Windows nslookup problem after reboot of OPNsense firewall

Started by SerErris, February 15, 2025, 10:37:22 PM

Hi, I am experiencing a strange behaviour on my Windows client.

I am running on OPNsense 25.1.1 (the issue was there before in 24.x releases and probably before that). Every time I restart the firewall, my Windows box will no longer be able to run any nslookup commands... It will just not get any result, for whatever reason. That is only the case if IPv6 is enabled on my Windows machine.

If I disable IPv6 on my Windows machine, there is no issue.

I can run nslookup all day without any issue, but as soon as the firewall restarts - no answer any longer.

I suspect that this is a Windows issue as no Linux machine has the same problem. But I was not able to find any hint on what to do or what to change to make it go away.

Any suggestions?

Does the IPv6 address that Windows is trying to use change when you reboot OPNsense? Different delegated prefix from your ISP each time, maybe? Compare `ipconfig /all` to the addresses currently active on the firewall. How is your LAN interface configured (addressing type, DHCPv6 and RA)?

It is very likely that your DNS configuration for IPv6 is wrong. If that is picked up after or with higher priority than the - presumably correct - DHCPv4 configuration, DNS lookups will not work. Besides the DNS server IP(s), it can also be the search domain list that is different.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

So I tried to troubleshoot it a little bit more.

So yes, my ISP assigns a new IP/56 range each time I connect. This is a Telekom private customer connection, so I do not get a fixed IP address/prefix.

This is a fibre line from Deutsche Telekom with a PPPoE connection, with a dedicated VLAN (7). And the setup works so far so good.

I followed the IPv6 setup guide here:
https://docs.opnsense.org/manual/how-tos/ipv6_dsl.html

Please see my attached screenshots for how I set this up.

So yes, the problem is that the ISP assigns a new IPv6 range every time I reboot or redial PPPoE. And then Windows does not recognize that it needs to re-ask for a new IPv6 configuration via DHCP. So it will ask the old DHCP server, which has a different prefix and which obviously does not work any more.

I have now learned that `ipconfig /renew6` will actually renew the IPv6 configuration (I tried `ipconfig /renew` a lot of times, which did nothing).

So is there any way I can prevent that from happening? For instance, put in a manual DHCPv6 configuration that uses the link-local IP for the DNSv6 resolution? Something like FE80::something?

Because my default gateway is anyhow fe80::6662:66ff:fe21:b957%6 ... I do have other IPv6 addresses assigned with public routable addresses ... However, with my configuration and no explicit DHCPv6 server configuration, the DHCPv6 server delivers the public 2003:fb:XX:XXXX:6662:66ff:fe21:b957. Of course that is exactly what changes every time, and if DNS would point to fe80::6662:66ff:fe21:b957 instead, that should work better? But still the local IPv6 would be still wrong as the old prefix is not valid any longer.

So any Telekom customer here with a private contract (vs commercial) that got a good solution around it, that I can replicate?
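
The stale-DNS condition described in the post above can be checked on the Windows client itself. This is an added example, not part of the original thread; it assumes the IPv6 DNS server is the firewall's LAN address, so it should share a /64 with one of the interface's currently preferred global addresses. The function names are hypothetical helpers.

```powershell
# Added example: flag IPv6 DNS servers left over from an old delegated prefix.
# Assumption: the DNS server is the firewall's LAN address, so it must share
# a /64 with one of this interface's preferred global addresses.

function Get-Prefix64 {
    param([string]$Address)
    # Drop any zone index (%6) and return the first 64 bits as hex.
    $ip = [System.Net.IPAddress]::Parse(($Address -split '%')[0])
    $bytes = $ip.GetAddressBytes()
    ($bytes[0..7] | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-GlobalUnicast {
    param([string]$Address)
    # 2000::/3 is global unicast; fe80::/10 and fc00::/7 survive a prefix change.
    $ip = [System.Net.IPAddress]::Parse(($Address -split '%')[0])
    $first = $ip.GetAddressBytes()[0]
    ($first -band 0xE0) -eq 0x20
}

foreach ($dns in Get-DnsClientServerAddress -AddressFamily IPv6) {
    $servers = @($dns.ServerAddresses | Where-Object { Test-GlobalUnicast $_ })
    if ($servers.Count -eq 0) { continue }

    # /64 prefixes this interface currently holds in Preferred state.
    $live = @(Get-NetIPAddress -InterfaceIndex $dns.InterfaceIndex -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.AddressState -eq 'Preferred' -and (Test-GlobalUnicast $_.IPAddress) } |
        ForEach-Object { Get-Prefix64 $_.IPAddress } |
        Select-Object -Unique)

    foreach ($server in $servers) {
        [pscustomobject]@{
            Interface = $dns.InterfaceAlias
            DnsServer = $server
            # True when no preferred address shares the server's /64.
            Stale     = ($live -notcontains (Get-Prefix64 $server))
        }
    }
}
```

A row with `Stale = True` after a firewall reboot matches the situation in the post; `ipconfig /renew6`, as mentioned there, refreshes the lease.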


Okay I need to learn a lot about IPv6. Nothing works how I would assume it works.

So actually the Router Advertisements daemon should handle that advertisement I am looking for - but the documentation does not state where to find it.

In the documentation here https://docs.opnsense.org/manual/radvd.html it suggests that it is configurable under Services like DHCP. However there is no entry for Router Advertisement.

I think I need some more help.

Let's start over. What exactly do I need to configure to get permanent IP addresses assigned to my local network, so that DHCPv6 will always work? I read in another thread about setting up ULA, but that is the next topic I do not understand at all: where to do it and how to do it in OPNsense. And from the documentation it reads that this is for static IP addresses only ... and of course I do not have a static address.

I would be tempted to try disabling DHCPv6 for the LAN (unless you actually need it?) - you'd need to first use the option to "Allow manual adjustment of DHCPv6 and Router Advertisements", then under [Services > Router Advertisements > LAN], set "Router Advertisements" to "Unmanaged". Hopefully RA would announce the new DNS server address when your prefix changes. There are some ways to configure what DNS servers get advertised. Addresses using the old prefix should get deprecated when a new prefix is announced.

Quote from: SerErris on February 18, 2025, 07:49:16 PM:
"What exactly do I need to configure to get permanent IP addresses assigned to my local network, so that DHCPv6 will always work? I read in another thread about setting up ULA, but that is the next topic I do not understand at all: where to do it and how to do it in OPNsense. And from the documentation it reads that this is for static IP addresses only ... and of course I do not have a static address."

That would be the other approach... You could use a ULA prefix for your LAN and use NPTv6 to map it to a (dynamic) GUA prefix (from your delegated range). I've read that NAT with DHCPc6 in general can be problematic, but couldn't speak for that personally.....

Why do you need DHCPv6? The OP asked for a fool-proof solution, which is already there and now he knows why it exists. No need to re-invent the wheel.

Quote from: meyergru on February 18, 2025, 08:21:13 PM:
"Why do you need DHCPv6? The OP asked for a fool-proof solution, which is already there and now he knows why it exists. No need to re-invent the wheel."

If that's addressed to me (the only other person in the thread): I suggested *DISABLING* DHCPv6.

edit: since it's probably not obvious to the OP: if you don't use that option to "Allow manual adjustment of DHCPv6 and Router Advertisements", DHCPv6 gets enabled automatically.

No, I meant the OP. How that is configured is explained in my HOWTO.

Thanks @meyergru for the howto. Will work through it. I think that should also go into the official documentation (there are other documents like yours in there already).

Let me try it, maybe I have some feedback and I'll let you know if that works for me.