IPv6 Prefix Delegation with TWO WAN Interfaces

Started by tabacha, May 01, 2020, 10:35:29 AM

Hardware: PC Engines APU.4D4
Version: OPNsense 20.1.6-amd64

Hi,

I have problems with IPv6 Prefix delegation.

I want to replace my (slow) Linux router with an OPNsense router.

I have two WAN interfaces with two (one for each WAN) fritzbox DSL as primary router.
I know that this is not the best solution. In the future I want to replace the fritzbox with a DSL modem and do NAT on the OPNsense, but as a first step I want to replace the Linux router.

On the old Linux router I have one wide-dhcp6c.conf with the attached config (I shortened it a bit, because there are many more interfaces):

eth0.2 WAN1 get Prefix ia-pd 0
eth0.3 WAN2 get Prefix ia-pd 1

eth0.1 Assign ia-pd 1 sla-id 1
eth0.5 Assign ia-pd 0 sla-id 5
eth0.11 Assign ia-pd 0 sla-id 11 and ia-pd 1 and sla-id 11
eth0.51 Assign ia-pd 0 sla-id 6
eth0.199 Assign ia-pd 1 sla-id 19

This setup works on my Linux router. I have to restart radvd and modify some policy-based routes when the prefix changes, but that's it.

I can connect to the internet via IPv6 on eth0.11 even if WAN1 or WAN2 is down.


Here is a snippet of my interfaces today:

6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 200x:x:f71d:3b00:200:5eff:fe00:202/64 scope global mngtmpaddr dynamic
       valid_lft 7121sec preferred_lft 1147sec
    inet6 fe80::200:5eff:fe00:202/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 200x:x:f708:f800:200:5eff:fe00:203/64 scope global mngtmpaddr dynamic
       valid_lft 6947sec preferred_lft 916sec
    inet6 fe80::200:5eff:fe00:203/64 scope link
       valid_lft forever preferred_lft forever
8: eth0.5@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 200x:x:f71d:3be5:200:5eff:fe00:205/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5eff:fe00:205/64 scope link
       valid_lft forever preferred_lft forever
9: eth0.11@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 200x:x:f71d:3beb:200:5eff:fe00:211/64 scope global
       valid_lft forever preferred_lft forever
    inet6 200x:x:f708:f8eb:200:5eff:fe00:211/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5eff:fe00:211/64 scope link
       valid_lft forever preferred_lft forever



When I configure only one WAN interface for prefix delegation, OPNsense works.

But when I configure both interfaces

See Screenshots: WAN-Interface-Config.png (both WAN-Interfaces are configured the same)

Name: WANAbbiUte igb3
Name: WAN_Svelke igb1

LAN1-Config.png igb2_vlan12
LAN2-Config.png igb0_vlan12

I rebooted the system, to make sure everything is like it is configured.


1. I cannot assign two different prefixes to one LAN interface.
2. I get errors and prefix delegation is not working at all.


less +F /var/log/system.log
I see:
May  1 10:02:51 OPNsense kernel: pflog0: promiscuous mode disabled
May  1 10:02:51 OPNsense kernel: pflog0: promiscuous mode enabled
May  1 10:02:51 OPNsense opnsense: plugins_configure vpn (,opt3)
May  1 10:02:51 OPNsense opnsense: plugins_configure vpn (execute task : ipsec_configure_do(,opt3))
May  1 10:02:51 OPNsense opnsense: plugins_configure vpn (execute task : openvpn_configure_do(,opt3))
May  1 10:02:51 OPNsense opnsense: plugins_configure newwanip (,opt3)
May  1 10:02:51 OPNsense opnsense: plugins_configure newwanip (execute task : dyndns_configure_do(,opt3))
May  1 10:02:51 OPNsense opnsense: plugins_configure newwanip (execute task : ntpd_configure_defer())
May  1 10:02:51 OPNsense opnsense: plugins_configure newwanip (execute task : opendns_configure_do())
May  1 10:02:51 OPNsense opnsense: plugins_configure newwanip (execute task : openssh_configure_do(,opt3))
May  1 10:02:51 OPNsense opnsense: plugins_configure newwanip (execute task : unbound_configure_do(,opt3))
May  1 10:02:51 OPNsense opnsense: plugins_configure newwanip (execute task : vxlan_configure_interface())
May  1 10:02:51 OPNsense opnsense: plugins_configure newwanip (execute task : webgui_configure_do(,opt3))
May  1 10:02:58 OPNsense kernel: OK
May  1 10:02:59 OPNsense kernel: SHA256 QS6FxG1uM3v/uzL5sUNlZvXHMUgQIiscKJZ+iPuVJLw (ECDSA)
May  1 10:03:03 OPNsense dhcp6c[75732]: Sending Solicit
May  1 10:03:03 OPNsense dhcp6c[33283]: unexpected interface (2)
May  1 10:03:34 OPNsense dhcp6c[75732]: Sending Solicit
May  1 10:03:34 OPNsense dhcp6c[33283]: unexpected interface (2)
May  1 10:04:37 OPNsense dhcp6c[75732]: Sending Solicit
May  1 10:04:37 OPNsense dhcp6c[33283]: unexpected interface (2)
May  1 10:06:29 OPNsense dhcp6c[75732]: Sending Solicit
May  1 10:06:29 OPNsense dhcp6c[33283]: unexpected interface (2)
May  1 10:08:33 OPNsense dhcp6c[75732]: Sending Solicit
May  1 10:08:33 OPNsense dhcp6c[33283]: unexpected interface (2)
May  1 10:10:24 OPNsense dhcp6c[75732]: Sending Solicit
May  1 10:10:24 OPNsense dhcp6c[33283]: unexpected interface (2)
Waiting for data... (interrupt to abort)



Here are some diagnostics I have done:

root@OPNsense:~ # ps aux |grep dhcp6c
root    33283   0.0  0.1 1057796  2820  -  Ss   10:02    0:00.01 /usr/local/sbin/dhcp6c -D -c /var/etc/dhcp6c_opt3.conf -p /var/run/dhcp6c_igb3.pid igb3
root    75732   0.0  0.1 1057796  2824  -  Ss   10:02    0:00.02 /usr/local/sbin/dhcp6c -D -c /var/etc/dhcp6c_opt1.conf -p /var/run/dhcp6c_igb1.pid igb1
root    48110   0.0  0.1 1058012  2816  0  S+   10:06    0:00.01 grep dhcp6c
root@OPNsense:~ # cat /var/etc/dhcp6c_opt3.conf
interface igb3 {
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_opt3_script.sh"; # we'd like some nameservers please
};
id-assoc pd 0 {
  prefix ::/63 infinity;
  prefix-interface igb2_vlan12 {
    sla-id 1;
    sla-len 1;
  };
};
root@OPNsense:~ # cat /var/etc/dhcp6c_opt1.conf
interface igb1 {
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_opt1_script.sh"; # we'd like some nameservers please
};
id-assoc pd 0 {
  prefix ::/63 infinity;
  prefix-interface igb0_vlan12 {
    sla-id 0;
    sla-len 1;
  };
};
root@OPNsense:~ # /sbin/ifconfig
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 00:0d:b9:55:63:08
        hwaddr 00:0d:b9:55:63:08
        inet6 fe80::20d:b9ff:fe55:6308%igb0 prefixlen 64 scopeid 0x1
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 00:0d:b9:55:63:09
        hwaddr 00:0d:b9:55:63:09
        inet6 fe80::20d:b9ff:fe55:6309%igb1 prefixlen 64 scopeid 0x2
        inet6 200x:x:f71d:3b00:20d:b9ff:fe55:6309 prefixlen 64 autoconf
        inet 192.168.2.15 netmask 0xffffff00 broadcast 192.168.2.255
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 00:0d:b9:55:63:0a
        hwaddr 00:0d:b9:55:63:0a
        inet6 fe80::20d:b9ff:fe55:630a%igb2 prefixlen 64 scopeid 0x3
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether 00:0d:b9:55:63:0b
        hwaddr 00:0d:b9:55:63:0b
        inet6 fe80::20d:b9ff:fe55:630b%igb3 prefixlen 64 scopeid 0x4
        inet6 200x:x:f708:f800:20d:b9ff:fe55:630b prefixlen 64 autoconf
        inet 192.168.3.44 netmask 0xffffff00 broadcast 192.168.3.255
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
enc0: flags=0<> metric 0 mtu 1536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: enc
pflog0: flags=100<PROMISC> metric 0 mtu 33160
        groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
        groups: pfsync
        syncpeer: 0.0.0.0 maxupd: 128 defer: off
igb2_vlan12: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0d:b9:55:63:0a
        inet6 fe80::20d:b9ff:fe55:630a%igb2_vlan12 prefixlen 64 scopeid 0x9
        inet6 200x:x:f708:f8df:20d:b9ff:fe55:630a prefixlen 64
        inet 192.168.12.1 netmask 0xffffff00 broadcast 192.168.12.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 12 vlanpcp: 0 parent interface: igb2
        groups: vlan
igb0_vlan12: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0d:b9:55:63:08
        inet6 fe80::20d:b9ff:fe55:6308%igb0_vlan12 prefixlen 64 scopeid 0xa
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 12 vlanpcp: 0 parent interface: igb0
        groups: vlan


I have replaced some parts of IPv6 addresses by x for privacy.

Any help would be appreciated. Please be kind with me, it is my first post and I am a BSD / OPNsense newbie.

Sven

I have killed both dhcp6c processes on command line and started a new one:


/usr/local/sbin/dhcp6c -D -c /var/etc/dhcp6c_many.conf -p /var/run/dhcp6c_many.pid igb1 igb3



interface igb3 {
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_opt3_script.sh"; # we'd like some nameservers please
};
id-assoc pd 0 {
  prefix ::/63 infinity;
  prefix-interface igb2_vlan12 {
    sla-id 1;
    sla-len 1;
  };
};
interface igb1 {
  send ia-pd 1; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_opt1_script.sh"; # we'd like some nameservers please
};
id-assoc pd 1 {
  prefix ::/63 infinity;
  prefix-interface igb0_vlan12 {
    sla-id 0;
    sla-len 1;
  };
};


Now IPv6 addresses will be assigned to the LAN Interfaces. I did not test routing at the moment.
Is there a way to make this setup permanent?
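
Both generated files above use IA_PD ID 0, while the hand-merged file gives each WAN its own ID. The following is an added example, not part of the original post and not OPNsense code, that detects the shared ID and performs the same renumbering; the function names are hypothetical and the sample configs are constructed from the files shown above.

```python
import re
from collections import Counter
# Matches "send ia-pd N" and "id-assoc pd N"; group 2 is the IA_PD ID.
IA_REF = re.compile(r"\b((?:send\s+ia-pd|id-assoc\s+pd)\s+)(\d+)")

def sample(wan, opt, lan, sla_id):
    """Constructed copy of a generated per-interface file as shown in the post."""
    return f"""interface {wan} {{
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_{opt}_script.sh";
}};
id-assoc pd 0 {{
  prefix ::/63 infinity;
  prefix-interface {lan} {{
    sla-id {sla_id};
    sla-len 1;
  }};
}};
"""

CONFS = {"dhcp6c_opt3.conf": sample("igb3", "opt3", "igb2_vlan12", 1),
         "dhcp6c_opt1.conf": sample("igb1", "opt1", "igb0_vlan12", 0)}

def ia_pd_ids(conf):
    """IA_PD IDs that a config text sends or declares."""
    return {int(m.group(2)) for m in IA_REF.finditer(conf)}

def colliding_ids(confs):
    """IDs that appear in more than one config file."""
    counts = Counter(i for text in confs.values() for i in ia_pd_ids(text))
    return {i for i, n in counts.items() if n > 1}

def merge(confs):
    """Concatenate the files, renumbering so every IA_PD ID is unique."""
    parts, next_id = [], 0
    for text in confs.values():
        mapping = {}
        for old in sorted(ia_pd_ids(text)):
            mapping[old] = next_id
            next_id += 1
        parts.append(IA_REF.sub(
            lambda m: m.group(1) + str(mapping[int(m.group(2))]), text))
    return "".join(parts)

if __name__ == "__main__":
    print("shared IA_PD IDs:", sorted(colliding_ids(CONFS)))
    print(merge(CONFS))
```
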

IPv6 multi WAN support is still work in progress, so if you're switching from a manually configured Linux router you will hit some bumps in the road. There is an open pull request for dhcp6c multi WAN support: https://github.com/opnsense/core/pull/3934

OPNsense is all about the Web GUI. Making manual changes to configuration files persistent is difficult because they get routinely recreated on restarts and configuration changes.

So, if you have the time and skills, the best option is to participate on GitHub. The good thing about OPNsense is that the core developers are quite open to community contributions.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

At the moment it is possible to create two WAN interfaces with prefix delegation in the GUI, but then prefix delegation will not work. That's not good. I would suggest to disable that or print a warning?

The pull request looks old, and no one merged it in February. Is there a chance to speed up a merge? Has OPNsense a bug bounty program where I can spend some money for a pizza and a drink?

Best Regards

Sven

Dual IPv6 via DHCP is slowly coming into fashion. You see, the system once had issues with DHCP from multiple IPv4 sources. It has similar issues now, which simply need to be fixed when enough people have the use case to be able to confirm it works fine.

We might be in luck for 20.7 when Martin's work progresses as planned.


Cheers,
Franco

Hi,
that sounds good. I already follow the GitHub pull requests and am looking forward to being one of the first to test this.

May the code be with you

Sven


Hi Sven,

Multi WAN dhcp6c is ready for testing and Martin posted instructions here:
https://forum.opnsense.org/index.php?topic=9661.msg78179#msg78179

I'm sure feedback would be very appreciated.

Cheers

Maurice

For patch related issues it may be more practical to wait for 20.1.7 and then just switch to development release type for testing the additions as a whole.


Cheers,
Franco