DS-Lite on 23.7.6+ (23.7.10_1)

[DanAnimal]

I am once again working toward getting DS-Lite operating.
(And I have acquired a second device so that I can test and roll-back much more easily than before).

As per the release note I saw for 23.7.6; that

This update is a maintenance release improving the DS-Lite use via separate
GIF tunnels on top of IPv6-only connectivity.

And the referral from https://twitter.com/opnsense/ that I should follow my previous work to get it happening.
https://twitter.com/opnsense/status/1739902581055377705
https://forum.opnsense.org/index.php?topic=27935.msg136305#msg136305

Following this through (testing on OPNsense 23.7.10_1-amd64), I have found that the DS-Lite GIF tunnel does not connect instantly.
And in my case it does not connect without disabling and re-enabling the DS-Lite GIF interface after the parent WAN IPv6 interface is established.

Disabling and re-enabling the DS-Lite GIF interface after the parent WAN IPv6 interface is established does seem to reliably establish DS-Lite connectivity.

(But requiring manual intervention to establish the connection - ie after a power failure is a not an option for me in production).

@opnsense on Twitter told me

Yes it was missing an external connection trigger like a DHCPv6 renew. Now it should be up instantly (the IPv4 part).

Yet this does not seem to be the case.
Am I missing something or doing something wrong?
Is there a way I should be generating debugging or error data to diagnose this?

[Maurice]

This currently works in my test environment, no intervention is required after a reboot. There have indeed been significant improvements since your last attempt.
You might want to share details about your configuration, maybe I can reproduce it.

Cheers
Maurice

[DanAnimal]

Thanks Maurice.

I am testing on a fresh install of 23.7 updated to 23.7.10_1.
This is on a Celeron J4125 with 12 gb of RAM with four Intel I225-V NICs.
Connecting to an NTT GE-PON ONU.

(My working set up is the same, but that OPNsense is far more heavily configured for our LAN environment. And OPNsense connects DHCP to a FriendlyElec R4S running OpenWRT which maintains the DS-Lite connection through the NTT GE-PON ONU).

What specifically should I detail for you?

[Maurice]

wan and gif interface settings, gif tunnel settings, gateway settings.

[DanAnimal]

Here are screen captures of the WAN and GIF Interface settings
I don't know if there's a more concise way I could get this data from the CLI? I can't add all the screen captures together as the attachments are too large for the forum.

[DanAnimal]

Here are the GIF Tunnel Settings and the GIF Gateway Settings.

The GIF Remote Address is the IPv6 address for the AFTR host for our ISP dgw.xpass.jp

[doktornotor]

I wonder, could you make the screenshots a bit bigger? Like, 8K or so at least.  ::)

[DanAnimal]

I have no idea what the forum is doing to these images. They're straight screen captures from Brave on MacOS.

Here they are again down sized.

[doktornotor]

Untick the block bogons/private networks and try again?

[Maurice]

Your settings work fine in my test environment. The GIF tunnel gets configured automatically once the WAN is up.

The GIF interface reconfiguration is triggered by rc.newwanipv6 when the WAN interface gets a new IPv6 address. You might want to check the log for rc.newwanipv6. Do you get your WAN address via DHCPv6 or SLAAC?

[DanAnimal]

System > Log Files > Backend, Boot, General have no mention of rc.newwanipv6

Do you want me to look elsewhere?

System > Log Files > General; filtering for 'wan' (showing a period when plugging in the ONT to OPNsense already running (DS-Lite did not connect), then manually disabling and re-enabling the GIF interface (which made the DS-Lite connection work), then a reboot afterwhich DS-Lite was down again)

Code Select Expand


2024-01-04T00:08:28 Notice kernel <118> WAN (igc1) -> v4: 127.0.0.2/32
2024-01-04T00:08:28 Notice kernel <118> DSLiteWAN (gif0) ->
2024-01-04T00:08:24 Notice kernel <118>>>> Invoking start script 'newwanip'
2024-01-04T00:08:20 Notice kernel <118>Configuring WAN interface...
2024-01-04T00:08:19 Notice kernel <118>Configuring DSLiteWAN interface...done.
2024-01-04T00:03:01 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : webgui_configure_do(,opt1))
2024-01-04T00:03:01 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : vxlan_configure_do())
2024-01-04T00:03:01 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : unbound_configure_do(,opt1))
2024-01-04T00:03:01 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : openssh_configure_do(,opt1))
2024-01-04T00:03:01 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : opendns_configure_do())
2024-01-04T00:03:01 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : ntpd_configure_do())
2024-01-04T00:03:01 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : dnsmasq_configure_do())
2024-01-04T00:03:01 Notice opnsense /interfaces.php: plugins_configure newwanip (,opt1)
2024-01-04T00:03:00 Notice opnsense /interfaces.php: ROUTING: configuring inet6 default gateway on wan
2024-01-04T00:02:58 Notice opnsense /interfaces.php: plugins_configure monitor (execute task : dpinger_configure_do(,DS-WAN))
2024-01-04T00:02:58 Notice opnsense /interfaces.php: plugins_configure monitor (,DS-WAN)
2024-01-04T00:02:48 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : webgui_configure_do(,opt1))
2024-01-04T00:02:48 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : vxlan_configure_do())
2024-01-04T00:02:48 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : unbound_configure_do(,opt1))
2024-01-04T00:02:48 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : openssh_configure_do(,opt1))
2024-01-04T00:02:48 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : opendns_configure_do())
2024-01-04T00:02:48 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : ntpd_configure_do())
2024-01-04T00:02:48 Notice opnsense /interfaces.php: plugins_configure newwanip (execute task : dnsmasq_configure_do())
2024-01-04T00:02:48 Notice opnsense /interfaces.php: plugins_configure newwanip (,opt1)
2024-01-04T00:02:48 Notice opnsense /interfaces.php: ROUTING: configuring inet6 default gateway on wan


It really seems like all the settings are as the need to be to connect but the GIF interface is not being brought up without manual intervention.

[Maurice]

No rc.newwanipv6 in System: Log Files: General is really strange. You do get a /64 prefix delegation via DHCPv6? Your configuration implies that you also get the WAN address via DHCPv6; is that actually the case? Or is there SLAAC involved? What about IPv6 DNS servers?

You might want to post a screenshot of Interfaces: Overview: WAN with as little obfuscation as you feel comfortable with.

[franco]

Sorry, late to the party. It looks like IPv6 is not kicking in when it should... which is strange for DS-Lite because it's required to establish any connectivity. ;)

But you're in good hands with Maurice on the job.


Cheers,
Franco

[DanAnimal]

Thank you both.

Maurice, here's the details of the IPv6 connection from the OpenWRT shim I use upstream of my in-service OPNsense:

Protocol: DHCPv6 client
Address: 2001:XYY:ZXXX:ZYXX:ZXYZ:XZYY:XZYX:ZXYY/64
Gateway: fe80::225:84ff:fe11:dac1
DNS 1: 2001:a7ff:5f01::a
DNS 2: 2001:a7ff:5f01:1::a

(I think the public IPv6 is all I should be worried to redact. Is that correct?)

So it appears I am being served a DHCPv6 address and IPv6 DNS servers with a /64 prefix.
I can see anythiing regarding SLAAC being involved.

(As an aside; I am unclear as to whether the /64 means I should have over eighteen quintillion addresses I can use internally or that I have one address from an over eighteen quintillion address pool the ISP has. IPv6 is still frustratingly unclear to me).

I will reconnect the testing OPNsense and get that screenshot of Interfaces > Overview > WAN for you shortly.

[DanAnimal]

Here's the Interfaces > Overview > WAN from the testing OPNsense connected directly to the ONT.

It is getting obscured by the small resolution on the machine I'm testing with and the header and footer being rendered into frame by the browser. Sorry I don't have an easy way to get all the data on screen at once yet. Do you need the In/out packets (block) details?