IPv6 (PD) addressing and user specified DNS

Started by opns-sc0, October 26, 2022, 09:17:56 AM

October 26, 2022, 09:17:56 AM Last Edit: October 26, 2022, 09:21:50 AM by opns-sc0
Hi,
I'm running 22.7.6 and have been playing with IPv6 for the last few days.

I get a PD /56 from my ISP.
When I leave the local IPv6 assignment to OPNsense (unselect " Allow manual adjustment of DHCPv6 and Router Advertisements") then the IP assignment to my clients work.

It will also send the 2 DNS server IP addresses (1*IPv4 + 1*IPv6 link-local) which are configured in System: Settings: General to the clients as expected. However in addition to that it also sends the LAN Interface IPv6 (2a02...) to the clients. This is undesirable because it will prevent my Adguard from being the only nameserver for my clients and also allow unbound to serve clients.

Is there a way to prevent this behaviour?

I've tried to manually configure IPv6 behaviour (checkbox on "Allow manual adjustment of DHCPv6 and Router Advertisements"). However, in my setup with LAN and DMZ networks on OPNsense I simply can't get IPv6 address assignment to work properly. I've tried Managed and Assisted modes but have seen all kinds of weird behaviour (including the assignment of an IPv6 address that was not in the PD scope at all). I'm really frustrated with this and believe the manual options must be buggy.

Any help will be much appreciated!

thanks,
Tino


October 26, 2022, 01:15:39 PM #1 Last Edit: October 26, 2022, 02:14:34 PM by jjelliott
I do this with a PiHole.  You need to use Unique Local Addressing - ULA - (not link local) for your local IPv6 addressing.

- Under "Interfaces/Virtual IPs/Settings", assign a ULA to your LAN port, something like FDB1:ABCD:ABCD:ABCD::1/64. (You will want to randomize the address - it should start with FC or FD (I use FD), but the rest of the characters should be randomly selected from 0-9/A-F.)

- Under "Services/DHCPv6/LAN" check the "Enable DHCPv6 server" box, and enter the ULA prefix (in this example, FDB1:ABCD:ABCD:ABCD::) in the "From" and "To" fields of the "Prefix Delegation Range", and set the "Prefix Delegation Size" to 64

- Save

- Under "Services/Router Advertisements/LAN", set "Router Advertisements" to Assisted (this is important)

- Save

Then your Adguard box should pick up a full ULA IPv6 address (via SLAAC), something that will look like FDB1:ABCD:ABCD:ABCD:xxxx:xxxx:xxxx:xxxx. (To see what address my pihole gets, I log into my pi and issue "ifconfig" - that gives me a list of the addresses my box has, and one of those is the full ULA.)

That full ULA is what you use as the DNS server advertised by your router.

- Under "Services/DHCPv6/LAN", set the DNS server to the full ULA of your Adguard DNS server, Save

- Under "Services/Router Advertisements/LAN", set the DNS server to the full ULA of your Adguard DNS server, Save

(Yes, set it in two places.  By setting it in Router Advertisements, your computers will receive it as the IPv6 address of the DNS server, and all IPv6 DNS queries will go directly to your Adguard box)

When I was getting started with OPNsense it took me a while to figure it out.  That first step - assigning a virtual IP to the LAN port - is essential.

Good luck!

[Edit]
I forgot to mention, I also use a static IPv4 address for my pihole (set in /etc/dhcpcd.conf on the pihole server).  On OPNsense, under Services/DHCPv4/LAN/RANGE, I set a limited range of IPv4 addresses to be assigned to my clients, and then set the pi's static address outside that range.  Then I put the pi's static IPv4 address in the Services/DHCPv4/LAN/DNS Server field.

This way, I basically have static addresses for both IPv6 and IPv4, and these get sent to my devices either by DHCP (IPv4) or Router Advertisements (IPv6).
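Added example, not part of the post above: a small Python helper that generates a properly random ULA /64 the way RFC 4193 describes it and sanity-checks a hand-picked one such as the FDB1:ABCD:ABCD:ABCD::1/64 used in the steps. One caveat worth knowing: RFC 4193 only defines fd00::/8 (the L=1, locally assigned form); fc00::/8 is reserved and undefined, so start your ULA with fd. The classify() helper shows the scope distinction the thread keeps coming back to (link-local works only for clients on the same link, ULA is routable between your own subnets). The function names and the use of a CSPRNG for the Global ID are my choices, not anything OPNsense ships.

```python
from __future__ import annotations

import ipaddress
import secrets

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 Unique Local Addresses
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")   # L=1, locally assigned: the only defined form


def generate_ula_prefix(subnet_id: int = 0) -> ipaddress.IPv6Network:
    """Build a locally assigned ULA /64 per RFC 4193 section 3.2.

    Layout: fd (8 bits) | Global ID (40 random bits) | Subnet ID (16 bits) | Interface ID (64).
    RFC 4193 suggests hashing time and a MAC for the Global ID; 40 bits from a
    CSPRNG (assumption made here) gives the same uniqueness property.
    """
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet_id must fit in 16 bits")
    global_id = secrets.randbits(40)
    prefix_int = (0xFD << 120) | (global_id << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((prefix_int, 64))


def classify(addr: str) -> str:
    """Scope class that matters when picking the DNS address to advertise."""
    a = ipaddress.IPv6Address(addr)
    if a.is_unspecified or a.is_loopback or a.is_multicast:
        return "other"
    if a.is_link_local:
        return "link-local"   # fe80::/10, reachable only on the same link
    if a in ULA_RANGE:
        return "ula"          # routable between your own subnets, never on the Internet
    return "global"           # e.g. an address out of the ISP-delegated prefix


def check_ula(cidr: str) -> list[str]:
    """Return problems with a ULA chosen for a LAN interface (empty list = fine)."""
    net = ipaddress.IPv6Interface(cidr).network
    problems: list[str] = []
    if net.network_address not in ULA_RANGE:
        problems.append("not in fc00::/7")
    elif net.network_address not in ULA_LOCAL:
        problems.append("fc00::/8 is undefined by RFC 4193; use fd00::/8")
    if net.prefixlen != 64:
        problems.append("SLAAC needs a /64")
    # Crude heuristic for a hand-typed, non-random Global ID (all zero, all one,
    # or made of only one or two distinct hex digits).
    gid = (int(net.network_address) >> 80) & ((1 << 40) - 1)
    if gid in (0, (1 << 40) - 1) or len(set(f"{gid:010x}")) <= 2:
        problems.append("Global ID looks non-random; RFC 4193 requires it to be pseudo-random")
    return problems


if __name__ == "__main__":
    print("fresh ULA for subnet 1:", generate_ula_prefix(1))
    for cidr in ("fdb1:abcd:abcd:abcd::1/64", "fc12:3456:789a:bcde::1/64", "fd00::1/64"):
        print(cidr, "->", check_ula(cidr) or "ok")
    for addr in ("fe80::1", "fdb1:abcd:abcd:abcd::1", "2001:db8::1"):
        print(addr, "->", classify(addr))
```

Run it once to get a prefix, then put prefix::1/64 on the LAN interface as the virtual IP; each further subnet (DMZ etc.) gets its own Subnet ID under the same Global ID.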

thanks for the very comprehensive description of your setup.

I basically got it running in a very similar way. What I do want however, is to take the public IPv6 Prefix Delegation of a 2a02... /56 network and subnet that into smaller /64 networks and assign each /64 to LAN and DMZ. So every device gets a (temporary) public IPv6 (not ULA).

This all works ok as long as I don't set "Allow manual adjustment of DHCPv6 and Router Advertisements" and change DHCP parameters or SLAAC settings from "Router Advertisements". I can also fill in the link-local of the DNS into the DHCPv6 and "Router Advertisements" sections. My devices pick up the DNS and work.

However, if I do all of that, some clients (Synology NAS) on the DMZ will either not get an IPv6 address or, as I can show from a capture, get one outside of the /56 PD from OPNsense. See the capture attached, where the fe80 address hands out two IPv6 addresses one after the other which are not in the same /56 at all. So when manually configuring DHCPv6 and "Router Advertisements" something breaks. I guess that is a completely separate IPv6 networking subject though.

If I stay away from this manual config, it works with the exception that I can't influence the DNS server sent to the clients. It always sends the IPv6 LAN address of the OPNsense in addition to my configured DNS servers. And that's the easier problem to solve, I hope. I simply would like an option not to send the LAN or DMZ local interface address on which unbound runs to the clients.

Hope I could make it more clear?
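Added example, not part of the thread: the quickest way to settle "which DNS servers is the router actually advertising" is to look at the Router Advertisement itself rather than at resolv.conf on a client. Capture one from the client side (for instance tcpdump -i <if> -w ra.pcap 'icmp6 and ip6[40] == 134'), take the ICMPv6 payload, and feed it to the parser below. It decodes the M/O flags, the Prefix Information option and the RDNSS option (RFC 8106), and flags any advertised server you did not configure; an RDNSS entry that falls inside the advertised prefix is almost always the router's own LAN address, which is exactly the symptom described above. The sample packet at the bottom is constructed: the 2001:db8: prefix and the Adguard ULA are placeholders, not the poster's real addresses, and build_ra() leaves the ICMPv6 checksum at zero because nothing here puts the packet on the wire. DNS handed out by DHCPv6 (option 23) travels separately and is not decoded here.

```python
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass, field

ND_ROUTER_ADVERT = 134   # ICMPv6 type, RFC 4861
OPT_PREFIX_INFO = 3      # Prefix Information option, RFC 4861 section 4.6.2
OPT_RDNSS = 25           # Recursive DNS Server option, RFC 8106


@dataclass
class RouterAdvert:
    managed: bool                                     # M flag: addresses via DHCPv6
    other: bool                                       # O flag: other config (DNS) via DHCPv6
    prefixes: list = field(default_factory=list)      # (IPv6Network, autonomous flag)
    dns_servers: list = field(default_factory=list)   # IPv6Address entries from RDNSS


def parse_ra(payload: bytes) -> RouterAdvert:
    """Parse an ICMPv6 Router Advertisement: 16-byte header followed by TLV options."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    flags = payload[5]
    ra = RouterAdvert(managed=bool(flags & 0x80), other=bool(flags & 0x40))
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1] * 8   # length is in 8-octet units
        if olen == 0 or off + olen > len(payload):
            raise ValueError(f"bad option length at offset {off}")
        body = payload[off + 2:off + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            # prefix-len(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            plen, pflags = body[0], body[1]
            net = ipaddress.IPv6Network((body[14:30], plen), strict=False)
            ra.prefixes.append((net, bool(pflags & 0x40)))
        elif otype == OPT_RDNSS:
            # reserved(2) lifetime(4) then one or more 16-byte addresses
            addrs = body[6:]
            for i in range(0, len(addrs) - len(addrs) % 16, 16):
                ra.dns_servers.append(ipaddress.IPv6Address(addrs[i:i + 16]))
        off += olen
    return ra


def audit_ra(payload: bytes, wanted_dns: set[str]) -> dict:
    """Compare the advertised RDNSS servers against the ones you meant to hand out."""
    ra = parse_ra(payload)
    wanted = {ipaddress.IPv6Address(w) for w in wanted_dns}
    return {
        "managed": ra.managed,
        "other": ra.other,
        "prefixes": [str(n) for n, _ in ra.prefixes],
        "dns": [str(a) for a in ra.dns_servers],
        # servers you did not configure (e.g. the router's own LAN address)
        "unexpected": [str(a) for a in ra.dns_servers if a not in wanted],
        # a DNS address inside the advertised prefix is almost always the router itself
        "dns_inside_advertised_prefix": [
            str(a) for a in ra.dns_servers if any(a in n for n, _ in ra.prefixes)
        ],
    }


def build_ra(prefix: str, dns: list[str], managed: bool = False, other: bool = False) -> bytes:
    """Constructed RA for offline testing (ICMPv6 checksum left as zero)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      86400, 14400, 0) + net.network_address.packed
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 3600)
    rdnss += b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return hdr + pio + rdnss


# Constructed sample: documentation prefix standing in for the ISP /64, a hypothetical
# Adguard ULA, and the router's own LAN address leaking in as a second RDNSS entry.
LAN_PREFIX = "2001:db8:1:1::/64"
ROUTER_LAN = "2001:db8:1:1::1"
ADGUARD_ULA = "fdb1:abcd:abcd:abcd:1234:5678:9abc:def0"
SAMPLE_RA = build_ra(LAN_PREFIX, [ADGUARD_ULA, ROUTER_LAN], other=True)

if __name__ == "__main__":
    for key, value in audit_ra(SAMPLE_RA, {ADGUARD_ULA}).items():
        print(f"{key}: {value}")
```

With a real capture, replace SAMPLE_RA with the ICMPv6 bytes of the captured RA; an empty "unexpected" list after a config change is the confirmation that the router has stopped advertising itself.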

Quote from: jjelliott on October 26, 2022, 01:15:39 PM
I do this with a PiHole.  You need to use Unique Local Addressing - ULA - (not link local) for your local IPv6 addressing.

- Under "Interfaces/Virtual IPs/Settings", assign a ULA to your LAN port, something like FDB1:ABCD:ABCD:ABCD::1/64. (You will want to randomize the address - it should start with FC or FD (I use FD), but the rest of the characters should be randomly selected from 0-9/A-F.)

- Under "Services/DHCPv6/LAN" check the "Enable DHCPv6 server" box, and enter the ULA prefix (in this example, FDB1:ABCD:ABCD:ABCD::) in the "From" and "To" fields of the "Prefix Delegation Range", and set the "Prefix Delegation Size" to 64

- Save

- Under "Services/Router Advertisements/LAN", set "Router Advertisements" to Assisted (this is important)

- Save

Then your Adguard box should pick up a full ULA IPv6 address (via SLAAC), something that will look like FDB1:ABCD:ABCD:ABCD:xxxx:xxxx:xxxx:xxxx. (To see what address my pihole gets, I log into my pi and issue "ifconfig" - that gives me a list of the addresses my box has, and one of those is the full ULA.)

That full ULA is what you use as the DNS server advertised by your router.

- Under "Services/DHCPv6/LAN", set the DNS server to the full ULA of your Adguard DNS server, Save

- Under "Services/Router Advertisements/LAN", set the DNS server to the full ULA of your Adguard DNS server, Save

(Yes, set it in two places.  By setting it in Router Advertisements, your computers will receive it as the IPv6 address of the DNS server, and all IPv6 DNS queries will go directly to your Adguard box)

When I was getting started with OPNsense it took me a while to figure it out.  That first step - assigning a virtual IP to the LAN port - is essential.

Good luck!

[Edit]
I forgot to mention, I also use a static IPv4 address for my pihole (set in /etc/dhcpcd.conf on the pihole server).  On OPNsense, under Services/DHCPv4/LAN/RANGE, I set a limited range of IPv4 addresses to be assigned to my clients, and then set the pi's static address outside that range.  Then I put the pi's static IPv4 address in the Services/DHCPv4/LAN/DNS Server field.

This way, I basically have static addresses for both IPv6 and IPv4, and these get sent to my devices either by DHCP (IPv4) or Router Advertisements (IPv6).

Why not just go into DHCPv6 and add a manual entry by providing the DUID of the device and assigning a ::1234 address for the IPv6 DNS server, then just provide that?

October 26, 2022, 11:44:04 PM #4 Last Edit: October 27, 2022, 12:03:44 AM by jjelliott
opns-sc0 - You said your router is still handing out its own IPv6 LAN address as one of the DNS servers. Have you looked at the DNS options under "Router Advertisements"? I don't have the answer - time to experiment?

[Edit] I actually have multiple LAN segments (hanging off an APU), some configured with Cloudflare and some configured with my pihole, and I just noticed that the ones with Cloudflare show my router's LAN address as the primary DNS (Cloudflare as secondary).  The ones with the pihole show only the pihole.  As far as I can tell every other setting with these segments is the same, so I have some digging to do.  If I find something I'll let you know.

lilsense - I haven't looked into using the DUID to create the address.  For me, using ULA/SLAAC to create a static address for the pi "just worked", and I stopped looking for other approaches.  But yours is an interesting idea I'll take a look at - thanks for suggesting it.

I found the issue on my system that was causing one network segment to get both predefined IPv6 DNS addresses (Cloudflare 2606:4700:4700::1111 / ::1001) and my router's LAN address as a DNS server - on that LAN segment, I had inadvertently left Services/Router Advertisements/Router Advertisements (the first drop down) set to "Disabled".  When I set it to "Assisted", the router stopped sending out the LAN address as a DNS server, and only advertised the Cloudflare addresses I entered into the DNS Servers field.  So maybe that helps you, opns-sc0?

Quote from: jjelliott on October 26, 2022, 11:44:04 PM

lilsense - I haven't looked into using the DUID to create the address.  For me, using ULA/SLAAC to create a static address for the pi "just worked", and I stopped looking for other approaches.  But yours is an interesting idea I'll take a look at - thanks for suggesting it.

I think I see your point now with ULA, since my ISP just gave me another set of IPv6 addresses and it looks like these are not permanent addresses, so yeah, I think you'd best use ULA with DUID to create a solid address that you'd know.

Quote from: jjelliott on October 27, 2022, 01:28:51 AM
I found the issue on my system that was causing one network segment to get both predefined IPv6 DNS addresses (Cloudflare 2606:4700:4700::1111 / ::1001) and my router's LAN address as a DNS server - on that LAN segment, I had inadvertently left Services/Router Advertisements/Router Advertisements (the first drop down) set to "Disabled".  When I set it to "Assisted", the router stopped sending out the LAN address as a DNS server, and only advertised the Cloudflare addresses I entered into the DNS Servers field.  So maybe that helps you, opns-sc0?

As I tried to explain above, doing all settings in a manual way completely screws things up for me, because on the DMZ interface I either don't get an IP address at all, or some IP that is outside the PD scope from my ISP. No idea how that would even be possible. Please see my post with the Wireshark capture for the proof.



Quote
I think I see your point now with ULA, since my ISP just gave me another set of IPv6 addresses and it looks like these are not permanent addresses, so yeah, I think you'd best use ULA with DUID to create a solid address that you'd know.

As far as I can tell it does not matter if you use link-local or unique-local as long as the client is in the same subnet. Of course the link-local won't be transported across subnet boundaries. But you automatically get an LL address which should be stable and good enough for the purpose of DNS resolution. But of course either would work.

Quote from: jjelliott on October 26, 2022, 01:15:39 PM
- Under "Services/Router Advertisements/LAN", set the DNS server to the full ULA of your Adguard DNS server,

I've nearly the same setup, thank you for sharing these steps. So I could compare and know that my setup is valid. But one question: does it make a difference if I activate in "Services/Router Advertisements/LAN" the DNS option "Use the DNS configuration of the DHCPv6 server" instead of entering the IPv6 of the Adguard DNS Server? The advantage of mine may be that there's only one location to configure the custom DNS server.

Quote
Does it make a difference if I activate in "Services/Router Advertisements/LAN" the DNS option "Use the DNS configuration of the DHCPv6 server" instead of entering the IPv6 of the Adguard DNS Server?

Honestly, I have wondered the same thing. It isn't obvious (to me, anyway) what the "Use the DNS configuration of the DHCPv6 server" setting does. So I usually just do both - enter the address of my PiHole as the DNS server that gets advertised, and check "Use the DNS configuration of the DHCPv6 server". It wouldn't be hard to experiment and find out if there's a difference - I just haven't bothered to try it out.