[Solved] Randomize ipv6 WAN address

Started by vividou, December 04, 2024, 06:32:53 PM

December 04, 2024, 06:32:53 PM Last Edit: December 05, 2024, 05:43:31 PM by vividou
Hello,

My OPNsense is configured for IPv6 as follows:

GUI:
Interfaces > WAN >  IPv6 Configuration Type = DHCPv6
                    Prefix delegation size = 56


But the WAN IPv6 address contains the MAC address.

Shell:
# ifconfig
wan:
    inet6 xxxx::xxff:fexx:xxxx prefixlen 64 autoconf pltime 7200 vltime 21600


Is there a way to make it more random, without the MAC address?

Thanks

You can set another MAC on the WAN interface.

Or, you can use the "request prefix only" setting, together with an "Optional prefix ID" unequal to any other track interface prefix ID and then set "Optional interface ID" to your liking.

That way, the WAN IPv6 will be taken from the IPv6 delegated prefix range (IA_PD) instead of IA_NA.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

I think what you're looking for is IPv6 privacy extensions. See https://forum.opnsense.org/English_Forums/General_Discussion/IPv6_privacy_extensions_for_WAN_interface

Not sure if that is still correct, as the article is quite old by now.

Hello,

Thanks for the information.

Defining "Optional prefix ID" and "Optional interface ID" allows creating a second IPv6 address, but unfortunately the one with the MAC is still used on the internet.


Configuring in System -> Settings -> Tunables:

net.inet6.ip6.use_tempaddr = 1
net.inet6.ip6.prefer_tempaddr = 1


effectively creates a random IPv6 address that is used on the internet.

Thanks
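
A small audit script, added here as an example and not code from OPNsense or from anyone in this thread, that checks the two things the posts above turn on: whether a global IPv6 address on the WAN still embeds the interface MAC (modified EUI-64 interface ID, the ff:fe pattern from RFC 4291 Appendix A), and whether the two tunables net.inet6.ip6.use_tempaddr and net.inet6.ip6.prefer_tempaddr are set. It parses FreeBSD-style `ifconfig` and `sysctl` output; the interface name, MAC and 2001:db8::/32 addresses in the samples are constructed, not taken from the thread. It also covers the DHCPv6 IA_NA /128 case that comes up later in the thread, where no temporary address can be formed because there is no /64 prefix for SLAAC.

```python
"""Audit OPNsense/FreeBSD ifconfig and sysctl output for MAC-derived IPv6 addresses.

Added example, not OPNsense code. All sample data below is constructed.
"""
import ipaddress
import re

# One FreeBSD ifconfig inet6 line, e.g.
#   inet6 2001:db8::1 prefixlen 64 autoconf temporary pltime 3600 vltime 86400
INET6_RE = re.compile(
    r"^\s*inet6\s+(?P<addr>[0-9a-fA-F:]+)(?:%\w+)?\s+prefixlen\s+(?P<plen>\d+)(?P<rest>.*)$"
)

# The tunables set under System > Settings > Tunables (RFC 4941 privacy addresses).
PRIVACY_TUNABLES = {
    "net.inet6.ip6.use_tempaddr": 1,     # generate temporary addresses at all
    "net.inet6.ip6.prefer_tempaddr": 1,  # prefer them as source for outgoing traffic
}


def eui64_to_mac(addr):
    """MAC embedded in a modified-EUI-64 interface ID, or None.

    RFC 4291 App. A: the MAC is split in half, ff:fe is inserted in the
    middle, and the universal/local bit (0x02 of byte 0) is flipped.
    A random interface ID matches ff:fe only by chance, so audit() also
    consults the 'temporary' flag that ifconfig prints.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(ifconfig_text):
    """Describe every inet6 address found in ifconfig output."""
    entries = []
    for line in ifconfig_text.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addr = ipaddress.IPv6Address(m["addr"])
        flags = set(m["rest"].split())
        temporary = "temporary" in flags
        entries.append({
            "addr": str(addr),
            "prefixlen": int(m["plen"]),
            "global": (addr.packed[0] & 0xE0) == 0x20,  # 2000::/3; excludes fe80::/10
            "temporary": temporary,
            "deprecated": "deprecated" in flags,
            "mac": None if temporary else eui64_to_mac(addr),
        })
    return entries


def mac_exposure(ifconfig_text):
    """Return (exposed, covered).

    exposed: global, non-deprecated addresses that embed the MAC.
    covered: a usable temporary global address exists, so with
             prefer_tempaddr=1 the firewall's own traffic uses it.
    A lone /128 from DHCPv6 IA_NA is never covered: there is no /64 prefix
    from which SLAAC could derive a temporary address.
    """
    entries = audit(ifconfig_text)
    exposed = [e for e in entries if e["global"] and e["mac"] and not e["deprecated"]]
    covered = any(e["global"] and e["temporary"] and not e["deprecated"] for e in entries)
    return exposed, covered


def missing_tunables(sysctl_output):
    """Parse 'name: value' lines (sysctl output); return {name: current}
    for each privacy tunable that is absent or not set to the wanted value."""
    current = {}
    for line in sysctl_output.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip()
        if sep and name in PRIVACY_TUNABLES:
            try:
                current[name] = int(value.strip())
            except ValueError:
                current[name] = None
    return {k: current.get(k) for k, want in PRIVACY_TUNABLES.items() if current.get(k) != want}


# Constructed: SLAAC address built from MAC 00:11:22:33:44:55, plus a temporary one.
SAMPLE_WITH_TEMPADDR = """\
igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet6 fe80::211:22ff:fe33:4455%igb0 prefixlen 64 scopeid 0x1
        inet6 2001:db8:1:2:211:22ff:fe33:4455 prefixlen 64 autoconf pltime 7200 vltime 21600
        inet6 2001:db8:1:2:9c1d:3f2a:7b88:4e01 prefixlen 64 autoconf temporary pltime 3600 vltime 86400
"""

# Constructed: only a DHCPv6 IA_NA /128 address, nothing for SLAAC to work with.
SAMPLE_IA_NA_ONLY = """\
        inet6 fe80::211:22ff:fe33:4455%igb0 prefixlen 64 scopeid 0x1
        inet6 2001:db8:1:2::1234 prefixlen 128
"""

# Constructed: sysctl output before the tunables are changed.
SAMPLE_SYSCTL = """\
net.inet6.ip6.use_tempaddr: 0
net.inet6.ip6.prefer_tempaddr: 0
net.inet6.ip6.temppltime: 86400
"""

if __name__ == "__main__":
    exposed, covered = mac_exposure(SAMPLE_WITH_TEMPADDR)
    for e in exposed:
        print(f"{e['addr']} embeds MAC {e['mac']}; temporary address present: {covered}")
    for name, value in missing_tunables(SAMPLE_SYSCTL).items():
        print(f"{name} is {value}, want {PRIVACY_TUNABLES[name]}")
```

On a live box the two inputs would come from `ifconfig <wan>` and `sysctl net.inet6.ip6`; the script only reports, it changes nothing. Note that even with both tunables set the EUI-64 address stays configured (it is only no longer preferred as a source), so `exposed` is expected to be non-empty while `covered` is true, and, as pointed out further down in the thread, this only affects connections OPNsense itself originates, not the addresses your clients use.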


I do not see that. For me, there is no second MAC-based IPv6, just the one with the interface ID.

Maybe you were seeing that because you already had the first IPv6 before you changed the settings. That should be cleared up by a reboot.

On the other hand, the IPv6 privacy settings do not work for me, maybe either because I use the specified settings or maybe because my WAN is pppoe.

BTW: These IPv6 privacy extensions only affect outgoing connections from OpnSense itself, not from your clients. You would have to enable privacy extensions on all of them to hide their identities.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

Quote from: meyergru on December 05, 2024, 06:05:19 PM
BTW: These IPv6 privacy extensions only affect outgoing connections from OpnSense itself, not from your clients. You would have to enable privacy extensions on all of them to hide their identities.

That's an important point. From my experience, most devices do use privacy extensions by default. Then again, I avoid Windows wherever possible. Privacy extensions were developed to make tracking of devices across networks harder. That's why I don't mind too much that my router has a MAC in its public address.

Quote from: mooh on December 05, 2024, 01:22:09 PM
I think what you're looking for is IPv6 privacy extensions. See https://forum.opnsense.org/English_Forums/General_Discussion/IPv6_privacy_extensions_for_WAN_interface

Not sure if that is still correct, as the article is quite old by now.

It still works like a charm :-)
OPNsense 24.7.11_2-amd64

Quote from: meyergru on December 05, 2024, 06:05:19 PM[...]
On the other hand, the IPv6 privacy settings do not work for me, maybe either because I use the specified settings or maybe because my WAN is pppoe.

In the past (before switching away from DSL) I did not encounter any problems using IPv6 privacy extensions together with PPPoE.
OPNsense 24.7.11_2-amd64

Quote from: schnipp on December 22, 2024, 11:09:38 AM
Quote from: mooh on December 05, 2024, 01:22:09 PM
I think what you're looking for is IPv6 privacy extensions. See https://forum.opnsense.org/English_Forums/General_Discussion/IPv6_privacy_extensions_for_WAN_interface

Not sure if that is still correct, as the article is quite old by now.

It still works like a charm :-)

I have restructured my network (Fritzbox acted as the WAN Gateway in front of the Opnsense and now moved behind the Opnsense in a dedicated VLAN). This is the first time the IPv6 privacy extensions do not work anymore.

  • If only an IPv6 prefix is requested via DHCPv6 and the public WAN address is derived from that prefix, IPv6 privacy will not work. It is not clear to me why the WAN address is generated from the MAC address in this case. The subnet technically allows WAN addresses to be derived via SLAAC.
  • When requesting an IPv6 prefix and IPv6 address via DHCPv6, IPv6 privacy also does not work because the prefix length of the public IPv6 address is 128 (no available subnet).


OPNsense 24.7.11_2-amd64