CALL FOR TESTING: Multi-dhcp6c for multi-WAN IPv6

Started by franco, March 04, 2026, 04:54:09 PM

Hello,

This builds on 26.1.3 and the previous topic https://forum.opnsense.org/index.php?topic=50401.0 and is mainly intended for multi-WAN users with multiple DHCPv6 WAN configurations, because there are some downsides to using only one daemon for all WANs.

This requires the 26.1.3 version to apply cleanly.

# opnsense-patch https://github.com/opnsense/core/commit/c5cb86b

(and reboot)

Why do this? When you have two WANs that both get IPv6 information via DHCPv6 they are currently merged into a single configuration. If one of the two interfaces is being reconfigured the only dhcp6c process gets a SIGHUP to restart, which restarts IPv6 connectivity for both WANs instead of only the right one. It will at least remove side effects from multi-WAN environments on this level.

The other addition is complete control over prefix association as described in the linked ticket: https://github.com/opnsense/core/issues/7647

This may at least make a few AT&T users happy.  :)

Things that would be useful to know:

1. Is this a fire and forget change first and foremost or does it introduce compatibility issues?
2. Is the new PD association feature working as intended?
3. Are you still using config file overrides and why?

The plan beyond this is likely to remove the "advanced" configuration mode for DHCPv6. I'm not overly fond of the "override" mode but it seems more useful than advanced so it's likely going to stay. So we can merge more advanced settings into the "basic" configuration. In a mid-term MVC/API world it's easier to hide more advanced settings, too.


Cheers,
Franco

March 07, 2026, 11:28:52 PM #1 Last Edit: March 07, 2026, 11:55:30 PM by jrichey98 Reason: Edit 1, fix hyperlink, 2 = fix error, 3 = succinctness.
Franco,

I recently installed a fresh install of opnsense 26.1 on a router. I have been running dual-wan for years (ATT & Spectrum), but with ISC DHCP for v6/v4, and figured it was time for a fresh config.

The default was DNSMasq, I couldn't get router advertisements to work or see leases (though ipv4 was working, ipv6 was not), so I switched over to KEA / RA. DHCPv4/6 are working well and assigning leases and RA daemon is configured as Managed (A+O) and working great. I get a warning that I should be using a /64, but it doesn't seem to affect anything.

I also switched over to the new firewall rules.

My networks are as follows:
WAN1: DHCP / DHCPv6
WAN2: DHCP / DHCPv6
LAN: Static - 172.20.0.1/24 / fd00::1/112
*probably should make it a /120 to match number of addresses, or a /96 so I can 1:1 the values in the last octet to the last group.

** Note: Image tags not working for me, included links **

My Home screen: <link>


NAT is configured manually, and I have the following rules: <link>


I have the following gateways: <link-int> <link-group>



If I wait about a couple of minutes, a link-local IP (fe80) will show up on WAN1, and I can then manually start the gateway monitor for WAN1_DHCP6: <link>


Firewall: <link1> <link2>



SYSLOG : <link>
Config : <link>
*Password hash removed

I tried the patch and didn't notice any different behavior than before.

Post-Patch SYSLOG: <link>

I do have a few opinions on Multi-WAN configs:
- I like using a private range for IPv6 and NAT'ing, because it means IPv4 works exactly the same as IPv6 which makes it simple to manage.
- When traffic is being redirected to different gateways, tracking an interface seems problematic.
- Defaulting to a net in the private IP space (fc00/7), and doing a One-to-One NAT, is probably the best solution when using multiple WAN/Gateways (I personally just NAT to the interface address, but you have the IPs with v6 so might as well use them).

These are just my opinions, but IMHO IPv6 keeps pretending they engineered all the use-cases away for translation, but I just think they cause more problems trying to throw away the toolbox.

In any case, I'd love to get my router's second ISP (Spectrum) up and working, and both of them without manual intervention (hitting start on the gateway monitor).

This is my home router and not a production system, and I haven't added my lab nets yet so it's pretty barebones. If you want me to test anything let me know.

I applied the patch to 26.1.3. Unfortunately, it doesn't work for me. dhcp6c fails to acquire an address (IA_NA) on the secondary WAN, and sometimes fails completely (no address on both WANs and no prefix delegation on WAN 1).

One thing I noticed in packet captures is that the IAID is now set to 0 for both WAN interfaces. That's not supposed to happen, each interface must have a distinct IAID. Not sure whether this is the root cause, but it's plausible because in my case, both WAN interfaces are served by the same upstream DHCPv6 server.

Without the patch, dhcp6c uses a distinct IAID for each interface. Had to roll back the patch. Happy to test again when unique IAIDs are back.

Config WAN 1:
<if>vtnet0</if>
<descr>WAN_GPON</descr>
<enable>1</enable>
<lock>1</lock>
<blockpriv>1</blockpriv>
<blockbogons>1</blockbogons>
<mtu>1492</mtu>
<ipaddrv6>dhcp6</ipaddrv6>
<dhcp6-ia-pd-len>8</dhcp6-ia-pd-len>

Config WAN 2:
<if>vtnet1</if>
<descr>WAN_LTE</descr>
<enable>1</enable>
<lock>1</lock>
<blockpriv>1</blockpriv>
<blockbogons>1</blockbogons>
<ipaddrv6>dhcp6</ipaddrv6>
<dhcp6-ia-pd-len>none</dhcp6-ia-pd-len>

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
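
Added example, not part of the original posts and not OPNsense or dhcp6c code: the packet-capture check described in the post above, written as a parser that extracts the IAID from IA_NA (option 3) and IA_PD (option 25) in DHCPv6 client messages and flags any (DUID, IA type, IAID) seen on more than one interface. The Solicit messages, the DUID and the IAID values are constructed, and the check assumes both WANs present the same DUID.

```python
import struct
from collections import defaultdict
OPT_CLIENTID, OPT_IA_NA, OPT_IA_PD = 1, 3, 25
IA_NAMES = {OPT_IA_NA: "IA_NA", OPT_IA_PD: "IA_PD"}

def parse_ias(msg: bytes):
    """Return (duid, [(ia_type, iaid), ...]) from a DHCPv6 client message."""
    if len(msg) < 4:
        raise ValueError("truncated DHCPv6 header")
    duid, ias, off = None, [], 4      # skip msg-type (1) + transaction-id (3)
    while off < len(msg):
        if off + 4 > len(msg):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", msg, off)
        data = msg[off + 4: off + 4 + length]
        if len(data) != length:
            raise ValueError("option overruns message")
        if code == OPT_CLIENTID:
            duid = data
        elif code in IA_NAMES:
            if length < 12:           # IAID (4) + T1 (4) + T2 (4)
                raise ValueError("short IA option")
            ias.append((IA_NAMES[code], struct.unpack_from("!I", data)[0]))
        off += 4 + length
    return duid, ias

def iaid_collisions(captures):
    """captures: {interface: raw message}. Report IAIDs reused across interfaces."""
    seen = defaultdict(set)
    for ifname, msg in captures.items():
        duid, ias = parse_ias(msg)
        for ia_type, iaid in ias:
            seen[(duid, ia_type, iaid)].add(ifname)
    return sorted((t, i, sorted(ifs)) for (_, t, i), ifs in seen.items() if len(ifs) > 1)

def _opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

def solicit(xid, duid, ias):
    """Build a constructed Solicit (msg-type 1) carrying the given IA options."""
    body = _opt(OPT_CLIENTID, duid)
    for code, iaid in ias:
        body += _opt(code, struct.pack("!III", iaid, 0, 0))
    return bytes([1]) + xid.to_bytes(3, "big") + body

DUID = bytes.fromhex("00030001020000000001")   # constructed DUID-LL
SAME_IAID = {"vtnet0": solicit(0x111111, DUID, [(OPT_IA_NA, 0), (OPT_IA_PD, 0)]),
             "vtnet1": solicit(0x222222, DUID, [(OPT_IA_NA, 0)])}
DISTINCT_IAID = {"vtnet0": solicit(0x111111, DUID, [(OPT_IA_NA, 0), (OPT_IA_PD, 0)]),
                 "vtnet1": solicit(0x222222, DUID, [(OPT_IA_NA, 1)])}
```

With real traffic, feed `iaid_collisions` the UDP payload of one client message per WAN interface (client port 546 to server port 547).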