Messages - SerErris

#1
Tested again - does not work here. I do not get any DNS name as soon as I do not enter any range, regardless of what RA mode I have - RA stateless or any other mode. Never getting a DNS entry from DHCPv6.

But anyhow - does not matter, my problem is solved.

Regarding the things that would make different modes impossible to use. I do understand that point. However the documentation should really talk about this. By now too much information is just things you actually need to know. This is not good for any product. A little bit broader description in the manual to describe all the different modes and which setting is meant to do what would be great. Esp. as a lot of technologies work quite differently in IPv6 than in IPv4 and transferring knowledge from IPv4 to IPv6 does not work very well, as I figured out by myself :-(
#2
General Discussion / Re: Bug in DHCPv6 in 25.1.1?
February 20, 2025, 02:07:00 PM
That is the whole point of this thread. Yes it should work and it just does not. I have set up RA with stateless and DHCPv6 with no range and DNS Server entry. And the DNS server entry will only be propagated via RA, but not via DHCPv6. This still also might be a Windows issue, as in - if you do not get a lease, then the whole DHCPv6 response will get thrown away.

So the only way to achieve a DNS server entry from DHCPv6 to clients is to actually set it up as assisted, which then really needs ranges.

And that also works then in the full scenario and achieves what I wanted to achieve. (Problem was that I did get a new DNS entry every time the pppoe connection was reset/rebooted. And I wanted to just permanently define the link local interface of OPNsense as DNS server for IPv6).
#3
Yes Windows does support RDNSS as shown in the screenshot of the reddit post.

However it will never use it as long as it has a DNS server entry from DHCP. That is what I wrote. And again - yes I am aware that this is not a real issue on Windows as I anyhow have dual stack and even in single stack this would now work flawlessly (tested and works).

However to make a fully universal solution you actually should set up both and that includes a stateful DHCPv6 (assisted) with range AND DNS server.

This is what I have set up now and it works as expected.

Thanks for all the work you put into it and the answers provided. Was really helpful to get myself sorted on this (still new) topic.
#4
General Discussion / Re: Bug in DHCPv6 in 25.1.1?
February 20, 2025, 01:38:58 PM
I do not want leases ... I do want DNS record to be provided. Is that supposed to work with no range, yes or no?
#5
Hi,

I have set up my pppoe connection for telekom and it works in all aspects.

However trying to troubleshoot another issue I recognized I cannot ping link local addresses on LAN, as I would expect:

If I try

root@firewall:/var/log/dhcpd # ping6 fe80::be24:11ff:febb:b7fc
PING(56=40+8+8 bytes) fe80::6662:66ff:fe21:b957%pppoe0 --> fe80::be24:11ff:febb:b7fc
^C
--- fe80::be24:11ff:febb:b7fc ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

The firewall tries to route the traffic via the pppoe link to the internet gateway - probably default route.

However any fe80 traffic (other than the gateway) should be routed to LAN and not to WAN.

if I specify the interface it works:
root@firewall:/var/log/dhcpd # ping6 fe80::be24:11ff:febb:b7fc%igc0
PING(56=40+8+8 bytes) fe80::6662:66ff:fe21:b957%igc0 --> fe80::be24:11ff:febb:b7fc%igc0
16 bytes from fe80::be24:11ff:febb:b7fc%igc0, icmp_seq=0 hlim=64 time=0.338 ms
16 bytes from fe80::be24:11ff:febb:b7fc%igc0, icmp_seq=1 hlim=64 time=0.206 ms
16 bytes from fe80::be24:11ff:febb:b7fc%igc0, icmp_seq=2 hlim=64 time=0.247 ms
16 bytes from fe80::be24:11ff:febb:b7fc%igc0, icmp_seq=3 hlim=64 time=0.231 ms
16 bytes from fe80::be24:11ff:febb:b7fc%igc0, icmp_seq=4 hlim=64 time=0.409 ms
16 bytes from fe80::be24:11ff:febb:b7fc%igc0, icmp_seq=5 hlim=64 time=0.428 ms
16 bytes from fe80::be24:11ff:febb:b7fc%igc0, icmp_seq=6 hlim=64 time=0.270 ms
16 bytes from fe80::be24:11ff:febb:b7fc%igc0, icmp_seq=7 hlim=64 time=0.238 ms
16 bytes from fe80::be24:11ff:febb:b7fc%igc0, icmp_seq=8 hlim=64 time=0.263 ms

I am still new to IPv6 and have more questions than answers, but should the automatic setup with all of that not automatically route any FE80 addresses to LAN instead of at all sending it out of the WAN interface?

root@firewall:/var/log/dhcpd # route -6 show fe80::be24:11ff:febb:b7fc
   route to: fe80::be24:11ff:febb:b7fc
destination: default
       mask: default
    gateway: fe80::c203:80ff:fe67:8d43%pppoe0
        fib: 0
  interface: pppoe0
      flags: <UP,GATEWAY,DONE>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1492         1         0


Do I hunt a ghost? Or is there anything I missed?

Please see attached the overview. The default route for fe80 network points to the WAN interface (pppoe) and not to the LAN interface.

Also what I observed is that the pppoe interface got the physical MAC address of the LAN interface igc0 ... the WAN interface is igc1 and I would have guessed, that the pppoe interface is actually using another one?

So question is? How do I actually get the default route for FE80 to point to LAN? And why is this not the case by default?

Or is this because Telekom is so great to assign a link local address to its gateway and we are communicating over the exact same network externally and internally?

With my knowledge from IPv4 that would be totally confused and not working.
#6
General Discussion / Re: Bug in DHCPv6 in 25.1.1?
February 20, 2025, 12:31:47 PM
Looking at the official documentation for DHCP, this is the official wording:
Quote
Using DHCPv6
When IPv6 addresses should be provisioned over DHCPv6 the Services ‣ ISC DHCPv6 ‣ [Interface] is the place to look at. Like in the IPv4 scenario, you can provide a range here, offer settings like default DNS servers and create static assignments based on the clients unique DHCP identifier (DUID).

So that is where it says "you can provide a range" not "you must provide a range". So either documentation is wrong or this is not working as expected.
#7
Quote from: meyergru on February 19, 2025, 04:16:31 PM
@SerErris: If you specify "Stateless", the only reason to specify DHCPv6 ranges is a syntactic one - DHCPv6 does not work without it, albeit the addresses are in fact assigned via SLAAC.

I understand that Windows prefers DHCPv4-provided DNS servers over RA-provided ones, yet: both usually point to the same DNS server and - either way - can provide DNS answers for both IPv4 and IPv6. And if you are on IPv6-only, you do not have a conflicting IPv4 DNS server, either.

So why use DHCPv6 in this scenario? I can follow that if your clients cannot handle DNS via RA (RDNSS option), then you would have to use DHCPv6 (again, with IPv6 only). That is not the case for Windows, though and personally, I have never met such clients (more often, old clients do not speak IPv6 at all).

I still think that "Unmanaged" mode is the easiest way to go.

As long as you use unmanaged the IPv6 DHCP will never be used at all for anything in Windows. That is just the fact. It might not be important for the reasons you outlined.

However I do want to get IPv6 DNS propagated as link local, so that it does NOT change. And nothing I do will ever change that correctly. And yes as soon as you do configure DHCPv6, you need to enter a valid range. No range will just still disable the DHCPv6 - or maybe it just does not answer any requests, because of whatever reason.

So my setup will get both worlds the exact same thing. To manage everything correctly you actually need DHCPv6 to deliver a DNS server entry for IPv6 and this is actually where I got stuck, because I was not aware of the range issue.

Now with range in place it does exactly what I want.

#8
The proof is in the configuration.

If I do not enter a range it simply does not work. If you tell me Linux commands for any dhcp-client to verify that, it should not even work on Linux. But I do not know how to just ask a dhcp server and print the information to console vs. using it to actually set an interface.

RA is just disabled to check the DHCPv6 setting ... it does not make any difference if I do enable it or not. As long as DHCPv6 is not sending out DNS server, Windows will ignore everything from RA for name resolution and use DNS server from DHCPv4. That is a Windows problem and I agree that RA should be configured as well (actually both).

But again you can test DHCPv6 on your own. Whatever you enter into DNS server - without anything in Range - DHCPv6 will just not work and I mean at all.

I disabled IPv4 on the Windows Server completely and RA, and I got exactly nothing from the DHCP Server, which I should get.

All in all I think we do have a bug in DHCPv6, that it actually does need a range if you do manual configuration and it just does not check it. The consistent behaviour however should be to apply the default if you do not enter anything, which would be the full available range. That is exactly what DHCPv6 does if you do not manually configure the whole IPv6 part.

However the problem is, you cannot instruct the DHCP Server then to use the link local address, and every time the IPv6 prefix changes the Windows machines will not be able to resolve any name any longer.
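The question raised in this post, how to ask a DHCPv6 server for its DNS setting and just print it without taking a lease, corresponds to the DHCPv6 Information-Request exchange of RFC 8415. The following is an added example, not part of the original post or of OPNsense: it builds that request and parses a Reply for the DNS Recursive Name Server option (23), using the client DUID and link-local DNS address from the ipconfig output on this page; the transaction ID, server DUID and reply bytes are constructed, and `query()` assumes it may bind UDP port 546 (root, no other DHCPv6 client running).

```python
import ipaddress
import socket
import struct

# Message types and option codes from RFC 8415 (DHCPv6) and RFC 3646 (DNS options).
MSG_REPLY, MSG_INFORMATION_REQUEST = 7, 11
OPT_CLIENTID, OPT_SERVERID, OPT_ORO, OPT_ELAPSED_TIME, OPT_DNS_SERVERS = 1, 2, 6, 8, 23


def option(code, payload):
    """Encode one DHCPv6 option: 16-bit code, 16-bit length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload


def build_information_request(duid, xid):
    """Information-Request: asks for configuration only, carries no IA_NA (no lease)."""
    return (bytes([MSG_INFORMATION_REQUEST]) + xid
            + option(OPT_CLIENTID, duid)
            + option(OPT_ORO, struct.pack("!H", OPT_DNS_SERVERS))
            + option(OPT_ELAPSED_TIME, struct.pack("!H", 0)))


def parse_options(data):
    """Split the option area into {code: [payload, ...]}, rejecting truncated input."""
    opts, pos = {}, 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, pos)
        pos += 4
        if pos + length > len(data):
            raise ValueError("option %d overruns packet" % code)
        opts.setdefault(code, []).append(data[pos:pos + length])
        pos += length
    return opts


def dns_servers_from_reply(packet, xid, duid):
    """Return DNS server addresses from a Reply matching our transaction and DUID."""
    if len(packet) < 4 or packet[0] != MSG_REPLY or packet[1:4] != xid:
        raise ValueError("not a DHCPv6 Reply to our transaction")
    opts = parse_options(packet[4:])
    if opts.get(OPT_CLIENTID) != [duid]:
        raise ValueError("Reply is addressed to a different client DUID")
    servers = []
    for raw in opts.get(OPT_DNS_SERVERS, []):
        if len(raw) % 16:
            raise ValueError("DNS option length is not a multiple of 16")
        servers += [str(ipaddress.IPv6Address(raw[i:i + 16]))
                    for i in range(0, len(raw), 16)]
    return servers


def query(ifname, duid, xid, timeout=3.0):
    """Multicast the request to ff02::1:2 (all DHCP servers/relays) on one link."""
    ifindex = socket.if_nametoindex(ifname)
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("::", 546))
        s.sendto(build_information_request(duid, xid), ("ff02::1:2", 547, 0, ifindex))
        packet, _ = s.recvfrom(4096)
    return dns_servers_from_reply(packet, xid, duid)


# Client DUID as shown in the ipconfig output on this page; the rest is constructed.
DUID = bytes.fromhex("0001000128c2f161d8bbc1365e48")
XID = b"\x12\x34\x56"
SAMPLE_REPLY = (bytes([MSG_REPLY]) + XID
                + option(OPT_CLIENTID, DUID)
                + option(OPT_SERVERID, bytes.fromhex("00030001020000000001"))
                + option(OPT_DNS_SERVERS,
                         ipaddress.IPv6Address("fe80::6662:66ff:fe21:b957").packed))

if __name__ == "__main__":
    print(dns_servers_from_reply(SAMPLE_REPLY, XID, DUID))
```

On a live link, `query("igc0", DUID, XID)` raises `socket.timeout` when no server answers, which separates "server silent" from "server answered without option 23" (an empty list).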
#9
General Discussion / Re: Bug in DHCPv6 in 25.1.1?
February 20, 2025, 12:15:54 PM
It does not really make any difference to RA mode settings. DHCPv6 only works at all if you have a Range entered. As soon as no range is entered, it does not work at all.

I tried with RA modes disabled, stateless and assisted, which all should work with DHCPv6 and do different things for SLAAC but that is not relevant to this part here.

So shouldn't there be an error message if I enable DHCPv6 and enter no range? This should not be possible, because the result is in any configuration that you do not get anything delivered from DHCPv6. Only RA is giving out information.

The reason I discovered that was this thread:
https://forum.opnsense.org/index.php?topic=45868.0

So I had issues with DNS settings on a Windows client with IPv6. I then followed advice from meyergru and used this howto:
https://forum.opnsense.org/index.php?topic=45822.0

And this finally led to finding out, that DHCPv6 server does not work at all if you do not enter a range (valid of course). So I am still not sure if that is something very obvious, or if it is something the GUI should capture and error out on save if you enable DHCPv6 AND do not enter a range.

For me it would be logical if it would be handled like any other field, that if you do not enter a range the default is applied (in this case like if you do not use manual override it would use the full available range). However it does not in this case. So if this field is mandatory, there should be error checking on it.
#10
General Discussion / Bug in DHCPv6 in 25.1.1?
February 19, 2025, 02:08:19 PM
Hi,

I am not sure if we have a bug in DHCPv6 or if that is intended.

If you do not enter a range in DHCPv6 and enable it, it will save the configuration and display in OPNsense GUI, however the DHCPv6 server will not work.

You can test it by entering a manual DNS entry and then save it. Save will work correctly, but it will never get delivered to DHCPv6 client. And if you disable RA at the same time, then you will not get any IPv6 information on your client.

Tested on Windows:
DHCPv6 no Range + manual DNS server entry and enable, RA disabled.

This is how the interface looks like after reset and configuration as above:
Ethernet adapter Ethernet 4:

   Connection-specific DNS Suffix  . : home.local
   Link-local IPv6 Address . . . . . : fe80::c786:8cfd:d5e1:1dbf%6
   IPv4 Address. . . . . . . . . . . : 192.168.0.179
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

And this is if you setup a Range in DHCPv6:
Ethernet adapter Ethernet 4:

   Connection-specific DNS Suffix  . : home.local
   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
   Physical Address. . . . . . . . . : D8-BB-C1-36-5E-49
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2003:xxxx:xxxx:xxxx::e8a7:6ece(Preferred)
   Lease Obtained. . . . . . . . . . : Mittwoch, 19. Februar 2025 14:07:16
   Lease Expires . . . . . . . . . . : Mittwoch, 19. Februar 2025 16:07:16
   Link-local IPv6 Address . . . . . : fe80::c786:8cfd:d5e1:1dbf%6(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.179(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Mittwoch, 19. Februar 2025 14:05:39
   Lease Expires . . . . . . . . . . : Mittwoch, 19. Februar 2025 16:05:39
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 131644353
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-C2-F1-61-D8-BB-C1-36-5E-48
   DNS Servers . . . . . . . . . . . : fe80::6662:66ff:fe21:b957%6
                                       192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       lab.local

So the second output is how it is supposed to be with no range entered?

This is either a bug, or not described correctly. I would assume you should be able to leave it blank (and get full size range automatically) or you should get an error message if it is not possible to leave blank.

#11
Not sure where my last post vanished..

So for me it works as described but there is some caveat with it.

1. Now I do not get a DHCPv6 address reported (which is somehow wanted). Windows 11 prefers the DHCP provided DNS records over RA provided and therefore will forever use IPv4 DNS. If you disable IPv4 it still works, as then the IPv6 address provided by RA is getting used.

However I wanted to define the link local IPv6 address and get it used by Windows (just because I can). So even the above clearly works in any dual stack, because you actually would not need any IPv6 DNS server at all, I wanted to figure out how this could work.

So the problem is clearly on the client side of Windows preferring DHCP DNS entries over RA entries.

This is how it looks like if I manually configure the link local address in RA on Windows end:
Ethernet adapter Ethernet 4:

  Connection-specific DNS Suffix  . : home.local
  Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
  Physical Address. . . . . . . . . : D8-BB-C1-36-5E-49
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  IPv6 Address. . . . . . . . . . . : 2003:xx:xxx:xxxx:xxxx:xxxx:e8a7:6ece(Preferred)
  Lease Obtained. . . . . . . . . . : Mittwoch, 19. Februar 2025 13:32:44
  Lease Expires . . . . . . . . . . : Mittwoch, 19. Februar 2025 15:32:44
  IPv6 Address. . . . . . . . . . . : 2003:xx:xxx:xxxx:xxxx:xxxx:20ec:3554(Preferred)
  Temporary IPv6 Address. . . . . . : 2003:xx:xxx:xxxx:xxxx:xxxx:fdfb:315f(Preferred)
  Link-local IPv6 Address . . . . . : fe80::c786:8cfd:d5e1:1dbf%6(Preferred)
  IPv4 Address. . . . . . . . . . . : 192.168.0.179(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : Mittwoch, 19. Februar 2025 13:17:46
  Lease Expires . . . . . . . . . . : Mittwoch, 19. Februar 2025 15:13:20
  Default Gateway . . . . . . . . . : fe80::6662:66ff:fe21:b957%6
                                      192.168.0.1
  DHCP Server . . . . . . . . . . . : 192.168.0.1
  DHCPv6 IAID . . . . . . . . . . . : 131644353
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-C2-F1-61-D8-BB-C1-36-5E-48
  DNS Servers . . . . . . . . . . . : 192.168.0.1
                                      fe80::6662:66ff:fe21:b957%6
  NetBIOS over Tcpip. . . . . . . . : Enabled
  Connection-specific DNS Suffix Search List :
                                      lab.local

So we can see the first DNS server entry is the IPv4 address. And there is nothing advertised by the DHCPv6.

Now I changed RA to Stateless and also ticked "Do not send any DNS configuration to clients".
I also enabled DHCPv6 and entered my link local address into the DNS server field.

Result was not as expected:
Ethernet adapter Ethernet 4:

  Connection-specific DNS Suffix  . : home.local
  Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
  Physical Address. . . . . . . . . : D8-BB-C1-36-5E-49
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  IPv6 Address. . . . . . . . . . . : 2003:xx:xxx:xxxx:xxxx:xxxx:e8a7:6ece(Preferred)
  Lease Obtained. . . . . . . . . . : Mittwoch, 19. Februar 2025 13:32:44
  Lease Expires . . . . . . . . . . : Mittwoch, 19. Februar 2025 15:32:44
  IPv6 Address. . . . . . . . . . . : 2003:xx:xxx:xxxx:xxxx:xxxx:20ec:3554(Preferred)
  Temporary IPv6 Address. . . . . . : 2003:xx:xxx:xxxx:xxxx:xxxx:fdfb:315f(Preferred)
  Link-local IPv6 Address . . . . . : fe80::c786:8cfd:d5e1:1dbf%6(Preferred)
  IPv4 Address. . . . . . . . . . . : 192.168.0.179(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : Mittwoch, 19. Februar 2025 13:17:46
  Lease Expires . . . . . . . . . . : Mittwoch, 19. Februar 2025 15:13:20
  Default Gateway . . . . . . . . . : fe80::6662:66ff:fe21:b957%6
                                      192.168.0.1
  DHCP Server . . . . . . . . . . . : 192.168.0.1
  DHCPv6 IAID . . . . . . . . . . . : 131644353
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-C2-F1-61-D8-BB-C1-36-5E-48
  DNS Servers . . . . . . . . . . . : 192.168.0.1
  NetBIOS over Tcpip. . . . . . . . : Enabled
  Connection-specific DNS Suffix Search List :
                                      lab.local

Now I did not even have any entry left. So I was left scratching my head and did not understand it.

Then I found this post:
https://forum.opnsense.org/index.php?topic=26864.msg156802#msg156802

There was a hint, that you actually do need to enter a range, otherwise DHCPv6 will simply not work.

So I did:
You cannot view this attachment.

Saved it and now that is actually what I wanted to achieve.
Obviously you can also assign the full range (::0:0:0:0 - ::ffff:ffff:ffff:ffff).

The result is this:
Ethernet adapter Ethernet 4:

  Connection-specific DNS Suffix  . : home.local
  Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
  Physical Address. . . . . . . . . : D8-BB-C1-36-5E-49
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  IPv6 Address. . . . . . . . . . . : 2003:xx:xxx:xxxx::e8a7:6ece(Preferred)
  Lease Obtained. . . . . . . . . . : Mittwoch, 19. Februar 2025 13:32:44
  Lease Expires . . . . . . . . . . : Mittwoch, 19. Februar 2025 15:32:43
  IPv6 Address. . . . . . . . . . . : 2003:xx:xxx:xxxx:9bdd:a6fb:20ec:3554(Preferred)
  Temporary IPv6 Address. . . . . . : 2003:xx:xxx:xxxx:3d90:5292:fdfb:315f(Preferred)
  Link-local IPv6 Address . . . . . : fe80::c786:8cfd:d5e1:1dbf%6(Preferred)
  IPv4 Address. . . . . . . . . . . : 192.168.0.179(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : Mittwoch, 19. Februar 2025 13:17:46
  Lease Expires . . . . . . . . . . : Mittwoch, 19. Februar 2025 15:13:20
  Default Gateway . . . . . . . . . : fe80::6662:66ff:fe21:b957%6
                                      192.168.0.1
  DHCP Server . . . . . . . . . . . : 192.168.0.1
  DHCPv6 IAID . . . . . . . . . . . : 131644353
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-C2-F1-61-D8-BB-C1-36-5E-48
  DNS Servers . . . . . . . . . . . : fe80::6662:66ff:fe21:b957%6
                                      192.168.0.1
  NetBIOS over Tcpip. . . . . . . . : Enabled
  Connection-specific DNS Suffix Search List :
                                      lab.local

So the first change is as expected that I got an address from the range
    IPv6 Address. . . . . . . . . . . : 2003:xx:xxx:xxxx::e8a7:6ece(Preferred)

Second, I do now see the DNS server and also in preferred order and that DNS server will be correct whatever Prefix I will get from my provider.

C:\Users\chris>nslookup tinuviel
Server:  firewall.home.local
Address:  fe80::6662:66ff:fe21:b957

Name:    tinuviel.home.local
Address:  192.168.0.179

So I personally think that this is the best setup as it combines advantages of both using RA and DHCPv6 for the reasons mentioned in the howto in the first page.

Thanks again @meyergru for bringing all this together.

BTW:
My example is for Deutsche Telekom consumer fibre with Telekom Modem (not DSL Router). The OPNsense is directly connected to the fibre modem using VLAN7 and PPPoE configuration.

#12
Thanks @meyergru for the howto. Will work through it. I think that should also go into the official documentation (there are other documents as yours in there already).

Let me try it, maybe I have some feedback and I let you know if that works for me.
#13
Okay I need to learn a lot about IPv6. Nothing works how I would assume it works.

So actually the Router Advertisements daemon should handle that advertisement I am looking for - but the documentation does not state where to find it.

In the documentation here https://docs.opnsense.org/manual/radvd.html it suggests that it is configurable under Services like DHCP. However there is no entry for Router Advertisement.

I think I need some more help.

Let's start over. What exactly do I need to configure to get permanent IP addresses assigned to my local network, so that DHCPv6 will always work? I read in another thread that setting up ULA, but that is the next topic I do not understand at all where to do it and how to do it in OPNsense. And from the documentation it reads that this is for static ip addresses only ... and of course I do not have a static address.
#14
So I tried to troubleshoot it a little bit more.

So yes, my ISP assigns a new IP/56 range each time I connect. This is telekom private customer connection, so I do not get a fixed IP address/prefix.

This is a fibre line from Deutsche Telekom with PPPOE connection, with a dedicated VLAN (7). And the setup works so far so good.

I followed the IPv6 setup guide here:
https://docs.opnsense.org/manual/how-tos/ipv6_dsl.html

Please see attached my screenshots, how I did set this up.

So yes the problem is, the ISP assigns a new IPv6 range every time I reboot or redial PPPOE. And then Windows does not recognize that it needs to re-ask for a new IPv6 configuration via DHCP. So it will ask the old DHCP server which has a different prefix and which obviously does not work any more.

I now learned that ipconfig /renew6 will actually renew the ipv6 configuration (tried a lot of time ipconfig /renew, which did nothing).

So is there any way I can prevent that happening? For instance put in a manual DHCPv6 configuration that uses the link local IP for the DNSv6 resolution? Something like FE80::something?

Because my default gateway is anyhow fe80::6662:66ff:fe21:b957%6 ... I do have other IPv6 addresses assigned with public routable addresses ... However with my configuration and no explicit DHCPv6 server configuration the dhcpv6 server delivers the public 2003:fb:XX:XXXX:6662:66ff:fe21:b957. Of course that is exactly what changes every time and if DNS would point to fe80::6662:66ff:fe21:b957 instead, that should better work? But still the local IPv6 would be still wrong as the old prefix is not valid any longer.

So any Telekom customer here with a private contract (vs commercial) that got a good solution around it, that I can replicate?

#15
Okay, thanks will check this. However if we would run into a CPU issue I would expect a kernel panic message at least. Also I do not really understand what the difference is if it is installed on the fly or persistent.