IPv6 on LAN, SLAAC - no temporary addresses

Started by macklij, November 16, 2023, 04:49:14 PM

If you can't get a WAN address, a LAN interface address works, too. It has some caveats though. What if the LAN interface is down etc.? I see no reason not to use a WAN address if you can easily get one (which seems to be the case for @macklij).

There have been some requests to allow the WAN interface to track its own delegated prefix to create a WAN address. That would be a good solution for ISPs like @meyergru's.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Yup, we discussed that and Franco tried to make it work, but it was more difficult than expected.

Luckily, my LAN interface is always up, so I can live with that. I would use it only in a pinch, however.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

From this I take it Meyergru gets a /64 from his ISP? Otherwise wouldn't rely on the LAN GUA?

Quote from: Maurice on November 17, 2023, 03:28:20 PM
If you can't get a WAN address, a LAN interface address works, too. It has some caveats though. What if the LAN interface is down etc.? I see no reason not to use a WAN address if you can easily get one (which seems to be the case for @macklij).

There have been some requests to allow the WAN interface to track its own delegated prefix to create a WAN address. That would be a good solution for ISPs like @meyergru's.

For those addresses you should use loopback interfaces, not physical ones.

@macklij No. As mentioned, the WAN address typically is outside of the delegated prefix and assigned by the ISP independently (via DHCPv6 IA_NA or SLAAC). The size of the delegated prefix is unrelated to this. But some ISPs only offer a prefix and no WAN address at all (luckily not yours). In such a case, one can use the delegated prefix to create a WAN address (which is then inside the delegated prefix). Unfortunately, OPNsense doesn't support this (yet).

@bimbar A loopback interface with track6 configuration? Interesting idea. Could work.

Quote from: macklij on November 17, 2023, 03:48:48 PM
From this I take it Meyergru gets a /64 from his ISP? Otherwise wouldn't rely on the LAN GUA?

No, I get /56, but only an IPv6 prefix, no IPv6 GUA on the LAN interface. OPNsense has no means (yet) to assign a prefix to the WAN interface. Usually the DHCPv6 client tries to get both a prefix for delegation (IA_PD) and a WAN IPv6 (IA_NA). My ISP does not hand out anything at all if I ask for that, so by using the setting "Request only an IPv6 prefix", I get a /56 prefix only and make do by using the LAN IPv6 GUA instead.

@meyergru
@Maurice

Thanks for the explanations. I am beginning to get my head around IPv6. Probably enough to be a danger to myself. :D

Quote from: bimbar on November 17, 2023, 03:50:02 PM
For those addresses you should use loopback interfaces, not physical ones.

I now tried this and it doesn't work. Loopback interfaces don't have a MAC address, so EUI-64 isn't possible. As a result, setting a loopback interface to "Track Interface" mode entirely breaks dhcp6c:


Notice dhcp6c link layer address is too short (lo1)
Notice dhcp6c failed to get default IF ID for lo1
Error dhcp6c failed to parse configuration file
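
The EUI-64 derivation the post above refers to, as an added example that is not part of the original thread and is not dhcp6c's own code: it builds a tracked-interface address from a delegated prefix plus a MAC (modified EUI-64, RFC 4291 Appendix A) and fails when the interface has no link-layer address, as with lo1. The prefix, MAC, subnet ID and function names are constructed for illustration.

```python
import ipaddress


def eui64_interface_id(lladdr: bytes) -> bytes:
    """Return the 64-bit modified EUI-64 interface ID for a 48-bit MAC."""
    if len(lladdr) != 6:
        # A loopback interface carries no MAC, so there is nothing to expand.
        raise ValueError(f"link layer address is too short ({len(lladdr)} bytes)")
    first = lladdr[0] ^ 0x02  # invert the universal/local bit
    # Insert ff:fe between the OUI and the device-specific half of the MAC.
    return bytes([first]) + lladdr[1:3] + b"\xff\xfe" + lladdr[3:6]


def tracked_address(delegated: str, subnet_id: int, lladdr: bytes) -> ipaddress.IPv6Address:
    """Select one /64 from the delegated prefix and append the EUI-64 ID."""
    prefix = ipaddress.IPv6Network(delegated)
    if prefix.prefixlen > 64:
        raise ValueError("delegated prefix is longer than /64")
    if not 0 <= subnet_id < 2 ** (64 - prefix.prefixlen):
        raise ValueError("subnet id does not fit in the delegated prefix")
    network = int(prefix.network_address) | (subnet_id << 64)
    iid = int.from_bytes(eui64_interface_id(lladdr), "big")
    return ipaddress.IPv6Address(network | iid)


if __name__ == "__main__":
    delegated = "2001:db8:1200::/56"               # constructed documentation prefix
    nic_mac = bytes.fromhex("001122334455")        # constructed MAC of a physical NIC
    print("physical:", tracked_address(delegated, 1, nic_mac))
    try:
        tracked_address(delegated, 2, b"")         # loopback: empty link-layer address
    except ValueError as err:
        print("loopback:", err)
```

The resulting address embeds the MAC in its lower 64 bits, so it stays the same for as long as the delegated prefix does.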

I must be missing the grand idea behind turning a perfectly working setup into a collection of completely unneeded broken hacks.

You do NOT need GUA on WAN. Just move on.

Quote from: Maurice on November 18, 2023, 12:52:55 AM
Quote from: bimbar on November 17, 2023, 03:50:02 PM
For those addresses you should use loopback interfaces, not physical ones.

I now tried this and it doesn't work. Loopback interfaces don't have a MAC address, so EUI-64 isn't possible. As a result, setting a loopback interface to "Track Interface" mode entirely breaks dhcp6c:


Notice dhcp6c link layer address is too short (lo1)
Notice dhcp6c failed to get default IF ID for lo1
Error dhcp6c failed to parse configuration file


You probably need a static prefix for that, but it would be the right way to do it, if it is possible.