Messages - GaryElmes

#1
I've been experimenting with different ways of configuring IPv6 on my router. Yesterday I thought I would take the DHCPv6 service for a spin.

I configured my LAN port with a static /64 address, then configured the DHCPv6 service on that port and configured a "test" device on the local LAN to request its IPv6 config via DHCP.

The IPv6 address that was sent to the test device by the DHCPv6 service on the router had a /128 subnet mask, instead of the /64 mask I was expecting. Am I missing some configuration step, or is DHCPv6 broken? Surely it's not expected that DHCPv6 will force all local LAN traffic to be tromboned via the router.

(I'm also a bit bemused by the fact that you can't configure DHCPv6 for a port that is tracking a WAN port, but I see that is being discussed elsewhere.)
#2
Since (a) this has been driving me nuts all weekend, (b) everything Google offered up to help was no use at all, and (c) I finally fixed the problem, I thought I'd share...

The problem was: I couldn't configure my OPNsense box to successfully pull down an IPv6 prefix delegation from my ISP over my PPPoE connection. So none of the devices on my network got a global IPv6 address, they couldn't route IPv6 packets out onto the Internet, etc.

I did all the stuff that Google tells you:
- Set "IPv6 Configuration Type" on the WAN interface to "DHCPv6"
- Tick "request only an IPv6 prefix" (which allegedly may or may not help, depending on what your ISP expects);
- Tick "Use IPv4 connectivity" (because PPPoE...)

But I still wasn't getting the PD. Messing around with the other Interface settings didn't help.

To cut a long and frustrating story short, it turns out that the firewall was blocking the DHCPv6 responses from the ISP. The firewall log was showing traffic coming from ff02::1:2, with a proto type of "options", being blocked. FF02::1:2 is a "well known" IANA multicast address for DHCPv6.

So I set up an "allow" rule on the WAN interface; initially (and for diagnostic purposes only) allowing all IPv6 traffic in. And yet the firewall was *still* blocking the traffic. Just to add insult to injury, the log files were referencing the "allow" rule that I'd just put in as the reason for blocking it!!

Then, after much digging around, I found, hidden at the bottom of the "advanced" options for the firewall rule, a field named "State Type". By default, this is set to "keep type". It appears that "keep type" is a Bad Thing(tm) for this kind of traffic. I set it to "none", saved everything, rebooted the OPNsense box and IPv6 sprung fully to life.

Yaay!!!

(I went back and tightened up the allow rule, of course. It's now only allowing multicast traffic (ff00::/8) in.)

YMMV, of course. But somebody might find this helpful.
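The diagnostic step in the post above (spotting blocked DHCPv6 in the firewall log, then checking what a narrowed multicast allow rule would still cover) can be scripted. The following is an added example written for this thread; it is not code from OPNsense or from the poster. It assumes a simplified, constructed CSV log layout (not the exact OPNsense/pf filterlog format) and constructed sample lines; the well-known group ff02::1:2 and UDP ports 546/547 are the standard DHCPv6 values from RFC 8415.

```python
"""Find blocked DHCPv6 traffic in firewall log lines and check which of those
lines an inbound 'pass' rule for ff00::/8 would have matched.

Assumed (constructed) CSV layout, one record per line:
rulenr,label,iface,action,dir,ipver,proto,src,dst,srcport,dstport
"""
import csv
import ipaddress

# All_DHCP_Relay_Agents_and_Servers multicast group (RFC 8415)
DHCPV6_GROUP = ipaddress.ip_address("ff02::1:2")
DHCPV6_PORTS = {546, 547}                      # client / server UDP ports
MULTICAST_V6 = ipaddress.ip_network("ff00::/8")  # the tightened allow rule from the post

FIELDS = ["rulenr", "label", "iface", "action", "dir", "ipver",
          "proto", "src", "dst", "srcport", "dstport"]

# Constructed sample log; these are not real captures.
SAMPLE_LOG = """\
0,Default deny,pppoe0,block,in,6,udp,fe80::1,ff02::1:2,547,546
0,Default deny,pppoe0,block,in,6,udp,2001:db8::1,2001:db8::2,5353,5353
42,Allow v6 multicast,pppoe0,pass,in,6,udp,fe80::1,ff02::1:2,547,546
0,Default deny,pppoe0,block,in,6,Options,fe80::1,ff02::1,0,0
0,Default deny,pppoe0,block,in,4,udp,192.0.2.1,192.0.2.2,67,68
"""


def parse_log(text):
    """Parse the constructed CSV layout into dicts with typed fields."""
    records = []
    for rec in csv.DictReader(text.splitlines(), fieldnames=FIELDS):
        rec["ipver"] = int(rec["ipver"])
        rec["srcport"] = int(rec["srcport"])
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records


def is_dhcpv6(rec):
    """True if the record looks like DHCPv6: UDP 546/547, or the DHCPv6 group."""
    if rec["ipver"] != 6:
        return False
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if rec["proto"].lower() == "udp" and (
            rec["srcport"] in DHCPV6_PORTS or rec["dstport"] in DHCPV6_PORTS):
        return True
    return DHCPV6_GROUP in (src, dst)


def blocked_dhcpv6(records):
    """Records the firewall blocked that carry DHCPv6 traffic."""
    return [r for r in records if r["action"] == "block" and is_dhcpv6(r)]


def covered_by_multicast_rule(rec):
    """Would a pass rule matching ff00::/8 (assumed to test source or
    destination) apply to this record?"""
    if rec["ipver"] != 6:
        return False
    return (ipaddress.ip_address(rec["src"]) in MULTICAST_V6
            or ipaddress.ip_address(rec["dst"]) in MULTICAST_V6)


def summarize(text):
    """Return (blocked DHCPv6 count, how many of those the ff00::/8 rule covers)."""
    blocked = blocked_dhcpv6(parse_log(text))
    covered = sum(1 for r in blocked if covered_by_multicast_rule(r))
    return len(blocked), covered


if __name__ == "__main__":
    for r in blocked_dhcpv6(parse_log(SAMPLE_LOG)):
        print(f"blocked DHCPv6 on {r['iface']}: {r['src']} -> {r['dst']} "
              f"(rule '{r['label']}', ff00::/8 would cover: "
              f"{covered_by_multicast_rule(r)})")
    print("summary (blocked, covered):", summarize(SAMPLE_LOG))
```

Only the first sample line is both blocked and DHCPv6; the fourth line (an IPv6 "Options" packet to ff02::1) is multicast but not DHCPv6, so it is reported as covered by the ff00::/8 rule without being flagged as DHCPv6. If your firewall exports a different column order, adjust FIELDS accordingly.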