[HOWTO] Configure IPv6 in order to "just work" (tm)

Started by meyergru, February 13, 2025, 02:54:29 PM

Quote from: meyergru on October 12, 2025, 08:36:02 PM
1. Ask your ISP for static prefixes (good luck).

German Telekom, business contract. Done. Not even all that expensive.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

This is what I'm going to try:

I plan to use part of my delegated prefix like a ULA range.
My ISP allocates a /56, so I have plenty of subnets to spare.

I'll keep using Track Interface for each interface, but on each one I'll add a Virtual IP (VIP) from the next subnet.

For example, on one interface I configure it with prefix ID 60, which gives me 2603:aaaa:bbbb:cc60::babe/64.
Then I create a VIP on the same interface with the address 2603:aaaa:bbbb:cc61::babe/64.

After restarting services, I can see in radvd.conf that it's now advertising both prefixes. On one of my test Linux devices, I can confirm it's getting addresses from both prefixes.

Next, I'll update DNS to use the 2603:aaaa:bbbb:cc61::/64 addresses for my hosts.

I'm not entirely sure how I'll test everything yet, but I'll see how it behaves.

Will this approach work?

October 12, 2025, 10:33:55 PM #47 Last Edit: October 12, 2025, 10:37:32 PM by Maurice
@meyergru Agreed. From my experience, if #1 (IPv6-only with static GUAs) isn't viable, #2 (IPv6-only with dynamic GUAs + static ULAs) is the preferred option for advanced users. Having to deal with only one IP stack at a time makes so many things so much easier. I only fully realized this once I tried it.
On the other hand, #4 (Dual Stack with dynamic GUAs + static RFC1918) is still unrivaled for your average zero-configuration home network.

@Patrick M. Hausen Probably not an option for IsaacFL. ;-) For myself, this would be more than twice of what I pay with my current ISP - for the same bandwidth over the same fibre.

@IsaacFL I don't think that's a good idea. You'll still have to manually change the VIPs and DNS records when your PD changes. What's your concern with the other options we discussed?
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on October 12, 2025, 10:33:55 PM
Probably not an option for IsaacFL. ;-)

Granted.

Quote from: Maurice on October 12, 2025, 10:33:55 PM
For myself, this would be more than twice of what I pay with my current ISP - for the same bandwidth over the same fibre.

I prefer one static IPv4 and a static /56 over more bandwidth. I have a DSL 100/40 Mbit/s contract and as long as that is enough to stream TV I'd rather keep the static addresses than go shopping for higher speed. For all real work use it is more than enough. Larger file transfers between servers in our DC I just do not run via my Mac but keep them local to the DC - of course.

But to each their priorities.

@Patrick M. Hausen I'm with you that you don't always need the highest speed available. I use GPON and could get 1000/500, but decided that 300/150 is fine. That's what I compared - 300/150 for 45 € with my current ISP vs. ~93 € for Telekom's Business offering. Downgrading to 150/75 would only be 5 € less. And I'm not paying 500 € a year just for a static prefix at home.

Quote from: Maurice on October 12, 2025, 10:33:55 PM
@meyergru Agreed. From my experience, if #1 (IPv6-only with static GUAs) isn't viable, #2 (IPv6-only with dynamic GUAs + static ULAs) is the preferred option for advanced users. Having to deal with only one IP stack at a time makes so many things so much easier. I only fully realized this once I tried it.
On the other hand, #4 (Dual Stack with dynamic GUAs + static RFC1918) is still unrivaled for your average zero-configuration home network.

@Patrick M. Hausen Probably not an option for IsaacFL. ;-) For myself, this would be more than twice of what I pay with my current ISP - for the same bandwidth over the same fibre.

@IsaacFL I don't think that's a good idea. You'll still have to manually change the VIPs and DNS records when your PD changes. What's your concern with the other options we discussed?

I think you are right about it not being a great idea. I did test it and seems to work, but it is bringing more complexity, really almost like using ULA.

I think I am going to use static interface assignments and figure out a way to monitor if the prefix changes.

Last time I had the prefix change, I just did a search and replace on the old prefix to new prefix in the config.xml file and just restored the edited file.


Quote from: IsaacFL on October 12, 2025, 11:10:18 PM
I think I am going to use static interface assignments and figure out a way to monitor if the prefix changes.

You can e.g. create a ping test, setting the source address to a LAN interface address. The ping will fail when your ISP changes your prefix delegation.

Quote from: Maurice on October 12, 2025, 11:24:05 PM
Quote from: IsaacFL on October 12, 2025, 11:10:18 PM
I think I am going to use static interface assignments and figure out a way to monitor if the prefix changes.

You can e.g. create a ping test, setting the source address to a LAN interface address. The ping will fail when your ISP changes your prefix delegation.
I guess that would work if I kept one of the interfaces to track and then pinged a host in that interface. My Guest Wifi would be good for that.

Another way would be to look at the file where the IPv6 prefix is kept. For me that is /tmp/vtnet0_prefixv6, but I'm not sure monit is smart enough to do that.

You can just ping a target on the Internet. Since the source address is static, the ping will fail when your ISP stops routing this address to you.
Yes, monit can monitor files for changes. Interesting approach!

Hello,

I have a question about setting the prefix in opnsense.
I have a range in the format abcd:efgh:ijkl:XX::/56

In opnsense I tried to set "Optional prefix ID" on lan and wan to be 00 and 01. When trying this, opnsense interprets this as a random character and then 0 or 1 respectively, so it could be:
abcd:efgh:ijkl:f0 or abcd:efgh:ijkl:31 for example.

When I changed this to 10 and 11 I get what I expect, e.g.:
abcd:efgh:ijkl:10 or abcd:efgh:ijkl:11

How can I use the first 10 subnet prefixes in opnsense? e.g. 00-09?

A /56 would be abcd:efgh:ijkl:mn00::/56. Are you sure you actually get a /56? Check Interfaces / Overview / WAN / Details / Dynamic IPv6 prefix received.

If you get a /56, setting the prefix ID to 0 or 1 (no leading zero) should result in abcd:efgh:ijkl:mn00::/64 / abcd:efgh:ijkl:mn01::/64.
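As an added example (not the thread's own code and not part of OPNsense), this small Python script does two things the posts above describe: it derives the /64 that a hexadecimal prefix ID selects inside the delegated /56 (prefix ID 60 under ...:cc00::/56 gives ...:cc60::/64, prefix ID 0 gives ...:cc00::/64), and it reports which static subnets and addresses move when the delegation changes, which is the check a monit or cron job could run against the `/tmp/<wan>_prefixv6` file mentioned earlier. The sample prefixes are constructed, and the assumption that the prefix file holds a single `prefix/length` line is mine.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample values, not from any real deployment; they mirror the
# thread's example where prefix ID 60 under a /56 yields ...:cc60::/64.
DELEGATED_OLD = ipaddress.IPv6Network("2603:aaaa:bbbb:cc00::/56")
DELEGATED_NEW = ipaddress.IPv6Network("2603:aaaa:bbbb:dd00::/56")
PREFIX_IDS = {"lan": "60", "guest": "61"}  # hex, as typed into the prefix ID field

def subnet_for_prefix_id(delegated: ipaddress.IPv6Network, prefix_id: str) -> ipaddress.IPv6Network:
    """Return the /64 a hexadecimal prefix ID selects inside a delegated prefix.
    The ID fills the bits between the delegated length and /64, so a /56 leaves
    8 bits (IDs 0..ff); out-of-range IDs are rejected rather than silently wrapped."""
    free_bits = 64 - delegated.prefixlen
    pid = int(prefix_id, 16)
    if not 0 <= pid < (1 << free_bits):
        raise ValueError(f"prefix ID {prefix_id!r} does not fit in {free_bits} bits")
    return ipaddress.IPv6Network((int(delegated.network_address) | (pid << 64), 64))

def read_prefix_file(contents: str) -> Optional[ipaddress.IPv6Network]:
    """Parse the delegated prefix from the contents of /tmp/<wan>_prefixv6.
    Assumption: the file holds one prefix such as '2603:aaaa:bbbb:cc00::/56';
    an empty file (no delegation received yet) yields None."""
    text = contents.strip()
    return ipaddress.IPv6Network(text, strict=False) if text else None

def changed_subnets(old: ipaddress.IPv6Network, new: ipaddress.IPv6Network,
                    prefix_ids: Dict[str, str]) -> Dict[str, Tuple[ipaddress.IPv6Network, ipaddress.IPv6Network]]:
    """Map each interface whose static /64 moves to its (old, new) subnet."""
    moved = {}
    for name, pid in prefix_ids.items():
        before, after = subnet_for_prefix_id(old, pid), subnet_for_prefix_id(new, pid)
        if before != after:
            moved[name] = (before, after)
    return moved

def renumber(addr: str, old: ipaddress.IPv6Network, new: ipaddress.IPv6Network) -> str:
    """Move a static address into the new delegation, keeping subnet ID and host part
    (the search-and-replace from the thread, done on address bits instead of text)."""
    a = ipaddress.IPv6Address(addr)
    if a not in old:
        raise ValueError(f"{addr} is not inside {old}")
    host_mask = (1 << (128 - old.prefixlen)) - 1
    return str(ipaddress.IPv6Address(int(new.network_address) | (int(a) & host_mask)))

if __name__ == "__main__":
    current = read_prefix_file("2603:aaaa:bbbb:dd00::/56\n")  # constructed file contents
    for name, (before, after) in changed_subnets(DELEGATED_OLD, current, PREFIX_IDS).items():
        print(f"{name}: {before} -> {after}")
```

Run on a schedule, compare `read_prefix_file(...)` against a saved copy and alert when `changed_subnets` is non-empty; the raised `ValueError` for IDs like `100` under a /56 is the guard against the silent mis-parse described in the question above.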

Quote from: Maurice on November 06, 2025, 04:09:51 PM
A /56 would be abcd:efgh:ijkl:mn00::/56. Are you sure you actually get a /56? Check Interfaces / Overview / WAN / Details / Dynamic IPv6 prefix received.

If you get a /56, setting the prefix ID to 0 or 1 (no leading zero) should result in abcd:efgh:ijkl:mn00::/64 / abcd:efgh:ijkl:mn01::/64.

Thank you, you are actually correct. I must have become confused when I tested this because it does exactly as you say when I try this now. This is new to me so apologies for this.

Can I ask another question? Regarding SLAAC: this works well and, as the OP post states, is fully functional for clients via router advertisements.

However, before, when I used DHCP, I could easily see which client had which IP address. This allowed me to identify a client easily in the firewall log, as I know for example "peters iphone" might be 192.168.2.66 or something.

In IPv6 how do I see or create a database of which client has which address? For example, knowing abcd:efgh:ijkl:mn12:289a:845e:7103:1690 is in the firewall log does not actually tell me what device that is. Is this no longer possible in IPv6?

That's not possible, by design. When enabling SLAAC, most clients use privacy extensions, meaning they randomise their interface identifier (lower 64 bits of the IPv6 address) for outbound connections.

If you really need to identify individual clients, you have to disable SLAAC and use stateful DHCPv6 (which is not supported by all clients).

You could look into identifying clients by their MAC address, but many randomise that, too.

If you need certain rules for certain groups of clients, it makes more sense to assign them to separate (V)LANs.

Quote from: Maurice on November 06, 2025, 06:13:37 PM
That's not possible, by design. When enabling SLAAC, most clients use privacy extensions, meaning they randomise their interface identifier (lower 64 bits of the IPv6 address) for outbound connections.

If you really need to identify individual clients, you have to disable SLAAC and use stateful DHCPv6 (which is not supported by all clients).

You could look into identifying clients by their MAC address, but many randomise that, too.

If you need certain rules for certain groups of clients, it makes more sense to assign them to separate (V)LANs.

This is an interesting problem, because as you say, some clients like Android only do SLAAC. So this seems kind of unintuitive in terms of an enterprise setup to just abandon knowing anything about clients that connect through your firewall. I can imagine this causing abuse problems if I was that way inclined to steal from the rich and democratize the poor. A most interesting development.

In an enterprise setup you will in most cases have a Windows domain and Active Directory so all clients running Windows can do authenticated and trustworthy dynamic DNS updates.

You can still run OPNsense as your frontmost recursive DNS, just create forwarding entries for the internal zones pointing to your domain controllers.