Best practice for Windows Server DHCPv6

[JamesFrisch]

I was wondering what if there is some best practice guide regarding running OPNsense and Windows AD / DHCPv6 / DNS. I tried a lot of settings but got very inconsistent results.

Situation: ISP gives me a /48, and I assign a /64 for the VLAN with Windows Clients and Server. There are other VLAN, they all use /64 and the "Track prefix" option. For every other VLAN, I did not set any settings and Router Advertisement and SLAAC works great out of the box.


But for the Windows Server VLAN, the problem with leaving everything at default, is that as the default DNS6 server, the clients get the IPv6 of the Interface, which of course can not resolve requests to local A and AAAA records and will also break auth stuff like network shares. Windows clients will get home.arpa as Domainname in addition of contonso.corp form the Windows Server.


So far I have tried a lot of things. All of these settings have the problem, that sometimes Windows clients will get the OPNsense Interface IPv6 as their DNS6 server. I set router advertisement to "router only", I tried "Assisted" in combination with a Windows DHCPv6, I tried setting advertising the DNS and many more.


I also thought about either setting up a DHCPv6 Relay Server and pointing to my Windows Server or using DHCPv6 of OPNsense itself with Windows Server as the DNS server, but I don't know if Windows AD would really like a setup like this.


Maybe I am just way off. So I was wondering how others here use IPv6 in combination with OPNsense and Windows Server and what settings they use.

PS: OPNsense Business 23.10.2

[Patrick M. Hausen]

Use BIND instead of Unbound and set up a secondary zone for your Windows domain from the AD controllers is what I do in such cases. Or set DHCP to hand out the AD controllers' addresses as DNS servers and be done with it.

You don't need DNS via IPv6 to have DNS for IPv6. I keep DNS to IPv4 only for internal networks because I am lazy and IPv4 is not going away, soon.

[JamesFrisch]

Or set DHCP to hand out the AD controllers' addresses as DNS servers and be done with it.

DHCP on OPNsense right?
So maybe RA Assited, DHCPv6 on OPNsense, give the clients the IPv6 of DC as DNS.
That is probably worth a try.

You don't need DNS via IPv6 to have DNS for IPv6.

Sure. The problem is more that Windows clients prefer IPv6 over IPv4. Now with the clients getting OPNsense as DNS server, AD is basically broken because every try to connect to DC, DC is not known to OPNsense.

I keep DNS to IPv4 only for internal networks because I am lazy and IPv4 is not going away, soon.

Would love to do that, but the default settings of OPNsense will hand out a DNS6 server to clients


This is how I imagine my optimal setup would look like:
Clients get an IPv6 by SLAAC from OPNsense. That way the clients get Privacy Extension. To my knowledge, Windows Server does not offer SLAAC out of the box, so this should come from OPNsense. At the same time, for DNS requests, it should use the internal DC.
So I guess easiest way to achieve this would be to use DHCPv6 on OPNsense and set the DNS there?
Only downsides would be that I have create fixed IPs on OPNsense (not really a downside, don't need fixed internal IPv6 anyway) and that DHCP leases will not get registred by the DNS server (not really a downside, since I don't use IPv6 for local access, and even if I did I could create an AAAA record on the DNS server).

[Patrick M. Hausen]

Sure. The problem is more that Windows clients prefer IPv6 over IPv4. Now with the clients getting OPNsense as DNS server, AD is basically broken because every try to connect to DC, DC is not known to OPNsense.

Correct. For a Windows domain to work the DCs must be the recursive name servers for all clients or the recursive name server must have a domain override or a secondary zone or something of this kind.

I keep DNS to IPv4 only for internal networks because I am lazy and IPv4 is not going away, soon.

Would love to do that, but the default settings of OPNsense will hand out a DNS6 server to clients

Services > Router Advertisments > <Interface> > DNS options > [/] Do not send any DNS configuration to clients

[JamesFrisch]

I will have to look into secondary zones, I currently don't know how they work.

Services > Router Advertisments > <Interface> > DNS options > [/] Do not send any DNS configuration to clients

Good catch, that could be an error on my part. I did set "Use DNS of DHCPv6", set a DNS option under DHCPv6 but did not enable DHCPv6 on OPNsense. Maybe this setting is ignored because DHCPv6 is not enabled?

So it seems to me like there are many options to run IPv6.


Setup 1:
RA unmanaged, do not send DNS, advertise default gateway. Windows not running DHCPv6.
Windows Clients will not get any DNS6 Server and ask IPv4 DC DNS for AAAA records. Setting OPNsense as secondary DNS.

Pros: Default and easy, if DC goes down, there is still internet access
Cons: -

Setup 2:
RA unmanaged, do not send DNS, advertise default gateway. Windows not running DHCPv6. Set IPv6 Relay to DC and make sure DC does not use OPNsense IPv6 DNS to prevent a DNS loop 
Even if Windows clients for some reason get OPNsense as DNS6 server, it will be relayed to DC.

Pros: More failsave?
Cons: Seems complicated, no backup to reach internet if DC DNS goes down.


Setup 3:
RA unmanaged, do not send DNS, DC does DHCPv6 and DNS6, advertise default gateway. Set DHCP options to hand out DC as primary and OPNsense as secondary DNS.
Windows Clients will get both, SLAAC and a DHCPv6 lease from DC.

Pros: Can assign static IPv6 from DC, if DC goes down clients can still reach the internet.
Cons: -

Setup 4:
RA assisted, send DNS, DHCPv6 with DNS pointing to DC, advertise default gateway. Windows not running DHCPv6. Set DHCP options to hand out DC as primary and OPNsense as secondary DNS.
Windows Clients will get both, SLAAC and a DHCPv6 lease from OPNsense.

Pros: Can assign static IPv6 from OPNsense, if DC goes down clients can still reach the internet.
Cons: Maybe some Windows shenanigans?


Setup 1 did not work for me, because I did not set the "Do not send any DNS" settings.

I think that setup 3 failed me, because instead of using "unmanaged" I used "assisted". This lead OPNsense to send AdvManagedFlag and AdvOtherConfigFlag, which were not necessary and assigned DNS search domains and DNS Servers to clients.


So I guess I will try setup 1 and move to setup 3 if I ever need DHCPv6.

[Patrick M. Hausen]

I use setup #1. Works great for me. Secondary zone needs BIND instead of Unbound, but then you should have at least two DCs, anyway. 

[JamesFrisch]

Yeah I know, but the we don't wanna spend the money for a second DC 

Will also try setup 1, with the DNS settings of your picture. Thanks a lot for your input and help!

[JamesFrisch]

Maybe this helps someone else, so I will report what I tested.


Just setting it to "Unmanaged" and "do not send any DNS information" did not work.
I did it yesterday and also tested a client. The client did get link local and normal IPv6s and the Gateway and no IPv6 DNS server. AAAA records worked through the IPv4 DNS. But this morning clients were unable to connect network shares so I had to disable it again.

Not really sure what the problem was to be honest. I never had this problem with the default settings of pfSense.


Next up I will try setup 3 or 4.

[JamesFrisch]

I totally overlooked something!

I somehow thought that these are radio buttons:

-  Use the DNS configuration of the DHCPv6 server
- Do not send any DNS configuration to clients

But they are not 

So in theory, I could not enable DHCPv6 on Windows server, leave both checkboxes unchecked, fill out the two forms DNS server and Domain search list right under the checkboxes to point to my DC, and everything should work.
Will test that tomorrow, wish me luck 

[JamesFrisch]

I have tried lots of different settings, but Windows clients acted up strange on all of them. Sometimes I was not really sure if OPNsense is acting strange or if there is a bug. Like for one example, I was setting the Interface to Static IPv6 and got the error to specify a valid IPv6. Just reloaded the page, pasted the exact same IPv6 again and it worked. There were no spaces in the paste. Anyway I found a config that works for me.

I set RA back to router only and let Windows Server DHCPv6 hand out IPv6.
Seems like there is not SLAAC possible but since there are no phones on the network anyway, I don't really care.

[JamesFrisch]

Two Updates 

Since Windows Server seems to be unable to offer privacy extension, I switched back to
"unmanaged" and send the Windows Server IP as DNS server and OPNsense as second DNS server in case the DC goes down for some reason.

That worked perfect. Clients got an IPv6 with privacy extension and the DNS settings.

But since the update to 23.10.2, clients get home.arpa as DNS suffix and search stuff again.


So in the end, I am still not sure what best practice for this situation would be.
I also don't trust OPNsense to have implemented this bug free, since the behavior seems to inconsistent.
So for the moment I will disable IPv6.

If you have any links on how to offer privacy extensions in a Windows AD, please let me know.