Messages

As upstream routers for testing, I mostly use OPNsense VMs (radvd, ISC DHCPv6 etc.) as well as MikroTik RouterOS VMs (they have free VM images for testing and offer some features which OPNsense doesn't have, like a PPPoE server).

Cheers
Maurice

OPNsense does the partition and file system adjustments automatically, for both UFS and ZFS. You trigger this by creating a "magic file":

• touch /.probe.for.growfs
• Shutdown OPNsense and expand the disk image (qemu-img resize / Resize-VHD / qm resize / ...)
• There is no step 3. When OPNsense boots, the rc script performs its magic.

Cheers
Maurice

@franco If you need a DHCPv6 server which offers this option for testing, you can simply use OPNsense's ISC DHCPv6 server with a custom config:

Code Select Expand

echo "option dhcp6.aftr-name test.aftr.example.com;" > /usr/local/etc/dhcpd6.opnsense.d/aftr.conf
I've done this before and it works just fine.

Cheers
Maurice

@franco Nice! That's just the foundation though, correct? The dhcp6c_script doesn't do anything with this information yet, or does it?

Option 64 is the AFTR FQDN for DS-Lite. OPNsense doesn't support configuring DS-Lite automatically using this option, but dhcp6c should just ignore it - unless it's indeed malformed. I'd perform a packet capture to confirm.

Cheers
Maurice

Since it seems you're not using OPNsense for DNS at all, this is more likely an issue with your DNS servers. While OPNsense advertises the DNS server addresses (using DHCP / RAs), DNS requests are sent from the clients to the DNS servers, not to OPNsense.

Cheers
Maurice

@xpendable

https://github.com/opnsense/hostwatch/issues/13

Then the code in dhcp6c repo wasn't pulled correctly?

Pulled, compiled and installed correctly.

Or are you using the "no release" option, too?

Nope.

But I now made the next step and switched to opnsense-devel (26.1.b_143). ifconfig now shows pltime and vltime for the GUA on the tracking LAN interface. So it seems devel is indeed required for this to work.

Did not apply the multi-dhcp6c patch yet, maybe tomorrow.

Great new radvd features by the way, like PREF64! 👍

Cheers
Maurice

Hey everyone,

Inspired by the recent hostwatch experience, I wanted to start a bit of a meta discussion about the Development / Community / Business versions of OPNsense and when to use which. It was my understanding that Development is for public testing, Community is ready for production (although a bit bleeding edge) and Business is extra stable for critical use cases.

From what I see on GitHub and the forum and from my own experience, hostwatch is still in the development phase. For example, a serious issue was reported a month ago and is still open. Nonetheless, it was now moved to the Community version and enabled by default. This feels like a beta test, which I was under the impression you needed to opt-in for by switching to the Development version.

Not blaming anyone, just interested in your opinions about what level of maturity you (can) expect in which version.

Development = beta, Community = stable, Business = extra stable?
Or Development = alpha, Community = beta, Business = stable?

Personally, I mostly use the Community version and occasionally switch to Development when I really need a feature which has not yet been released.

Cheers
Maurice

No it sounds to me that the dhcp6c service wasn't restarted.

I did reboot.

For the WAN interface, ifconfig only shows the addresses configured on the interface itself (obviously), not the delegated prefix. So no lifetime information for IA_PD there:

Code Select Expand

~ # ifconfig -L vtnet0
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
        description: WAN_GPON (wan)
        options=ec07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS>
        ether 00:15:5d:2a:fe:16
        inet6 fe80::215:5dff:fe2a:fe16%vtnet0 prefixlen 64 scopeid 0x1
        inet6 2001:db8:5812:800::2 prefixlen 128 pltime 209 vltime 239
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
For the tracking LAN interface, ifconfig doesn't show lifetimes:

Code Select Expand

~ # ifconfig -L vtnet2
vtnet2: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN_IPv6 (lan)
        options=ec07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS>
        ether 00:15:5d:2a:fe:02
        inet6 fe80::215:5dff:fe2a:fe02%vtnet2 prefixlen 64 scopeid 0x3
        inet6 fd03:2148:cea2:1::1 prefixlen 64
        inet6 2001:db8:5812:801::1 prefixlen 64
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
What does work is that the GUA gets removed from the tracking LAN interface when the valid lifetime of the prefix delegation expires. It just seems you can't see that lifetime anywhere.

Cheers
Maurice

You can do that, absolutely. I've been using the "tracking loopback interface" workaround for getting dynamic subnets into NPT for quite a while now and it works fine.

Be aware though that for your use case, NPT has limited use. As long as the WireGuard clients also have an IPv4 address, NPT will only be used when they need to access hosts which only have a GUA (no ULA, no IPv4).

Cheers
Maurice

Oh, I probably have to perform 2. (switch to development branch and apply patch) to see the IA_PD lifetime?

you can see configured lifetimes in ifconfig and with -L switch you can see how much is left

On the WAN interface, ifconfig shows the lifetime of the interface address (IA_NA). But where do I see the lifetime of the prefix (IA_PD)? On the tracking LAN interface, ifconfig does not show a lifetime.

NA was setting vltime and pltime correctly

I can confirm this. IA_NA pltime is lower than vltime: inet6 2001:db8:6490:5d00::2 prefixlen 128 pltime 270 vltime 300

from my testing so far dhcp6c renews far more frequently than pltime

From my testing, dhcp6c renews after half of vltime. So as long as pltime > vltime/2, no problem.

The key thing here is that we want to see the ifconfig -L times so we can actually distinguish which prefix was the last one assigned and use that as the primary one for e.g. radvd. Some ISPs renew with a new prefix but having the first one stick around and no way to distinguish because they both do not expire was suboptimal and at some point the old one disappears but there is no renew triggering a radvd reload so then the prefix stops working for clients.

Excellent! This has plagued me a lot and the workarounds I had to implement are nightmare fuel.

I was a bit surprised to find all these related bugs for just trying to do what the standard intended.

Unfortunately, I'm not surprised at all.

Cheers
Maurice

Hey Franco,

Multi-WAN IPv6 user here. :) WAN1 requests address + prefix, WAN2 only requests an address.

I performed 1. and don't see any immediate issues after the reboot.
Can we see the (remaining) lifetime somewhere? It doesn't seem to be reflected in the prefix lifetime advertised by radvd on tracking LAN interfaces.

If there aren't any issues in the next two days or so, I'll go ahead and test 2., too.

Cheers
Maurice

OPNsense 25.7.11 aarch64 packages and sets released. Includes hotfix 25.7.11_1.