Identity Association IPv6 mode impossible to apply

Started by tgurr, January 29, 2026, 11:50:48 PM

An alternative is to create a SLAAC network and use this ndp proxy on the downstream OPNsenses (aka Opnsense 2 in this schema).

(If it's ISP -> Opnsense 1 -> Opnsense 2...)

https://docs.opnsense.org/manual/ndp-proxy-go.html
Hardware:
DEC740

Quote from: franco on Today at 05:11:01 PM
Simple. The ability to forward DHCPv6 PD to downstream routers from OPNsense is only in ISC-DHCP and Kea. In Kea there is no integration for dynamic prefixes. Dnsmasq does not support it at all.

Thanks for the explanation, I was happy that I got things working in the first place so my networking knowledge sadly really doesn't go very deep, especially for IPv6 so two follow up questions:

1. Will the option "Track interface (legacy)" stay and is the (legacy) just meant to tell that's the "old" way, or is this expected to disappear some time in the future?
2. I was under the assumption that GigaNetz and/or most ISP use dynamic prefixes? Or am I wrong here and basically "The ability to forward DHCPv6 PD to downstream routers from OPNsense is only in ISC-DHCP and Kea" is enough here.

My WAN looks like:


and for HOME/GUEST:



So nothing that fancy I guess, it's working great like that with these settings and Dnsmasq, I just don't want to end up hitting a wall with a future update. So any advice on what and how to change is very welcome.

> 1. Will the option "Track interface (legacy)" stay and is the (legacy) just meant to tell that's the "old" way, or is this expected to disappear  some time in the future?

It will likely disappear when the ISC-DHCP plugin is removed, but that's not before 2027/28 in any case, unless something more serious happens that would mean prohibiting use of the EoL ISC-DHCP, but I doubt it.

> 2. I was under the assumption that GigaNetz and/or most ISP use dynamic prefixes? Or am I wrong here and basically "The ability to forward DHCPv6 PD to downstream routers from OPNsense is only in ISC-DHCP and Kea" is enough here.

That's sadly true. We'll tinker with Kea more now that we don't have ISC-DHCP to worry about as much. Probably changes and improvements coming for 26.7 and beyond. We try to cluster our work nowadays, which seems to be more effective in terms of long-term gains. That's why Kea was put in the back seat in favour of Dnsmasq.


Cheers,
Franco

Quote from: franco on Today at 05:47:39 PM

> It will likely disappear when ISC-DHCP plugin will be removed

Is that because of the usage of the ISC DHCP client here (the DHCPv6 option I use for WAN) that has to be removed as well due to EOL? Would using dhcpcd as a replacement work? I'm asking because in my setup the ISC-DHCP plugin is already uninstalled, so why is there a need to remove "Track interface (legacy)" in the first place, if not for the EOL of the client as well? I also don't yet get the (technical) difference between "Track interface (legacy)" and "Identity Association".

With that info I guess I'll stay on Dnsmasq+Track interface (legacy) for now then. It would be great if you could somehow release a tutorial / short howto on how to configure these things for regular ISP usage, as in "Configuration for just replacing my ISP Fritz!Box with OPNsense", as it's really hard to puzzle everything together, especially in this kind of constellation where things and certain combinations don't work at all.

Thanks for your patience in answering all my unskillful, probably confusingly stated questions.

Quote from: tgurr on Today at 06:11:02 PM
With that info I guess I'll stay on Dnsmasq+Track interface (legacy) for now then. It would be great if you could somehow release a tutorial / short howto on how to configure these things for regular ISP usage, as in "Configuration for just replacing my ISP Fritz!Box with OPNsense", as it's really hard to puzzle everything together, especially in this kind of constellation where things and certain combinations don't work at all.

Our setups are, I think, identical, and the best way to determine the optimal approach is to have someone excoriate you for doing it wrong, so I'll explain my approach, which is, you know, probably wrong.

So my ISP hands me a /56, which has not changed in ages, but that is by no means guaranteed, etc. As with your setup, I've always prefixed this into /64s for my internal networks, i.e., LAN is 0, GUEST is 1, etc. I've been migrated for months now from ISC to dnsmasq, and I'm happy with the dnsmasq setup, which I've had set to only do DHCP for v4.

Options appear to be two:
  • I could configure IPv6 ranges in dnsmasq for each of the lan segments, turn on RA in dnsmasq, and have it hand out addresses.
  • I can skip all that, and just turn on RA (Services -> Router Advertisements) for each of the segments, setting them to 'Unmanaged'.

Option 1 being seemingly the more complicated of the two, I went with option 2, which results in dnsmasq doing IPv4 DHCP + DNS only, and IPv6 clients getting addresses purely via SLAAC.

I suspect but do not know for certain that this is more resilient to a renumbering when the /56 changes.

This appears to work properly with the prefix delegation setup, and all the usual IPv6 tests pass, but this is usually the point where more learned individuals tell me that I'm being an idiot, so let's see what they have to say.
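
The setup bazineta describes above (an ISP-delegated /56 carved into per-segment /64s by prefix ID, hosts addressed purely by SLAAC) can be checked numerically. The following is an added example written for this page; it is not code from the thread, from OPNsense or from dnsmasq. It uses only Python's standard `ipaddress` module, a documentation prefix and a made-up MAC as constructed inputs, and shows two things: which /64 each prefix ID maps to (LAN = 0, GUEST = 1, ...), and what happens to a SLAAC host's address when the ISP renumbers the /56: the 64-bit interface identifier is unchanged, only the top 64 bits move. Hosts using RFC 4941 privacy addresses pick a random interface ID instead of EUI-64, but the renumbering behaviour is the same.

```python
"""Added example (not from the thread): derive per-segment /64s from a
delegated IPv6 prefix and show how SLAAC hosts renumber when the
delegation changes."""
import ipaddress


def segment_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 for subnet `prefix_id` carved out of the delegated
    prefix, e.g. 0 for LAN and 1 for GUEST with a /56 from the ISP."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix is smaller than a /64, cannot run SLAAC")
    # A /56 leaves 8 bits of subnet ID (256 /64s), a /48 leaves 16, and so on.
    if not 0 <= prefix_id < 2 ** (64 - net.prefixlen):
        raise ValueError(f"prefix id {prefix_id:#x} does not fit in a /{net.prefixlen}")
    base = int(net.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host forms from a /64 advertised in an RA plus its EUI-64."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 on-link prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def renumber(old_pd: str, new_pd: str, prefix_id: int, mac: str):
    """Simulate the ISP handing out a new delegation: return the host's old
    address, its new address, and whether the interface ID survived."""
    old = slaac_address(segment_prefix(old_pd, prefix_id), mac)
    new = slaac_address(segment_prefix(new_pd, prefix_id), mac)
    low64 = (1 << 64) - 1
    return old, new, (int(old) & low64) == (int(new) & low64)


if __name__ == "__main__":
    # Constructed inputs: documentation prefixes and a made-up MAC.
    pd_before = "2001:db8:abcd:ff00::/56"
    pd_after = "2001:db8:1234:5600::/56"
    host_mac = "00:11:22:33:44:55"
    for name, pid in (("LAN", 0), ("GUEST", 1)):
        print(f"{name:5} prefix id {pid} -> {segment_prefix(pd_before, pid)}")
    old, new, same_iid = renumber(pd_before, pd_after, 1, host_mac)
    print(f"GUEST host before renumbering: {old}")
    print(f"GUEST host after renumbering:  {new}")
    print(f"interface id unchanged: {same_iid}")
```

The `strict=True` check rejects a delegated prefix with host bits set, which is what a mistyped static prefix looks like; the range check on `prefix_id` is the same constraint OPNsense's hexadecimal Prefix ID field has to satisfy against the delegation size.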

Quote from: bazineta on Today at 06:45:28 PM
This appears to work properly with the prefix delegation setup, and all the usual IPv6 tests pass, but this is usually the point where more learned individuals tell me that I'm being an idiot, so let's see what they have to say.

Sounds sensible to me, sent you a pm asking for details cause I'm interested to try to replicate your setup.