Issue with internal IPv6 testing network

[DustinHarp]

Hi!

This may be rather unorthodox and the result of myself doing something incorrectly but still might be worth a try anyway.

Running two OPNSense 24.1 virtual machines under KVM with virtio nics to assist in development and lab scenarios.

My current challenge is in simulating an IPv6 network. With VM #1 having a /48 prefix assigned to its LAN interface, delegating /56 prefixes to client routers using DHCPv6-PD. VM #2 in this scenario takes the place of the client router and its WAN interface is behind the LAN bridge of VM #1.

Configuration of WAN router (VM #1):

Code Select Expand


LAN interface: Static IPv6: 2001:db8:1::1/48
Prefix delegation range: 2001:db8:1:100:: - 201:db8:1:200::
Prefix delegation size: 56

RA configuration: Managed
Advertise Default Gateway: Enabled


Configuration of LAN client router (VM #2 - its WAN is connected behind VM #1 LAN)

Code Select Expand


WAN interface: DHCPv6
Request only an IPv6 prefix: Enabled
Prefix delegation size: 56
Send IPv6 prefix hint: Enabled


Code Select Expand


LAN interface: Track Interface
Allow manual adjustment of DHCPv6 and Route Advertisements: Enabled
IPv6 Prefix ID: 0x0


The issue is when having configured the WAN router to only delegate prefixes with a link-local default gateway similar to a 'real' ISP attempting to ping the LAN address of the VM #1 from VM #2 takes about 20 seconds to start responding to pings after which it will work for ~10 seconds than fail again and repeat.

Observing the output of

Code Select Expand

route -6n monitor on VM #1 shows a route of the full LAN address of VM #2 being added and deleted in unison with the above described behavior.

[Patrick M. Hausen]

LAN interface: Static IPv6: 2001:db8:1::1/48

This doesn't work. Broadcast ("Ethernet") interfaces always have /64.

[DustinHarp]

Doh. But how best to assign and carve out prefixes to be delegated to client routers?

[Patrick M. Hausen]

I honestly have not yet investigated if OPNsense can do prefix delegation, and if yes, how. Did you check the docs?

[Monviech (Cedrik)]

Could also use static routes to do it just like IPv4. One /64 network becomes the transfer net, and a static route on it will route one or multiple /64 nets to the next router.

On the next hop router, the OPNsense that has the /56 net is the default gateway. On the WAN interface one IPv6 GUA of the transfer net is configured. The static route(s) of the main OPNsense will point to this GUA. Then any additional /64 net that is routed there can be put on the LAN/VPN etc interfaces.

Of course, this needs proper infrastructure... static Prefix.

[DustinHarp]

OK. Think I figured it out. It will take some explaining.

Static mapping: If the DUID of an active prefix lease matches the DUID of a DHCPv6 static mapping, the delegated prefix will be unconditionally routed to the static mapping's IPv6 address. The DHCPv6 service doesn't have to be configured with an address range and the downstream router doesn't have to request an address. The address in the static mapping may be a GUA, ULA or link-local address. This allows downstream prefix delegation to routers which only request a prefix, not an address.

So for the purposes of this exercise VM #1 should have a /64 address assigned to its LAN interface. Under Services->ISC DHCPv6->LAN a prefix delegation range can be configured and for routing a delegated prefix to VM #2 through the LAN link-local address of VM #1 as the default gateway a DHCPv6 static mapping should be defined on VM #1 with the DUID and link-local address of the WAN interface of VM #2. Having tested connectivity between servers accessible from the simulated WAN interface of the VM #1 and behind the LAN interface of VM #2, this configuration works.

Thank you