Possible Bug with IPv6 prefix delegation on pppoe with vlan

Started by i.schmidt, May 23, 2025, 07:08:41 PM

Hi folks

Today I realized my WAN connection does not get a prefix delegated from my ISP.
I'm on 25.1.2 community and my WAN setup works in principle.

Logical connection is like this: igc0 -> igc0_vlan7 -> pppoe0 -----> Telekom Deutschland Fibre

However, I noticed I get a public IPv6 address, but no delegated prefix.
igc0 is not assigned, igc0_vlan7 is not assigned, pppoe0 is, as WAN interface with the typical config:
IPv4 -> pppoe
IPv6 -> DHCPv6
Prefix delegation size: 56
Request prefix only: true
Send prefix hint: true

On dial-in I see the IPv4 address and an IPv6 address; however, DHCPv6 seems to fail. The log says:
<13>1 2025-05-23T18:01:13+02:00 OPNsense.localdomain dhcp6c 69030 - [meta sequenceId="8"] RTSOLD script - Sending SIGHUP to dhcp6c
<27>1 2025-05-23T18:01:13+02:00 OPNsense.localdomain dhcp6c 55977 - [meta sequenceId="9"] transmit failed: Can't assign requested address
<13>1 2025-05-23T18:01:13+02:00 OPNsense.localdomain dhcp6c 82153 - [meta sequenceId="11"] RTSOLD script - Sending SIGHUP to dhcp6c
<27>1 2025-05-23T18:01:13+02:00 OPNsense.localdomain dhcp6c 55977 - [meta sequenceId="14"] transmit failed: Can't assign requested address
<13>1 2025-05-23T18:01:15+02:00 OPNsense.localdomain dhcp6c 62732 - [meta sequenceId="47"] dhcp6c_script: REQUEST on pppoe0 executing
<13>1 2025-05-23T18:01:15+02:00 OPNsense.localdomain dhcp6c 66725 - [meta sequenceId="48"] dhcp6c_script: REQUEST on pppoe0 renewal

I found that every interface that is involved gets the same IPv6 link-local address.
root@OPNsense:~ # ifconfig igc0
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4800028<VLAN_MTU,JUMBO_MTU,HWSTATS,MEXTPG>
        ether 00:d0:b4:01:a3:af
        inet6 fe80::2d0:b4ff:fe01:a3af%igc0 prefixlen 64 scopeid 0x1
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

root@OPNsense:~ # ifconfig igc0_vlan7
igc0_vlan7: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4000000<MEXTPG>
        ether 00:d0:b4:01:a3:af
        inet6 fe80::2d0:b4ff:fe01:a3af%igc0_vlan7 prefixlen 64 scopeid 0x8
        groups: vlan
        vlan: 7 vlanproto: 802.1q vlanpcp: 0 parent interface: igc0
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

root@OPNsense:~ # ifconfig pppoe0
pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1492
        description: Telekom_WAN_VLAN7_pppoe (opt6)
        options=0
        inet 93.225.175.117 --> 62.155.243.104 netmask 0xffffffff
        inet6 fe80::2d0:b4ff:fe01:a3af%pppoe0 prefixlen 64 scopeid 0xf
        inet6 fe80::2d0:b4ff:fe01:a3b1%pppoe0 prefixlen 64 scopeid 0xf
        inet6 2003:db:xxxx:xxxx:xxxx:xxxx:fe01:a3af prefixlen 64 autoconf pltime 1800 vltime 14400
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

This might be because all the interfaces share the same MAC address, so the algorithm for deriving the link-local address might generate the same address for these interfaces. But could it be that this is a bug and having the same address on multiple interfaces prevents dhcp6c from sending the DHCPv6 requests?
I can't see ANY communication on port 547 or 546 happening on pppoe0 on dial-in.

I tried to change the MAC address of pppoe0, but then I get no connection established. I tried to remove the suspicious IPv6 link-local address from pppoe0, but it gets reassigned as soon as I dial up the connection again, still no prefix delegation.

Is this known? Maybe I'm doing something wrong here?
Should I report this as a bug?

Any advice would be appreciated.

The interesting question is not what link-local addresses your lower layer interfaces have, but what GUA gets assigned to pppoe0.

And as it seems, it got an IPv6 GUA, namely 2003:db:xxxx:xxxx:xxxx:xxxx:fe01:a3af/64, so all seems right.

When you do it like this (which is the way I prefer it, too), the WAN interface gets an IP out of the delegated prefix, which you would see here:


2003:db:xxxx:xxPP:xxxx:xxxx:fe01:a3af/64

How come? Well, those PP bits are the lower 8 bits of the 64-bit network part; the upper 56 bits are the /56 prefix that T-Online gives you.

The PP value comes from the value from the "prefix hint" input field. It must be different from the "Assign prefix ID" of all local interfaces (e.g. LAN) in which you use "Track Interface" for the IPv6 setting. So their PP values must differ from the one on the WAN interface and any other (V)LAN.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Oh, that's interesting. Thank you!

So if I understand you correctly: I get a GUA, which is part of my delegated prefix, and I can derive my delegated prefix from my GUA?
And the DHCPv6 communication on dialup might then simply be missing, because no DHCPv6 is involved?

This is really confusing because that's almost too easy 😅, but alright. I will do some testing with this.

Just for some clarification:
Given my GUA might be 2003:db:477f:b4ff:::fe01:a3af/64
This would suggest 2003:db:477f:b4 is my delegated prefix and I can use 2003:db:477f:b400... to 2003:db:477f:b4ff... for publicly accessible addresses?
Nice!


Correct. Each of the single /64 prefixes will be usable by one interface/subnet. By using "request prefix only", you use one of the prefixes for WAN. Some ISPs can only do it that way, others could use another, single IP for WAN (called IA_NA).

By using the IA_PD prefix, you could have OPNsense update a dynamic DNS service with the same /56 prefix that all interfaces use. Of course, that still requires the DynDNS service to be able to supply the lower 72 bits for a specific entry from the account settings and only using the upper 56 bits from the originating IPv6.

OPNsense can also put the /64 prefix from any (V)LAN into a DynDNS update request, though.
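The prefix arithmetic discussed in the posts above (the /56 delegation, the 8 "PP" prefix-ID bits, and a DynDNS-style rebuild that keeps the lower 72 bits), as an added example that is not part of the thread or of OPNsense. All addresses are constructed from the 2001:db8::/32 documentation range, and the function and interface names are hypothetical.

```python
import ipaddress

# Constructed sample values from the 2001:db8::/32 documentation range.
WAN_GUA = "2001:db8:477f:b4ff::fe01:a3af/64"

def delegated_prefix(gua, pd_len=56):
    """Delegated prefix that contains the /64 of the given address."""
    return ipaddress.IPv6Interface(gua).network.supernet(new_prefix=pd_len)

def prefix_id(gua, pd_len=56):
    """The 'PP' bits: network bits between the delegated length and /64."""
    net = int(ipaddress.IPv6Interface(gua).network.network_address)
    return (net >> 64) & ((1 << (64 - pd_len)) - 1)

def subnet_for(pd, pid):
    """The /64 that an interface with prefix ID `pid` gets out of `pd`."""
    if not 0 <= pid < (1 << (64 - pd.prefixlen)):
        raise ValueError(f"prefix ID {pid:#x} does not fit in {pd}")
    return ipaddress.IPv6Network((int(pd.network_address) | (pid << 64), 64))

def id_collisions(wan_id, lan_ids):
    """Pairs of interfaces that were given the same prefix ID."""
    seen, clashes = {wan_id: "WAN"}, []
    for name, pid in lan_ids.items():
        if pid in seen:
            clashes.append((name, seen[pid]))
        else:
            seen[pid] = name
    return clashes

def rebase_host(old_addr, new_pd):
    """Keep the lower (128 - prefix length) bits, swap in the new prefix."""
    pd = ipaddress.IPv6Network(new_pd)
    low = int(ipaddress.IPv6Address(old_addr)) & ((1 << (128 - pd.prefixlen)) - 1)
    return ipaddress.IPv6Address(int(pd.network_address) | low)

if __name__ == "__main__":
    pd = delegated_prefix(WAN_GUA)
    print(pd, hex(prefix_id(WAN_GUA)), subnet_for(pd, 0x01))
    print(id_collisions(prefix_id(WAN_GUA), {"LAN": 0x00, "DMZ": 0xff}))
    print(rebase_host("2001:db8:477f:b401::10", "2001:db8:5a00:1200::/56"))
```
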

Ah great! Thanks!

That's really what I want to do. I have some services running, which are accessible to the world via IPv4, but I want to also make them available via IPv6.
I guess next, I will have to figure out how to set up DDNS with IPv6 correctly on netcup.


Updating DynDNS seems to be somewhat straightforward, since the DDNS service can build the new addresses automatically from the prefix.
But I can't quite wrap my head around how to handle the dynamic addresses on my internal hosts. How to get a new IPv6 prefix on my VMs and containers when my public net changes? Is this done via DHCPv6, some neighbor discovery or something?
Are you aware of some good comprehensive documentation on this?

Yes. Basically - you do not make them directly available via IPv6. As for why, see this current discussion: https://forum.opnsense.org/index.php?topic=47243

Here is how you set up IPv6, but not for inbound access: https://forum.opnsense.org/index.php?topic=45822.0

You should use a reverse proxy like Caddy or HAProxy for inbound access; there are articles on how to do both in the tutorial section, as well.