Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
IPV6 prefix delegation range, please clarify
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPV6 prefix delegation range, please clarify (Read 6652 times)
stefan00
Newbie
Posts: 40
Karma: 2
IPV6 prefix delegation range, please clarify
«
on:
November 16, 2022, 01:21:18 pm »
Hi,
we have a strange problem with IPv6 prefix delegation range. OPNsense seems to randomly delegate a block, although we need to have a specific range delegated out to our secondary router.
We want 4 subnets delegated,
starting with subnet 8
. Subnets 0-7 are used by opnsense.
Expected: 2a02:1234:1234:
bb38
- 2a02:1234:1234:
bb3b
delegated to sub router.
Result: sometimes 2a02:1234:1234:
bb38:/62
is delegated, but sometimes (release) 2a02:1234:1234:
bb30:/62
, 2a02:1234:1234:
bb34:/62
2a02:1234:1234:
bb3c:/62
etc is delegated.
OPNsense: 22.10 business (DEC3850)
provider: Vodafone (Germany)
provider assigned
dynamic
prefix: 2a02:1234:1234:
bb00::/58
relevant opnsense config:
[WAN] - uplink
interface IPv6 config type: DHCPv6
interface status: IPv6 delegated prefix 2a02:1234:1234:
bb30::/60
[igb1] - sub router link interface
interface IPv6 config: track interface
IPv6 Prefix ID: 0x8
[igb1] DHCPv6 Server
DHCPv6 (info) available prefix delegation size: 61bits
DHCPv6 prefix delegation range: :
:8:0:0:0:0
to
::c:f:f:f:f
*
DHCPv6 prefix delegation size: 62 bits
*Note: entering "::b:f:f:f:f" as range end (which seemed logical to me) will break the DCHPv6 server to start.
[igb1] Router Advertisements
disabled
Questions:
1. What is the correct "prefix delegation range" setting for our goal?
2. Why would entering "::b:f:f:f:f" break the DHCPv6 server?
Also, it would be awesome to see some more range examples, especially for dynamic prefixes.
Best & thanks,
stefan.-
«
Last Edit: November 16, 2022, 01:23:05 pm by stefan00
»
Logged
OPNsense Hardware:
DEC3850
DEC750
Custom i5-14600K based System
KVM based VM
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: IPV6 prefix delegation range, please clarify
«
Reply #1 on:
November 16, 2022, 03:54:27 pm »
What's ::b:f:f:f:f? I suppose you mean ::b:ffff:ffff:ffff:ffff ... but the help text states:
"When using a tracked interface then please only enter the range itself, i.e. ::xxxx:0:0:0:0. For example, for a /56 delegation from ::100:0:0:0:0 to ::f00:0:0:0:0. Also make sure that the desired prefix delegation size is not longer than the available size shown above."
So I suppose you would need to set ::b:0:0:0:0, but I haven't checked the subnet math for /62 here and if you don't either then DHCPv6 will not start.
Note this behaviour changed with 22.7 and now you do configure it like you normally configure your DHCP server manually so all the examples on the Internet for isc-dhcp prefix syntax apply...
Cheers,
Franco
Logged
stefan00
Newbie
Posts: 40
Karma: 2
Re: IPV6 prefix delegation range, please clarify
«
Reply #2 on:
November 16, 2022, 05:01:05 pm »
Hi Franco,
Thanks for the fast reply
However, entering ::b:0:0:0:0 will cause the server to break too.
According to the calculation, the range seems right:
https://www.internex.at/de/toolbox/ipv6/ip6=1234:1234:1234:bb38::/prefix=62
(Click the button on the site to calculate again)
Really strange to me.
BTW: what will be the business edition equivalent to 22.7? Just ask because I ordered my second DEC which arrives tomorrow - those two will be linked, replacing an old Mikrotik router.
Logged
OPNsense Hardware:
DEC3850
DEC750
Custom i5-14600K based System
KVM based VM
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: IPV6 prefix delegation range, please clarify
«
Reply #3 on:
November 16, 2022, 08:29:58 pm »
Aha, if you want "b" in a /62 it's actually "3" because that's all the bits you get
https://www.internex.at/de/toolbox/ipv6/ip6=::3:0:0:0:0/prefix=62
Cheers,
Franco
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: IPV6 prefix delegation range, please clarify
«
Reply #4 on:
November 16, 2022, 08:30:53 pm »
PS: Current business is 22.10 based on 22.7.6. The new devices are not yet flashed with 22.10, however, as Suricon was last week and most of us were there.
Logged
stefan00
Newbie
Posts: 40
Karma: 2
Re: IPV6 prefix delegation range, please clarify
«
Reply #5 on:
November 17, 2022, 04:45:13 pm »
Hi Franco,
it was confusing but I found the solution:
The only working setup is
Prefix Delegation Range
from ::8
:0:0:0:0
Prefix Delegation Range
to ::8
:0:0:0:0
Prefix Delegation Size
62
this reliably delegates ::bb38/62 (and nothing else) to the sub router. I now have ::bb38, ::bb39, ::bb3a and ::bb3b available.
According to the documentation that seems strange. However, it works ;-)
Logged
OPNsense Hardware:
DEC3850
DEC750
Custom i5-14600K based System
KVM based VM
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: IPV6 prefix delegation range, please clarify
«
Reply #6 on:
November 17, 2022, 07:48:39 pm »
That's not what prefix6 docs say about the configuration, see
https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch22s06.html
# Prefix range for delegation to sub-routers
prefix6 2001:db8:0:100:: 2001:db8:0:f00:: /56;
as you can see the start and end are supposed to be different, which is also what the help text says.
I'm not sure about the fact that it works correctly now but I hope it does stay that way.
Cheers,
Franco
Logged
stefan00
Newbie
Posts: 40
Karma: 2
Solution - IPV6 prefix delegation ranges, with detail examples
«
Reply #7 on:
November 18, 2022, 11:44:17 am »
Hi Franco,
I did some deeper research about isc dhcpdv6, it's documentation, source code and examples. The config stated above is indeed correct. I have compiled the explanation and some detailed examples below, which will be hopefully be useful as a reference for users.
Overview
[OPNsense values]
from
and
to
represent the first and last delegated prefixes,
not network boundaries.
ISC dhcpv6 config divides this given range into smaller blocks (CIDR networks) in the size of the desired mask ([OPNsense value]
Prefix Delegation Size
). ISC dhcpv6 then picks any of the generated blocks / prefixes and delegates it to sub routers. See (1).
The behavior of OPNsense and isc-dhcpdv6 is correct. The problem is documentation and value naming, which may lead some users to misunderstanding.
According to dhcpd.conf(5), the prefix6 statement syntax is
Code:
[Select]
prefix6 low-address high-address / bits;
Given this syntax,
high-address
is the last prefix delegated - not the upper boundary of a network. Thats' the most important part to understand. Unfortunately, dhcpd.conf(5) in it's current version is a bit unclear here as well (2).
As a result, when only delegating 1 prefix so a sub router, the start and end address must be the same.
The administrator must assure that the network address range is actually available, up to the range resulting from the last prefix. See examples below.
Also note that according to isc documentation and source code (1), the delegated prefix range is allowed to start within the interface subnet (overlap) or may be outside of it.
Summary
When delegating prefixes with DHCPDv6, enter the first and last starting address of the prefix as first/last values. Do not confuse with resulting network boundaries.
Detailed Examples
using OPNsense current syntax ("from", "to", "Prefix Delegation Size")
(A) Example used in (3) and current OPNsense help text
Premise:
2001:db8::/52 being a dynamic prefix
= total /64 networks available: 4096
= mask ::/52
= total available network range (expanded): 2001:db8:0000:0000:0000:0000:0000:0000 to 2001:db8:0fff:ffff:ffff:ffff:ffff:ffff
Setup:
Prefix Delegation "from":
::100
Prefix Delegation "to":
::f00
Prefix Delegation Size:
56
Result:
15 delegated prefixes in the size of /56. The Server decides which one to pick.
up to 15 sub routers possible as clients
network range delegated to sub routers (expanded): 2001:db8:0100:0:0:0:0:0 to 2001:db8:0
fff
:ffff:ffff:ffff:ffff:ffff
/64 networks available to sub routers: 15 * 256 = 3840
available prefixes, full list:
2001:db8:0100::/56
2001:db8:0200::/56
2001:db8:0300::/56
2001:db8:0400::/56
2001:db8:0500::/56
2001:db8:0600::/56
2001:db8:0700::/56
2001:db8:0800::/56
2001:db8:0900::/56
2001:db8:0a00::/56
2001:db8:0b00::/56
2001:db8:0c00::/56
2001:db8:0d00::/56
2001:db8:0e00::/56
2001:db8:0f00::/56
Note that the last used prefix is 2001:db8:0f00::/56. 0f00 is not the boundary of the delegated networks, it's 0fff with a /56 mask.
(B) Smaller network delegation
Premise:
2001:db8:cafe:bb30::/60 being a dynamic prefix
= total /64 networks available: 16
= mask ::/60
= total available network range (expanded): 2001:db8:cafe:bb30:0:0:0:0 to 2001:db8:cafe:bb3f:ffff:ffff:ffff:ffff
(B.1) delegating 8 /64 networks in 2 prefixes
Setup:
Prefix Delegation "from":
::8
Prefix Delegation "to":
::c
Prefix Delegation Size:
62
Result:
2 delegated prefixes in the size of /62. The Server decides which one to pick.
2 sub routers possible as clients
network range delegated to sub routers (expanded): 2001:db8:cafe:bb38:0:0:0:0 to 2001:db8:cafe:bb3f:ffff:ffff:ffff:ffff
/64 networks available to sub routers: 8
available prefixes, full list:
2001:db8:cafe:bb38::/62
2001:db8:cafe:bb3c::/62
(B.2) delegating 8 /64 networks in 1 prefix
Setup:
Prefix Delegation "from":
::8
Prefix Delegation "to":
::8
Prefix Delegation Size:
61
Result:
1 delegated prefix in the size of /61
1 sub router possible as client
network range delegated to sub router (expanded): 2001:db8:cafe:bb38:0:0:0:0 to 2001:db8:cafe:bb3f:ffff:ffff:ffff:ffff
/64 networks available to sub routers: 8
Note: since delegating only 1 prefix, first and last prefix address must be the same
available prefixes, full list:
2001:db8:cafe:bb38::/61
(B.3) delegating 4 /64 networks in 1 prefix
Setup:
Prefix Delegation "from":
::8
Prefix Delegation "to":
::8
Prefix Delegation Size:
62
Result:
1 delegated prefix in the size of /62
1 sub router possible as client
network range delegated to sub router (expanded): 2001:db8:cafe:bb38:0:0:0:0 to 2001:db8:cafe:bb3b:ffff:ffff:ffff:ffff
/64 networks available to sub routers: 4
Note: the remaining range bb3c-bb3f can be used on dhcpv6 servers bound to other interface(s)
available prefixes, full list:
2001:db8:cafe:bb38::/62
Notes
Address syntax notes:
Prefix Addresses can be shortened, eg ::4 equals ::4:0:0:0:0
Notes for current OPNsense implementation (business 22.10, community 22.7):
The help text of "Services:DHCPv6[interface]:Prefix Delegation Range" may be a bit misleading and should be clarified. Also, it could be easier for users to understand if "from" and "to" field description is replaced by "first" and "last" or similar. See corresponding bug report #6143
https://github.com/opnsense/core/issues/6143
.
References:
(1) isc-dhcpd server confpars.c source code at
https://github.com/isc-projects/dhcp/blob/31e68e5e3b863a4859562e0bb808888d74af7497/server/confpars.c#L4302
(2)
https://linux.die.net/man/5/dhcpd.conf
(3)
https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch22s06.html
(4) generated isc dhcpd config file on current OPNsense host: /var/dhcpd/etc/dhcpdv6.conf
(5) IPv6 calculator at
https://www.internex.at/de/toolbox/ipv6
«
Last Edit: November 18, 2022, 02:11:17 pm by stefan00
»
Logged
OPNsense Hardware:
DEC3850
DEC750
Custom i5-14600K based System
KVM based VM
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
IPV6 prefix delegation range, please clarify