IPV6 RA/DHCP DNS Issue

Started by samfty, August 12, 2022, 12:36:55 PM

Hi,
I was wondering if someone can help with the following...

I have IPv6 configured with interface tracking enabled to allow delegation of the PD prefix received from my ISP.

I have enabled "Allow manual adjustment of DHCPv6 and Router Advertisements" and entered a DNS server into the RA/DHCPv6 configuration in OPNsense.
RA is enabled and in managed mode.

The issue I have come across is that the DNS server set in RA/DHCPv6 is sent to the client correctly and is what I'd expect; after 10 minutes or so the DNS server I have set in the DHCPv6/RA config disappears and the v6 address of the OPNsense appliance appears as a DNS server on the client. This seems to be happening for all devices on my network.

Have I misconfigured something that could be causing this?
I can't seem to get my head around why this would be happening.

Thanks,
Sam!

Forgot to include, Unbound / DNSMasq is disabled.

Maybe the DHCPv6 server (prefix only) sends different values than the Router Advertisements (SLAAC only).

It's a good idea to check both configuration files.

/var/dhcpd/etc/dhcpdv6.conf
/var/etc/radvd.conf


Cheers,
Franco
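As an added example (not from this thread or from OPNsense itself), the script below pulls the prefixes and DNS servers out of the two generated files Franco names and flags the three things the rest of the thread ends up looking at: a prefix that is not a /64, the same DNS server listed twice, and the router's own LAN address appearing as a DNS server. The two config fragments are constructed to mirror the lines quoted later in the thread, using the 2001:db8::/32 documentation prefix instead of the poster's anonymised addresses; the LAN address passed to `audit()` is an assumption.

```python
"""Audit OPNsense-generated dhcpdv6.conf and radvd.conf for the symptoms
discussed in this thread. Example code added for the thread, not OPNsense code.
On a live box you would read /var/dhcpd/etc/dhcpdv6.conf and /var/etc/radvd.conf
instead of the constructed strings below."""

import ipaddress
import re

# Constructed fragment in the shape of OPNsense's dhcpdv6.conf (not a real file)
DHCPDV6_CONF = """
subnet6 2001:db8:abcd::/48 {
  range6 2001:db8:abcd::1000 2001:db8:abcd::2000;
  option dhcp6.name-servers 2001:db8:abcd::1e1,2001:db8:abcd::1e1;
}
"""

# Constructed fragment in the shape of OPNsense's radvd.conf (not a real file)
RADVD_CONF = """
interface igb1 {
  AdvSendAdvert on;
  AdvManagedFlag on;
  AdvOtherConfigFlag on;
  prefix 2001:db8:abcd::/48 {
    AdvOnLink on;
    AdvAutonomous off;
  };
  RDNSS 2001:db8:abcd::1e1 2001:db8:abcd::1e1 {
    AdvRDNSSLifetime 600;
  };
};
"""


def parse_dhcpdv6(text):
    """Return subnet6 prefixes and dhcp6.name-servers entries, in file order."""
    prefixes = re.findall(r"^\s*subnet6\s+(\S+)\s*\{", text, re.M)
    dns = []
    for m in re.finditer(r"option\s+dhcp6\.name-servers\s+([^;]+);", text):
        dns += [s.strip() for s in m.group(1).split(",") if s.strip()]
    return {"prefixes": prefixes, "dns": dns}


def parse_radvd(text):
    """Return advertised prefixes and RDNSS addresses, in file order."""
    prefixes = re.findall(r"^\s*prefix\s+(\S+)\s*\{", text, re.M)
    dns = []
    for m in re.finditer(r"^\s*RDNSS\s+([^{;]+)", text, re.M):
        dns += m.group(1).split()
    return {"prefixes": prefixes, "dns": dns}


def audit(dhcp, radvd, lan_address):
    """Return human-readable findings; an empty list means both files look sane."""
    findings = []
    lan = ipaddress.ip_address(lan_address)
    for source, cfg in (("dhcpdv6.conf", dhcp), ("radvd.conf", radvd)):
        for p in cfg["prefixes"]:
            net = ipaddress.ip_network(p, strict=False)
            if net.prefixlen != 64:
                findings.append(f"{source}: prefix {p} is not a /64")
        seen = set()
        for d in cfg["dns"]:
            addr = ipaddress.ip_address(d)
            if addr in seen:
                findings.append(f"{source}: DNS server {d} listed more than once")
            seen.add(addr)
            if addr == lan:
                findings.append(f"{source}: router LAN address {d} advertised as DNS server")
    dhcp_set = {ipaddress.ip_address(a) for a in dhcp["dns"]}
    ra_set = {ipaddress.ip_address(a) for a in radvd["dns"]}
    if dhcp_set != ra_set:
        findings.append("DHCPv6 and RA advertise different DNS server sets")
    return findings


if __name__ == "__main__":
    # Assumed LAN address of the router; substitute your own
    for finding in audit(parse_dhcpdv6(DHCPDV6_CONF), parse_radvd(RADVD_CONF),
                         "2001:db8:abcd::1"):
        print(finding)
```

With the constructed fragments this reports the /48 in both files and the duplicated name server in both files, which is exactly what Maurice picks up on below; the last check (DHCPv6 and RA disagreeing) is there because Franco's point is that the two files are generated separately and can drift apart.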

August 13, 2022, 04:14:36 AM #3 Last Edit: August 13, 2022, 04:16:07 AM by samfty
I've checked through the DHCPv6 and radvd configuration and the DNS server that clients are seeing isn't there. The configuration seems as expected.

I've attached the configs with my IP addresses anonymized.

Also attached a picture from my phone of the behavior.

Thanks, Sam!

subnet6 2403:xxxx:xxxx::/48
prefix 2403:xxxx:xxxx::/48

That's odd. When using interface tracking, the LAN should always get configured with a /64 prefix length.

option dhcp6.name-servers 2403:xxxx:xxxx::1e1,2403:xxxx:xxxx::1e1;
RDNSS 2403:xxxx:xxxx::1e1 2403:xxxx:xxxx::1e1

Why do these have the same server twice?

Not sure what's going on here, but something seems really fishy. Could you share screenshots of your LAN and WAN interface configuration? And maybe Interfaces: Overview, too?

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

My ISP hands out a /48 for customer PD.


Those two are there because I set the same DNS server twice in both DHCPv6 and RA. I have since removed them and only put one.


But here is the interface configuration.

Quote from: samfty on August 14, 2022, 04:29:58 AM
My ISP hands out a /48 for customer PD.

The lengths of the delegated prefix and the LAN interface prefix are unrelated. As you can see in the interfaces overview, the LAN gets configured correctly with a /64. Not sure why radvd advertises the entire /48. You may have hit a bug there. I'll try to replicate (later). This would also break SLAAC (not an issue in this case since you only use DHCPv6).

Quote from: samfty on August 14, 2022, 04:29:58 AM
Those two are there because I set the same DNS server twice in both DHCPv6 and RA. I have since removed them and only put one.

Got it.

The interface configuration and status look good.

Regarding your original issue: Are these by any chance all Apple devices? @eddy recently reported that MacOS automagically adds the IPv6 default router to its list of DNS servers. That's a client issue.

Cheers
Maurice

macOS / iPhone and Windows are what I'm seeing the behavior on, which is what I'm running at home.

Okay. I don't have any Apple devices, but I have never seen this on Windows. The next thing I would try is to do a packet capture directly on one of the affected clients and filter for DHCPv6 and Router Advertisements. If the unwanted DNS server address doesn't show up, it's a client issue. If it does show up, we can investigate further.

I've done the packet capture from my Windows machine and I'm seeing the OPNsense device as the DNS server. I've attached a screenshot of the packet capture.

I've configured my test setup with the settings you shared here and can't reproduce any of the issues. Prefix lengths in dhcpdv6.conf and radvd.conf are correctly set to /64 and the LAN interface address is not advertised as a DNS server.

So unfortunately no idea what's going on. Anything special with your setup? What's the history? New install or has this worked before? Any other routers / DHCPv6 servers on the network?

Cheers
Maurice

This is a new install / setup. I previously had this set up with a Fortinet gateway and it worked OK. There is no other router set up on my local network. The DHCPv6 packet is sourced from the MAC address of the OPNsense firewall.

Cheers,
Sam

I have factory reset my OPNsense config and configured it from scratch again...
It seems the issue has gone away and it is no longer sending the extra DNS server.

Good to hear. Do you have a backup of the old config? Might be interesting to do a diff with the new config.