Topic: Wrong prefix delegation size (Read 1050 times)
meschmesch (Full Member; Posts: 184, Karma: 5)
Wrong prefix delegation size « on: September 27, 2023, 09:58:39 am »
Hello,
Until last night IPv6 worked fine. After playing around a bit with CARP and IPv6, I reconfigured everything to the previous setup, but now the WAN interface shows the wrong prefix delegation size (which should be 57, but it indicates a 58). Further, none of the interfaces using track interface is showing an IPv6 any more. My first question would be how to force the WAN interface to use the prefix delegation size actually set in the [WAN] Interfaces setting?
My second, more general question is the following: since my ISP rarely changes the prefix, I cannot set a CARP for virtual WAN which corresponds to a real IPv6 GUA, but I would have to use something like fe80::1 or fd00::1. Is that possible? If yes, is there any additional routing required on the side of the ISP router, or any NAT in OPNsense or whatsoever?
Thanks!!
franco (Administrator, Hero Member; Posts: 17672, Karma: 1612)
Re: Wrong prefix delegation size « Reply #1 on: September 27, 2023, 10:03:43 am »
Hi,
You can send a hint as per the IPv6 setting (extra checkbox) but if the ISP ignores it that's all there is. If they changed something then you can't do much about it.
CARP IPv6 with router advertisements only works on link-local anyway. The GUAs are shuffled to the clients, but the client doesn't route through the firewall using the GUA. But that's for the LAN side. For the WAN side I'm not sure what a CARP GUA would achieve apart from mimicking IPv4. I've never had the need to set this up.
Cheers,
Franco
« Last Edit: September 27, 2023, 10:05:23 am by franco »
meschmesch (Full Member; Posts: 184, Karma: 5)
Re: Wrong prefix delegation size « Reply #2 on: September 27, 2023, 02:53:10 pm »
Thanks for the answer, Franco! The ISP does indeed somehow ignore the hint. I have now set the prefix length in the WAN settings to the prefix length actually provided to me (which was currently 58). Not a nice solution, but it works for the moment.
Regarding CARP IPv6, I have to explain the background: I cannot configure the IPv6 HA setup as illustrated in the manual (https://docs.opnsense.org/manual/how-tos/carp.html). This is because I have only a quasi-static IPv6 which may change from time to time. My idea was to use WAN track interface and have the LAN on firewall 1 assigned a different v6 subnet than the LAN on firewall 2. In the above example of the manual: Firewall 1 LAN 2001:db8:1234:1::1/64, Firewall 2 LAN 2001:db8:1234:2::1/64. Nevertheless, a common virtual CARP address fe80::2 is broadcast for both LANs.
I assume that the routing is done via the fe80::2, which is either pointing to firewall 1 in the master mode or to firewall 2 in the backup mode. If yes, this would make use of the less powerful firewall 2 only in exceptional cases (firewall 1 is newer, faster, has more RAM etc).
Is that understanding correct?
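The posts above turn on a /57 versus a /58 delegation and on per-interface prefix IDs. As an added example (not part of the thread and not OPNsense code), this sketch derives the LAN /64 for each prefix ID and flags IDs that no longer fit a shorter delegation. The interface names, the IDs and the use of the 2001:db8:1234:: documentation prefix as the delegated prefix are constructed assumptions.

```python
import ipaddress

# Constructed sample: interface name -> prefix ID (hypothetical values).
SAMPLE_IDS = {"LAN": 0x1, "DMZ": 0x2, "GUEST": 0x40}


def id_bits(delegated: str) -> int:
    """Bits available for the prefix ID between the delegation and a /64."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64, no LAN /64 can be derived")
    return 64 - net.prefixlen


def lan_subnet(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 that prefix_id selects inside the delegated prefix."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    limit = 1 << id_bits(delegated)
    if not 0 <= prefix_id < limit:
        raise ValueError(
            f"prefix ID {prefix_id:#x} does not fit in {net} (max {limit - 1:#x})"
        )
    # The ID occupies the bits directly above the 64-bit interface identifier.
    base = int(net.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def audit(delegated: str, ids: dict) -> dict:
    """Map each interface to its /64, or None when its ID is out of range."""
    result = {}
    for name, pid in ids.items():
        try:
            result[name] = str(lan_subnet(delegated, pid))
        except ValueError:
            result[name] = None
    return result


if __name__ == "__main__":
    for delegated in ("2001:db8:1234::/57", "2001:db8:1234::/58"):
        print(delegated, f"-> {1 << id_bits(delegated)} x /64")
        for name, subnet in audit(delegated, SAMPLE_IDS).items():
            print(f"  {name}: {subnet or 'prefix ID out of range'}")
```

A /57 leaves 7 bits for the ID (128 subnets) and a /58 leaves 6 (64 subnets), so an ID such as 0x40 is valid under the first and out of range under the second.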
franco (Administrator, Hero Member; Posts: 17672, Karma: 1612)
Re: Wrong prefix delegation size « Reply #3 on: September 27, 2023, 03:08:00 pm »
Hmm, doing CARP with different nodes that run on a dynamic DHCPv6 link is a bit tricky. You start to move the same IPv6 clients from one subnet to the next using separate prefix IDs between boxes, but only one box is connected via DHCPv6 so you should really use the same prefix for the same LAN. But I don't know if DHCP(v6) does establish on failover and/or if you really got two separate DHCPv6 links to the provider. From your example it doesn't appear to be the case.
Cheers,
Franco
meschmesch (Full Member; Posts: 184, Karma: 5)
Re: Wrong prefix delegation size « Reply #4 on: September 27, 2023, 04:46:24 pm »
I configured both firewalls to independently acquire their prefixes, no CARP for IPv6. The main firewall just uses RA with higher priority than the backup firewall. This will provide me the IPv6 via the main firewall in case of the main firewall = Master. And in case the main firewall fails, IPv6 will automatically use the backup. It is not seamless, I assume, but it should work.
« Last Edit: September 28, 2023, 12:22:47 am by meschmesch »