[Solved] IPv6 PD to downstream router - no respective route created?

[imk82]

Hi all,

just to confirm I am not doing a stupid mistake.

This is my setup:
* I get a /56 delegated from my ISP
* the OPNsense box is directly behind the modem
* box is delegating a /57 to a downstream router

Until that point, all works as desired. What NOT works and I don't find the "why": OPNsense is never creating a route for the delegated /57 to my downstream router via the interface it is connected to. In consequence, IPv6 is not working at all in that network segment.

Is there anything specific I must know here or is this just a bug?

What I found is this: https://forum.opnsense.org/index.php?topic=7719.0 describing exactly my problem. But, I do request a IPv6 address from the downstream router already and it is handed out. But in that case, only a route for the /64 which contains the dhcp pools address range is created, not for the /57 which is delegated.

Thanks in advance
Robert

[imk82]

Found another related discussion: https://forum.opnsense.org/index.php?msg=174073

But not fully sure about Francos comment there relating to the static mapping approach and how this may work with an dynamic prefix from my ISP?

[dseven]

It should be possible to do a static mapping with a dynamic prefix - you'd just specify the suffix part of the address only, e.g. ::0:0:0:abcd - but, so long as you have a pool of addresses available for dynamic leases, that should not be necessary in order for the route to get added.

I've played around with this a bit, and I did get it (prefix route added when using a dynamic lease) to work, but it wasn't exactly straightforward - possibly partly because I already had my prefix delegation configured for a static (not tracking) interface, and cleanup of my old config seemed incomplete.

I'd suggest that, for any interfaces using tracking for IPv6, you check the "Allow manual adjustment of DHCPv6 and Router Advertisements" box, and configure DHCPv6 (and RA) explicitly the way you want - it seems that the automatic mechanism may make some egregious assumptions when it comes to prefix delegation (possible topic for another thread).

Failing that, describe how your interfaces and the DHCPv6 service are configured, and how you're observing that the route is not getting added...

[imk82]

It should be possible to do a static mapping with a dynamic prefix - you'd just specify the suffix part of the address only, e.g. ::0:0:0:abcd - but, so long as you have a pool of addresses available for dynamic leases, that should not be necessary in order for the route to get added.

I've played around with this a bit, and I did get it (prefix route added when using a dynamic lease) to work, but it wasn't exactly straightforward - possibly partly because I already had my prefix delegation configured for a static (not tracking) interface, and cleanup of my old config seemed incomplete.

I'd suggest that, for any interfaces using tracking for IPv6, you check the "Allow manual adjustment of DHCPv6 and Router Advertisements" box, and configure DHCPv6 (and RA) explicitly the way you want - it seems that the automatic mechanism may make some egregious assumptions when it comes to prefix delegation (possible topic for another thread).

Failing that, describe how your interfaces and the DHCPv6 service are configured, and how you're observing that the route is not getting added...

Hi dseven,

thanks for your reply. I did some more investigation as well in the meantime and came across one sentence in the DCPH documentation https://docs.opnsense.org/manual/dhcp.html:

Dynamic DHCPv6 address lease: If an address range is specified in the DHCPv6 service settings and the downstream router requests both an address (IA_NA) and prefix (IA_PD), the prefix will be routed to the leased address.

This was not the case in my configuration because it was (technically) not necessary. The IPv6 address was handed out by the DHCP server without it as well to my downstream router (based on the prefix ID setting in the "Track IPv6 Interface" config of my relevant interface of the OPNsense box). Nevertheless, to match the documentation I added a range and..now the route to my /57 prefix is created automatically targeting the router IP (v6).

Next thing I want to try is the static configuration part mentioned in the documentation as well. But I am unsure how the DUID must look like to be kind of dynamic for the (often) changing prefix. But..next year. :-)

Best regards
Robert

[dseven]

I did some more investigation as well in the meantime and came across one sentence in the DCPH documentation https://docs.opnsense.org/manual/dhcp.html:

Dynamic DHCPv6 address lease: If an address range is specified in the DHCPv6 service settings and the downstream router requests both an address (IA_NA) and prefix (IA_PD), the prefix will be routed to the leased address.

This was not the case in my configuration because it was (technically) not necessary. The IPv6 address was handed out by the DHCP server without it as well to my downstream router (based on the prefix ID setting in the "Track IPv6 Interface" config of my relevant interface of the OPNsense box).

Probably your downstream router was configuring itself with SLAAC before, so it was not actually getting an NA from DHCPv6.

[imk82]

Hi dseven,

I doubt, but cannot proof it in any direction because it is a "production" (multi house hold + we live in home office times) system and I cannot change configs for testing right now.

What I can tell is, that the IP address before and after setting the range was identical.

Nevertheless, even when marking this a solved for now, I will have another look later.

Thanks so far and best regards
Robert