I will be posting this to /r/opnsense as well for maximum visibility...
Let me open by saying my goal is to treat IPv6 as "the next IPv4" in that I want to assign host addresses, break VLANs by "subnet", assign cross-VLAN access, etc.
Goals with IPv6
- `host.subnet.domain` should be known to OPNsense as a known entity
- Host has a known IP address, `prefix:subnet identifier::host identifier`
- I should be able to have cross VLAN traffic
- I should be able to block traffic from/to unknown IPv6 entities. I recognize that there are multiple IPv6 addresses per device hence 1 and 2.
I've tried with the old ISC service off and on to little avail but not that dedicated. I'm trying now with the new way and I am running into issues with DNSmasq. I'm beginning to wonder though if maybe I'm working outside the spec.
My Understandings of IPv6 (note: using DNSMasq)
- Global addresses are assigned automatically via DHCPv6. These are prefix based according to ISP. This works fine, I cannot set the final range using the `::WXYZ` notation but I can understand this. See point 1.1 for SLAAC.
- If I set RA mode to use only SLAAC in the DHCP ranges screen, I will get the requested IP postfix (is this the right terminology? 🤔) but then I lose registering the hostname and all. I believed that SLAAC, RA-names, RA-stateless I would get the desired effect. Alas, no, I lose host reservations.
- We need better documentation of the RA-modes. Currently there are 7 options via DNSMasq in OPNsense v25.1.9. I'll break down the results of my testing using my macOS laptop and a DietPi OS Raspberry Pi.
  - Default: what is selected if you choose no mode of your own. I tested this one last and it's functionally the same as ra-advrouter.
  - ra-only: On the Mac, appears to get two SLAAC addresses and a DHCPv6 address. I see the DHCPv6 address show up (type is static) in the leases page. No rdnss is set. For the Pi I see a different static lease type set than the DHCPv6 one I set. Furthermore, the Pi doesn't recognize this address when running `ip -6 addr`. Very strange. `ping6` from my Mac won't get to that address either. Trying to `ping6` by hostname or FQDN fails either way (Mac -> Pi or Pi -> Mac).
  - slaac: SLAAC and DHCPv6 addresses? Results in an identical setup to ra-only.
  - ra-names: register names for SLAAC addresses? In practice, running just ra-names I see the same results as ra-only. The "ghost" DHCPv6 still shows in the leases page for the Pi.
  - ra-stateless: SLAAC only address (not confusing at all 🤦🏻‍♂️). I recommend that this not be allowed with slaac as this stops DHCPv6.
  - ra-names and ra-stateless: results in an identical setup to ra-stateless.
  - ra-stateless and slaac: results in an identical setup to ra-stateless.
  - ra-names and slaac: results in an identical setup to ra-only.
  - ra-names, ra-stateless, and slaac: results very similar to the ra-only setup; however, differences exist on the Pi. Now I have that same DHCPv6 address that I've no idea where it comes from. When running `ip -6 addr` I see `scope global dynamic` for that address and `scope global dynamic mngtmpaddr` for the one that always shows up. Both can be `ping6`ed from my Mac.
  - ra-advrouter: What is this supposed to do? Mac is the same as ra-only, Pi is the same as ra-stateless. No rdnss picked up.
  - offlink: results in identical behavior to the ra-advrouter setup.
- DUIDs seem arbitrary and pseudo random. What in the bloody heck? 🤬 Why aren't we just using MAC addresses anyway? Why does IPv6 seem such a 💩🎪 after almost 30 years?! I'm not that young but was IPv4 this bad? I'd figure it would be mostly worked out by now!! Okay, that's out of my system...
  - Is there a standardized and correct way to get the DUID from a system that OPNsense and DNSmasq can operate with?
  - Where is the DUID shown in the DNSmasq leases page being obtained? This information is totally incorrect. For one, the number of bytes varies wildly per host. For two, it's never worked but getting the information (method seems to vary wildly) from the host and using that does work. Yet, the leases page still shows an incorrect DUID. 🐞 **Correction**: this is under IPv4 leases, maybe we should correct the UI to display N/A or something?
- I should be able to have ULA addresses as opposed to GUA only.
- I want local services on my DMZ that are accessible across VLANs (DNS, plex, etc.)
- I want to allow IoT devices an IP address and ability to talk to each other but no internet (ULA but no GUA).
Where do I go from here?
Am I fundamentally misunderstanding IPv6 and its capabilities? In a world with vastly more security threats than the one IPv4 launched into, I can't see it just being more open and less restrict(ed/able) in general! Where am I going wrong?
As I figure this out I am more than willing to help update documentation, just point me in the right direction. Once my kid gets older and I have free time (hahaha good one) I would love to help contribute code, but in the meantime I'll continue to evangelize and work with but maybe I'm just off my rocker on this.... Could Michael W. Lucas write a book on all this already? 😛
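Added example (not from the post, OPNsense or dnsmasq): a small classifier for the "multiple IPv6 addresses per device" problem behind goals 1, 2 and 4 and the `scope global dynamic` vs `dynamic mngtmpaddr` observation above. It parses constructed `ip -6 addr` style output, splits each address into `prefix:subnet identifier::host identifier` relative to an assumed /48 delegated prefix (`2001:db8:10::/48`, a documentation range), tells GUA from ULA and link-local by well-known prefix, recovers the MAC from EUI-64 identifiers so a host's addresses can be correlated, and reports which addresses are stable enough to register in DNS or pin in a firewall rule. The flag-to-origin mapping is a heuristic, named as such in the code.

```python
import ipaddress
import re

# Address classes from RFC 4291 / RFC 4193. Explicit prefixes are used on purpose:
# ipaddress's is_global/is_private treat the 2001:db8::/32 documentation range as
# non-global, which would misclassify the constructed sample below.
GUA = ipaddress.IPv6Network("2000::/3")         # global unicast
ULA = ipaddress.IPv6Network("fc00::/7")         # unique local
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Constructed sample shaped like `ip -6 addr` output on a Linux host (not a real capture).
SAMPLE_IP6_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:10:20::42/64 scope global dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 2001:db8:10:20:5e3a:9bff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86390sec preferred_lft 14390sec
    inet6 2001:db8:10:20:8e1d:4f02:a7c9:11e0/64 scope global temporary dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fd12:3456:789a:20::42/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5e3a:9bff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/(\d+)\s+scope\s+(\w+)(.*)$")


def address_kind(addr):
    """Classify by well-known prefix rather than by ipaddress's is_global flag."""
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "ULA"
    if addr in GUA:
        return "GUA"
    return "other"


def eui64_mac(addr):
    """Return the MAC a modified EUI-64 interface identifier was built from, or None.

    EUI-64 inserts 0xff 0xfe in the middle of the MAC and flips the universal/local
    bit (0x02 of the first byte), see RFC 4291 appendix A.
    """
    iid = addr.packed[8:]
    if iid[3] != 0xFF or iid[4] != 0xFE:
        return None
    mac = bytes([iid[0] ^ 0x02, iid[1], iid[2], iid[5], iid[6], iid[7]])
    return ":".join(f"{x:02x}" for x in mac)


def iid_origin(addr, flags):
    """Heuristic mapping of `ip addr` flags to how the address was obtained.

    'temporary' is an RFC 4941 privacy address; 'mngtmpaddr' marks the SLAAC address
    the temporary ones derive from; a plain 'dynamic' address with no SLAAC marker is
    lifetime-bound but lease-managed (e.g. DHCPv6). Heuristic, not a kernel guarantee.
    """
    if "temporary" in flags:
        return "temporary"
    if eui64_mac(addr):
        return "eui64"
    if "mngtmpaddr" in flags:
        return "slaac-stable"
    if "dynamic" in flags:
        return "leased"
    return "static"


def split_prefix(addr, delegated_prefix):
    """Split an address into (subnet id, 64-bit host id) relative to the delegated prefix."""
    net = ipaddress.IPv6Network(delegated_prefix)
    if addr not in net or net.prefixlen > 64:
        return None, None
    subnet_bits = 64 - net.prefixlen
    subnet_id = (int(addr) >> 64) & ((1 << subnet_bits) - 1)
    host_id = int(addr) & ((1 << 64) - 1)
    return subnet_id, host_id


def parse_ip6_addr(text, delegated_prefix):
    rows = []
    for line in text.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addr = ipaddress.IPv6Address(m.group(1))
        flags = set(m.group(4).split())
        subnet_id, host_id = split_prefix(addr, delegated_prefix)
        rows.append({
            "address": str(addr),
            "prefixlen": int(m.group(2)),
            "kind": address_kind(addr),
            "origin": iid_origin(addr, flags),
            "mac": eui64_mac(addr),
            "subnet_id": subnet_id,
            "host_id": host_id,
        })
    return rows


def stable_addresses(rows):
    """Routable addresses worth a DNS record or a firewall rule; temporary privacy
    addresses rotate and would leave the record or rule stale."""
    return [r for r in rows if r["kind"] in ("GUA", "ULA") and r["origin"] != "temporary"]


if __name__ == "__main__":
    for r in parse_ip6_addr(SAMPLE_IP6_ADDR, "2001:db8:10::/48"):
        sid = "-" if r["subnet_id"] is None else f"{r['subnet_id']:x}"
        print(f"{r['address']:<40} {r['kind']:<10} {r['origin']:<12} subnet={sid} mac={r['mac']}")
```

The ULA row falls outside the delegated prefix, so its subnet id is reported as unknown; a ULA-only policy (goal "IoT devices get ULA but no GUA") would be checked with `address_kind`, and the EUI-64 MAC links the GUA and the link-local address of the same interface.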
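Added example (not from the post, OPNsense or dnsmasq) for the DUID questions above: a parser for the four DUID types defined in RFC 8415 section 11 (DUID-LLT, DUID-EN, DUID-LL, DUID-UUID). The type field decides the layout, which is why DUIDs from different hosts have different lengths; the LLT and LL types embed a link-layer address, so a DHCPv6 lease can be paired with the same host's MAC, while EN and UUID DUIDs carry none. The sample DUIDs are constructed (the enterprise number 32473 is the one RFC 5612 reserves for documentation), and `dnsmasq_id` is assumed to follow the `id:` colon-separated form of dnsmasq's `dhcp-host` option, which gives one canonical string to compare against whatever a UI displays.

```python
import uuid
from datetime import datetime, timedelta, timezone

# DUID types from RFC 8415 section 11; the type determines the layout and length.
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # DUID-LLT time base

# Constructed sample DUIDs (not from any real host) in separator styles clients print.
# Enterprise number 32473 is the documentation value reserved by RFC 5612.
SAMPLES = {
    "llt": "00:01:00:01:2e:2a:39:80:5c:3a:9b:12:34:56",
    "en": "00:02:00:00:7e:d9:0c:c0:84:d3:03:00:09:12",
    "ll": "0003-0001-5c3a9b123456",
    "uuid": "0004" + "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
}


def duid_bytes(text):
    """Accept colon-, hyphen- or space-separated hex, or a bare hex string."""
    cleaned = text.strip().lower().replace(":", "").replace("-", "").replace(" ", "")
    if len(cleaned) % 2 or len(cleaned) < 4:
        raise ValueError(f"malformed DUID: {text!r}")
    return bytes.fromhex(cleaned)


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_duid(text):
    b = duid_bytes(text)
    dtype = int.from_bytes(b[:2], "big")
    info = {"type": dtype, "type_name": DUID_TYPES.get(dtype, "unknown"), "length": len(b)}
    if dtype == 1:                  # LLT: hw type(2) + time(4) + link-layer address
        if len(b) < 9:
            raise ValueError("DUID-LLT too short")
        info["hw_type"] = int.from_bytes(b[2:4], "big")
        secs = int.from_bytes(b[4:8], "big")   # seconds since 2000-01-01 UTC, mod 2^32
        info["generated"] = DUID_EPOCH + timedelta(seconds=secs)
        info["link_layer"] = fmt_mac(b[8:])
    elif dtype == 2:                # EN: enterprise number(4) + vendor-assigned identifier
        if len(b) < 7:
            raise ValueError("DUID-EN too short")
        info["enterprise"] = int.from_bytes(b[2:6], "big")
        info["identifier"] = b[6:].hex()
    elif dtype == 3:                # LL: hw type(2) + link-layer address
        if len(b) < 5:
            raise ValueError("DUID-LL too short")
        info["hw_type"] = int.from_bytes(b[2:4], "big")
        info["link_layer"] = fmt_mac(b[4:])
    elif dtype == 4:                # UUID: exactly 16 bytes after the type
        if len(b) != 18:
            raise ValueError("DUID-UUID must be 18 bytes")
        info["uuid"] = str(uuid.UUID(bytes=b[2:]))
    else:                           # unknown type: keep the opaque payload
        info["payload"] = b[2:].hex()
    return info


def link_layer_of(text):
    """MAC embedded in the DUID if its type carries one, else None. Useful for pairing
    a DHCPv6 lease with the same host's DHCPv4 lease or neighbor-table entry."""
    return parse_duid(text).get("link_layer")


def dnsmasq_id(text):
    """Canonical 'id:' colon-separated form (assumed to match dnsmasq's dhcp-host syntax)."""
    return "id:" + ":".join(f"{x:02x}" for x in duid_bytes(text))


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        info = parse_duid(raw)
        print(f"{name:<5} {info['type_name']:<10} {info['length']:>2} bytes "
              f"mac={info.get('link_layer')} -> {dnsmasq_id(raw)}")
```

Two DUIDs of the same host that differ in length or type are not the same identifier, and a DUID-LLT embeds the time the client first generated it, which is one reason it survives a MAC change: the DUID is meant to identify the host, not the interface.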