Messages - sergiodj

#1
Quote from: Patrick M. Hausen on March 21, 2024, 09:39:00 PM
You need to assign one of the /64 from HE statically to your LAN as an additional virtual address. To be able to use that /64 for devices to access the Internet you need to set up a tunnel according to HE's documentation.

Alright, great.  I already have the GIF set up, so all that's left is to create a Virtual IP and attach it to the LAN.

Quote from: Patrick M. Hausen on March 21, 2024, 09:39:00 PM
But why did you do this in the first place? I thought you wanted to use static ULAs in addition to your ISP's GUA. Now you got another set of GUAs - a whole /48 of them - from HE.

I initially planned to use static ULAs, but decided to move to static GUAs because I found that there are some idiosyncrasies with AdGuard Home.

My plan is to configure my AG with a static IPv6 from HE and use it internally as the IPv6 DNS server.
#2
Quote from: Patrick M. Hausen on March 21, 2024, 07:45:59 PM
Quote from: sergiodj on March 21, 2024, 07:42:11 PM
HE gave me a /48 prefix, so I believe I can use it for local IPv6 addresses, right?
Yes, but only one /64 per interface/VLAN/network. You get a /48 so you can address 65536 different networks. Not to put the entire address space on a single LAN.

There is only one prefix length in IPv6 for ethernet type networks: /64. A /64 can address as many hosts as the entire IPv4 Internet - squared! And there are as many /64 networks in total in the IPv6 address space: the entire IPv4 Internet - squared!

Awesome, thanks for confirming!

It's still unclear to me how I should assign this prefix to a specific internal network.  Do I need to create a GIF (I did it anyway, because I assume that otherwise the tunnel won't work)?  A Virtual IP (probably not...)?  After that, do I need to change my current LAN to use the /64 prefix from HE instead of using my ISP's delegated prefix (as it is doing right now)?  Is it possible to have my LAN still use addresses delegated by my ISP, but also give out static IPv6 addresses from the HE /64 network?

I feel like these new concepts got me confused a bit and now I'm trying to untangle the mess in my head.  Thanks for all the help, btw.
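The /48-into-/64 arithmetic from the quoted reply above, worked through with Python's ipaddress module as an added example (not code from this thread). It assumes 2001:db8::/48 as a documentation prefix standing in for the HE allocation, a constructed fdxx ULA, and classifies addresses by prefix membership rather than the library's is_global flag, which treats 2001:db8::/32 as non-global.

```python
import ipaddress

# Address classes the thread talks about, identified by prefix (assumed ranges per RFC 4291 / RFC 4193).
GUA = ipaddress.ip_network("2000::/3")   # global unicast: routed on the Internet
ULA = ipaddress.ip_network("fc00::/7")   # unique local: never routed on the Internet

# Every Ethernet-type LAN gets one /64; that leaves 64 bits for hosts.
HOSTS_PER_LAN = 2 ** 64

def classify(addr: str) -> str:
    """Return 'GUA', 'ULA' or 'other' (link-local, etc.) for an IPv6 address."""
    a = ipaddress.IPv6Address(addr)
    if a in GUA:
        return "GUA"
    if a in ULA:
        return "ULA"
    return "other"

def count_lan_networks(prefix: str) -> int:
    """How many /64 LANs a delegated prefix can be split into (/48 -> 65536, /56 -> 256)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError(f"{prefix} is narrower than a /64; it cannot hold a LAN")
    return 2 ** (64 - net.prefixlen)

def pick_lan_subnet(prefix: str, index: int) -> ipaddress.IPv6Network:
    """Return the index-th /64 inside the delegated prefix without enumerating all of them."""
    net = ipaddress.IPv6Network(prefix)
    if not 0 <= index < count_lan_networks(prefix):
        raise ValueError(f"index {index} is outside {prefix}")
    base = int(net.network_address) + index * HOSTS_PER_LAN
    return ipaddress.IPv6Network((base, 64))

def static_address(lan: str, suffix: int) -> ipaddress.IPv6Address:
    """Build a fixed address for a host (e.g. the DNS box) by appending a chosen interface id to its /64."""
    net = ipaddress.IPv6Network(lan)
    if net.prefixlen != 64 or not 0 < suffix < HOSTS_PER_LAN:
        raise ValueError("need a /64 and a non-zero 64-bit suffix")
    return ipaddress.IPv6Address(int(net.network_address) + suffix)

if __name__ == "__main__":
    lan = pick_lan_subnet("2001:db8::/48", 1)          # constructed: second /64 of the "HE" /48
    dns = static_address(str(lan), 0x53)               # constructed: ...::53 for the resolver
    print(lan, dns, classify(str(dns)), classify("fd12:3456:789a:1::53"))
```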
#3
Sorry, I'm still a bit confused here.

HE gave me a /48 prefix, so I believe I can use it for local IPv6 addresses, right?

It's still not clear to me how to configure internal addresses using GUAs provided by HE.  I've created the GIF interface, but I'm not sure if I should tell my LAN interface (where the AG service is connected to) to use the IPv6 network from HE, since I already have valid IPv6 coming from my ISP.  I believe so...?  And if I do that, how can I get a static IPv6 for my AG machine without having to mess with DHCPv6?
#4
Quote from: zan on March 21, 2024, 03:40:13 AM
Give a static ULA to the device that hosts the service. You don't need ULA for your clients if they have GUAs.

For your case, if AGH is running on your OPNsense then create a ULA as VIP on loopback interface. Make sure you include that ULA in the .yaml for AGH to bind to, then advertise that ULA through RA - it works for both SLAAC & DHCPv6.

Alright, I created a Virtual IP with a /48 to serve as my ULA for now (until I get the HE tunnel figured out).  Since my AG is running on another machine and inside Docker, I assigned the VIP to the LAN interface where that machine is plugged in.

I then manually set the IPv6 of that machine as static, and assigned an IP from the ULA I'd just created.  I can't make it connect to the internet via IPv6, but I guess that's expected because ULAs aren't supposed to be routable...?  If it's supposed to work, then I have to figure out the gateway to use.

Quote from: zan on March 21, 2024, 03:40:13 AM
If you have a working prefix from tunnelbroker (HE) then you can use GUAs from that prefix to your services and you don't need to use ULAs at all. The key here is setting up correct routes if you want devices with HE prefix to reach internet.

I will spend some time tomorrow setting up the tunnel here.  Let's see how that goes.
#5
Let me expand my question above.

It's also unclear to me how to configure a ULA and send it to my internal devices.  I'm assuming it's via RA+SLAAC, but given that I want my devices to also have valid IPv6 addresses from my ISP (GUAs), I don't think I should change the IPv6 configuration of the LAN interface, correct?

I believe the same configuration for ULA+GUA will apply for the IPv6 he.net tunnel w.r.t. keeping valid IPv6 addresses from my ISP + offering alternative IPv6 addresses that will only be used internally, but I may be wrong.
#6
Very interesting discussion, thank you, folks!

So it seems like it should be possible to use a ULA for Adguard and still have it work in my internal network.

Out of curiosity, in the thread I linked earlier I saw mentions about actually using an IPv6 he.net tunnel and assigning static GUAs to internal machines.  I have a tunnel configured here, but I'm not sure I completely understand how I would go about making the machines assign these IPs?  Just RA + SLAAC?
#7
Huh, I hadn't thought of that.  Thank you for the reply.

However, after a bit of research I found this thread:

https://forum.opnsense.org/index.php?topic=33902.0

which seems to indicate that ULAs are broken and won't work on a dual-stack environment, which is my case.  Could you confirm whether this is applicable, please?
#8
Hello,

My ISP provides me with a /56 dynamic prefix delegation.  Although the addresses don't change very often, they do change sometimes.

I know this topic has probably been covered in many threads, but I couldn't find a consolidated answer to it, so allow me to ask: how do I go about configuring static IPv6 internal addresses given that my assigned PD is dynamic?

My specific use case is having an AdGuard Home instance running in my home network and wanting to force all IPv6 DNS requests to be redirected to it.  I guess I could also use a proxy to translate the requests to IPv4, but if I could set up fixed IPv6 addresses it would be great.

My current IPv6 setup uses the "Track Interface" feature on each LAN I have available.  I also have the "Allow manual adjustment of DHCPv6 and Router Advertisements" checkbox ticked, although I'm not enabling DHCPv6 on any of my LAN interfaces.  As for RAs, I have "Assisted" mode enabled and "Do not send any DNS configuration to clients" checked (at least while I can't properly configure AdGuard with a static IPv6).

Any help is appreciated.  Thanks!