Messages - erpomik

#1
Hello bimbar

Thank you very much for your suggestions and sorry for not getting back before. It seems I do not get notifications on updates to this post.

The "Agent Information" only affects whether option 18 is added to the relay forward packet or not.

According to the key log, I have been able to get Client Classification to work by using a test like this: "substring(relay6[-1].option[18].hex,0,9) == 0x766C616E302E313530"

However, I still haven't figured out how to make the subnet selection part work, as I get a "Server could not select subnet for this client" error from Kea.

I'll get back as soon as I have new updates on this.

Best regards
Ernst Mikkelsen

#2
The subject on this post might be a little bit misleading, as I see it.

We recently migrated most of our branch offices from Cisco ASA to OPNsense (DEC3800 and DEC4200 series). Since the migration, we have struggled with managed IPv6 using ISC DHCP server. The reason for this is that the OPNsense software puts the link-local address into the link-address field in the relay-forward packet. Cisco and apparently also pfSense, however, put the globally scoped unicast address of the receiving interface into the link-address field. This is what both himpie and I are struggling with.

According to RFC 8415 section 19.1.1, it is always recommended that the relay agent put the GUA/ULA address of the receiving interface into the link-address field of the relay-forward packet, so that the DHCP server can easily do subnet selection.

There seems to be an alternative to this, if the relay agent adds option 18 (interface-id) to the relay-forward packet. OPNsense does that, but we didn't manage to get this to work with ISC DHCP server, which EOL'ed in 2022. Then we were very happy to see that, according to the documentation, the ISC Kea DHCP server should be able to do subnet selection using the interface-id information from the relay-forward packet. Unfortunately, we haven't managed to get this to work either.

So it seems we are left with two options here:

  • We could file a feature request for OPNsense.
  • We could start a support subscription for Kea at ISC and ask them for suggestions.

If anyone reading this has experience with OPNsense / Kea and is willing to share excerpts from a kea-dhcp6.conf with working subnet selection using the interface-id field, I would be very grateful.

Best regards
Ernst Mikkelsen
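
The two relay-forward fields discussed in these posts, as an added example that is not part of the original posts and is not OPNsense or Kea code: a small parser for the RFC 8415 Relay-forward header that reports whether the link-address identifies a subnet and what option 18 carries. The packets are constructed samples; the interface-id bytes are the hex value quoted in post #1 (it decodes to `vlan0.150`), while the addresses `fe80::1`, `fe80::1234`, `2001:db8:150::1` and the name `link_address_usable` are assumptions made for the illustration.

```python
import ipaddress
import struct

RELAY_FORW, OPT_RELAY_MSG, OPT_INTERFACE_ID = 12, 9, 18  # RFC 8415 codes

def parse_relay_forward(pkt: bytes) -> dict:
    """Parse the fixed header and top-level options of a Relay-forward."""
    if len(pkt) < 34 or pkt[0] != RELAY_FORW:
        raise ValueError("not a complete Relay-forward message")
    info = {
        "hop_count": pkt[1],
        "link_address": ipaddress.IPv6Address(pkt[2:18]),
        "peer_address": ipaddress.IPv6Address(pkt[18:34]),
        "options": {},
    }
    off = 34
    while off < len(pkt):
        if off + 4 > len(pkt):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", pkt, off)
        off += 4
        if off + length > len(pkt):
            raise ValueError(f"option {code} overruns packet")
        info["options"][code] = pkt[off:off + length]
        off += length
    return info

def subnet_selection_hints(info: dict) -> dict:
    """What a server can use to pick a subnet for this relayed client."""
    link = info["link_address"]
    return {
        # A link-local or unspecified link-address does not name a subnet.
        "link_address_usable": not (link.is_link_local or link.is_unspecified),
        "interface_id": info["options"].get(OPT_INTERFACE_ID),
    }

def build_sample(link_address: str, interface_id: bytes) -> bytes:
    """Constructed Relay-forward wrapping a minimal Solicit (sample data)."""
    inner = b"\x01\x00\x00\x01"  # Solicit, transaction id 0x000001, no options
    return (bytes([RELAY_FORW, 0])
            + ipaddress.IPv6Address(link_address).packed
            + ipaddress.IPv6Address("fe80::1234").packed  # constructed peer
            + struct.pack("!HH", OPT_INTERFACE_ID, len(interface_id)) + interface_id
            + struct.pack("!HH", OPT_RELAY_MSG, len(inner)) + inner)

# Interface-id bytes from the hex string in post #1: 0x766C616E302E313530
IFACE = bytes.fromhex("766C616E302E313530")
LINK_LOCAL_RELAY = build_sample("fe80::1", IFACE)   # link-local link-address case
GUA_RELAY = build_sample("2001:db8:150::1", IFACE)  # constructed documentation prefix
```

Running `subnet_selection_hints(parse_relay_forward(...))` on a captured relay-forward payload shows at a glance whether the server has only option 18 to go on.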