ipv6: Interface Identifier equal on LAN and WAN

Started by bringha, August 19, 2022, 10:54:59 AM

Hi all,

A while ago I changed my config and use a Draytek Vigor 167 directly connected to my opnsense. My provider is Deutsche Telekom and I have a SuperVectoring connection. I configured a pppoe interface on vlan7 on WAN. Moreover, I created another interface on WAN called Modem to access the Vigor if needed. I get an ipv6 prefix from my supplier and the sense builds the corresponding ipv6 interface identifier (IID) out of the MAC addresses for the full ipv6 address. I have my LAN assigned to igb0 (MAC address Xc:XX:XX:XX:21:ce) and my WAN assigned to igb1 (MAC address Xc:XX:XX:XX:21:cf). So far all is fine and running.

However when looking into the dashboard and the interface overview, it is since then obvious that my LAN and WAN interface have an identical IID. Both IIDs are derived from the LAN MAC address. As a consequence, LAN and WAN have:

  • the same link local address: fe80:XeXX:efff:XXXX:21ce
  • the same IID for the public ipv6 address: 2003:<prefix_WAN>:XeXX:efff:XXXX:21ce resp 2003:<prefix_LAN>:XeXX:efff:XXXX:21ce

This looks weird to me. Is there an intention for this ipv6 address building logic? If not, is there a need to get this corrected, and if so, I am wondering whether something could be wrong in my config? Is opnsense supporting privacy extensions for ipv6 meanwhile?

Looking forward to your reply.

Br br

PPPoE creates a virtual interface which doesn't have a MAC address, so it borrows the MAC address of the first physical interface to create its interface identifier. I don't use PPPoE, but have observed the same behaviour with other virtual interfaces.

Technically, there is nothing wrong with multiple interfaces having the same identifier. The address will always be unique because of different prefixes (GUA / ULA) or different scope (link-local). If it really bothers you, just swap the interface assignment (WAN = igb0, LAN = igb1).

Enabling privacy extensions should be possible by setting these tunables:

net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
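
Added example, not part of the original posts and not OPNsense code: how a modified EUI-64 interface identifier is derived from a MAC address, why the same identifier under different prefixes still gives distinct addresses, and how to check whether an address exposes a MAC (which temporary addresses avoid). The MAC, the prefixes, the temporary address and all function names are constructed for illustration.

```python
import ipaddress

IID_MASK = (1 << 64) - 1

def eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix, iid):
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def embedded_mac(addr):
    """Return the MAC an EUI-64 style address reveals, or None.

    Heuristic: a random IID contains ff:fe at this position about once in 65536.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each interface name to the MAC its address exposes (None if none)."""
    return {name: embedded_mac(addr) for name, addr in addresses.items()}

# Constructed sample: documentation MAC and prefixes, not values from the thread.
LAN_MAC = "00:00:5e:00:53:ce"
iid = eui64_iid(LAN_MAC)          # the PPPoE interface borrows this MAC too
SAMPLE = {
    "lan_ll": str(slaac_address("fe80::/64", iid)),
    "lan_gua": str(slaac_address("2001:db8:0:2::/64", iid)),
    "wan_gua": str(slaac_address("2001:db8:0:1::/64", iid)),
    "wan_temp": "2001:db8:0:1:9c3a:1b2f:44d0:7e11",  # constructed random IID
}

if __name__ == "__main__":
    for name, mac in audit(SAMPLE).items():
        print(f"{name:9} {SAMPLE[name]:40} embedded MAC: {mac}")
```
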

Thanks a lot for this answer!

Will try the tunables and see what happens.