Topics

1

19.1 Legacy Series / Interface link changes IPv6 of other interface

« on: May 20, 2019, 02:10:21 pm »

Hi

I saw a weird issue with opnsense 19.1.8 and IPv6. I have three interfaces (WAN, DMZ, LAN). I request a prefix with DHCPv6 on WAN. On LAN and DMZ I use track interface to configure the dynamic IPv6.

When I plug-in a device at the DMZ interface it gets an IPv6 address with a new prefix. This also changes the currently existing IPv6 address on LAN. This breaks all devices behind that interface as they now have IPv6 addresses based on multiple prefixes configured and opnsense doesn't invalidate the old prefixes.

Config of WAN:
- IPv6 Configuration Type: DHCPv6
- DHCPv6 client configuration
- Configuration Mode: Basic
- Request only an IPv6 prefix: No
- Prefix delegation size: /48
- Send IPv6 prefix hint: Yes
- Directly send SOLICIT: Yes
- Prevent release: No
- Enable debug: Yes
- Use IPv4 connectivity: No

Config of LAN (re1_vlan34) / DMZ (re2)
- IPv6 Configuration Type: Track Interface
- Track IPv6 Interface
- IPv6 Interface: WAN
- IPv6 Prefix ID: 0x34 (LAN), 0x35 (DMZ)
- Manual configuration: No

I'm not sure about the prevent release option. I tried turning that on but after setting it and a reboot I haven't received any prefix at all. (Maybe I have reached the maximum allowed prefixes from the provider).

Is that expected behavior?
Where can I find the dhcp-pd debug logs? -> clog /var/log/system.log | grep dhcp6

Code: [Select]

clog /var/log/system.log | grep -E 're2|re1_vlan34|dhcp6c'
May 18 13:04:14 opnsense kernel: re2: link state changed to DOWN
May 18 13:04:14 opnsense dhcp6c[52690]: restarting
May 18 13:04:15 opnsense dhcp6c[52690]: Sending Solicit
May 18 13:04:16 opnsense dhcp6c[52690]: Sending Request
May 18 13:04:16 opnsense dhcp6c[52690]: Received REPLY for REQUEST
May 18 13:04:16 opnsense dhcp6c[52690]: add an address 2001:DB8:d65c:35:xxxx:xxxx:xxxx:xx6/64 on re2
May 18 13:04:16 opnsense dhcp6c[52690]: add an address 2001:DB8:d65c:34:xxxx:xxxx:xxxx:xx5/64 on re1_vlan34
May 18 13:04:16 opnsense dhcp6c[52690]: add an address 2001:DB8:xxxx:xx::30/128 on re0
May 18 13:04:16 opnsense dhcp6c: dhcp6c REQUEST on re0
May 18 13:04:16 opnsense dhcp6c: dhcp6c REQUEST on re0 - running newipv6
May 18 13:15:27 opnsense kernel: re2: link state changed to UP
May 18 13:15:28 opnsense dhcp6c[52690]: restarting
May 18 13:15:28 opnsense dhcp6c[52690]: Start address release
May 18 13:15:28 opnsense dhcp6c[52690]: Sending Release
May 18 13:15:28 opnsense dhcp6c[52690]: remove an address 2001:DB8:xxxx:xx::30/128 on re0
May 18 13:15:28 opnsense dhcp6c[52690]: Start address release
May 18 13:15:28 opnsense dhcp6c[52690]: Sending Release
May 18 13:15:28 opnsense dhcp6c[52690]: failed to remove an address on re2: Can't assign requested address
May 18 13:15:28 opnsense dhcp6c[52690]: remove an address 2001:DB8:d65c:34:xxxx:xxxx:xxxx:xx5/64 on re1_vlan34
May 18 13:15:28 opnsense dhcp6c[52690]: Received REPLY for RELEASE
May 18 13:15:28 opnsense dhcp6c[52690]: status code: success
May 18 13:15:28 opnsense dhcp6c: dhcp6c RELEASE on re0
May 18 13:15:28 opnsense dhcp6c: dhcp6c RELEASE on re0 - running newipv6
May 18 13:15:29 opnsense opnsense: /usr/local/etc/rc.newwanipv6: Warning! services_radvd_configure(auto) found no suitable IPv6 address on re2
May 18 13:15:29 opnsense opnsense: /usr/local/etc/rc.newwanipv6: Warning! services_radvd_configure(auto) found no suitable IPv6 address on re1_vlan34
May 18 13:15:29 opnsense kernel: re2: link state changed to DOWN
May 18 13:15:30 opnsense opnsense: /usr/local/etc/rc.linkup: Warning! services_radvd_configure(auto) found no suitable IPv6 address on re2
May 18 13:15:30 opnsense opnsense: /usr/local/etc/rc.linkup: Warning! services_radvd_configure(auto) found no suitable IPv6 address on re1_vlan34
May 18 13:15:34 opnsense dhcp6c[52690]: restarting
May 18 13:15:34 opnsense dhcp6c[52690]: Sending Release
May 18 13:15:34 opnsense dhcp6c[52690]: Received REPLY for RELEASE
May 18 13:15:34 opnsense dhcp6c[52690]: status code: success
May 18 13:15:34 opnsense dhcp6c: dhcp6c RELEASE on re0
May 18 13:15:34 opnsense dhcp6c: dhcp6c RELEASE on re0 - running newipv6
May 18 13:15:35 opnsense opnsense: /usr/local/etc/rc.newwanipv6: Warning! services_radvd_configure(auto) found no suitable IPv6 address on re2
May 18 13:15:35 opnsense opnsense: /usr/local/etc/rc.newwanipv6: Warning! services_radvd_configure(auto) found no suitable IPv6 address on re1_vlan34
May 18 13:15:40 opnsense dhcp6c[52690]: Sending Solicit
May 18 13:15:40 opnsense dhcp6c[52690]: XID mismatch
May 18 13:15:41 opnsense dhcp6c[52690]: Sending Request
May 18 13:15:41 opnsense dhcp6c[52690]: Received REPLY for REQUEST
May 18 13:15:41 opnsense dhcp6c[52690]: add an address 2001:DB8:d65d:35:xxxx:xxxx:xxxx:xx6/64 on re2
May 18 13:15:41 opnsense dhcp6c[52690]: add an address 2001:DB8:d65d:34:xxxx:xxxx:xxxx:xx5/64 on re1_vlan34
May 18 13:15:41 opnsense dhcp6c[52690]: add an address 2001:DB8:xxxx:xx::31/128 on re0
May 18 13:15:41 opnsense dhcp6c: dhcp6c REQUEST on re0
May 18 13:15:41 opnsense dhcp6c: dhcp6c REQUEST on re0 - running newipv6


[EDIT]
Added dhcp6c and link status logs and interface names.

2

18.1 Legacy Series / [Solved] IPv6 Track Interface doesn't advertise subnet

« on: February 10, 2018, 12:09:08 am »

Hi

I have an IPv6 connection with DHCPv6-PD from my ISP. IPv6 on WAN is configured with DHCPv6, Prefix delegation size and prefix hint enabled.
LAN is configured with Track Interface WAN and a prefix id.

With that configured, my LAN clients don't receive any prefix information in the router advertisements. After I run

Code: [Select]

/var/etc/rtsold_intX_vlanY_script.shmanually, the clients receive prefix information and IPv6 works.

As a workaround I added the line into a shellscript in

Code: [Select]

/usr/local/etc/rc.syshook.d
I run 18.1.2_2-amd64 on a APU. The issue already was in 15.7: https://forum.opnsense.org/index.php?topic=1950.msg6072#msg6072.

Is there something I can change so I don't need the workaround?

3

16.1 Legacy Series / Hurricane Electric and policy routing

« on: May 20, 2016, 10:24:49 pm »

Hi

I wanted to use a Hurricane Electric IPv6 tunnel for a separate interface. I followed the steps from here https://forum.opnsense.org/index.php?topic=1992.0, but didn't choose the gif interface as default gateway because I already have an IPv6 default gateway.
In the ruleset for the separate interface I chose the GIF interface as gateway for the allow rules.

With tcpdump I can now see the traffic going through the GIF interface and replying traffic comes back. But the replying traffic gets blocked on the gif Interface. In pfstate I can see NO_TRAFFIC:SINGLE as state. It seems that the firewall can't find the already opened stateful connection for the traffic.

Is there a fix for this?

Regards
Marcel

Btw. NPT doesn't work. It just shows this error.

Code: [Select]

/usr/local/etc/rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:60: syntax error - The line in question reads [60]: binat on $HENETV6 from any to prenatprefix::/64 -> postnatprefix::/64

4

16.1 Legacy Series / IPv6 issues (DHCP-PD, Null-Route)

« on: January 02, 2016, 09:23:31 pm »

Hi

I have the following issues with the IPv6 implementation in Opnsense (15.7.23-amd64):

DHCPv6
After a reboot it doesn't ask the providers DHCPv6 server for a prefix delegation, therefore my provider (Init7) doesn't route my static IPv6 /48 range to my box. Manually invoking

Code: [Select]

/var/etc/rtsold_[...].sh fixes this until next reboot.
The issue https://github.com/opnsense/core/issues/47 and post https://forum.opnsense.org/index.php?topic=1533.0 seem related.

Null-Route
Because I have a /48 range and don't use every possible /64 subnet from it, there is a routing loop between my box and the ISP.
I can create a null route for my IPv6 /48 subnet, but it doesn't get applied.
How to reproduce:

• System/Routes/All: Create a route for 2001:1111:1111::/48 to Null6 - ::1
• Check System/Routes/Status - no route for 2001:1111:1111::/48 is visible there

Also a traceroute to this destination shows that the default route will be used. In the routing log only this message is visible:

radvd[73122]: sendmsg: Permission denied

In my opinion opnsense should automatically create a null-route for a received PD with a subnet with less than 64 bits, or at least provide an option for this.