Messages

So if I wan't to have multiple VLANs with different assigned prefixes, I need Kea.

No. Dynamically assigning a /64 prefix to an interface is done by dhcp6c (via the Track Interface / Identity Association feature) and unrelated to downstream prefix delegation.

Or basically my current setting can be replaced by switching from track interface to Identity Association and from switching from ICE to Kea?

You can switch to Identity Association, but will then have to manually configure Router Advertisements and DHCPv6.
Kea requires a static prefix, so if you have a dynamic prefix and need stateful DHCPv6, you'll have to switch to Dnsmasq or stick with ISC (which imho is the best option for the time being).

I switched from Track Interface to Identity Association and from ISC DHCPv4 to Kea DHCPv4, but keep using radvd and ISC DHCPv6.

Can you choose a different ISP that operates on their network and get one that way ?

Sure. Deutsche Telekom, Vodafone, o2, 1&1 will happily sell you the very same ONT with a slightly customized enclosure and their own logo slapped on it. :)

https://hack-gpon.org/ont-sercomm-fg1000b/#other-brand-names

As long as you do not have a rate > 1 Gbps, you can use a GPON ONT, because XGS-PON is mostly downwards-compatible.

A GPON ONT can't talk to an XGS-PON OLT, they even use different wavelengths.

The router would be one level up and to the very WEST. So kind of nightmarish, no matter it CAT6/7 or fiber.

It shouldn't come as a surprise that in-house infrastructure is a responsibility that comes with house ownership. You can always pay someone to do it for you.

Extra question: How deep does Der Gilb dig outside the house? Still 80cm something at least? No microtrenching or so?

That's really something you need to discuss with them. Often, they don't dig a trench at all, but "drill a tunnel".

Maybe I should ask for an ONT to be placed direct at my network-equipment

The ONT is placed by yourself wherever you want. The demarcation point is the passive optical outlet (Gf-TA) installed by Deutsche Telekom. You can ask them to install it in a location of your choice, but will have to prepare a conduit if that's not close to where the fiber enters the building.

first floor, so the fiber would be on the OUTSIDE of the house, before entering through the wall

You can always ask. They sometimes even install the Gf-AP (box where the external fibers end and the fiber going to the Gf-TA starts) on the outside.

@meyergru Deutsche Telekom does not give you a free ONT. You have to buy or rent one.

In single family homes, Deutsche Telekom by default installs the optical outlet ("Glasfaserteilnehmeranschlussdose" in prototypical Telekom speech) in the basement - for free.

If you want it elsewhere in the house, you can prepare a conduit yourself and they will use it to run up to 20 meters of fiber inside the house (also for free).

If you decide to have the optical outlet in the basement, you can then either run your own fiber from there to wherever your network gear is and place the ONT there, or you can place the ONT in the basement and run twisted pair from there to your router.

Cheers
Maurice

In automatic mode ("Allow manual adjustment of DHCPv6 and Router Advertisements" not enabled), ISC DHCPv6 has always been active and RAs have always been set to assisted. This is not new.

We are not talking about prefix delegation on the WAN, right?

No, this is about downstream prefix delegation - OPNsense delegating prefixes to DHCPv6 clients in the LAN. Dnsmasq doesn't support this at all, Kea only with static prefixes.

Cheers
Maurice

You can keep using the existing phone line / DSL, these won't get shut down anytime soon.

Deutsche Telekom sells two types of basic ONTs for about the same price: The "Glasfaser-Modem 2" with a 2.5 Gig Ethernet port and an SFP module named "Glasfasermodem Digitalisierungsbox" (actually a Zyxel PMG3000-D20B). Both are known to work just fine. There are some reports about compatibility issues with the SFP in certain NICs, but it works fine for me in a MikroTik device.

I'd highly recommend getting your home connected. Even if you don't currently need the speed, it's more reliable than DSL, upload speed is 50% of download, power consumption is lower. And if the fiber itself is from Deutsche Telekom, you can typically get contracts from Vodafone, o2, 1&1 etc., too. Just like with DSL.

Cheers
Maurice

The generic approach to layer 2 over layer 3 is a VXLAN:
https://docs.opnsense.org/manual/other-interfaces.html#vxlan

You'll have to evaluate whether that's a good solution for your use case.

Cheers
Maurice

Ja, einen praktischen Unterschied sollte es nicht machen. Mich würde nur interessieren wo die Fehlinformation herkommt, dass man 192.168.100.1/24 eintragen muss / soll. Aus der Doku jedenfalls nicht.

This only works with the native backend and I'm not aware of a workaround.

Cheers
Maurice

Steht eigentlich alles in der Doku (https://docs.opnsense.org/manual/kea.html)...

1. Aktiviert das optionale REST API, wird z. B. für HA benötigt.
2. Du trägst in der Tat das Subnet ein, also z. B. 192.168.100.0/24. Wie kommst Du auf die Schnittstellen-Adresse?
3. 'Auto collect option data' deaktivieren, dann kannst Du das manuell eintragen.

Grüße
Maurice

1. Correct. Not every OPNsense update includes a new kernel + base.
2. Yes. These commits will be in a future version (26.1.3 or later).
3. Updating from 26.1.1 to 26.1.2 will not modify the installed kernel + base, so nothing to do.
4. Correct.
5. If an update includes a new kernel + base, there will be a src tag with the same version as the core tag (which determines the version used in the UI, release notes etc.). If an update doesn't include a new kernel + base, there's simply no new src tag.

Cheers
Maurice

A stable-privacy interface identifier (RFC 7217) is only stable as long as the prefix is stable, but then you wouldn't need dynamic DNS.
If your prefix is dynamic, you indeed have to use EUI-64 or a token (which most devices still do).

ISC DHCPv6 allows static mappings without an address range for dynamic leases. RA flags are configured independently (in radvd).
Kea does not (yet) support dynamic prefixes, so that's probably not an option.
Not sure about dnsmasq.

Please share your setup configuration with us :)

Just normal "bind service to loopback interface" stuff. :)

- Interfaces: Devices: Loopback, add two interfaces ('Loopback_Unbound', 'Loopback_BIND').
- Interfaces: Assignments, assign the interfaces and configure them with static /32 / /128 IP addresses (should not be within subnets used elsewhere).
- Services: Unbound DNS: General, set 'Network Interfaces' to 'Loopback_Unbound'.
- Services: BIND: Configuration, enter the IP addresses of 'Loopback_BIND' as 'Listen IPs' / 'Listen IPv6'.
- Now you can advertise the 'Loopback_Unbound' addresses to some clients and the 'Loopback_BIND' addresses to others, using a method of your choice (DNS servers setting in Kea / ISC / radvd / Dnsmasq).

Should work for any service which allows binding to specific interfaces or IP addresses. I do the same for e. g. the Web UI and downstream DNS-over-HTTPS (both on port 443).

Cheers
Maurice

You don't need DHCPv6 for that. SLAAC addresses are static, too. Devices may create temporary privacy addresses for outbound connections, but the primary SLAAC address uses a static interface identifier and is always available for inbound connections.

If your prefix changes, you can still use Dynamic DNS. The OPNsense DynDNS client allows combining a dynamic prefix with a static interface identifier.

Cheers
Maurice