Messages - macklij

16
23.7 Legacy Series / Re: DNS Priority, IPv4, IPv6
« on: November 18, 2023, 04:07:15 pm »
Quote from: Maurice on November 18, 2023, 03:56:28 pm
In dual-stack networks, there's not a lot the router / firewall can do to enforce one protocol over the other. That's up to the clients. Windows e.g. is known to prefer DNS servers assigned via DHCP over those assigned via RAs. You could enable the DHCPv6 server in stateless mode to work around this specific issue.
Cheers
Maurice
Thanks Maurice, especially for 'Windows e.g. is known to prefer DNS servers assigned via DHCP over those assigned via RAs.' That's what I suspected (as per last sentence of my previous post).

I'm intrigued about what my old Draytek was doing. I know I didn't have DHCPv6 enabled but was pretty sure that Windows reported DNS server addresses with IPv6 at the top of the list.  Perhaps I'm mistaken. I'll check in a week or two when I take OPNsense offline to add an extra NIC.

17
23.7 Legacy Series / Re: DNS Priority, IPv4, IPv6
« on: November 18, 2023, 03:41:45 pm »
Quote from: CJ on November 18, 2023, 03:12:56 pm
DNS doesn't really have a priority.  Generally all of the servers will be hit and the first returned result will be used.  Additionally, DNS servers aren't limited to returning the same IP version.

I don't have IPv6 on my network except for WAN to get IPv6 DNS servers as well as the IPv4 ones, so I can't really answer SLAAC vs DHCP6.

What do you get when you do an nslookup?  You should see both IPv4 and IPv6 results.

Thanks :)

Yes, it's all working fine from that perspective - essentially it's the same DNS server with both IPv4 and IPv6 addresses.  It doesn't matter which address, v4 or v6, I query from, I get both IPv6 and IPv4 address results.

I am just intrigued. By default, both Windows and Mac OSs prefer IPv6 to IPv4, so why aren't they defaulting to the IPv6 address of a DNS server to do a lookup? I would expect nslookup google.com to return something like:
Code:
C:\>nslookup google.com
Server:  OPNsense.local
Address:  2a02:xxxx:xxxx:xxxx:xxxx:3d3:f56b:6d75  <<<AN IPv6 ADDRESS HERE

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4009:80b::200e
          216.58.212.238

rather than:
Code:
C:\>nslookup google.com
Server:  OPNsense.local
Address:  192.168.1.1  <<<RATHER THAN THE IPv4 ADDRESS HERE

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4009:80b::200e
          216.58.212.238

I know that turning off Interfaces>WAN 'Allow manual adjustment of DHCPv6 and Router Advertisements' turns on the OPNsense DHCPv6 service and the priority of DNS servers then changes to:
Code:
DNS Servers . . . . . . . . . . . . .: 2a02:xxxx:xxxx:xxxx:xxxx:fcff:fe10:6d75 
                                       192.168.0.1
                                       1.1.1.1
Then, a default nslookup is via an IPv6 address rather than IPv4. (I don't want to use DHCPv6 because SLAAC allows Windows IPv6 Privacy extensions to work nicely.)

It's not a big deal but, as said above, modern OSs are meant to prioritise IPv6 over IPv4. I don't know if OPN is able to achieve this IPv6 priority using DHCPv4 and router advertising for IPv6, or whether it's something that Windows and Mac do, prioritising DHCPv4 over IPv6 info from SLAAC.

18
23.7 Legacy Series / DNS Priority, IPv4, IPv6
« on: November 18, 2023, 02:57:09 pm »
I'm enjoying OPNsense and getting to grips with IPv6 on my network.

Background
In summary my setup is very simple: OPNsense on a little PC (https://www.aliexpress.us/item/3256805846674072.html - I really like it!), a couple of switches around the house, a UniFi Cloud Key 2 (no DHCP on this - it's all on the OPNsense) with a couple of UniFi access points.

The OPNsense setup is pretty basic. A WAN with both DHCP and DHCPv6 clients connecting to the ISP (Community Fibre London 1Gb symmetric), from which I get a CGNAT IPv4 address and a /56 IPv6.  On the LAN side I run a DHCPv4 service and let SLAAC do IPv6 addressing.

Question 1
In Windows clients on a wired LAN, I get DNS servers showing as follows using ipconfig /all:
Code:
DNS Servers . . . . . . . . . . . . .: 192.168.0.1
                                       1.1.1.1
                                       2a02:xxxx:xxxx:xxxx:xxxx:fcff:fe10:6d75

That's all good (IPv4 DNS server addresses are as set in DHCP service, nothing set in Router Advertisement, so using system settings).  My question is, how do I get the IPv6 DNS server address to have priority? Currently, if I do an nslookup it defaults to 192.168.0.1 as the DNS server.

Question 2:
On Wi-Fi, Windows clients don't show the IPv6 DNS server address in ipconfig /all (they do get IPv6 static and temp addresses and gateway):
Code:
DNS Servers . . . . . . . . . . . . .: 192.168.0.1
                                       1.1.1.1

However, netsh interface ipv6 show dnsservers does show that Windows is getting the correct info from RA:
Code:
Configuration for interface "Wi-Fi"
    DNS servers configured through DHCP:  2a02:xxxx:xxxx:xxxx:xxxx:fcff:fe10:6d75
    Register with which suffix:           Primary only

So what's going on?

Even more curious:

On a couple of iPhones, in Settings>Wi-Fi>'network name'>Info>Configure DNS, all the DNS Servers are shown with the IPv6 DNS address last (just like Windows LAN). But after about 10 minutes following Wi-Fi being turned 'Off and On', the IPv6 DNS server address disappears.

On MacOS on Wi-Fi, it behaves just like Windows on LAN: i.e. two IPv4 addresses followed by IPv6.

--------------------------------------

I figure the IPv6 info on the clients is just buggy (but I haven't ruled out UniFi as the issue either), but would be interested in people's thoughts.

From a strictly OPN perspective, I would ideally like the IPv6 DNS server address to be the highest priority. Is that something that OPNsense can do without enabling DHCPv6?

Thanks in advance :)

19
23.7 Legacy Series / Re: IPv6 on LAN, SLAAC - no temporary addresses
« on: November 17, 2023, 07:24:24 pm »
@meyergru
@Maurice

Thanks for the explanations. I am beginning to get my head around IPv6.  Probably enough to be a danger to myself.  :D

20
23.7 Legacy Series / Re: IPv6 on LAN, SLAAC - no temporary addresses
« on: November 17, 2023, 03:48:48 pm »
From this I take it Meyergru gets a /64 from his ISP? Otherwise wouldn't rely on the LAN GUA?

21
23.7 Legacy Series / Re: IPv6 on LAN, SLAAC - no temporary addresses
« on: November 17, 2023, 03:21:58 pm »
Good point.  Thanks

Can the LAN GUA also be used as a source address for OPNsense things like DNS queries, downloading updates, NTP and so on? I didn't see any issues before I turned off 'Request only an IPv6 prefix', but I didn't test updates etc.

22
23.7 Legacy Series / Re: IPv6 on LAN, SLAAC - no temporary addresses
« on: November 17, 2023, 01:48:53 pm »
Thanks again Maurice

Good point - especially for a VPN. I would soon realise that when I come to set one up!  I'll do it now, so I don't forget.

23
23.7 Legacy Series / Re: IPv6 on LAN, SLAAC - no temporary addresses
« on: November 17, 2023, 01:11:48 pm »
Thanks Maurice

Yes, it is a basic config - it just didn't feel it at the time! :)

In reality, this was all down to me reading in multiple places that my ISP delegates a /64 which turned out to be untrue (most likely they have changed it over time). Being new to OPN I didn't think about Interfaces: Overview. WAN. Yes, it's /56.

 <<The WAN address is unrelated to the delegated prefix.>>
That is useful to know.  I have actually checked the WAN interface 'Request only an IPv6 prefix' again. I figure the WAN interface doesn't need a global address, and is potentially more secure without one. Please correct me if I'm wrong.

Overall, I am really impressed with OPNsense. Having used several Juniper SRX devices at work, I find it lovely to be using a responsive, well thought out web interface (J-Web is a nightmare you quickly ignore in favour of the CLI and configs). I don't have any issue with incorrect configuration resulting in unexpected behaviour - that's true of most platforms!

Thanks again - now the basics are working well, I can move on to VPNs etc.

24
23.7 Legacy Series / Re: IPv6 on LAN, SLAAC - no temporary addresses
« on: November 17, 2023, 12:05:19 pm »
Just to check if I am receiving a /56 subnet from my ISP, rather than a /64, I turned off 'Request only an IPv6 prefix' and 'Send IPv6 prefix hint' on the WAN interface.

My theory was that if the ISP is issuing a /64 things would break - because the WAN interface would get a global rather than link-local address, and there wouldn't be a subnet for the LAN.

Things didn't break. In the dashboard, my WAN interface gets a very different address to the LAN:

WAN: 100.75.x.x (CGNAT)
xxxx:6b68:0:183::7d

LAN:192.168.0.1
xxxx:6b6c:9800:8e00:yyyy:fcff:fe10:6d75

I don't fully understand it yet, but it works, so I am assuming that I get a 56 from my ISP.

Thanks everyone.

PS: Is there any mileage in me writing up a 'how to' for this ISP? And if so where should I put it?

25
23.7 Legacy Series / Re: IPv6 on LAN, SLAAC - no temporary addresses
« on: November 17, 2023, 11:46:40 am »
Quote from: meyergru on November 17, 2023, 11:30:39 am
Yep, that is a problem, it should be /64.

Could you take a look at Interfaces->WAN, "DHCPv6 client configuration" tab "Advanced" and see what you see under "Prefix Interface Site-Level Aggregation Length"? In your specific case, I think it should be 0 instead of 8, because you cannot strip any more bits for an interface prefix from the 64 bits you have.

Thanks. I just switched WAN 'Prefix delegation size' back to 64 bits and checked 'Advanced'. All the settings, including Prefix Interface Site-Level Aggregation Length, are blank. I've set it to 0 and when I checked it's removed all the IP addresses from radvd.conf:

Code:
# Automatically generated, do not edit
# Generated RADVD config for manual assignment on lan
interface bridge0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 200;
    MaxRtrAdvInterval 600;
    AdvLinkMTU 1500;
    AdvDefaultPreference medium;
    DNSSL local {
    };
};

26
23.7 Legacy Series / Re: IPv6 on LAN, SLAAC - no temporary addresses
« on: November 17, 2023, 11:40:50 am »
Quick update:

I was thinking about the /56 subnet in /var/etc/radvd.conf and, just to play, went to Interfaces>WAN and set the 'Prefix delegation size' to 56 (it was 64 because that is what I believe my ISP issues - and what my old Draytek reports).

With the WAN interface set to 56, the subnet in /var/etc/radvd.conf becomes 64 and magically the clients get/generate two IPv6 global addresses and 1 link local, just as I wanted.

So my problem is solved, but I'd love to understand what is going on.  Is it possible my ISP is actually issuing a /56?  And I definitely don't understand why setting a 56 prefix in WAN gives me a /64 in DHCPv6 and radvd.conf.  And vice-versa too - setting a /64 prefix in WAN gives a subnet of 56 in DHCPv6 and radvd.conf.

If someone could enlighten me I'd be really grateful.

Thanks

27
23.7 Legacy Series / Re: IPv6 on LAN, SLAAC - no temporary addresses
« on: November 17, 2023, 11:21:39 am »
So this morning I have turned on 'Allow manual adjustment of DHCPv6 and Router Advertisements' for the LAN (Bridge) interface. I then ensured that Services>DHCPv6>[LANBridge] is not enabled and that Services>Router Advertisements>[LANBridge] Router Advertisements is set to 'Unmanaged'.

What is interesting is that in Services>DHCPv6>[LANBridge] the subnet is 2a02:xxxx:xxxx:8800:: (sounds good?) but the subnet mask says 56 bits (I was expecting this to be 64 bits, because Interfaces>WAN>DHCPv6 client configuration has a prefix delegation size of 64 bits).

This is also reflected in /var/etc/radvd.conf which is:
Code:
# Automatically generated, do not edit
# Generated RADVD config for manual assignment on lan
interface bridge0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 200;
    MaxRtrAdvInterval 600;
    AdvLinkMTU 1500;
    AdvDefaultPreference medium;
    prefix 2a02:xxxx:xxxx:8800::/56 {
        DeprecatePrefix on;
        AdvOnLink on;
        AdvAutonomous on;
    };
    RDNSS 2a02:xxxx:xxxx:8800:5a9c:fcff:fe10:6d75 {
    };
    DNSSL local {
    };
};

I would have expected 'prefix 2a02:xxxx:xxxx:8800::/64' rather than 56.

In this configuration my clients only get a link-local IPv6 address - no public address.

Could the /56 be the issue? And if so, any ideas on how to correct?

Thanks again

28
23.7 Legacy Series / Re: IPv6 on LAN, SLAAC - no temporary addresses
« on: November 16, 2023, 10:24:12 pm »
Thanks for the replies both.

Maurice, yes I tried this as per the link above, so I am assuming I have got something else wrong.

Meyergru, I’ll check and report back. I’m still on the nursery slopes with IPv6 so this is a good learning exercise. It will be interesting to see what address the LAN interface has.  From what I have read the WAN interface should be happy with an fe80 address.

More soon

29
23.7 Legacy Series / IPv6 on LAN, SLAAC - no temporary addresses
« on: November 16, 2023, 04:49:14 pm »
First post - please be gentle :)

Background
My ISP is Community Fibre (London). The IPv4 bit is CGNAT and working, and I believe I only get a /64 IPv6 subnet (neither ideal).

Using my old Draytek router, I am able to use SLAAC without DHCPv6 and my Windows and Mac clients successfully get/generate an IPv6 address and a temporary IPv6 address as well as an fe80 link local. The only issue is that the Draytek can't route IPv6 packets quickly enough - I only get 300Mbs on a 1Gbs connection (it's fine on IPv4 which is hardware accelerated). Hence I built an OPNsense box.

All is good on OPNsense IPv4, and I can make IPv6 work too, but I only get one public IPv6 address per client - no temporary one. DHCPv6 is running and seems to be required for this to happen - if I disable the service there are no IPv6 addresses received via SLAAC. Therefore, I suspect the issue is to do with SLAAC, DHCPv6 and prefixes but I can't work it out.

The Question
I would like to get IPv6 working in the same way as my Draytek, but faster! I.e. Using SLAAC so that Windows and other clients can create two public addresses – one main one and one temporary. Ideally without DHCPv6, but that would be the icing on the cake.

Is this possible?

My setup
I currently have a WAN interface and a single Bridged LAN interface (3 ports working well). With the following settings I get a single working IPv6 address (plus IPv4 of course).

Interfaces>WAN:
Block private networks – checked
Block bogon networks – checked
IPv4 Configuration Type – DHCP
IPv6 Configuration Type – DHCPv6
MAC address – Spoofing the one my ISP likes

DHCPv6 client configuration:
Basic
Request only an IPv6 prefix – checked
Prefix delegation size - 64
Send IPv6 prefix hint – checked

Interfaces>LanBridge
Block private networks – unchecked
Block bogon networks – unchecked
IPv4 Configuration Type – Static IPv4
IPv6 Configuration Type – Track Interface

Track IPv6 Interface:
IPv6 Interface - WAN
IPv6 Prefix ID – 0x0
Manual configuration – unchecked
(I have previously checked this and tried lots of things. Even after disabling it, the router advertisement config isn't always cleared – is that a bug? I end up restoring a backup config)

I have played around with this for hours, so any guidance really appreciated (https://forum.opnsense.org/index.php?topic=27288.msg149991#msg149991 and https://forum.opnsense.org/index.php?topic=36986.0 looked useful, but to no avail)

Thanks in advance.
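An added example, not from the thread or from OPNsense's own code, showing the arithmetic behind the /56 versus /64 confusion in posts 24 to 27 and the 'Prefix delegation size' / 'IPv6 Prefix ID' settings in this post: the Site-Level Aggregation length is the number of subnet bits between the delegated prefix and a /64, the LAN /64 is the delegation with the Prefix ID written into those bits, and a radvd prefix that is not a /64 cannot be used by hosts for SLAAC (RFC 4862 requires a 64-bit interface identifier), which matches the link-local-only symptom seen with the /56 in radvd.conf. The prefixes are constructed documentation values, and how OPNsense itself derives the subnet is not reproduced here.

```python
import ipaddress
import re

# Constructed sample values (RFC 3849 documentation prefix, not the poster's real ISP prefix).
DELEGATED_56 = "2001:db8:0:8800::/56"
DELEGATED_64 = "2001:db8:0:8800::/64"
SAMPLE_RADVD = """interface bridge0 {
    prefix 2001:db8:0:8800::/56 {
        AdvAutonomous on;
    };
};
"""

def sla_length(delegated):
    """Site-Level Aggregation length: subnet bits available between the delegation and a /64."""
    net = ipaddress.IPv6Network(delegated, strict=False)
    if net.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot carry a SLAAC-capable /64")
    return 64 - net.prefixlen

def lan_prefix(delegated, prefix_id):
    """Derive the /64 for a LAN that tracks the WAN delegation with the given Prefix ID."""
    net = ipaddress.IPv6Network(delegated, strict=False)
    bits = sla_length(delegated)
    if prefix_id >= (1 << bits):
        # With a /64 delegation bits == 0, so only Prefix ID 0x0 is valid.
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {bits} subnet bits")
    # The subnet bits sit directly below the delegated prefix, above the 64-bit interface ID.
    base = int(net.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << 64), 64))

def slaac_usable_prefixes(radvd_conf):
    """Return (prefix, usable) for each 'prefix X/N {' line; hosts only autoconfigure from a /64."""
    out = []
    for m in re.finditer(r"^\s*prefix\s+(\S+)\s*\{", radvd_conf, re.M):
        net = ipaddress.IPv6Network(m.group(1), strict=False)
        out.append((str(net), net.prefixlen == 64))
    return out

if __name__ == "__main__":
    print("SLA bits for", DELEGATED_56, "=", sla_length(DELEGATED_56))   # 8 -> 256 LAN subnets
    print("SLA bits for", DELEGATED_64, "=", sla_length(DELEGATED_64))   # 0 -> exactly one LAN
    print("LAN with Prefix ID 0x0:", lan_prefix(DELEGATED_56, 0x0))
    print("LAN with Prefix ID 0x1:", lan_prefix(DELEGATED_56, 0x1))
    for prefix, ok in slaac_usable_prefixes(SAMPLE_RADVD):
        print(prefix, "usable for SLAAC" if ok else "NOT usable for SLAAC (clients stay link-local only)")
```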
