Messages - allebone

#1
You are all excellent. Every one of you should be proud of yourselves.
#2
I have resolved my own issue with the "DHCP register firewall rules" option and I agree this method works perfectly and is very good. The clients keep their old SLAAC address so that still works but gain in addition another DHCP address.
#3
Quote from: klinebau on February 24, 2026, 08:36:56 PM
RA-NAMES uses the MAC address to register the IPv6 address, so you have to have an IPv4 address along with MAC in order for it to match using the EUI-64 address.

Hello, I have tried to configure this but have an issue. The router advertisements seem to be working to a degree because clients get the DHCP6 options I set (such as 23 - dns servers) correctly via RA. If I change the DNS servers they then receive the new values, however the DHCP range seems to not be 100%.

Under the leases tab I see (as an example):
<see image>

But the client does not get the ipv6 address 2607:f2c0:f00e:3512::18e5 as I would expect.

I have as you mentioned slaac and ra-names in DHCP range. If the client does not accept the ipv6 address I'm not clear how this service helps resolve names?

Kind regards,
P
#4
So the answer is yes, they conflict.
#5
One more question, if I follow this guide: https://docs.opnsense.org/manual/dnsmasq.html#configuration-examples

And enable slaac in Services ‣ Dnsmasq DNS & DHCP ‣ General - must I then disable Router advertisements on that interface under Services ‣ Router Advertisements? Are these 2 services in conflict?

-P
#6
Interesting, thanks everyone. Based on the above I'm going to simply create AAAA records for servers I want to access by name and see if after 1 year any ipv6 addresses changed. If they did I will just statically assign them an ipv6 address. This is very easy to do anyway. I would probably just statically assign them going forward but want to see if they ever change out of interest.
#7
Quote from: meyergru on February 25, 2026, 12:45:25 AM
If your prefix is static, you can create overrides in Unbound for any client, using its EUI-64. So you get <prefix(56 bits)>+<interface prefix (8 bits)>+<client-EUI-64> as IPv6 for usual clients.

Note that some clients (e.g. Windows) choose to use arbitrary suffixes instead of a MAC-derived EUI-64 for privacy reasons. I am not talking privacy extensions here with changing suffixes, but hiding the MAC, which could normally be derived from the suffix.


Seems like neither my Ubuntu boxes nor my Windows boxes have FFFE in the addresses so I guess they all use private IPs.

However they also never seem to change ever. I have had many opportunities for them to change with things down for various changes and they seem to always get the exact same address always.

Is an override in unbound the same as setting an AAAA record? Am I right to assume the ipv6 won't change on clients?
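To make the <prefix(56 bits)>+<interface prefix (8 bits)>+<client-EUI-64> construction and the "FFFE" check concrete, here is an added example (not code from the thread or from OPNsense) that builds a modified EUI-64 address from a MAC and tells a MAC-derived interface identifier apart from a random one. The prefix 2001:db8:abcd::/56, subnet id 0x12 and the MAC are constructed sample values.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A) from a 48-bit MAC."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI and the NIC-specific half, then flip the
    # universal/local bit (0x02 of the first octet) as the RFC requires.
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big") ^ (1 << 57)

def slaac_address(prefix56: str, subnet_id: int, mac: str) -> ipaddress.IPv6Address:
    """<prefix (56 bits)> + <interface prefix (8 bits)> + <EUI-64>: the layout meyergru describes."""
    net = ipaddress.IPv6Network(prefix56, strict=False)
    if net.prefixlen != 56 or not 0 <= subnet_id < 256:
        raise ValueError("need a /56 delegation and an 8-bit subnet id")
    # The 8-bit subnet id occupies the low byte of the fourth hextet (bits 64..71 from the top).
    value = int(net.network_address) | (subnet_id << 64) | eui64_interface_id(mac)
    return ipaddress.IPv6Address(value)

def mac_from_eui64(addr: str):
    """Recover the MAC if the interface identifier carries the ff:fe marker; None for
    random (privacy / stable-private) identifiers, which is what the poster observed."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (iid >> 24) & 0xFFFF != 0xFFFE:
        return None
    raw = (iid ^ (1 << 57)).to_bytes(8, "big")   # undo the U/L flip, drop ff:fe
    return ":".join(f"{b:02x}" for b in raw[:3] + raw[5:])

if __name__ == "__main__":
    sample_mac = "00:11:22:33:44:55"               # constructed sample values
    addr = slaac_address("2001:db8:abcd::/56", 0x12, sample_mac)
    print(addr, "->", mac_from_eui64(str(addr)))
    print(mac_from_eui64("2001:db8:abcd:12:5c3a:9b1e:7f20:a4d1"))  # random IID, no ff:fe
```

An address whose identifier has no ff:fe marker cannot be mapped back to a MAC, so a dnsmasq ra-names entry keyed on the MAC will never match it.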
#8
Since slaac unmanaged addresses never change on the clients, the client always chooses the same ipv6 address, can I also use a strategy where I just create AAAA on unbound for computers I need to dns resolve to? Is this correct?

I should note I have a /56 static from my provider.
#9
Quote from: klinebau on February 24, 2026, 08:18:58 PM
I am using dnsmasq with SLAAC and RA-NAMES. This allows dnsmasq to register IPv6 addresses for clients that use EUI-64 address. I find this to be very convenient. It doesn't help with privacy addresses, but I generally don't need to reference those clients by name anyway.

How do I configure this option?

Many thanks
P
#10
If you configure slaac unmanaged how does the search list option work exactly?

For example if you set in the field the domain to be "workgroup.internal" and a slaac client has a hostname "client1" how does name resolution work/supposed to work?

If I ping -6 "client1.workgroup.internal" it does not work. Is there a missing piece here, do I need to configure something on unbound? How would a slaac client register its hostname?
#11
Quote from: IsaacFL on November 10, 2025, 06:51:50 PM
I'm not sure whether this qualifies as a tip or a question, since I couldn't find a way to do this through the web interface.

While debugging an issue with the new firewall logs, I noticed that reverse lookups of my local IPv6 addresses were taking between 800 and 1500 ms each. The reason is that, because my clients use privacy extensions, each lookup (almost never cached) causes Unbound to query my ISP — which owns the address space and hosts the corresponding PTR records.

To address this, I created a file named 1-custom.conf in /usr/local/etc/unbound.opnsense.d with the following content:

server:
    # Authoritative reverse zone for my /56
    local-zone: "d.c.b.a.8.b.d.0.1.0.0.2.ip6.arpa." static

This tells Unbound that this prefix is part of my local network, preventing it from trying to resolve those reverse lookups externally.

I couldn't find a way to configure this via the web interface, but it seems like a useful feature to have. My ISP assigns a /56, and it has been stable; however, if your ISP frequently changes your prefix, you could apply the same approach to their /48 or even /32 aggregate. In most cases, you won't get meaningful reverse lookups from your ISP for those addresses anyway.

This does seem useful, I would encourage you to open a feature request on github as this would then be tracked and possibly implemented.
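The quoted tip hand-writes the ip6.arpa zone name for a prefix. The following added example (not from the thread or from OPNsense) derives that name for any nibble-aligned prefix, renders the same unbound.opnsense.d snippet, and checks whether a given address's PTR query would be answered by the static local zone instead of going upstream. The prefixes and addresses used are constructed sample values from the 2001:db8::/32 documentation range.

```python
import ipaddress

def ip6_arpa_zone(prefix: str) -> str:
    """ip6.arpa zone name covering an IPv6 prefix; one label per nibble, most specific first."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 (one label per nibble)")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def unbound_local_zone(prefix: str) -> str:
    """Render the server: block from the post for an arbitrary prefix."""
    return f'server:\n    # Authoritative reverse zone for {prefix}\n' \
           f'    local-zone: "{ip6_arpa_zone(prefix)}" static\n'

def ptr_name(addr: str) -> str:
    """The name Unbound is asked for on a reverse lookup of addr."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."

def answered_locally(prefix: str, addr: str) -> bool:
    """True when the PTR query sits under the static local zone, so no upstream query is sent."""
    return ptr_name(addr).endswith("." + ip6_arpa_zone(prefix))

if __name__ == "__main__":
    # The zone in the post has 12 labels, which is what a /48 produces; a /56 yields 14.
    print(unbound_local_zone("2001:db8:abcd::/48"))
    print(unbound_local_zone("2001:db8:abcd:1200::/56"))
    print(answered_locally("2001:db8:abcd::/48", "2001:db8:abcd:12:5c3a:9b1e:7f20:a4d1"))
```

Running it shows why the post's zone line matches the whole 2001:db8:abcd::/48 rather than a single /56; to cover a /56 exactly, two more labels are needed.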
#12
Quote from: Patrick M. Hausen on November 06, 2025, 10:33:02 PM
Thanks. So I am the one a bit out of touch and old fashioned. It's been a while since I did systems integration for really large enterprises. More than 10 years. Back then all of them were heavily invested into AD.

Kind regards,
Patrick

Eh, I wouldn't say you can become out of touch. It's just different now than it was before but the same first principles basically apply. Kind of like the questions I am asking about ipv6 vs v4. Sure, ok, now we don't really use dhcp. Ok fine. So everyone is more private I guess and we just instead vlan off different 'kinds' of groups and they get their router advertisements and can either apply them or not, it's up to them. Sure it sounds different but it's also kind of the same with just different ways of doing it. Also I would say SME is small-medium, not really large. I guess in another 10 years we will be back to how things were 10 years ago because it seems like as soon as we start doing it this new way people want to go back to how it was before to become 'more agile'. Sure, whatever you want :) - as long as someone pays me I will build it whichever way you like basically. I still think using SharePoint to store files is weird but that's how they like it now. Sure, in 10 years they will hate it again.
#13
Quote from: Patrick M. Hausen on November 06, 2025, 10:01:07 PM
How large and probably more relevant how OLD is that company?

Well, we used to deploy DCs but they just stopped being useful over time and there are other options like SharePoint or Azure Files now. I work for an MSP so it's the SME market of 10-200 or so users per company. Companies really look to save money so if it's not needed, it's killed off and removed, from what I see in the work we do.
#14
Quote from: Patrick M. Hausen on November 06, 2025, 09:22:47 PM
In an enterprise setup you will in most cases have a Windows domain and Active Directory so all clients running Windows can do authenticated and trustworthy dynamic DNS updates.

You can still run OPNsense as your frontmost recursive DNS, just create forwarding entries for the internal zones pointing to your domain controllers.

Interesting, we just use Azure AD now and Intune, so domain controllers are not deployed and clients don't join a domain, they just are Intuned via the "join work or school account" under settings. Phones just use MAM policies to secure work apps.
#15
Quote from: Maurice on November 06, 2025, 06:13:37 PM
That's not possible, by design. When enabling SLAAC, most clients use privacy extensions, meaning they randomise their interface identifier (lower 64 bits of the IPv6 address) for outbound connections.

If you really need to identify individual clients, you have to disable SLAAC and use stateful DHCPv6 (which is not supported by all clients).

You could look into identifying clients by their MAC address, but many randomise that, too.

If you need certain rules for certain groups of clients, it makes more sense to assign them to separate (V)LANs.

This is an interesting problem, because as you say, some clients like android only do SLAAC. So this seems kind of unintuitive in terms of an enterprise setup to just abandon knowing anything about clients that connect through your firewall. I can imagine this causing abuse problems if I was that way inclined to steal from the rich and democratize the poor. A most interesting development.