PPPoE IPv6 Prefix Delegation with Static WAN Assignment

[netnut]

Being extremely happy with my OPNSense setup, there's only one thing I couldn't get accomplished and is the single last thing to cover before life is just perfect.....

I'm currently using IPv6 PD over a PPPoE interface and that's working just fine, even RFC4638 (Baby Jumbo's) are supported. But instead of a Link Local address assigned and used for the PPPoE interface (WAN) I want a (static) public routable IPv6 address on this interface from the assigned IPv6 prefix. I'm not covering the use cases here (there are ;-)), I just want to know how this can be done with OPNSense.

It can be done (from the ISP support page for custom installs):

IPv6
NL: IPv6 /48 prefix, toegekend dmv DHCPv6 met Prefix Delegation (PD)
EN: IPv6 /48 prefix assigned by DHCPv6 with Prefix Delegation (PD)

NL: Een WAN ip adres wordt niet expliciet toegekend, indien nodig kan dat uit de toegekende prefix gehaald worden
EN: A WAN IP address is not explicitly assigned, when needed this can be taken from the assigned prefix.

And it has been done:

The standard provider CPE (FritzBox) assigns the first usable prefix at the outside (WAN) and the second at the inside (LAN). So when assigned a XXXX:YYYY:ZZZZ::/48 prefix the WAN interface gets XXXX:YYYY:ZZZZ:0:a:b:c:d/64 and the LAN interface XXXX:YYYY:ZZZZ:1:a:b:c:d/64.

Of course, with an OPNSense router most people are using multiple LAN interfaces instead of just one like the FritzBox, but with a /48 there's room for 65535 OPT interfaces ;-).

To be clear, IPv6 PD with PPPoE works perfectly with OPNSense, I'm looking for a solution to provision something like the XXXX:YYYY:ZZZZ:0::/64 subnet to the WAN / PPPoE interface in OPNSense like the FritzBox example above instead of just a Link Local.

Help is really appreciated.

[benyamin]

Just a stab in the dark:

You would need to operate your CPE in bridge-mode or at least use PPPoE pass-through.

Not all CPEs will do bridge-mode.

[netnut]

Just a stab in the dark:

You would need to operate your CPE in bridge-mode or at least use PPPoE pass-through.

Not all CPEs will do bridge-mode.

Step into the light... ;-)

OPNSense _IS_ the CPE this is about PD and static address assignment configuration, not about PPPoE, but tnx.

[benyamin]

Yep, ok...

So, if I'm not mistaken, you're not getting a publicly routable IPv6 address assigned to your WAN, just the assigned prefix.

You might be able to make use of the override script "ported" from pfSense mentioned here. It's based on the one shown on NetGate here.

Normally you would still use your Fritzbox, but perhaps that's not necessary (maybe remove send ia-na 0 and id-assoc na 0 and try). In any case, you would assign your WAN interface to id-assoc pd 0.

I would have thought that there would be a built-in configuration item in OPNsense for this, but maybe not...

[Greelan]

Perhaps assign a Virtual IP from the prefix to WAN?

[netnut]

Perhaps assign a Virtual IP from the prefix to WAN?

Like your thinking  , but I guess thats IPv4 only...

[Greelan]

Enter an IPv6 address, and it will then recognise it as such and allow the larger subnet masks

[netnut]

Enter an IPv6 address, and it will then recognise it as such and allow the larger subnet masks

I see, been tricked by the UI ;-).

My mindset is/was still at assigning that IP to the interface itself, using a VIP didn't even cross my mind and I'm still not sure if I like it.... But hey, it does exactly what I want, so I should stop whining and give a big Thank You!

So tnx! 

[Greelan]

Lol. Well, there may be other ways to do it, eg see here: https://docs.opnsense.org/manual/how-tos/IPv6_ZenUK.html

Particularly the bit about static assignment towards the bottom

[netnut]

Lol. Well, there may be other ways to do it, eg see here: https://docs.opnsense.org/manual/how-tos/IPv6_ZenUK.html

Particularly the bit about static assignment towards the bottom

Yeah, I did read the fine manual ;-). But from my understanding Zen actually provides an interface address through DHCPv6 on the WAN interface (besides the actual /48). I did try a custom dhcp6c.conf with the PD's from my OPNSense LAN interfaces and my desired WAN address as NA, but it looked like I didn't get a prefix at all that way, let alone a interface address.
As stated by my ISP (see quote in first post) that makes sense, they only provide a prefix and nothing else, that's up to you. At least your VIP suggestion gives some configuration flexibility from the OPNSense side, but I still think it's funky 

Will play tomorrow with some IPSec tunnel routing over that VIP, if that works without problems I'm happy.

[Greelan]

Who is your ISP?

[netnut]

Who is your ISP?

XS4All in The Netherlands.

BTW, so far so good, created a single v6 tunnel with multiple v4/v6 phase2's (the whole purpose of my wish, having a single phase1) Need more time to understand what OPNSense (and more important, myself ;-) are doing...

Guess the VIP option is the only way to do what I want within the standard OPNSense interface.

[netnut]

Hmmm, I guess what I'm doing is not exactly what OPNSense likes.....

2001:aaaa:aaaa::1 is my static configured VIP on pppoe0 (manually picked from my /48 PD) with a remote IPSec peer 2a01:bbbb:bbbb::1, IPv6 tunnel is succesfull as are my SPD's for the IPv4 networks in the tunnel. As you can see adding the routes fails, but despite that the tunnel _does_ work. Guess the route fail is the reason firewall filters on the IPSec device are bogus (Firewall -> Rules -> IPSec), even with an empty list there's full access between the IPv4 networks over this IPv6 VPN, only a filter on my LAN interface in the 10.51.51.0/24 network is needed.

Probably need to learn some more about BSD routing to really understand what's happening. But for now the IPv6 VIP doesn't function as I like...

Code: [Select]

2021-11-07T00:45:55 charon[86028] 07[IKE] <con2|3> CHILD_SA con2{6} established with SPIs ccaee3ed_i c22fdb37_o and TS 10.51.51.0/24 === 10.250.250.0/24
2021-11-07T00:45:55 charon[86028] 07[KNL] <con2|3> installing route failed: 10.250.250.0/24 via fe80::xxxx:xxxx:xxxx:xxxx src 10.51.51.254 dev pppoe0
2021-11-07T00:45:55 charon[86028] 07[KNL] <con2|3> adding PF_ROUTE route failed: Invalid argument
2021-11-07T00:45:55 charon[86028] 07[CFG] <con2|3> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
2021-11-07T00:45:55 charon[86028] 07[IKE] <con2|3> maximum IKE_SA lifetime 28484s
2021-11-07T00:45:55 charon[86028] 07[IKE] <con2|3> scheduling reauthentication in 27944s
2021-11-07T00:45:55 charon[86028] 07[IKE] <con2|3> IKE_SA con2[3] established between 2001:aaaa:aaaa::1[2001:aaaa:aaaa::1]...2a01:bbbb:bbbb::1[2a01:bbbb:bbbb::1]

[benyamin]

I'm presuming your preference to not make use of your Fritzbox is for the sake of simplicity, and maybe to eliminate a SPoF, but is there any another reason...?

I only ask because it's possible if you do use the overrride script - and leave send ia-na 0 and id-assoc na 0 alone - it's possible your Fritzbox will assign your WAN an IP too (and not just the PD). Is it worth giving it a go?

[netnut]

I'm presuming your preference to not make use of your Fritzbox is for the sake of simplicity, and maybe to eliminate a SPoF, but is there any another reason...?

Complexity, latency, energy, manageability, security, space, bufferbloat (although the fritz is one of the "better" CPE's). With an OPNSense box orders of magnitude more powerfull than a fritznox there's no benefit.

I only ask because it's possible if you do use the overrride script - and leave send ia-na 0 and id-assoc na 0 alone - it's possible your Fritzbox will assign your WAN an IP too (and not just the PD). Is it worth giving it a go?

I took the fritzbox example as a "proof of concept" as supported and implemented by my ISP with IPv6 PD, don't understand why you keep refering to it ;-). Besides the fact I don't use a Fritzbox your suggestion is about a dhcp6c client configuration over PPPoE, that is going to my ISP (not to a fritzbox) that _doesn't_ give anything else than a IPv6 prefix. So with or without IA-NA's, that address is not automagicly created by dark matter or forces.
Even more important is that any override scripts breaks the excelent integration of the Track Interface configuration option in the OPNSense GUI, which I use for over 10 interfaces that are getting their /64 from the /48.

The root of the question is a way to configure publicly routable IPv6 addresses on the WAN (pppoe) interface on top of the already excelent support for IPv6 PD with LAN/OPT interfaces. As already mentioned a IPv6 VIP is currently implemented in the system & gui, but it looks like it's usable for various services (like nginx and so) but not for more deeper integration like IPSec VPN. If this is something I missed or oversee, or simply not possible with OPNSense in it's current state is the reason of this forum post.