[SOLVED][IPv6] Can’t delegate prefix to downstream router

Started by vasawar, December 03, 2023, 06:40:34 PM

Hi,

I use OPNsense as my internet router/fw, with only a directly connected OpenWrt router as core router. All my subnets and endpoints are behind the core router.
I want to receive a prefix from my ISP, keep at least one IPv6 address for OPNsense and delegate at least a /60 prefix to the core router. Despite reading the docs and forum topics, I can't succeed.


Let's try configuring my network like this topic https://forum.opnsense.org/index.php?topic=36517.msg178335#msg178335

My ISP only delegates a /56 prefix, no IPv6 address is provided to the WAN interface.
In the WAN interface, SLA length is 2.
In the LAN interface page, IPv6 Prefix ID=0 and Manual configuration is enabled.

This looks correct:
root@fw:/var/etc # cat dhcp6c.conf
interface igb1_vlan832 {
  send ia-pd 0;
//REDACTED
  script "/var/etc/dhcp6c_wan_script.sh";
};
id-assoc pd 0 {
  prefix-interface igb0_vlan600 {
    sla-id 0;
    sla-len 2;
  };
};


On Interfaces>Overview>LAN page, I see:
Quote
IPv6 address   2001:0db8:aaaa:aa00:fefe:abcd:fe49:d5b0/58


In the DHCPD6 page, Prefix Delegation Range fields are set:
from: ::40:0:0:0:0
to: ::c0:0:0:0:0
Delegation size: 58



Then the core router receives 0:0:0:c0::/58 as delegated prefix!


Indeed, the prefix6 statement is wrong:
root@fw:/var/etc # cat ../dhcpd/etc/dhcpdv6.conf
option dhcp6.domain-search "admin.home.arpa";
option dhcp6.rapid-commit;

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;

subnet6 2001:0db8:aaaa:aa00::/58 {
  option dhcp6.name-servers 2001:0db8:aaaa:aa00:fefe:abcd:fe49:d5b0;
  prefix6 0:0:0:40:: 0:0:0:c0::/58;

}

ddns-update-style none;



I also tried to change the PD range as given by Maurice in the other topic:
from: ::40
to: ::c0
Delegation size: 58



This changes the prefix6 line in dhcpdv6.conf to:
prefix6 2001:0db8:aaaa:aa00:: 2001:0db8:aaaa:aa00::/58;
and errors are logged :
2023-12-03T18:18:44 Warning opnsense /services_dhcpv6.php: '::c0' is not a valid prefix range value
2023-12-03T18:18:44 Warning opnsense /services_dhcpv6.php: '::40' is not a valid prefix range value




What did I miss?




For the record, in the DHCPD6 page, I see:
Quote
Subnet   2001:0db8:aaaa:aa00::
Subnet mask   58 bits
Available range   2001:0db8:aaaa:aa00:: - 2001:0db8:aaaa:aa3f:ffff:ffff:ffff:ffff
Available prefix delegation size   63 bits

Note the strange size field.





I want to add that OPNsense has behaved in this way for several versions now.

Hi,

Even with the patch from bug report https://github.com/opnsense/core/issues/7046 , the prefix is still wrong.

# opnsense-patch dd92fe4

returns:

prefix6 2001:0db8:aaaa:aa00:: 2001:0db8:aaaa:aa00::/58;

1/ Do not use the trailing 0s. E.g.

from ::10
to ::f0


2/ Use something standard, such as /60.

Are you sure you actually get a /56 from your ISP? Did you check Interfaces: Overview: WAN: IPv6 prefix?

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

December 20, 2023, 01:21:57 PM #5 Last Edit: December 20, 2023, 01:23:35 PM by almodovaris
Agree with doktornotor. See why at https://www.youtube.com/watch?v=Yb7JdIFriKI&t=1010s
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

Quote from: doktornotor on December 20, 2023, 12:38:16 PM
1/ Do not use the trailing 0s. E.g.

from ::10
to ::f0


We've been through this in 2022 and it's not good advice since isc-dhcp will want the trailing zeros in its config (prefix6) anyway. It's a lot safer than giving the configuration a couple of infix bits to deal with which happen to be validated as a full IPv6 "address".


Cheers,
Franco

Well, that's all fine when it's safer but not when it just does not work.

I simply want to point out that we already tried this week to unfix the help text regarding this. It really doesn't help giving advice that goes against the documentation, bug or not. The regression here was unfortunate but not untested and only partially problematic.

Will consider removing the legacy compatibility regarding the input, which was the only reason why it stopped working in the first place.


Cheers,
Franco

Quote from: Maurice on December 20, 2023, 12:39:08 PM
Are you sure you actually get a /56 from your ISP? Did you check Interfaces: Overview: WAN: IPv6 prefix?

Cheers
Maurice

Yes.

Quote from: doktornotor on December 20, 2023, 12:38:16 PM

2/ Use something standard, such as /60.

I wanted to show the difference between my case and a previous user who succeeded in achieving exactly what I want to do.

Anyway, with /60 subnets:

I set SLA length to 4.
DHCPDv6 set to:
from: ::10:0:0:0:0
to: ::f0:0:0:0:0
Delegation size: 60


Result is:
On Interfaces>Overview>LAN page, I see:
Quote
IPv6 address   2001:0db8:aaaa:aa00:fefe:abcd:fe49:d5b0/60

DHCPDv6 page:
Quote
Subnet   2001:0db8:aaaa:aa00::
Subnet mask   60 bits
Available range   2001:0db8:aaaa:aa00:: - 2001:0db8:aaaa:aa0f:ffff:ffff:ffff:ffff
Available prefix delegation size   61 bits

cat dhcpdv6.conf:
Quote
...
subnet6 2001:0db8:aaaa:aa00::/60 {
  option dhcp6.name-servers 2001:0db8:aaaa:aa00:fefe:abcd:fe49:d5b0;
  prefix6 2001:0db8:aaaa:aa00:: 2001:0db8:aaaa:aa00::/60;

}


Quote from: franco on December 20, 2023, 02:38:21 PM
Will consider removing the legacy compatibility regarding the input, which was the only reason why it stopped working in the first place.


Cheers,
Franco

Hi Franco, can you please explain what this legacy compatibility is?

Quote from: vasawar on December 03, 2023, 06:40:34 PM
My ISP only delegates a /56 prefix, no IPv6 address is provided to the WAN interface.
In the WAN interface, SLA length is 2.

For a /56, sla-len should be 8. sla-len 2 indicates an incorrectly configured prefix delegation size in the DHCPv6 client configuration. Did you set this to 56?
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

December 23, 2023, 04:20:03 PM #13 Last Edit: December 23, 2023, 09:07:16 PM by vasawar
Hi,

OK, setting SLA to 8 fixed my issue! I've been working on this for so long that I didn't see the error.
I'm now assigning OPNsense a GUA in a /64 network and delegating a /57 prefix that the downstream router receives and uses. But there's no route in OPNsense to the delegated network, so I'm opening another topic. I found the solution to routing in the OPNsense docs.

2 questions regarding the processing of SLA size in OPNsense:
1) SLA size is used only for assigning a local address, is there any use case where someone would want to assign a local address in a larger than /64 network (against conventions) ? If not, I think SLA size could be automatically set to 64 minus delegated prefix size to avoid dumb errors like mine.

2) SLA size is used only for assigning a local address on the system, why does it have an impact on downstream prefix delegation ?

Configuring the prefix length / SLA length in the DHCPv6 client settings has three purposes: Requesting a prefix of a specific length (if the ISP allows it), creating subnets for tracking LAN interfaces and calculating prefixes for downstream prefix delegation.

1) dhcp6c needs a static SLA length for creating subnets for tracking LAN interfaces (man dhcp6c.conf).

2) The SLA length is in fact used for downstream prefix delegation (merging the prefix delegated by the ISP with the subnet IDs configured in the DHCPv6 server settings).

It is up to the user to verify that the prefix length / SLA length configured in the DHCPv6 client settings matches the length of the prefix which the ISP actually delegates. A mismatch warning has once been discussed, the result was displaying the delegated prefix in the interfaces overview. That's already a big improvement, this information was previously only available in the logs.

Cheers
Maurice
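As an added illustration (not code from this thread or from OPNsense), the merge Maurice describes, written out in Python: the ISP-delegated prefix, the SLA length/ID from the DHCPv6 client settings, and the PD range from the DHCPv6 server settings. It assumes the constructed prefix 2001:0db8:aaaa:aa00::/56 from the thread, and adds the sanity check the thread asks about: an SLA length that does not bring the ISP prefix to /64 is rejected instead of silently producing a /58.

```python
import ipaddress

def lan_prefix(delegated: str, sla_len: int, sla_id: int) -> ipaddress.IPv6Network:
    """Subnet of a tracking LAN interface: ISP prefix + sla-id in the next sla-len bits.
    A /56 needs sla-len 8 (a /60 needs 4) to land on /64; anything else is flagged,
    which is the mismatch warning discussed in the thread."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen + sla_len != 64:
        raise ValueError(f"sla-len {sla_len} + /{net.prefixlen} does not give a /64")
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    # the SLA field occupies the bits just above the 64-bit interface-identifier half
    return ipaddress.IPv6Network((int(net.network_address) | (sla_id << 64), 64))

def pd_range(delegated: str, range_from: str, range_to: str, size: int):
    """Merge the DHCPv6 server PD range (subnet IDs such as ::10:0:0:0:0) with the ISP prefix.
    Each bound must leave the ISP's bits alone and sit on a /size boundary."""
    net = ipaddress.IPv6Network(delegated)
    if not net.prefixlen < size <= 64:
        raise ValueError(f"delegation size /{size} must lie between /{net.prefixlen} and /64")
    isp_bits = ((1 << net.prefixlen) - 1) << (128 - net.prefixlen)  # bits fixed by the ISP
    host_bits = (1 << (128 - size)) - 1                             # bits inside one delegated block
    bounds = []
    for field in (range_from, range_to):
        v = int(ipaddress.IPv6Address(field))
        if v & isp_bits:
            raise ValueError(f"{field} overlaps the ISP's /{net.prefixlen}")
        if v & host_bits:
            raise ValueError(f"{field} is not on a /{size} boundary")
        bounds.append(ipaddress.IPv6Address(int(net.network_address) | v))
    if bounds[0] > bounds[1]:
        raise ValueError("range start is above range end")
    return bounds[0], bounds[1]

def prefix6_line(delegated: str, range_from: str, range_to: str, size: int) -> str:
    """Render the range in the shape of the prefix6 statement seen in dhcpdv6.conf above."""
    lo, hi = pd_range(delegated, range_from, range_to, size)
    return f"prefix6 {lo} {hi}/{size};"

if __name__ == "__main__":
    isp = "2001:0db8:aaaa:aa00::/56"   # constructed, matches the thread's redacted prefix
    print(lan_prefix(isp, 8, 0))        # LAN tracking interface with Prefix ID 0
    print(prefix6_line(isp, "::10:0:0:0:0", "::f0:0:0:0:0", 60))
```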