Messages

31

General Discussion / Re: Strange behavior with IPv6 on PPPoE [was: DynDNS for IPv6 not working]

« on: April 23, 2019, 08:28:50 pm »

As I already mentioned this is not only related to SLAAC, even configuring a static IPv6 incorrectly assigns that address to the parent interface.

However, this problem does no persist permanently because registration the IPv6 address of the pppoe interface currently works fine.

Any ideas?

32

19.1 Legacy Series / Re: How to disable IPv6

« on: April 10, 2019, 10:02:02 pm »

It is not possible to prevent reception of IPv6 packets. The only solution is to filter and ignore such packets sent by your ISP.

- set IPv6 configuration to none on WAN interfaces
- filter IPv6 traffic in the firewall (Firewall -> Settings -> Advanced -> Allow IPv6)

33

General Discussion / Re: Strange behavior with IPv6 on PPPoE [was: DynDNS for IPv6 not working]

« on: April 10, 2019, 09:35:35 pm »

A friend has the following cascade "ix0" -> "ix0_vlan7" -> "pppoe0" and has tested to assign a static IPv6 to the interface "pppoe0".

Again, on his opnsense installation the IPv6 address is also assigned to the parent interface of "pppoe0" which is "ix0_vlan7".

34

General Discussion / Re: DynDNS for IPv6 not working.

« on: April 09, 2019, 09:00:04 pm »

Maybe the issue does not rely in the DynDNS plugin because I saw some more strange behavior regarding IPv6. As already mentioned the ethernet interface "ix0" is parent of the virtual ppp interface "pppoe0".

• SLAAC is working fine for pppoe0 (uses the offered prefix by my ISP via PPP configuration)
• Switching from SLAAC to Static IPv6 on "pppoe0" shows strange behavior
• The static IPv6 is assigned to "ix0" instead of "pppoe0" (checked with ifconfig)
• Console overview after SSH login show that the static IPv6 is assigned to "ix0" and "pppoe0" 
• Using DHCPv6 is not working at all, no DHCPv6 request packets seen on wire
• rtsold is watching on "ix0": Is that correct?

Maybe opnsense has problems to distinguish "pppoe0" from "ix0"?

Any ideas or hints?

35

General Discussion / Re: DynDNS for IPv6 not working

« on: April 06, 2019, 09:01:21 am »

I have created a bug report in github: https://github.com/opnsense/plugins/issues/1296

36

General Discussion / Re: DynDNS for IPv6 not working

« on: April 03, 2019, 08:48:45 pm »

Do you mean "privacy extensions" with "secure IPv6" addressing? I tested first without privacy extensions and afterwards with, no difference.

But I did a test with ifconfig on the console. I removed all public IPv6 addresses from interface "pppoe0" and added one of the previously assigned public IPv6 addresses to the ethernet interface "ix0" (parent interface of "pppoe0"). Afterwards, I forced a DynDNS update for the "Custom v6" profile, which successfully registered the public IPv6 address of "ix0"

This shows that the DynDNS client tries to extract the publich IPv6 from the wrong interface (parent interface of "pppoe0" instead of "pppoe0" itself).

Additionally: Adding a second alias to "ix0" (and in a second try an additional link local address) showed that the first non link local address is extracted and used for DynDNS registration.


Edit:
With "Use IPv4 connectivity" I understand, that the IPv6 configuration is done over IPv4 or PPP-config. Maybe there is a misunderstanding. "saw no difference in network communication" means that IPv6-SLAAC is still done via IPv6 multicast.

37

General Discussion / Re: DynDNS for IPv6 not working

« on: April 03, 2019, 08:20:04 pm »

My configuration:

Interface PPP (PPPoE) on top of ix0 (Ethernet):


Block private networks:yes
Block bogon networks: yes
IPv4 Configuration Type: PPPoE
IPv6 Configuration Type: SLAAC
Use IPv4 connectivity: no


I have also tested the option "Use IPv4 connectivity: yes" but saw no difference in network communication (wireshark)

38

General Discussion / Re: DynDNS for IPv6 not working

« on: April 03, 2019, 07:35:06 pm »

I use plugin version 1.13 (under Opnsense 19.1.4). So, the fix is already in place.

39

General Discussion / Re: IPv6 privacy extensions for WAN interface

« on: April 02, 2019, 10:38:18 pm »

I have to do some further checks like lifetime of the temporary address and regeneration in case of prefix change.

Edit:
But we should keep possible problems (as franco mentioned) in mind (e.g. establishing IPsec connections which needs some more testing)

40

General Discussion / Re: IPv6 privacy extensions for WAN interface

« on: April 02, 2019, 09:54:17 pm »

I have enabled the following two options:

• net.inet6.ip6.use_tempaddr
• net.inet6.ip6.prefer_tempaddr

Now, the pppoe interface gets an additional temporary address when using SLAAC. Basic tests shows that this address is used for Internet communication via opnsense's proxy.

We should consider that this kind of addresses should not be used for DynDNS registrations because the binding gets invalid in case the temporary address changes.

Edit:
The temporary address is not shown in the GUI (possibly a bug?) but is shown with ifconfig. You can also verify using websites like http://ipv6-test.com/ or https://www.whatismyip.com/

41

General Discussion / Re: DynDNS for IPv6 not working

« on: April 02, 2019, 09:43:51 pm »

PPPoE (pppoe0) interface is a virtual one on top of ethernet (ix0)

The DynDNS configuration "Custom v6" tries to gather the ipv6 address from the ix0 interface instead of pppoe0 if I understand the logfiles correctly.

Has anybody successfully running DynDNS with "Custom v6" profile?

42

General Discussion / Re: DHCP on WAN with public IP via RFC1918?

« on: April 02, 2019, 06:21:52 pm »

It is not a usual setup because it can conflict with private networks using the same shared address space. But, I had the same situation years ago with telefonica backend for my DSL.

43

General Discussion / Re: IPv6 privacy extensions for WAN interface

« on: March 29, 2019, 08:04:33 pm »

I also did some research and figured out that FreeBSD supports privacy extensions which can be controlled by syscontrols

• net.inet6.ip6.use_tempaddr
• net.inet6.ip6.prefer_tempaddr

I'll test this the next days. Adjusting the syscontrols is already included in opnsense's system tunables (System -> Settings -> Tunables).

44

General Discussion / Re: IPv6 privacy extensions for WAN interface

« on: March 28, 2019, 06:13:11 pm »

I know that /64 is a single subnet. Because my internal network is still IPv4 only, I do not need to request a delegation prefix. Thus, the subnet offered by my ISP is correct.

Related to privacy extensions clients are responsible to randomize their host id. But, please consider the opnsense machine also as a client due to its services (proxy, ntpd etc.). So, the firewall should also randomize its own IPv6 address when using SLAAC.

Clients in my LAN (IPv4) use the proxy to access IPv6 ressources in the Internet.

45

General Discussion / Strange behavior with IPv6 on PPPoE [was: DynDNS for IPv6 not working]

« on: March 27, 2019, 07:39:30 pm »

Hello,

I have problems to register the IPv6 address of the firewalls WAN interface to my DynDNS operator. I got the following results:

• Registering the IPv4 address using the built-in DynDNS client (Custom) works fine
• Registering the IPv6 address using the built-in DynDNS client (Custom v6) fails
• Triggering the IPv6 registration URL via command line using curl works fine

A packet capture shows that the DynDNS client does not communicate with the server, but the log file shows the following error message, even though the WAN interface has a public IPv6 address assigned:

opnsense: /services_dyndns_edit.php: Dynamic DNS (<hostname>) There was an error trying to determine the public IP for interface - wan(ix0). Probably interface is not a WAN interface.

Update URL: https://update.spdyn.de/nic/update?hostname=xxxx&myip=%IP%&user=xxxx&pass=yyyy

Does anybody has similar problems?