Topic: Some IPv6 questions. (Read 749 times)
lss4 (Newbie, Posts: 5, Karma: 0)
Some IPv6 questions.
« on: March 19, 2023, 05:03:06 am »
I only started using OPNsense recently, and I'm having some IPv6-related questions...
1. The maximum possible prefix problem
My OPNsense device is connected to another OpenWrt-powered router that is connected directly to the internet, with an IPv4 address and a /60 IPv6 prefix given. On the OpenWrt side I've configured the port on which the OPNsense device is connected as a separate, isolated interface, and gave both the port for OPNsense and the rest of the LAN each a /61 prefix.
However, on OPNsense side I can only at best configure the interface that would be used as WAN to get a /62 prefix when configured this way. Trying to let it get the whole /61 prefix was not successful.
I wonder if it's even possible to hand over the entire prefix to a single device per respective IPv6 specifications...
My IPv6 addresses and prefixes are dynamic, so there's no way I could use static configurations...
2. Problems with dhcpd6 and Track Interface
I've made 4 of my 6 LAN interfaces of the OPNsense device set to Track Interface against WAN (since I can only make WAN get a /62).
However, it seems with this configuration, dhcpd6 would go down whenever something wrong happens on the upstream router or the WAN side of the OPNsense device (usually due to a change to the dynamic IPv6 addresses and prefixes), and I cannot bring it back up without doing a manual reload of WAN interface.
Although the loss of IPv6 connectivity does not completely disable my systems from accessing the Internet, it can affect stability to some extent, as in my place, IPv6 is more stable than IPv4. I wonder if it's possible to make a trigger that whenever dhcpd6 goes down (or fails to start), force WAN to reload (preferably only the IPv6 address), and repeat this once in a while until dhcpd6 is brought back up successfully, so the issue can be handled all by itself.
LATE EDIT:
I'm updating my OPNsense device's system software as time goes. It's currently running 23.7 but so far everything remained the same as when I was writing this thread. To avoid bumping this thread (as 23.1 is now EOL) I'm editing this directly and will be starting a new thread on the 23.7 forum for more questions.
The 1st question (regarding maximum prefix) may not be valid as I noticed something odd when I tinkered with the settings on the OpenWrt side, that I've now given the entire /60 to the interface connecting to the OPNsense device (the rest of the LAN on the OpenWrt side will no longer have IPv6 as a result).
I then tried modifying the OPNsense device to let it get /61 and set the interfaces that previously had their IPv6 turned off to Track Interface, but it did not work -- The WAN is still getting /62, even after rebooting both this device and the upstream OpenWrt router several times, as well as releasing/reloading/renewing the WAN DHCP several times. Eventually, I released the WAN DHCP, rebooted OPNsense without renewing (so that WAN was still down), and now it finally gets a /61 as desired, and all my interfaces can obtain IPv6.
Maybe it was always possible to let my device get /61 prefix with the upstream OpenWrt IPv6 having either /60 or /61. It was just the lingering memories of the previously delegated /62 prefix that was preventing it when I initially tried changing the setting on the OPNsense side from /62 to /61.
As for the fragile dhcpd6 "Track Interface" issue... it's still there across all the versions. I'm not sure if the "Prevent Release" option would help somehow. I've just turned it on and will see how it looks for the next few days. There's no fixed pattern on when and how dhcpd6 would go down -- sometimes everything could be fine for several days, while other times it would not last for even a single hour.
ANOTHER LATE EDIT:
I was wrong. While I was able to manage to get /60 or /61 when I allocated the entire /60 on the OpenWrt side, I simply can only get up to /62 when I split the prefix as two /61s. I wonder if there's a way to diagnose why I'm not getting the desired prefix length...
« Last Edit: October 30, 2023, 02:26:36 pm by lss4 »
Patrick M. Hausen (Hero Member, Posts: 6844, Karma: 574)
Re: Some IPv6 questions.
« Reply #1 on: March 19, 2023, 01:40:45 pm »
All directly connected ethernet like interfaces must use /64 in IPv6.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
lss4 (Newbie, Posts: 5, Karma: 0)
Re: Some IPv6 questions.
« Reply #2 on: March 19, 2023, 04:17:59 pm »
> All directly connected ethernet like interfaces must use /64 in IPv6.
I'm aware. All interfaces on the device, including WAN itself (which connects directly to the specific port on my OpenWrt router), have a /64 address for their own usage.
The problem is the prefix delegation. I don't know if it's even possible to let the WAN interface claim the entire /61 block I assigned on the OpenWrt side (which is half of the /60 given by the ISP), so I could then get eight /64 ranges.
So far I can only make the OPNsense device's WAN get a /62 prefix range which means I have only four /64 ranges. Attempts to let it get a /61 prefix have so far failed. As such, I can only enable IPv6 on four of all my interfaces (which track against WAN).
(PS: I've six LAN interfaces on the OPNsense device, which consist of five ethernet ports and one wireless adapter in AP mode. Each LAN interface has its own subnet, and I've necessary firewall rules to manage cross-subnet accesses.)
Not to mention the Track Interface function is rather fragile. If something happens on the WAN side or the upstream (OpenWrt side), dhcpd6 would go down and require a manual reload of WAN before I could bring up dhcpd6 again (in order to restore IPv6 connectivity).
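On the open question in the thread of how to diagnose the delegated prefix length: one approach is to decode the IA_PD option (RFC 8415) in a captured DHCPv6 Solicit and Reply, and compare the prefix-length hint the client sent with what the upstream server delegated. This is an added example, not part of the forum posts or of OPNsense; the function names are the example's own and the 2001:db8:: messages are constructed sample data.

```python
import ipaddress
import struct

OPT_IA_PD, OPT_IAPREFIX = 25, 26  # option codes from RFC 8415

def options(buf):
    """Yield (code, data) for each DHCPv6 option in buf."""
    pos = 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, pos)
        data = buf[pos + 4:pos + 4 + length]
        if len(data) < length:
            raise ValueError("truncated option %d" % code)
        yield code, data
        pos += 4 + length

def pd_prefixes(message):
    """Return [(network, valid_lifetime)] from every IA_PD in a DHCPv6 message."""
    found = []
    for code, data in options(message[4:]):      # skip msg-type + 3-byte transaction id
        if code != OPT_IA_PD or len(data) < 12:
            continue
        for sub, body in options(data[12:]):     # skip IAID, T1, T2
            if sub == OPT_IAPREFIX and len(body) >= 25:
                _pref, valid, plen = struct.unpack_from("!IIB", body)
                addr = ipaddress.IPv6Address(body[9:25])
                found.append((ipaddress.IPv6Network((addr, plen), strict=False), valid))
    return found

def compare(solicit, reply):
    """Describe the hint the client sent against what the server delegated."""
    hint = pd_prefixes(solicit)
    got = pd_prefixes(reply)
    hint_len = hint[0][0].prefixlen if hint else None
    got_len = got[0][0].prefixlen if got else None
    return {"hint": hint_len, "delegated": got_len,
            "usable_64s": 2 ** (64 - got_len) if got_len is not None else 0,
            "server_honoured_hint": hint_len == got_len}

def build(msg_type, prefix, valid=7200):
    """Constructed test message: one IA_PD holding one IAPREFIX."""
    net = ipaddress.IPv6Network(prefix)
    iaprefix = struct.pack("!IIB", valid // 2, valid, net.prefixlen) + net.network_address.packed
    ia_pd = struct.pack("!III", 1, 0, 0) + struct.pack("!HH", OPT_IAPREFIX, len(iaprefix)) + iaprefix
    return bytes([msg_type, 0xAB, 0xCD, 0xEF]) + struct.pack("!HH", OPT_IA_PD, len(ia_pd)) + ia_pd

# Constructed sample: the client (Solicit, type 1) hints ::/61, the server (Reply, type 7) hands out a /62.
SOLICIT = build(1, "::/61", valid=0)
REPLY = build(7, "2001:db8:0:8::/62")
print(compare(SOLICIT, REPLY))
```

To use it on real traffic, pass the UDP payloads of the Solicit and Reply captured on the WAN interface (DHCPv6 runs over UDP ports 546 and 547). A hint of 61 with a delegated length of 62 shows the request left the client correctly and the upstream server chose the smaller prefix.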