23.1 Legacy Series / IPv6, prefix delegation, and undocumented default behavior
« on: February 10, 2023, 05:05:50 pm »
I'm running a Comcast Business connection with a static /29, which also comes with an IPv6 /56.
I have multiple DMZs, and a transit connection (VLAN 3000) from the OpnSense 23.1 firewall to a Cisco 3560G. The 3560G acts as a core router for multiple other VLANs.
In my case, I migrated from pfSense. So I already had a semi-working configuration in which the Cisco 3560 requested a prefix delegation from the firewall, and then assigned two of the /64 from the delegation to two subnets.
Using OSPFv3 to advertise IPv6 between the C3560 and the Firewall.
I'd like to note that OpnSense appears to spin up a DHCPv6 server on all interfaces that track a prefix delegation.
The [invisible] OpnSense DHCPv6 server then appears to take a block of IPv6 subnets from the delegation it received from the ISP (Comcast) and then further delegates them as /63.
Question: Where is the code that creates the invisible DHCPv6 server? I'd like to change the default delegation from /63 to /62 or /61.
---
Prefix delegation received by the WAN interface (IPv6 DHCP) was 2001:db8:1:5280::/59
WAN IPv6 set to DHCPv6
WAN DHCPv6 client configuration
. Configuration Mode - basic
. Request only an IPv6 prefix - checked (prefix delegation is not requested without this box checked; bug?)
. Prefix delegation size - 59 (irrelevant, doesn't change the delegation received; the Comcast router only gives out /59)
. Send IPv6 prefix hint - checked
. Use IPv4 connectivity - unchecked
. Use VLAN Priority - Disabled
LAN IPv6 set to track interface WAN
. Track IPv6 Interface set to WAN
. Allow manual adjustment of DHCPv6 and Router Advertisement - unchecked (if checked, kills the invisible/default/unconfigurable DHCPv6 server) (if checked, you can manually add prefix delegation(s) for downstream routers, assuming they are within the /59 or /60 block received by the firewall)
[Be aware, there do appear to be multiple bugs in the UI for IPv6. If you attempt to use Configuration Mode Advanced on the WAN IPv6 DHCPv6 client configuration section, then it's a bear to get it to start requesting the prefix delegation again (as observed using tcpdump).]
FRR (os-frr) plugin is installed; OSPFv3.
----
option dhcp6.domain-search "home.net";
option dhcp6.rapid-commit;
default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;
subnet6 2001:db8:1:5281::/64 {
    range6 2001:db8:1:5281::1000 2001:db8:1:5281::2000;
    prefix6 2001:db8:1:5290:: 2001:db8:1:5298::/63;
}
ddns-update-style none;
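As an added illustration (not part of the post above and not OPNsense's own code), the script below expands the generated prefix6 line into the individual /63 pools, checks that each pool lies inside the /59 the WAN received and does not overlap the /64 given to the tracked LAN interface, and then shows what the same pool looks like carved as /62 or /61 instead. The received /59, the tracked /64 and the prefix6 line are copied from the post; the pool expansion follows ISC dhcpd's documented "prefix6 low high/len" form, where prefixes are handed out from low to high in steps of one /len. The overlap check is the part worth keeping: a pool that overlaps a tracked /64 hands a downstream router the firewall's own LAN prefix, so two routers end up answering for the same addresses.

```python
import re
from ipaddress import IPv6Address, IPv6Network

# Values copied from the post: the delegation the WAN DHCPv6 client received, the /64
# assigned to the interface tracking WAN, and the prefix6 line OPNsense generated.
RECEIVED = "2001:db8:1:5280::/59"
TRACKED = ["2001:db8:1:5281::/64"]
PREFIX6_LINE = "prefix6 2001:db8:1:5290:: 2001:db8:1:5298::/63;"


def _net(x) -> IPv6Network:
    return x if isinstance(x, IPv6Network) else IPv6Network(x)


def pools_from_prefix6(line: str) -> list[IPv6Network]:
    """Expand an ISC dhcpd6 'prefix6 LOW HIGH/LEN;' statement into the individual
    prefixes it can delegate: LOW, LOW + 2**(128-LEN), ... up to and including HIGH."""
    m = re.fullmatch(r"\s*prefix6\s+(\S+)\s+(\S+)/(\d+)\s*;\s*", line)
    if not m:
        raise ValueError(f"not a prefix6 statement: {line!r}")
    low, high, length = int(IPv6Address(m[1])), int(IPv6Address(m[2])), int(m[3])
    step = 1 << (128 - length)
    pools = []
    cur = low
    while cur <= high:
        pools.append(IPv6Network((cur, length)))  # strict: raises if cur is not /LEN-aligned
        cur += step
    return pools


def audit_pools(pools, received, tracked) -> list[str]:
    """Problems with a delegation pool. A pool outside the ISP delegation is unroutable;
    a pool overlapping a tracked /64 would hand a downstream router the firewall's own
    LAN prefix, so both routers would answer for the same addresses."""
    received, tracked = _net(received), [_net(t) for t in tracked]
    problems = []
    for p in pools:
        if not p.subnet_of(received):
            problems.append(f"{p} is outside {received}")
        problems += [f"{p} overlaps tracked interface prefix {t}" for t in tracked if p.overlaps(t)]
    return problems


def carve(received, tracked, length: int) -> list[IPv6Network]:
    """Split the received delegation into /length blocks, dropping every block that
    touches a tracked /64, e.g. to hand out /62s instead of the default /63s."""
    received, tracked = _net(received), [_net(t) for t in tracked]
    if not received.prefixlen <= length <= 64:
        raise ValueError("delegation length must lie between the received length and 64")
    return [b for b in received.subnets(new_prefix=length)
            if not any(b.overlaps(t) for t in tracked)]


def prefix6_statements(blocks) -> list[str]:
    """Render equal-length blocks as one prefix6 statement per contiguous run, since a
    single LOW..HIGH range cannot skip over a block that is already in use."""
    runs: list[list[IPv6Network]] = []
    for b in blocks:
        if runs and runs[-1][-1].prefixlen == b.prefixlen \
                and int(b.network_address) == int(runs[-1][-1].broadcast_address) + 1:
            runs[-1].append(b)
        else:
            runs.append([b])
    return [f"prefix6 {r[0].network_address} {r[-1].network_address}/{r[0].prefixlen};" for r in runs]


if __name__ == "__main__":
    issues = audit_pools(pools_from_prefix6(PREFIX6_LINE), RECEIVED, TRACKED)
    print("generated /63 pool:", issues or "inside the /59 and clear of the tracked /64")
    for length in (62, 61):
        for stmt in prefix6_statements(carve(RECEIVED, TRACKED, length)):
            print(f"/{length} alternative:", stmt)
```

Run as-is it reports the generated /63 pool as clean (five pools, 5290 through 5298, all inside 5280::/59 and clear of 5281::/64) and prints one replacement statement per size; with a second tracked /64 somewhere in the middle of the /59 it emits two statements, one per contiguous run, rather than a single range that would silently cover the in-use block.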