How to disable IPv6 Autoconf on WAN permanently?

Started by iv4nd1, July 31, 2023, 10:12:37 AM

Hello,

My datacenter provider is providing me with a /48 IPv6 address block that I can request using DHCPv6 Prefix Delegation.

The issue is that the datacenter provider also provides the SLAAC method for WAN interface autoconfiguration.

SLAAC cannot be disabled from Provider side.

I have found a command that seems to be doing what I'm looking for:

# ifconfig vtnet0 inet6 -autoconf

However, according to the FreeBSD ifconfig documentation ( https://man.freebsd.org/cgi/man.cgi?ifconfig(8) ) this kind of change is lost after a reboot.

So, my question is, how do I permanently apply the "-autoconf" flag on my WAN vtnet0 interface?

Thank you.

Are you sure that the IPv6 is assigned via SLAAC? Did you try checking the "Request only an IPv6 prefix" on the WAN interface page?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Interfaces which use DHCPv6 also use SLAAC. That's how it's currently implemented and I'm not aware of a switch which disables SLAAC on a DHCPv6 interface.

Does the autoconfigured address cause any issues or why do you want to remove it?

Two ideas:
1) If the prefix is static, it might be worth trying to configure everything statically. Whether this works depends on how the data center provider routes the prefix to your server. Could be a static route (which would work) or a dynamic route which gets created when the DHCPv6 prefix delegation happens.

2) Ugly workaround: Create a firewall rule which blocks Router Advertisements. No RAs, no SLAAC. You would then have to configure the gateway manually, but DHCPv6 should keep working.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote: Are you sure that the IPv6 is assigned via SLAAC? Did you try checking the "Request only an IPv6 prefix" on the WAN interface page?

Yes, both SLAAC and Prefix Delegation are advertised by the Provider router.

If I use "Request only an IPv6 prefix", I still get a /128 IPv6 address because of SLAAC that I do not want.

Quote: If the prefix is static, it might be worth trying to configure everything statically

For security reasons, the Provider router will only route the IPv6 /48 prefix to OPNsense if I do Prefix Delegation with a private DUID-LL. No static routing is possible.

When I have both the SLAAC address and an IPv6 address carved out of the /48 block assigned to the WAN interface, it looks like there is a "race condition" going on:

- If the /64 address that belongs to the /48 block can be seen on the GUI Dashboard of OPNsense, then everything works fine because the route to the v6 Internet is correctly set.

- If the GUI Dashboard displays the /128 address from the SLAAC block, then IPv6 either fails or hangs (like when I try to check the OPNsense updates in the GUI, for example).

Thank you.

Also:

On Linux you can fine-tune the system in order to allow/deny Router Advertisements and allow/deny Autoconf via SLAAC on a per-interface basis:

root@machine:~# sysctl -a | grep "_ra =" | grep vmbr0
net.ipv6.conf.vmbr0.accept_ra = 0
root@machine:~# sysctl -a | grep vmbr0 | grep autoconf
net.ipv6.conf.vmbr0.autoconf = 0

On FreeBSD / OPNsense it looks like you can only allow/deny Router Advertisements system-wide using the following trick:

sysctl net.inet6.ip6.accept_rtadv=0

This can be set as a "Tunable" value in the OPNsense GUI so the setting persists across reboots.

However, even with this variable set to 0, I still get a SLAAC address.

This is unfortunate to say the least.

Quote from: iv4nd1 on July 31, 2023, 04:24:26 PM
If I use "Request only an IPv6 prefix", I still get a /128 IPv6 address because of SLAAC that I do not want.

That's weird, are you sure? SLAAC addresses are /64, DHCPv6 addresses are /128.

When the DHCPv6 client is configured to only request a prefix, not an address, does IPv6 Internet access still work? Asking because I suspect that your provider might advertise SLAAC, but doesn't actually route SLAAC addresses. This would be a significant (but not unique) misconfiguration which they would have to fix.

OPNsense is neither Linux nor vanilla FreeBSD. ;) If the DHCPv6 client is enabled on any interface, accept_rtadv gets set to 1 at runtime. You can't override this with a tunable.

If nothing else helps, I'd indeed try the firewall approach (block RAs).

Hello,

Quote: That's weird, are you sure? SLAAC addresses are /64, DHCPv6 addresses are /128.

Well, I was wrong and you are correct. :)

Quote: When the DHCPv6 client is configured to only request a prefix, not an address, does IPv6 Internet access still work?

In that case, IPv6 internet does work for the machines behind the OPNsense box, but the OPNsense box does NOT have IPv6 internet access and thus cannot run firmware and OS update checks.

This is even though there is, for example, a routable public IPv6 address from the prefix assigned to the LAN interface.

Quote: I suspect that your provider might advertise SLAAC, but doesn't actually route SLAAC addresses. This would be a significant (but not unique) misconfiguration which they would have to fix.

Yeah that's likely.

I have found some kind of workaround, but it needs an IPv6 address from the prefix assigned on the WAN interface.

If I use the command below, then IPv6 starts working on OPNsense:

# ifconfig vtnet0 inet6 <SLAAC IPv6 address> -alias

Then I can get IPv6 working for OPNsense update checks because the /128 takes precedence and is used as the SOURCE IP address on the WAN interface for IPv6.

Now I'm checking how I can execute a script with this command on each startup...
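
An added example (not code from this thread, from OPNsense or from iv4nd1) of the removal step above as a script suitable for a boot hook: it assumes the WAN interface is vtnet0 and relies on FreeBSD's ifconfig marking SLAAC-derived addresses with the "autoconf" flag, so it removes all of them rather than one hard-coded address.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense: strip SLAAC
# ("autoconf") addresses from a FreeBSD/OPNsense interface so that the
# address carved out of the delegated prefix is the only global address
# left and therefore becomes the IPv6 source address.
# Assumptions: the WAN interface is vtnet0 (override with WAN_IF=...) and
# FreeBSD ifconfig marks SLAAC-derived addresses with the "autoconf" flag.

WAN_IF="${WAN_IF:-vtnet0}"

# Read ifconfig-style text on stdin and print the inet6 addresses that
# carry the "autoconf" flag, one per line. Link-local (fe80::) and
# delegated-prefix addresses have no such flag and are left untouched.
find_autoconf_addrs() {
    awk '$1 == "inet6" {
            for (i = 3; i <= NF; i++)
                if ($i == "autoconf") { print $2; break }
         }'
}

# Remove every autoconf address on the given interface with "-alias",
# the same manual command used in the thread, applied to all of them.
remove_autoconf_addrs() {
    ifconfig "$1" inet6 | find_autoconf_addrs | while read -r addr; do
        echo "removing SLAAC address $addr from $1"
        ifconfig "$1" inet6 "$addr" -alias
    done
}

# Constructed sample of ifconfig output (not captured from a real system):
# two SLAAC addresses (one temporary) next to a link-local and a
# delegated-prefix address. Only the two autoconf ones must be reported.
SAMPLE='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::5054:ff:fe12:3456%vtnet0 prefixlen 64 scopeid 0x1
    inet6 2001:db8:ffff::5054:ff:fe12:3456 prefixlen 64 autoconf
    inet6 2001:db8:ffff::a1b2:c3d4:e5f6:1234 prefixlen 64 autoconf temporary
    inet6 2001:db8:1234::1 prefixlen 64'

if [ "$1" = "--apply" ]; then
    remove_autoconf_addrs "$WAN_IF"      # real run, needs root on FreeBSD
else
    echo "dry run on constructed sample; use --apply on the firewall:"
    printf '%s\n' "$SAMPLE" | find_autoconf_addrs
fi
```

Since the next Router Advertisement recreates the address, run the script from a hook that fires on WAN changes as well as at boot (OPNsense's rc.syshook.d directories, assumed here; check your version), or pair it with the RA-blocking firewall rule suggested earlier in the thread.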

Very clever workaround! Adding the SLAAC address as a virtual IP in the GUI should have the same effect, shouldn't it? Then you wouldn't need a custom script.

Hello,

I've tried to do that, but this breaks IPv6 on OPNsense, with warnings about already configured IP addresses that keep getting spammed in the console.

Almost back to square one...