DS-Lite on 23.7.6+ (23.7.10_1)

[Patrick M. Hausen]

Thanks, @meyergru! Also consider that an explicit assignment of a single address from a LAN /64 to a different interface is possible if a prefix length of /128 is used.

We use this for all our hosts at Hetzner who also give us a single /64 per server by default.

<prefix>::1/128 goes to the outside interface of the host (with a link-local default gateway, of course - fe80::1).
<prefix>::2/64 goes to "jail0" which is an isolated bridge interface without any external interface as a member. This address acts as the default gateway for all the VNET jails connected to that bridge.
<prefix>:<random address for jail>/64 goes to the individual jails.

So you could e.g. use the WAN MAC address to create a GUA from the prefix in SLAAC style and assign it as /128.

Kind regards,
Patrick

[franco]

> So you could e.g. use the WAN MAC address to create a GUA from the prefix in SLAAC style and assign it as /128.

I was actually considering taking a /64 from the PD for WAN and only assigning a /128 instead of a /64 to work around this limitation, but the delegation in dhcp6c only works with prefixes as narrow as /64.

Thanks for your input so far. I also tend to agree that the limitation no longer applies and I'll consider patching dhcp6c for 24.7 and bringing back the WAN tracking code.


Cheers,
Franco

[meyergru]

I'll be glad to test it. There will be a few hurdles, of course...

[franco]

PPPoE specific fails are not on my panic list today ;)


Cheers,
Franco

[jbourne]

FWIW I am happy to test as well in the weird environment that Japanese IPv6 is, if that is helpful. Especially since I'm the one who revived this thread  ;D

[jbourne]

Understood, thanks. I'm going to guess that with all the stuff yall have to do, pandering to weird Japanese setups isn't going to be _too_ high on the list, hehe ... Is there anything I can do in the meantime as far as a manual hack goes? I suppose I could write some kind of a script that runs as a cron job or something, but ideally I want to just patch into the boot process somewhere.

[edit] browsing through forums, I came across a, what I think, was a similar issue:
https://forum.opnsense.org/index.php?topic=35876.0

and there was a patch issued,
https://github.com/opnsense/core/commit/315153a07

Was this ever deployed into subsequent releases? I looked through src/etc/inc/interfaces.inc and I don't think I see the code referenced in that patch, and it's for an older version, so I don't know if I should risk it or not.

[edit] one more edit. i managed to make it come up on boot by editing 10-newwanip, adding a sleep timer of 30 seconds (to allow WAN to come up), doing the gif config, and then adding a new script all the way at the end of the boot, doing another 10 second sleep, and adding a configctl service restart strongswan to restart the IPSec tunnel. This survived the last two reboots, so it might be an OK hack at the moment. :)

Updating my own post. Adding it to 10-newwanip survived reboots, but didn't survive a firmware update (duh, I suppose), and I forgot that I did it, so everything fell apart again. Adding it to a _new_ script did not work, I have no idea why.

So I fortunately remembered to revisit this thread and see my notes on it, but I guess I will stop updating the firmware because it's just going to break everything again.

[franco]

Adding it to a _new_ script did not work

No executable permission most likely.

[jbourne]

Adding it to a _new_ script did not work

No executable permission most likely.

Haha. That would've been too easy. No, exec perms are on. I have the GIF tunnel as part of 10-newwanip and 93 for ipsec restart (I have an ipsec tunnel I absolutely must have on boot). If I put the gif code with a 30 sec sleep followed by strongswan restart into 93, it does not work. If I put the GIF config code into 10 with a 30 sec sleep and then separately leave the strongswan restart in 93, it works. No idea why.

[franco]

https://github.com/opnsense/core/issues/5630

Revived this for 24.7... stay tuned.

[jbourne]

Sweet! Thank you very much. I'll watch that thread and this one also for when it makes it into beta so I can switch branches and test.

[jbourne]

Ah, another expected, but unwelcome, side effect of the status quo: WAN interface does not get a IPv6 IP, so if you want a dynamic IPv6 host alias for firewall rules, that does not work. Have to use LAN interface as "source" under Firewall > Aliases, and I don't know if that's safe to use or not, but it seems to work for now.

[franco]

It's safe and relatively normal. But the code for a prefix subnet on WAN is tested and works. We even added a way to define the suffix part of the address statically instead of using the MAC/EUI-64 format.

The plan is to offer the GUI knobs for 24.7 but bring in the latest fixes for the dhcp6c client in 24.1.9.


Cheers,
Franco

[jbourne]

Cool. That's good to hear. Can I deploy that via the beta tree or it's not published yet?

[franco]

Command to test was posted here: https://github.com/opnsense/core/issues/5630#issuecomment-2154825737


Cheers,
Franco

[jbourne]

Command to test was posted here: https://github.com/opnsense/core/issues/5630#issuecomment-2154825737


Cheers,
Franco

Oops I totally missed that thread. I will check it, patch, and see how it goes. Thanks!