Messages - tgurr

#1
Quote from: bazineta on January 30, 2026, 06:45:28 PM
This appears to work properly with the prefix delegation setup, and all the usual IPv6 tests pass, but this is usually the point where more learned individuals tell me that I'm being an idiot, so let's see what they have to say.

Sounds sensible to me, sent you a PM asking for details because I'm interested in trying to replicate your setup.
#2
Quote from: franco on January 30, 2026, 05:47:39 PM
> 1. Will the option "Track interface (legacy)" stay and is the (legacy) just meant to tell that's the "old" way, or is this expected to disappear some time in the future?

It will likely disappear when ISC-DHCP plugin will be removed, but that's not before 2027/28 in any case unless something more serious happens that would mean to prohibit use of the EoL ISC-DHCP but I doubt it.

> 2. I was under the assumption that GigaNetz and/or most ISP use dynamic prefixes? Or am I wrong here and basically "The ability to forward DHCPv6 PD to downstream routers from OPNsense is only in ISC-DHCP and Kea" is enough here.

That's sadly true. We'll tinker with Kea more now that we don't have ISC-DHCP to worry about as much. Probably changes and improvements coming for 26.7 and beyond. We try to cluster our work nowadays which seems to be more effective in terms of long term gains. That's why Kea was put on the backseat for Dnsmasq.

> It will likely disappear when ISC-DHCP plugin will be removed

Is that because of the usage of ISC DHCP client here (option DHCPv6 I use for WAN) that has to be removed as well due to EOL? Would using dhcpcd as a replacement work? I'm asking that because in my setup the ISC-DHCP plugin is already uninstalled so why is there the need to remove "Track interface (legacy)" in the first place - if not for the EOL of the client as well? I also don't yet get the (technical) difference between "Track interface (legacy)" and "Identity Association".

With that info I guess I'll stay on Dnsmasq+Track interface (legacy) for now then. It would be great if you could somehow release a tutorial / short howto on how to configure these things for regular ISP usage then, as in "Configuration for just replacing my ISP Fritz!Box with OPNsense" as it's really hard to puzzle together everything, especially in these kinds of constellations where things and certain combinations don't work at all.

Thanks for your patience in answering all my unskillful, probably confusingly stated questions.
#3
Quote from: franco on January 30, 2026, 05:11:01 PM
Simple. The ability to forward DHCPv6 PD to downstream routers from OPNsense is only in ISC-DHCP and Kea. In Kea there is no integration for dynamic prefixes. Dnsmasq does not support it at all.

Thanks for the explanation, I was happy that I got things working in the first place so my networking knowledge sadly really doesn't go very deep, especially for IPv6, so two follow-up questions:

1. Will the option "Track interface (legacy)" stay and is the (legacy) just meant to tell that's the "old" way, or is this expected to disappear some time in the future?
2. I was under the assumption that GigaNetz and/or most ISP use dynamic prefixes? Or am I wrong here and basically "The ability to forward DHCPv6 PD to downstream routers from OPNsense is only in ISC-DHCP and Kea" is enough here.

My WAN looks like:


and for HOME/GUEST:



So nothing that fancy I guess, it's working great like that with these settings and Dnsmasq, I just don't want to end up hitting a wall with a future update. So any advice on what and how to change is very welcome.
#4
Quote from: bazineta on January 30, 2026, 04:53:35 PM
Seeing the same thing, with the same setup. I had gone with dnsmasq per the migration suggestions at the time, but it seems as if Kea is the only option now for this particular ISP setup.

Looking forward to seeing what you figure out and hope you can share it here, I just noticed in the Kea documentation: https://docs.opnsense.org/manual/kea.html#prefix-delegation-ia-pd "Dynamic prefixes common with most residential ISPs are not supported." so I'm totally confused, maybe staying on Dnsmasq+Track interface (legacy) will be the best - and only working(?) solution for now hoping that "Track interface (legacy)" won't be removed some time in the future?
#5
Quote from: flushell on January 30, 2026, 12:15:11 PM
This is probably the bug: https://github.com/opnsense/core/issues/8838

Edit:

To tackle this:
You must Tick "Allow manual adjustment of DHCPv6 and Router Advertisements", then Disable ISC DHCP6 for the interface. After that, you can enable Identity association.

That workaround worked for me as well, thanks. I was now able to switch from "Track interface" to "Identity Association", however I don't seem to get any IPv6 connection to outside on my networks (home & guest - test of: https://test-ipv6.com/ fails with "No IPv6 address detected") now where WAN (IPv6 Configuration Type: DHCPv6) works well, I can ping for example google.de with IPv6 from the diagnostics. Is it because I (have to) use Prefix delegation on my WAN interface due to my ISP? Or will, because of:

> One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.

switching over to Kea allow me to have a future proof setup with working prefix delegation? I don't think my ISP (GigaNetz) supports/offers something else.
#6
Quote from: franco on January 30, 2026, 10:28:12 AM
Sorry, I meant "Defaults", not "History".

"dhcpdv6." configuration key is specifically for ISC DHCPv6, nothing else.

Ah thanks! I have nothing to select in regards to the ISC DHCPv6 / dhcpdv6. here:



probably I need to reinstall the plugin beforehand? Searching for the "dhcpdv6" key in my config export I can see:

  <dhcpdv6>
    <opt1>
      <enable>-1</enable>
    </opt1>
    <lan>
      <enable>-1</enable>
    </lan>
  </dhcpdv6>

So I guess I could also remove that part manually and import the config again.
#7
Thanks for all the helpful feedback.

Quote from: bazineta on January 30, 2026, 04:27:38 AM
I think this to be a bug, as I believe you'll find that you can't set the IPv6 Configuration Type to 'None' on the affected interface, either. In short, you're pretty much stuck with whatever settings that interface has at the moment, it seems.

Correct, I'm also unable to set the interface to 'None'.

Quote from: btb62 on January 30, 2026, 08:50:48 AM
I came across the same issue with the warning message about DHCP server being active. The way to resolve it is to temporarily install the ISC plugin, (DHCPv6 I think was active on the LAN), then you can make the changes. It seems the wrong way round, but must be a bug, when done of course ISC plugin can be removed.

This worked for me, hope it helps you too.

Thanks, I'm pretty sure I've disabled the checkbox on ISC for the networks also tried to switch to "Identity Association" before removing the plugin, but will try your suggestion as well.

Quote from: franco on January 30, 2026, 09:11:21 AM
If you are sure you don't need the ISC-DHCPv6 anymore you can run this from the command line

# pluginctl -f dhcpdv6.<interfaceid>

where <interfaceid> is lan or opt1, etc.

If you are sure you're not using DHCPv6 at all you can also drop the whole DHCPv6 configuration from System: Configuration: History: Components.

I guess I can be pretty sure in this case as I've already uninstalled the plugin?

> pluginctl -f dhcpdv6.<interfaceid>

Will try that, thanks.

> If you are sure you're not using DHCPv6 at all you can also drop the whole DHCPv6 configuration from System: Configuration: History: Components.

If Dnsmasq doesn't do anything here, as in if "not using DHCPv6" means "either ISC DHCP or Kea" AND this doesn't apply to my WAN interface having "IPv6 Configuration Type: DHCPv6" then this is true for me.

However I can't find the "Components" under History you've mentioned, the menu path only goes as deep as System: Configuration: History for me where I can view the diffs and download, remove backups and so on. But I can't find anything related to "Components".
#8
Quote
To accommodate the change away from ISC-DHCP defaults the "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups. Dnsmasq is now the default for DHCPv4 and DHCPv6 as well as RA out of the box. One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.

I'm trying to figure out what I've to change in my setup related to the statements above. When it was first mentioned that ISC-DHCP will be deprecated I already moved my stuff over to using "Dnsmasq DNS & DHCP" like the DHCP ranges for my home and guest vlans as well as the reservations / host overrides. So after updating to 26.1 today I uninstalled the os-isc-dhcp plugin, so far so good, things still appear to work as intended. However when trying to change the "IPv6 Configuration Type" in either my home or guest vlan/interface from "Track Interface (legacy)" to the new "Identity association" and try to save the changes I get an error message:

Quote
The following input errors were detected:

The DHCPv6 Server is active on this interface and it can be used only with a static IPv6 configuration. Please disable the DHCPv6 Server service on this interface first, then change the interface configuration.

which makes me wonder what the actual problem is since "Track Interface (legacy)" works without any issue, is it because I use "Dnsmasq DNS & DHCP"? I can't seem to find an option to do what I'm instructed by "disable the DHCPv6 Server service on this interface first" like in only use Dnsmasq DNS & DHCP for IPv4, like there was for ISC-DHCP and probably also is for Kea with its two separate Kea DHCPv4 & Kea DHCPv6 services to enable/disable. But that would somehow contradict the statement of

Quote
[...] to allow better interoperability with Kea and Dnsmasq setups


On another more or less unrelated note, some parts of the release notes are harder to read/understand for me than they maybe could be, for example:

Quote
One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.

"the upstream software": which one? supposedly Dnsmasq? Why not call it by its name?
"Use another DHCPv6 server in this case": when Dnsmasq doesn't work in this case and Kea is the new alternative to the now deprecated ISC-DHCP, why not just write "Use Kea DHCPv6" in this case? Or doesn't Kea work here as well, or are there too many other alternatives to mention them?

And another thing I was kind of scared is because the talk is all about DHCP and IPv6, I was afraid that removing the ISC plugin would also remove the option for the WAN interface to select "DHCPv6" in its "IPv6 Configuration Type" option, so a small mention that it doesn't touch that part and/or that they're completely unrelated and this option will stay would've probably been reassuring as well.
#9
I've upgraded to 18.1 and now my internal networks can't reach the internet via a configured PPPoE dial-in connection via IPv4. IPv6 connectivity still works fine. The connection itself is up and running, my WAN interface got an IPv4 address and via the Interface - Diagnostics - Ping I can also ping IPv4 hosts without any problems as long as I choose Default as the source, when I choose one of my configured networks I'm unable to ping any IPv4 host.

The System - Gateway tab looks fine as well. Before the upgrade it worked fine, I didn't do any configuration changes since then, just the upgrade to 18.1.

Any help would be highly appreciated.