure your LAN and OpenVPN segments to use the delegated range?  Was it "Track Interface" or something else?  If it is "Track Interface", what did you use for "IPv6 Prefix ID" on your two internal networks?  I can get one network assigned this way, but the second one doesn't seem to work.

How did you do DNS in your environment?  Are you able to serve AAAA records for your SLAAC enabled addresses?  I'm going for complete dual stack, such that functionality isn't different--at least internally--IPv6 or IPv4.

11

16.1 Legacy Series / ipv6 /60 Delegation

« on: May 19, 2016, 09:22:52 pm »

Hi folks:

Pardon if this has been addressed, I can't seem to find my usage scenario via search.

I'm running 16.1 (patched current this week).  I have Comcast in North America, and I can request and receive a /60 delegation (I see the address get assigned in a TCPDump).  My initial problem is that I can't seem to get the opnsense box to apply /64 subnets to more than one internal VLAN interface using a "Track Interface" configuration.  Whichever interface is set to IPv6 Prefix ID "0" seems get an address in the first /64 of the assigned range.

Is there someone that has gotten a configuration like this working on opnsense?  Also, I'd like a way to automatically update unbound so that internal names would have AAAA and A records from DHCP.

Thank folks...so far really liking opnsense.  Should make my life a lot easier long term.