IPv6 prefix shortcut - Where can it be used?

Started by Mpegger, Today at 03:38:52 AM

I know I'm going to use the wrong terminology, but hopefully the question will be understood.

My ISP (Verizon) designates a prefix for IPv6 addresses, and it is not fixed. So in sections such as "Firewall > Aliases", or "ISC DHCPv6", I need to use the shortened IPv6 address, such as "::aaaa:bbbb:cccc:dddd". But what about sections such as "System > General > DNS Servers"? Is there a list of where the ::x:x:x:x shortcut can be used, or where it can't be used?

Today at 04:41:58 AM #1 Last Edit: Today at 05:36:50 AM by OPNenthu
Haven't seen such a list where partial IPv6 addresses are accepted but so far I've only seen them used in the same places you listed (DHCP and "Dynamic IPv6 Host" aliases).

Are you trying to use a separate DNS server on your LAN as the system DNS for OPNsense?  You could use ULAs or IPv4, but AFAIK there's no current ability to specify a host with a dynamic prefix.

EDIT: On second thought, it's probably better to use an external DNS there which would be available to OPNsense at all times.  With a LAN-side DNS you might have issues on OPNsense startup before the DNS server is able to reach the internet.  I use Cloudflare (1.1.1.1) as the system DNS, for example.

Yes, I run a pair of Pi-holes strictly for ad-blocking, into Unbound on OPNsense with an override list for those systems that have a fixed IP and recursive queries, and currently use ISC+RA for DHCP/DHCPv6. I'm in the process of (finally) switching over to DNSMASQ for DHCP/DHCPv6/RA, hence why I'm wondering where I can use the partial IPv6 address, because I want to use GUA for all the systems that work with DHCPv6. I had tried ULA, but it didn't seem to play nice on the LAN (systems randomly were inaccessible from one moment to another, Unbound would spam the Pi-holes with thousands of requests a second [infinite loop?]), and it's my understanding that in a mixed IPv4/IPv6 environment, ULAs will pretty much be ignored if an IPv4 or GUA is available in a DNS response. I currently use the LLA address of the Pi-holes for its IPv6 address, which seems to work. But if I can make use of partial GUA IPv6 addresses everywhere, I'd rather try to do that.

Today at 06:06:31 AM #3 Last Edit: Today at 06:08:30 AM by OPNenthu
It sounds like you have a configuration issue somewhere.  There shouldn't be any loops regardless of whether you use GUAs or ULAs, or both.

I edited my reply above to mention that I don't think it's a good idea to use an internal DNS for OPNsense itself (fine for LAN clients).  I feel that OPNsense being the head of the network should not depend on anything downstream of it for its core functions.  Why do you need the OPNsense itself to go over Pi-hole?

You're right the ULA would not be preferred where a GUA or IPv4 is available but unless OPNsense knows about them they wouldn't be used.  Hypothetically, you would just enter the ULA address in the OPNsense config and that's what it would use, but don't quote me on that.  Again, I don't think it's a good idea anyway.

Just my unqualified two cents...

OPNsense itself does not go through the Pi-holes since Unbound is active and the option to disable using itself (127.0.0.1) for queries is disabled (not check marked).

However, pretty much any and every DHCP configuration section(s) that allows you to set a DNS server (besides System > General) will tell you that if a DNS server is not set, it will use the DNS server entries already set in System > General. So one setting should cover any and every other section that could also use that setting, instead of manually configuring each and every entry.

Gotcha.  I think you would still need to specify the DNS in DHCP if you really need to use GUAs because unless you have a static prefix you can't use the System->General configs.

In Dnsmasq you can conveniently use constructors like [::] and they would track the interface.

This "partial IPv6" (aka dynamic IPv6 alias) is only available as a firewall alias, and its main purpose is to create firewall rules for IPv6 clients when you have dynamic IPv6 prefixes. BTW: the more general approach would be to use the device's MAC instead, because the EUI-64 is not the only way an IPv6 device can communicate - think of IPv6 privacy extensions. It is not a means to specify IPv6 addresses anywhere else.

As for DNS (or any other) services on your network: Keep in mind that you do not need a specific DNSv6 server at all, because IPv6 can be resolved via DNSv4 just fine. So, if you have dual stack on your LAN and have a working DNSv4 server, you are all set.

Thus, you usually do not need to distribute DNSv6 via DHCPv6 at all. Strictly speaking, you do not need DHCPv6 either, and with dynamic IPv6 prefixes you should probably use SLAAC in the first place. See this for why.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
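To make the "partial IPv6" alias semantics and the EUI-64 caveat from the post above concrete, here is an added example that is not code from this thread or from OPNsense. It shows, in plain Python, what such an alias actually encodes (only the lower 64 bits of the address), how it pairs with whatever /64 prefix the ISP currently delegates, and why an address generated with privacy extensions does not match an EUI-64 derived from the device's MAC. The prefixes, the MAC and the addresses are constructed values from the documentation range, and the function names are assumptions of this example.

```python
import ipaddress

HOST_MASK = (1 << 64) - 1  # lower 64 bits: the interface identifier


def parse_host_suffix(partial: str) -> int:
    """Return the interface identifier encoded by a dynamic IPv6 alias
    such as '::aaaa:bbbb:cccc:dddd'. The upper 64 bits must be zero,
    since that is the part the dynamic prefix fills in."""
    value = int(ipaddress.IPv6Address(partial))
    if value >> 64:
        raise ValueError("alias must leave the upper 64 bits (the prefix) empty")
    return value & HOST_MASK


def compose(prefix: str, suffix: int) -> ipaddress.IPv6Address:
    """Combine the currently delegated /64 prefix with a host suffix,
    i.e. the full address the alias would currently describe."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | suffix)


def matches_alias(address: str, partial: str) -> bool:
    """True when the address has the alias's interface identifier,
    regardless of which prefix is in front of it."""
    return int(ipaddress.IPv6Address(address)) & HOST_MASK == parse_host_suffix(partial)


def eui64_from_mac(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291): insert ff:fe in
    the middle of the 48-bit MAC and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


if __name__ == "__main__":
    # Constructed values: documentation prefixes and a made-up MAC.
    alias = "::aaaa:bbbb:cccc:dddd"
    old_prefix = "2001:db8:1:2::/64"
    new_prefix = "2001:db8:9:9::/64"  # the ISP handed out a new prefix
    print("alias currently means", compose(old_prefix, parse_host_suffix(alias)))
    print("after prefix change  ", compose(new_prefix, parse_host_suffix(alias)))
    print("still matches:", matches_alias("2001:db8:9:9:aaaa:bbbb:cccc:dddd", alias))

    # EUI-64 from the MAC matches only the SLAAC address built from it,
    # not a temporary (privacy extensions) address the same host also uses.
    mac_suffix = eui64_from_mac("00:11:22:33:44:55")
    stable = compose(new_prefix, mac_suffix)
    temporary = "2001:db8:9:9:1234:5678:9abc:def0"
    print("EUI-64 address:", stable)
    print("privacy address matches EUI-64 alias:",
          int(ipaddress.IPv6Address(temporary)) & HOST_MASK == mac_suffix)
```

Running it shows the alias resolving to a different full address as soon as the prefix changes, while the lower 64 bits keep matching; it also shows that a host using privacy extensions has addresses whose lower 64 bits are random, so an alias (or firewall rule) built from its EUI-64 only covers the stable address, which is the reason the post recommends matching on the MAC instead.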