IPV6 RA/DHCP DNS Issue

[samfty]

Hi,
I was wondering if someone can help with the following...

I have IPv6 configured with with interface tracking enabled to enable delegation of the PD prefix received from my ISP.

I have enabled "Allow manual adjustment of DHCPv6 and Router Advertisements " and entered a DNS server into the RA/DHCPv6 configuration in OPNsense.
RA is enabled and in managed mode.

The issue i have come across is that the DNS server that is set in RA/DHCPv6 is sent to the client correctly and is what I'd expect,  after 10mins or so the dns server that i have set in the dhcpv6 / RA config disappears and the v6 address of the OPNSense appliance appears as a DNS server on the client. Seems to be happening for all devices on my network.

Have i missed configured something that could be causing this?
Can't seem to get my heard around why this would be happening.

Thanks,
Sam!

[samfty]

Forgot to include, Unbound / DNSMasq is disabled.

[franco]

Maybe DHCPv6 server (prefix only) sends different values than Router Advertisements (SLAAC only)

It's a good idea to check both configuration files.

/var/dhcpd/etc/dhcpdv6.conf
/var/etc/radvd.conf


Cheers,
Franco

[samfty]

I've checked through the dhcpv6 and radvd configuration and the dns server that clients are seeing isn't there. Configuration seems as expected.

I've attached the configs with my IP addresses anonymized.

Also attached a picture from my phone of the behavior.

Thanks Sam!

[Maurice]

Code: [Select]

subnet6 2403:xxxx:xxxx::/48

Code: [Select]

prefix 2403:xxxx:xxxx::/48
That's odd. When using interface tracking, the LAN should always get configured with a /64 prefix length.

Code: [Select]

option dhcp6.name-servers 2403:xxxx:xxxx::1e1,2403:xxxx:xxxx::1e1;

Code: [Select]

RDNSS 2403:xxxx:xxxx::1e1 2403:xxxx:xxxx::1e1
Why do these have the same server twice?

Not sure what's going on here, but something seems really fishy. Could you share screenshots of your LAN and WAN interface configuration? And maybe Interfaces: Overview, too?

Cheers
Maurice

[samfty]

My ISP hands out a /48 for customer PD.


those two are there because i set the same dns server twice in both dhcpv6 / RA. I have since removed them and only put one.


But here is the interface configuration.

[Maurice]

My ISP hands out a /48 for customer PD.

The lengths of the delegated prefix and the LAN interface prefix are unrelated. As you can see in the interfaces overview, the LAN gets configured correctly with a /64. Not sure why radvd advertises the entire /48. You may have hit a bug there. I'll try to replicate (later). This would also break SLAAC (not an issue in this case since you only use DHCPv6).

those two are there because i set the same dns server twice in both dhcpv6 / RA. I have since removed them and only put one.

Got it.

The interface configuration and status looks good.

Regarding your original issue: Are these by any chance all Apple devices? @eddy recently reported that MacOS automagically adds the IPv6 default router to its list of DNS servers. That's a client issue.

Cheers
Maurice

[samfty]

MacOS / iPhone and windows, I'm seeing the behavior on. Which is what I'm running at home.

[Maurice]

Okay. Don't have any Apple devices, but have never seen this on Windows. Next thing I would try is do a packet capture directly on one of the affected clients and filter for DHCPv6 and Router Advertisements. If the unwanted DNS server address doesn't show up, it's a client issue. If it does show up, we can investigate further.

[samfty]

Done the packet capture from my windows machine and seeing the opnsense devices as the DNS server. I've attached a screenshot of the packet capture.

[Maurice]

I've configured my test setup with the settings you shared here and can't reproduce any of the issues. Prefix lengths in dhcpdv6.conf and radvd.conf are correctly set to /64 and the LAN interface address is not advertised as a DNS server.

So unfortunately no idea what's going on. Anything special with your setup? What's the history? New install or has this worked before? Any other routers / DHCPv6 servers on the network?

Cheers
Maurice

[samfty]

This is a new install / setup. I previous had this setup with a Fortinet Gateway and worked ok. There is no other router setup on my local network. The dhcpv6 packet is sourcing from the mac address from the opnsense firewall.

Cheers,
Sam

[samfty]

I have factory reset my opnsense config and configured from scratch again...
seems the issue has gone away and no longer sending the extra dns server.

[Maurice]

Good to hear. Do you have a backup of the old config? Might be interesting to do a diff with the new config.