DS-Lite on 23.7.6+ (23.7.10_1)

[Patrick M. Hausen]

Thanks, @meyergru! Also consider that an explicit assignment of a single address from a LAN /64 to a different interface is possible if a prefix length of /128 is used.

We use this for all our hosts at Hetzner who also give us a single /64 per server by default.

<prefix>::1/128 goes to the outside interface of the host (with a link-local default gateway, of course - fe80::1).
<prefix>::2/64 goes to "jail0" which is an isolated bridge interface without any external interface as a member. This address acts as the default gateway for all the VNET jails connected to that bridge.
<prefix>:<random address for jail>/64 goes to the individual jails.

So you could e.g. use the WAN MAC address to create a GUA from the prefix in SLAAC style and assign it as /128.

Kind regards,
Patrick

[franco]

> So you could e.g. use the WAN MAC address to create a GUA from the prefix in SLAAC style and assign it as /128.

I was actually considering taking a /64 from the PD for WAN and only assigning a /128 instead of a /64 to work around this limitation, but the delegation in dhcp6c only works with prefixes as narrow as /64.

Thanks for your input so far. I also tend to agree that the limitation no longer applies and I'll consider patching dhcp6c for 24.7 and bringing back the WAN tracking code.


Cheers,
Franco

[meyergru]

I'll be glad to test it. There will be a few hurdles, of course...

[franco]

PPPoE specific fails are not on my panic list today


Cheers,
Franco

[jbourne]

FWIW I am happy to test as well in the weird environment that Japanese IPv6 is, if that is helpful. Especially since I'm the one who revived this thread 

[jbourne]

Understood, thanks. I’m going to guess that with all the stuff yall have to do, pandering to weird Japanese setups isn’t going to be _too_ high on the list, hehe … Is there anything I can do in the meantime as far as a manual hack goes? I suppose I could write some kind of a script that runs as a cron job or something, but ideally I want to just patch into the boot process somewhere.

[edit] browsing through forums, I came across a, what I think, was a similar issue:
https://forum.opnsense.org/index.php?topic=35876.0

and there was a patch issued,
https://github.com/opnsense/core/commit/315153a07

Was this ever deployed into subsequent releases? I looked through src/etc/inc/interfaces.inc and I don't think I see the code referenced in that patch, and it's for an older version, so I don't know if I should risk it or not.

[edit] one more edit. i managed to make it come up on boot by editing 10-newwanip, adding a sleep timer of 30 seconds (to allow WAN to come up), doing the gif config, and then adding a new script all the way at the end of the boot, doing another 10 second sleep, and adding a configctl service restart strongswan to restart the IPSec tunnel. This survived the last two reboots, so it might be an OK hack at the moment.

Updating my own post. Adding it to 10-newwanip survived reboots, but didn't survive a firmware update (duh, I suppose), and I forgot that I did it, so everything fell apart again. Adding it to a _new_ script did not work, I have no idea why.

So I fortunately remembered to revisit this thread and see my notes on it, but I guess I will stop updating the firmware because it's just going to break everything again.

[franco]

Adding it to a _new_ script did not work

No executable permission most likely.

[jbourne]

Adding it to a _new_ script did not work

No executable permission most likely.

Haha. That would’ve been too easy. No, exec perms are on. I have the GIF tunnel as part of 10-newwanip and 93 for ipsec restart (I have an ipsec tunnel I absolutely must have on boot). If I put the gif code with a 30 sec sleep followed by strongswan restart into 93, it does not work. If I put the GIF config code into 10 with a 30 sec sleep and then separately leave the strongswan restart in 93, it works. No idea why.

[franco]

https://github.com/opnsense/core/issues/5630

Revived this for 24.7... stay tuned.

[jbourne]

Sweet! Thank you very much. I'll watch that thread and this one also for when it makes it into beta so I can switch branches and test.

[jbourne]

Ah, another expected, but unwelcome, side effect of the status quo: WAN interface does not get a IPv6 IP, so if you want a dynamic IPv6 host alias for firewall rules, that does not work. Have to use LAN interface as "source" under Firewall > Aliases, and I don't know if that's safe to use or not, but it seems to work for now.

[franco]

It's safe and relatively normal. But the code for a prefix subnet on WAN is tested and works. We even added a way to define the suffix part of the address statically instead of using the MAC/EUI-64 format.

The plan is to offer the GUI knobs for 24.7 but bring in the latest fixes for the dhcp6c client in 24.1.9.


Cheers,
Franco

[jbourne]

Cool. That's good to hear. Can I deploy that via the beta tree or it's not published yet?

[franco]

Command to test was posted here: https://github.com/opnsense/core/issues/5630#issuecomment-2154825737


Cheers,
Franco

[jbourne]

Command to test was posted here: https://github.com/opnsense/core/issues/5630#issuecomment-2154825737


Cheers,
Franco

Oops I totally missed that thread. I will check it, patch, and see how it goes. Thanks!