IPv6 weirdness

Started by jcdick1, April 19, 2026, 03:15:50 AM

I am running OPNsense in an XCP-NG VM, and I am seeing some genuine weirdness going on.

I have four interfaces labelled WAN, LAN, Management and Storage. 

Some VMs in my environment have only a single interface on the LAN network, others have some combination of the three. Physical devices (PCs, streaming devices, etc) are all on the LAN network.

The Management and Storage networks have firewall rules to keep them isolated - for all intents and purposes, unrouted.

KEA is configured to only have its DHCPv6 server active on the LAN network (only interface with a checkbox in the dropdown).  But its "Leases DHCPv6" page is showing active leases on the "Management" interface.  And on the hosts, those corresponding IPv6 addresses are showing on their LAN-associated interface.  At the same time, some devices on the LAN network cannot get IPv6 addresses.

Even after the latest upgrade, I still have ISC doing the IPv4, as I am fairly dependent on the Unbound relationship for DHCP lease DNS resolution.

This IPv6 stuff is genuinely a headache for me.  But since Matter devices require IPv6, I have to figure this all out.

I'd like to put IPv6 on all my interfaces and then it probably wouldn't matter since there'd be addresses available all over, but I can only get a single /64 from my ISP (AT&T).

Any insight or assistance is appreciated.  Thank you!


Take a look at the Tutorial section - there is a HowTo for IPv6.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+

Quote from: jcdick1 on April 19, 2026, 03:15:50 AM
Some VMs in my environment have only a single interface on the LAN network, others have some combination of the three. Physical devices (PCs, streaming devices, etc) are all on the LAN network.

The Management and Storage networks have firewall rules to keep them isolated - for all intents and purposes, unrouted.
But you should still be aware of possible Asymmetric Routing despite the Firewall Rules, so make sure to double check on that or at least keep an eye on it!!

Quote
KEA is configured to only have its DHCPv6 server active on the LAN network (only interface with a checkbox in the dropdown).
But its "Leases DHCPv6" page is showing active leases on the "Management" interface.
And on the hosts, those corresponding IPv6 addresses are showing on their LAN-associated interface.

At the same time, some devices on the LAN network cannot get IPv6 addresses.
This could be related to the above or simply a case of adjusting local settings/tuning configuration on those hosts.
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

In response to all this - and perhaps some additional weirdness in the hypervisor related to VIF association - I just spun up a new VM and installed a fresh OPNsense.  My install mentioned in the OP has been upgraded version to version for a good number of years.

Now, my NAT rules don't work despite matching my previous install's config (and simply swapping back to the other VM router makes hosted services available again) and the KEA DHCPv6 leases are listing under "WAN" instead of "Management" this time.  I've got some leases going out with no client MAC address listed on the KEA leases page, and still my new TBR for my IoT is still apparently not getting an IP.

I've got one device - a mobile phone - that is getting an IPv4 address, but is generating these Warning log entries in KEA DHCPv6:

2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_CLASSES duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: Failed to allocate an IPv6 address for client with classes: ALL, UNKNOWN

2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_NO_POOLS duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: no pools were available for the lease allocation

2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: failed to allocate an IPv6 lease in the subnet 2600:1700:7aa0:d7c0::/64, subnet-id 1, shared network (none)

There's a bunch of them, over and over, for that one device.  Other devices that are apparently not getting IPv6 addresses are not showing in the logs at all, when searching for their MACs.

I only have IPv6 on the one LAN interface due to only receiving a single /64 from upstream, that's the only interface KEA DHCPv6 is enabled on, and it's all just ... weird.

Quote from: jcdick1 on Today at 07:50:29 AM
I've got one device - a mobile phone - that is getting an IPv4 address, but is generating these Warning log entries in KEA DHCPv6:

2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_CLASSES duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: Failed to allocate an IPv6 address for client with classes: ALL, UNKNOWN

2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_NO_POOLS duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: no pools were available for the lease allocation

2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: failed to allocate an IPv6 lease in the subnet 2600:1700:7aa0:d7c0::/64, subnet-id 1, shared network (none)
00:03:00:01:66 shows as Barracuda Networks and are known for their Firewalls?!

If this is a mobile phone then it might be using fake MAC Addressing and there is a toggle for that in the KEA DHCP Server Settings.
See my comparison a long time ago: https://forum.opnsense.org/index.php?topic=50536.msg258019#msg258019

Another option is that it's an Android phone that works only with SLAAC in most cases if not all of them!
In that case you need radvd when using KEA.

Please also note that KEA is not the best choice when you have a Dynamic IPv6 Prefix that can change often.
DNSmasqd is the better choice in that case!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
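
Added example, not part of any post in this thread: a Python script that decodes the DUID from the Kea warnings quoted above using the RFC 8415 DUID layout and groups the failure message IDs per client. The function names `decode_duid` and `summarize` are hypothetical; the sample lines are the three warnings quoted in the thread.

```python
import re

# Three Kea warnings for one client, copied from the log quoted in this thread.
SAMPLE_LOG = """\
2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_CLASSES duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: Failed to allocate an IPv6 address for client with classes: ALL, UNKNOWN
2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_NO_POOLS duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: no pools were available for the lease allocation
2026-04-20T00:25:40-05:00 Warning kea-dhcp6 WARN [kea-dhcp6.alloc-engine.0x3b7ead86c008] ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET duid=[00:03:00:01:66:f9:0c:e7:b9:a3], [no hwaddr info], tid=0xcaf6d1: failed to allocate an IPv6 lease in the subnet 2600:1700:7aa0:d7c0::/64, subnet-id 1, shared network (none)
"""

# DUID type codes from RFC 8415, section 11.
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}
LINE_RE = re.compile(r"(ALLOC_ENGINE_V6_\w+) duid=\[([0-9a-fA-F:]+)\]")


def decode_duid(text):
    """Decode a colon-separated DUID; return type, MAC and the locally-administered flag."""
    info = {"type": "malformed", "hwtype": None, "mac": None, "locally_administered": None}
    try:
        raw = bytes.fromhex(text.replace(":", ""))
    except ValueError:
        return info
    if len(raw) < 2:
        return info
    dtype = int.from_bytes(raw[:2], "big")
    info["type"] = DUID_TYPES.get(dtype, f"unknown({dtype})")
    # Link-layer address offset: LLT = type(2)+hwtype(2)+time(4); LL = type(2)+hwtype(2).
    offset = {1: 8, 3: 4}.get(dtype)
    if offset is None or len(raw) <= offset:
        return info
    info["hwtype"] = int.from_bytes(raw[2:4], "big")
    lladdr = raw[offset:]
    if info["hwtype"] == 1 and len(lladdr) == 6:  # hardware type 1 = Ethernet
        info["mac"] = ":".join(f"{b:02x}" for b in lladdr)
        # Bit 0x02 of the first octet marks a locally administered (e.g. randomized) MAC.
        info["locally_administered"] = bool(lladdr[0] & 0x02)
    return info


def summarize(log_text):
    """Group Kea allocation-failure message IDs by client DUID."""
    clients = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            msg_id, duid = m.groups()
            entry = clients.setdefault(duid, {"decoded": decode_duid(duid), "messages": []})
            entry["messages"].append(msg_id)
    return clients
```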

Quote from: nero355 on Today at 02:37:43 PM
Another option is that it's an Android phone that works only with SLAAC in most cases if not all of them!
In that case you need radvd when using KEA.

Please also note that KEA is not the best choice when you have a Dynamic IPv6 Prefix that can change often.
DNSmasqd is the better choice in that case!

It is an Android phone.  It shows up in the DHCPv4 just fine.

I will look at converting to DNSMasq, which could also solve the DNS resolution of DHCP clients (ISC->Unbound like).

The TBR getting an IP issue was finally resolved by finding out that it is a 100Mb device, which my primary switch can't do (1-10-40 only). I had to plug it into an older 5-port desktop switch and uplink it.

Thanks all for the info and help!

Android does not support DHCPv6.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on Today at 05:22:38 PM
Android does not support DHCPv6.
Some sites report the newest version should support it. Google themselves said it will even support DHCPv6 Prefix Delegation. A somewhat quick test of mine with the latest LineageOS (Android 16), though, didn't show any of that working...

Quote from: jcdick1 on Today at 05:19:14 PM
I will look at converting to DNSMasq, which could also solve the DNS resolution of DHCP clients (ISC->Unbound like).
I believe that issue is solved for Dynamic IP Address Clients via the new KEA DDNS function?!

Before this when using KEA only Static DHCP Mappings based on MAC Address would be registered in Unbound.

Anyway...

I think you will like DNSmasqd more for all of this! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)