Messages - Javier®

#1
I'm surprised; it uses OPNsense behind CGNAT double NAT, I don't understand.
#2
Hi everyone, I don't know how Dnsmasq works; configuring pltime is not the same as configuring RDNSS.
In OPNsense, Dnsmasq can be used in conjunction with radvd and used explicitly.

interface vlan123 {
  RDNSS 2001:db8:cafe:beef::1 {
    AdvRDNSSLifetime 604800;
  };
};

The problem is that on many devices, when the RDNSS lifetime is not configured, the IPv6 DNS disappears, and with an IPv4 and IPv6 connection the device will only have IPv4 DNS.
It is also recommended to configure the preferred and valid lifetimes on the interface to avoid disconnections.

interface igc1 {
  prefix 2a01:xxxx:xxxx:xxxx::/64 {
    preferred lifetime 86400
    valid lifetime 108000
  }
}

dns {
  lifetime 604800
  nameserver {
    2a01:xxxx:xxxx:xxxx::1
  }
  search {
    home.arpa
  }
}

#3
I don't know if it can be changed; can it be done manually?

Recursive DNS Server (RDNSS) lifetime in Router Advertisements (RAs) is automatically managed based on the shortest lifetime of the preferred address on the interface. While RDNSS support adheres to RFC 8106, Dnsmasq does not provide a direct configuration option to set an explicit RDNSS lifetime value.
#4
Can't AdvRDNSSLifetime be configured in Dnsmasq on OPNsense?
#5
This happens to me with iPhones. The default Lifetime configuration in rad.conf is enabled. When the iPhone has been in sleep mode for 40 minutes and then wakes up, it's disconnected from the Wi-Fi network.

The lifetime must be set to a value at least 3 times the value of MaxRtrAdvInterval (which is defined in RFC 4861 as a maximum of 1800 seconds). There is no maximum value defined in the RFC for an RDNSS lifetime. Therefore, for those who care, as long as we set our RDNSS lifetime to more than 5400 seconds, we can guarantee that we are within the specifications of RFC 8106.
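A small checker, added here as an example (not the poster's code and not part of OPNsense, radvd or Dnsmasq), that reads a radvd.conf-style block and flags every RDNSS entry whose AdvRDNSSLifetime is missing (the case from #2 where clients drop their IPv6 DNS) or below 3 × MaxRtrAdvInterval (the RFC 8106 floor from #5). The sample config is constructed and the brace parser is a minimal hypothetical helper, not radvd's own parser.

```python
import re

RADVD_MAX_RTR_ADV_INTERVAL_DEFAULT = 600   # radvd.conf(5) default, seconds
RFC8106_LIFETIME_FACTOR = 3                # RFC 8106 5.1: Lifetime >= 3 * MaxRtrAdvInterval

# Constructed sample, not the forum poster's config: vlan123 sets an explicit
# lifetime; vlan124 leaves AdvRDNSSLifetime unset, the case that loses IPv6 DNS.
SAMPLE = """
interface vlan123 {
  MaxRtrAdvInterval 600;
  RDNSS 2001:db8:cafe:beef::1 {
    AdvRDNSSLifetime 604800;
  };
};
interface vlan124 {
  MaxRtrAdvInterval 1800;
  RDNSS 2001:db8:cafe:beef::1 {
  };
};
"""

def _blocks(text, keyword):
    """Yield (header, body) for every 'keyword header { ... }' block, matching nested braces."""
    for m in re.finditer(r'\b%s\s+([^{;]+?)\s*\{' % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def _seconds(body, key, default=None):
    """Value of 'key N;' in body; 'infinity' maps to inf; missing key -> default."""
    m = re.search(r'\b%s\s+(\d+|infinity)\s*;' % key, body)
    if not m:
        return default
    return float('inf') if m.group(1) == 'infinity' else int(m.group(1))

def check_rdnss(text):
    """Return {iface: [(servers, lifetime, required_minimum, ok), ...]}."""
    report = {}
    for iface, body in _blocks(text, 'interface'):
        minimum = RFC8106_LIFETIME_FACTOR * _seconds(
            body, 'MaxRtrAdvInterval', RADVD_MAX_RTR_ADV_INTERVAL_DEFAULT)
        rows = []
        for servers, rbody in _blocks(body, 'RDNSS'):
            lifetime = _seconds(rbody, 'AdvRDNSSLifetime')   # None when not configured
            ok = lifetime is not None and lifetime >= minimum
            rows.append((servers, lifetime, minimum, ok))
        report[iface] = rows
    return report

if __name__ == '__main__':
    for iface, rows in check_rdnss(SAMPLE).items():
        for servers, lifetime, minimum, ok in rows:
            print(f"{iface}: RDNSS {servers} lifetime={lifetime} min={minimum} {'OK' if ok else 'FIX'}")
```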
#6
Hi everyone, I'm not sure if this will help with disconnections on Android devices, but it also happens with iOS devices. A post mentioned that the solution to the disconnections was to extend the lifetime.

Extend the default RDNSS advertisement lifetime to work around RDNSS expiry bug on macOS / iOS

https://blog.infected.systems/posts/2024-12-18-working-around-macos-and-ios-rdnss-expiry-bug/
#7
My ISP delegates a dynamic /56 prefix, and it hasn't changed since I started using OpenBSD with dhcp6leased.
#8
One of the biggest problems with IPv6 is ISPs; in theory, they should assign a fixed prefix.
The only thing I've noticed with this configuration is that IPv4 DNS is used more. But the faster of the two still works, and it does depend a lot on the client.
NAT in IPv6 isn't from ULA to global, it's global to global, I think.
Forgive me if I've been overly enthusiastic.
Thank you OPNenthu
#9
Well, the problem is that the connection is now IPv4 and IPv6. For me, managing the local network with ULA is easier, just like with IPv4, and offers greater control. If only IPv4 or IPv6 existed, we wouldn't have this problem.
It's easier to reach a host the way it's always been done with IPv4.
Having each customer with only one LLA address and two ULA addresses is cleaner.

Stateless Address Autoconfiguration (SLAAC, SOII)
macOS and OpenBSD use Temporary and Semantically Opaque Interface Identifiers by default. Ubuntu Linux uses stable addresses for wired links, and temporary for wireless interfaces. FreeBSD and Alpine Linux use EUI-64.
Complicated :)
#10
When using a pool with a prefix, each local client accessing the internet is assigned an address within the pool, each client has a different address. I don't know if you understand the concept.

match out on egress inet6 from (igc1:network:2) to any nat-to 2a01:xxxx:xxxx:xxxx::/64 source-hash 0x1ab50493a660a20f6dbcbe662ee9fd

ftp -o - -V -M https://myipv6.addr.tools/
2a01:xxxx:xxxx:xxxx:f277:1996:89b8:81ce
#11
Thanks to you. It's just an idea, it involves using IPv6 like IPv4. It works well.
Such a configuration does not prioritize IPv4 over IPv6; IPv6 connections are used when a server supports them. This is normal.

#12
Hi everyone, I think this is a good way to use IPv6. I use OpenBSD with this configuration; it's very configurable.
If the prefix changes, it's easy to fix.
I don't know if OPNsense can configure something like that.

https://eradman.com/posts/ipv6-strategy.html#:~:text=Use%20rad(8)%20to%20distribute%20the%20stable%20addresses,egress%20inet6%20from%20fd00:51::/64%20nat%2Dto%202603:7081:5506:d885::/64%20source%2Dhash.
#13
The problem is that if you use the local interface in Unbound, the GUA local interface listens on port 53.
I don't have a GUA on WAN; my local GUA is exposed.
#14
Hi, the equivalent is GUA; make sure that in Unbound the interface allows lo0 and lan.

interface: lo0
interface: igc1
private-address: 2a01:xxxx:xxxx:xxxx::/64
access-control: 2a01:xxxx:xxxx:xxxx::/64 allow

redirect for lo0
pass in quick on $lan inet6 proto { udp tcp } from any to any port domain rdr-to lo0 port domain

The problem is that when you configure your local interface, it becomes exposed to the internet.

block in quick on $wan inet6 proto { udp tcp } from any to ($lan) port domain

You can configure the LLA address as the DNS for clients.
access-control: fe80::/10 allow
#15
26.1 Series / Re: MiniUPNPD
January 27, 2026, 08:23:14 PM
Hi, static NAT ports for UDP are a godsend for real-time protocols. Anyone who has troubleshot WebRTC knows this: they're worth their weight in gold. They cost nothing, except to acknowledge that port "randomization" in UDP is not a security feature.

pass out quick on igc0 inet proto udp from igc1:network nat-to (igc0) static-port
pass out on igc0 inet from igc1:network nat-to (igc0)