IPv6 prefix shortcut - Where can it be used?

Started by Mpegger, February 08, 2026, 03:38:52 AM

I know I'm going to use the wrong terminology, but hopefully the question will be understood.

My ISP (Verizon) designates a prefix for IPv6 addresses, and it is not fixed. So in sections such as "Firewall > Aliases", or "ISC DHCPv6", I need to use the shortened IPv6 address, such as "::aaaa:bbbb:cccc:dddd". But what about sections such as "System > General > DNS Servers"? Is there a list of where the ::x:x:x:x shortcut can be used, or where it can't be used?

February 08, 2026, 04:41:58 AM #1 Last Edit: February 08, 2026, 05:36:50 AM by OPNenthu
Haven't seen such a list where partial IPv6 addresses are accepted but so far I've only seen them used in the same places you listed (DHCP and "Dynamic IPv6 Host" aliases).

Are you trying to use a separate DNS server on your LAN as the system DNS for OPNsense? You could use ULAs or IPv4, but AFAIK there's no current ability to specify a host with a dynamic prefix.

EDIT: On second thought, it's probably better to use an external DNS there which would be available to OPNsense at all times. With a LAN-side DNS you might have issues on OPNsense startup before the DNS server is able to reach the internet. I use Cloudflare (1.1.1.1) as the system DNS, for example.

Yes, I run a pair of Pi-holes strictly for ad-blocking, into Unbound on OPNsense with an override list for those systems that have a fixed IP and recursive queries, and currently use ISC+RA for DHCP/DHCPv6. I'm in the process of (finally) switching over to Dnsmasq for DHCP/DHCPv6/RA, hence why I'm wondering where I can use the partial IPv6 address, because I want to use GUA for all the systems that work with DHCPv6. I had tried ULA, but it didn't seem to play nice on the LAN (systems randomly were inaccessible from one moment to another, Unbound would spam the Pi-holes with thousands of requests a second [infinite loop?]), and it's my understanding that in a mixed IPv4/IPv6 environment, ULAs will pretty much be ignored if an IPv4 or GUA is available in a DNS response. I currently use the LLA address of the Pi-holes for its IPv6 address, which seems to work. But if I can make use of partial GUA IPv6 addresses everywhere, I'd rather try to do that.

February 08, 2026, 06:06:31 AM #3 Last Edit: February 08, 2026, 06:08:30 AM by OPNenthu
It sounds like you have a configuration issue somewhere. There shouldn't be any loops regardless of whether you use GUAs or ULAs, or both.

I edited my reply above to mention that I don't think it's a good idea to use an internal DNS for OPNsense itself (fine for LAN clients). I feel that OPNsense being the head of the network should not depend on anything downstream of it for its core functions. Why do you need the OPNsense itself to go over Pi-hole?

You're right the ULA would not be preferred where a GUA or IPv4 is available, but unless OPNsense knows about them they wouldn't be used. Hypothetically, you would just enter the ULA address in the OPNsense config and that's what it would use, but don't quote me on that. Again, I don't think it's a good idea anyway.

Just my unqualified two cents...

OPNsense itself does not go through the Pi-holes since Unbound is active and the option to disable using itself (127.0.0.1) for queries is disabled (not check marked).

However, pretty much any and every DHCP configuration section that allows you to set a DNS server (besides System > General) will tell you that if a DNS server is not set, it will use the DNS server entries already set in System > General. So one setting should cover any and every other section that could also use that setting, instead of manually configuring each and every entry.

February 08, 2026, 07:13:34 AM #5 Last Edit: February 08, 2026, 07:19:56 PM by OPNenthu
Gotcha. I think you would still need to specify the DNS in DHCP if you really need to use GUAs, because unless you have a static prefix you can't use the System->General configs.

In Dnsmasq you can conveniently use constructors to track the interface.

This "partial IPv6" (aka dynamic IPv6 alias) is only available as a firewall alias, and its main purpose is to create firewall rules for IPv6 clients when you have dynamic IPv6 prefixes. BTW: the more general approach would be to use the device's MAC instead, because the EUI-64 is not the only way an IPv6 device can communicate - think of IPv6 privacy extensions. It is not a means to specify IPv6 addresses anywhere else.

As for DNS (or any other) services on your network: Keep in mind that you do not need a specific DNSv6 server at all, because IPv6 can be resolved via DNSv4 just fine. So, if you have dual stack on your LAN and have a working DNSv4 server, you are all set.

Thus, you usually do not need to distribute DNSv6 via DHCPv6 at all. Strictly speaking, you do not need DHCPv6 either and with dynamic IPv6 prefixes, you should probably better use SLAAC in the first place. See this for why.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on February 08, 2026, 12:34:51 PM
BTW: the more general approach would be to use the device's MAC instead, because the EUI-64 is not the only way an IPv6 device can communicate - think of IPv6 privacy extensions.

What exactly do you mean "use the device's MAC instead"? Is it possible to use MAC addresses instead of IPs in OPNsense? Or are you talking about the LLA (fe80:) address?

Quote:
As for DNS (or any other) services on your network: Keep in mind that you do not need a specific DNSv6 server at all, because IPv6 can be resolved via DNSv4 just fine. So, if you have dual stack on your LAN and have a working DNSv4 server, you are all set.

I thought if a device used the IPv4 address of the DNS server, the DNS server would only give an IPv4, or the client would default to sticking with IPv4. If this is the case that the client will get an IPv6 and use the IPv6, then yes, it really wouldn't matter if I just keep the DNS servers with IPv4 addresses.

Quote:
Thus, you usually do not need to distribute DNSv6 via DHCPv6 at all. Strictly speaking, you do not need DHCPv6 either and with dynamic IPv6 prefixes, you should probably better use SLAAC in the first place. See this for why.

Yes, for those clients that can only use SLAAC (Android and IoT devices being main culprits on my network), I don't bother with DHCPv6 for those devices. But the systems that do support DHCPv6, I setup for SLAAC + a fixed GUA address, as a couple I have open to the WAN via GUA IPv6 addresses.

Quote from: Mpegger on February 08, 2026, 08:13:48 PM
Quote from: meyergru on February 08, 2026, 12:34:51 PM
As for DNS (or any other) services on your network: Keep in mind that you do not need a specific DNSv6 server at all, because IPv6 can be resolved via DNSv4 just fine. So, if you have dual stack on your LAN and have a working DNSv4 server, you are all set.
I thought if a device used the IPv4 address of the DNS server, the DNS server would only give an IPv4, or the client would default to sticking with IPv4.
You thought wrong ;)

You can resolve IPv6 AAAA records via IPv4 without any issue !!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
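The point made in the two replies above (an AAAA record is just data in the answer section; the address family used to reach the resolver has nothing to do with it) can be shown with a few lines of wire-format code. This is an added example, not code from the thread or from OPNsense: it builds an RFC 1035 AAAA query, parses a response (including the 0xC00C name-compression pointer real resolvers emit), and sends the query over an IPv4 UDP socket. The host name `host.example.net`, the 2001:db8::/32 documentation addresses and the response bytes are constructed for the demonstration; the default resolver 1.1.1.1 is the one mentioned earlier in the thread and the live lookup is only reachable through `resolve_aaaa_over_ipv4`, which the offline demo does not call.

```python
import ipaddress
import socket
import struct

TYPE_AAAA = 28
CLASS_IN = 1


def build_query(name: str, qtype: int = TYPE_AAAA, txid: int = 0x1234) -> bytes:
    """Minimal DNS query (RFC 1035): one question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query: bytes, addresses, ttl: int = 300) -> bytes:
    """Constructed reply to `query`: echoes the question, adds one AAAA RR per address.

    Each answer name is a compression pointer (0xC00C) back to the question
    name at offset 12, which is what real resolvers send.
    """
    txid, _flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, 0x8180, qdcount, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        rdata = ipaddress.IPv6Address(addr).packed
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_AAAA, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answers


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer: 14-bit offset
            if end is None:
                end = off + 2                  # the name occupies only the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_aaaa_answers(msg: bytes):
    """Return [(name, ipv6_text, ttl)] for every AAAA record in the answer section."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise RuntimeError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):                   # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    results = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_AAAA and rclass == CLASS_IN and rdlen == 16:
            results.append((name, str(ipaddress.IPv6Address(rdata)), ttl))
    return results


def resolve_aaaa_over_ipv4(name: str, resolver_v4: str = "1.1.1.1", timeout: float = 2.0):
    """Ask an IPv4-addressed resolver for AAAA records over a plain IPv4 UDP socket.

    The transport (AF_INET) and the record type (AAAA) are independent: nothing
    here requires the resolver to have an IPv6 address of its own.
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_v4, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise RuntimeError("transaction ID mismatch")
    return parse_aaaa_answers(reply)


if __name__ == "__main__":
    # Offline demonstration with a constructed response (documentation prefix, RFC 3849).
    q = build_query("host.example.net")
    r = build_response(q, ["2001:db8:1:2:211:22ff:fe33:4455"])
    print(parse_aaaa_answers(r))
    # Live lookup (needs network access): resolve_aaaa_over_ipv4("<some hostname>")
```

The parser only keeps AAAA/IN records, so a CNAME or A record in the same answer section is skipped rather than mis-read; a non-zero RCODE is raised instead of silently returning an empty list.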

Quote from: Mpegger on February 08, 2026, 08:13:48 PM
What exactly do you mean "use the device's MAC instead"? Is it possible to use MAC addresses instead of IPs in OPNsense? Or are you talking about the LLA (fe80:) address?

Yes, via a MAC alias.

Quote from: Mpegger on February 08, 2026, 08:13:48 PM
I thought if a device used the IPv4 address of the DNS server, the DNS server would only give an IPv4, or the client would default to sticking with IPv4. If this is the case that the client will get an IPv6 and use the IPv6, then yes, it really wouldn't matter if I just keep the DNS servers with IPv4 addresses.

That misconception is very common. And wrong, as I wrote.

Quote from: Mpegger on February 08, 2026, 08:13:48 PM
Yes, for those clients that can only use SLAAC (Android and IoT devices being main culprits on my network), I don't bother with DHCPv6 for those devices. But the systems that do support DHCPv6, I setup for SLAAC + a fixed GUA address, as a couple I have open to the WAN via GUA IPv6 addresses.

As I said: You can do the same via MAC aliases and do not have to rely on the device using any specific EUI-64. If you read my HOWTO, you will also understand why DHCPv6 is completely unneeded:

1. You do not need it to regulate traffic - even more so, you cannot rely on any device to use any IPv6 you hand out via DHCPv6. Use MAC-based aliases, if you want to.

2. You also do not need it to make your devices "addressable" with a fixed assignment of a DNS name <-> IPv6, because you can do that as well via IPv4.

3. You do not need to distribute a DNSv6 server, because a DNSv4 server can do the same.
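What the "partial IPv6" alias does, and why the reply above prefers a MAC alias, is easy to see once the arithmetic is written out: the alias keeps only the low 64 bits (the interface identifier) and OPNsense prepends whatever /64 the WAN currently has. The following is an added example, not code from the thread or from OPNsense. It derives the modified EUI-64 identifier from a MAC (RFC 4291, Appendix A), joins it with two successive delegated prefixes, and then checks a temporary address of the kind produced by privacy extensions (RFC 4941) against the alias. The MAC `00:11:22:33:44:55`, the 2001:db8::/32 documentation prefixes and the temporary address are all constructed for the demonstration.

```python
import ipaddress

HOST_BITS = (1 << 64) - 1  # mask for the 64-bit interface identifier


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, App. A) derived from a MAC.

    The 48-bit MAC is split in half, ff:fe is inserted in the middle and the
    universal/local bit (bit 1 of the first octet) is inverted.
    """
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def eui64_alias(mac: str) -> str:
    """The '::x:x:x:x' form of the EUI-64 identifier, as typed into a dynamic alias."""
    return str(ipaddress.IPv6Address(eui64_iid(mac)))


def host_suffix(partial: str) -> int:
    """Low 64 bits of a partial address such as '::aaaa:bbbb:cccc:dddd'."""
    return int(ipaddress.IPv6Address(partial)) & HOST_BITS


def combine(lan_prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Join the /64 currently on the LAN with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(lan_prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("pass the /64 assigned to the LAN, not the whole delegation")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & HOST_BITS))


def alias_matches(lan_prefix: str, partial: str, candidate: str) -> bool:
    """Does `candidate` equal the alias `partial` expanded under the current prefix?"""
    return ipaddress.IPv6Address(candidate) == combine(lan_prefix, host_suffix(partial))


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                      # constructed sample MAC
    alias = eui64_alias(mac)                       # '::211:22ff:fe33:4455'
    # The same alias follows the prefix when the ISP hands out a new one.
    for prefix in ("2001:db8:1:2::/64", "2001:db8:9:2::/64"):
        print(prefix, "+", alias, "->", combine(prefix, host_suffix(alias)))
    # A privacy-extension temporary address carries a random identifier, so a
    # rule keyed on the EUI-64 alias never matches that traffic.
    temp = "2001:db8:1:2:1c3f:9a7e:8b2d:4f10"      # constructed RFC 4941 style address
    print(temp, "matches", alias, "->", alias_matches("2001:db8:1:2::/64", alias, temp))
```

`combine` deliberately refuses anything other than a /64: a /56 delegation such as Verizon's still has to be cut into per-LAN /64s first, and passing the whole delegation would silently drop the subnet bits.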

February 09, 2026, 06:57:56 AM #10 Last Edit: February 09, 2026, 07:00:10 AM by OPNenthu
Quote from: meyergru on February 08, 2026, 10:35:33 PM
Quote from: Mpegger on February 08, 2026, 08:13:48 PM
What exactly do you mean "use the device's MAC instead"? Is it possible to use MAC addresses instead of IPs in OPNsense? Or are you talking about the LLA (fe80:) address?

Yes, via a MAC alias.

If the question was about System->Settings->General->DNS servers, then I think not. AFAIK aliases are limited to firewall rules.

@Mpegger, you can use IPv4 there for your DNS server, but keep in mind this is a crutch because of the issue with dynamic IPv6 prefixes. There are other such cases why it's been suggested to use only IPv4 for DNS for the time being as well (e.g. the "Source Net(s)" field in Unbound->Blocklists).

I think that these gaps will be filled in future OPNsense releases as the developers have been keen to make things better for us residential IPv6 internet subscribers, but it'll take some work. I think 'hostwatch' is one small step toward that eventuality because with it we could in theory track dynamic IPv6 hosts (including their privacy addresses) for DNS purposes, which is currently lacking even in Dnsmasq.