Can OPNsense delegate an IPv6 prefix to another router/firewall?

[Patrick M. Hausen]

Hi all,

subject says it. Most threads here and the docs are concerned with OPNsense getting a proper prefix delegation from an ISP or an upstream router. Question is: can OPNsense server as an upstream router and delegate an e.g. /62 to another router behind it?

Thanks,
Patrick

[franco]

Yep, DHCPv6 can do that (below pool setting). In fact in the automatic mode (from tracked interface) it tries to also make available a prefix depending on the prefix size constraints on the WAN.

Usually the biggest prefix to delegate is the WAN prefix + 1. So if you want to delegate one /62 you need a /61 on WAN. If you need two /62 it has to be a /60 etc.


Cheers,
Franco

[robgnu]

Yes, it works very well.

Here are our settings:
- RA set to "Assisted"
- DHCPv6 enabled:
 - Range from :: to ::ffff:ffff:ffff:ffff
 - Prefix Delegation Range from ::d0 to ::f0
 -  Prefix Delegation Size: 60
- Firewall rules on your needs. :-)

Best regards
Rob

[Maurice]

It works, but has a few caveats (at least it did last time I tried it):

The downstream router also needs to request an address via DHCPv6, not just a prefix. Reason is that OPNsense uses this address for routing the prefix, not the downstream router's link-local address as one might expect.

Firewall rules for the prefix(es) delegated to downstream need to be configured statically, which can be an issue if you get a dynamic PD from upstream.

Cheers
Maurice

[franco]

Both true but one comment:

> The downstream router also needs to request an address via DHCPv6, not just a prefix. Reason is that OPNsense uses this address for routing the prefix, not the downstream router's link-local address as one might expect.

Nowadays you can use a static mapping as well:

https://github.com/opnsense/core/commit/a73813684721


Cheers,
Franco

[Maurice]

Hi Franco,

Neat, thanks for the hint! Not dynamic yet, but definitely an improvement.

Could we make this work with link-local addresses in the static DHCPv6 mappings? Then you wouldn't have to add ULAs.

Cheers
Maurice

[Patrick M. Hausen]

Thanks for the interesting discussion. For my small home lab I finally decided to just route a /64 statically, but interoperability is always a good thing. As is feature complete IPv6 support. 

[franco]

> Could we make this work with link-local addresses in the static DHCPv6 mappings? Then you wouldn't have to add ULAs.

Sounds useful. Was wondering the same while replying earlier. You want to take a stab at it? Potentially we'd have to throw out the link-locals to make sure DHCPv6 doesn't complain about it.


Cheers,
Franco

[Maurice]

@franco I played around with link-locals in static mappings. dhcpd6 isn't bothered at all. But we have to add the scope when adding the route. What do you think about this approach? Seems to work fine.

https://github.com/maurice-w/core/commit/3b17bd4

Cheers
Maurice

[allan]

One thing that tripped me up was the Prefix Delegation Range "to" value. Unlike DHCP pools, this is the last network block available to delegate - not the last address.

I am delegating /62 and I have the following networks available. I was entering "2603:3018:xxxx:xx3f:ffff:ffff:ffff:ffff" instead of "2603:3018:xxxx:xx3c::", and this prevented dhcpd from starting.

• 2603:3018:xxxx:xx30::/62
• 2603:3018:xxxx:xx34::/62
• 2603:3018:xxxx:xx38::/62
• 2603:3018:xxxx:xx3c::/62