Odd defaults for RA and DHCPv6 ISC?

JamesFrisch · February 19, 2026, 11:37:47 AM

So maybe I am overlooking or not getting something, but has the default behavior changed since version 26?
Take it with a grain of salt, I am no expert.

Here is how I think the defaults used to work:
- A new Interface with the "Track Interface" option got RA set to unmanaged.
- A new Interface with the "Track Interface" option got no DHCPv6 enabled.

Here is how I think the defaults work now:
- A new Interface with the "Track Interface" option has no RA enabled by default.
- Not only do new interfaces have DHCPv6 enabled (::1000 to ::2000) it even retroactively enabled DHCPv6 for all old interfaces that did not have DHCPv6 enabled before?

These are the points I don't understand:
- Why is unmanaged RA no longer enabled by default?
- Why is DHCPv6 enabled by default?
- Why do old interfaces get DHCPv6 retroactively enabled (which does probably not even do anything, since RA is unchanged to "unmanaged")?

meyergru · February 19, 2026, 02:04:23 PM

"Track Interface" is legacy now - what you probably want is now called "Identity Association". See: https://docs.opnsense.org/manual/interfaces.html

AFAIR the IPv6 changes were referenced in the 26.1 release notes, also.

JamesFrisch · February 19, 2026, 02:40:59 PM

Quotethe "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups.

AFAIK Track interface did also not automatically start ISC-DHCPv6 back in the days. This makes it sound like it did.
So enabling it retroactively seems a little bit strange IMHO.

What I also don't quite understand is this part.

QuoteDnsmasq is now the default for DHCPv4 and DHCPv6 as well as RA out of the box. One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default. Use another DHCPv6 server in this case.

We are not talking about prefix delegation on the WAN, right?
Are we talking about the "Assign prefix ID"?

Maybe I am putting the chart before the horse :)
I currently have this for each VLAN:
On the interface -> Static IPv4 and Track Interface for IPv6 and Assign prefix ID with the number of the VLAN, so for example 10.
ISC DHCPv4 -> Does DHCPv4
RA -> Since I did not even enable the manual config on the interface, it is totally default. So SLAAC and nothing else.
Unbound as DNS.

How would that setup look with none legacy stuff like Kea or Dnsmasq?

franco · February 19, 2026, 02:57:21 PM

"Track interface" and ISC/Radvd defaults haven't changed at all.

Cheers,
Franco

Maurice · February 19, 2026, 02:59:07 PM

In automatic mode ("Allow manual adjustment of DHCPv6 and Router Advertisements" not enabled), ISC DHCPv6 has always been active and RAs have always been set to assisted. This is not new.

Quote from: JamesFrisch on February 19, 2026, 02:40:59 PMWe are not talking about prefix delegation on the WAN, right?

No, this is about downstream prefix delegation - OPNsense delegating prefixes to DHCPv6 clients in the LAN. Dnsmasq doesn't support this at all, Kea only with static prefixes.

Cheers
Maurice

JamesFrisch · February 19, 2026, 06:11:58 PM

Ohh, my bad, than I probably misremembered.

QuoteOPNsense delegating prefixes to DHCPv6 clients in the LAN. Dnsmasq doesn't support this at all, Kea only with static prefixes.

So if I wan't to have multiple VLANs with different assigned prefixes, I need Kea.
Or basically my current setting can be replaced by switching from track interface to Identity Association and from switching from ICE to Kea? Is that accurate?

Maurice · Reply #6 - Re: Odd defaults for RA and DHCPv6 ISC?

Quote from: JamesFrisch on February 19, 2026, 06:11:58 PMSo if I wan't to have multiple VLANs with different assigned prefixes, I need Kea.

No. Dynamically assigning a /64 prefix to an interface is done by dhcp6c (via the Track Interface / Identity Association feature) and unrelated to downstream prefix delegation.

Quote from: JamesFrisch on February 19, 2026, 06:11:58 PMOr basically my current setting can be replaced by switching from track interface to Identity Association and from switching from ICE to Kea?

You can switch to Identity Association, but will then have to manually configure Router Advertisements and DHCPv6.
Kea requires a static prefix, so if you have a dynamic prefix and need stateful DHCPv6, you'll have to switch to Dnsmasq or stick with ISC (which imho is the best option for the time being).

I switched from Track Interface to Identity Association and from ISC DHCPv4 to Kea DHCPv4, but keep using radvd and ISC DHCPv6.

JamesFrisch · Reply #7 - Re: Odd defaults for RA and DHCPv6 ISC?

QuoteNo. Dynamically assigning a /64 prefix to an interface is done by dhcp6c (via the Track Interface / Identity Association feature) and unrelated to downstream prefix delegation.

Ahhh that makes sense. Cheers for that.

Humble brag: My ISP is not an idiot and sticks with RIPE recommendations, so I get a static /48 prefix.
DHCPv6 I don't need.
So I could switch to Identity Association for the interfaces, KEA for DHCPv4 and RA for stateless SLAAC, I guess?

But since the DNS registration is not supported by KEA, I should go with dnsmasq, if I want the same as with ICE?

For that I would have to:
- change the interface to Identity Association
- enable dnsmasq as DHCPv4 server
- Either use RA or dnsmasq for RA and stateless SLAAC

Patrick M. Hausen · Reply #8 - Re: Odd defaults for RA and DHCPv6 ISC?

Quote from: JamesFrisch on Today at 08:21:43 AMo I could switch to Identity Association for the interfaces

IMHO you should not. If you get a static /48 from your ISP why don't you configure all internal interfaces statically? At most you need the dhcp6c (client!) on WAN, that's all.

JamesFrisch · Reply #9 - Re: Odd defaults for RA and DHCPv6 ISC?

QuoteIf you get a static /48 from your ISP why don't you configure all internal interfaces statically?

You severely underestimate my laziness! :) /s

But you are right, I could set them statically. Even when I move eventually, my ISP let me keep my static prefix if I ask for it.

How about the other two points?

- enable dnsmasq as DHCPv4 server
- Either use RA or dnsmasq for RA and stateless SLAAC

I like to follow defaults, so I should probably use radvd and not RA form dnsmasq, right?

Patrick M. Hausen · Reply #10 - Re: Odd defaults for RA and DHCPv6 ISC?

I run Kea for DHCPv4 and radvd.

JamesFrisch · Reply #11 - Re: Odd defaults for RA and DHCPv6 ISC?

For whatever reason, I can't get my VM to get any IP. Neither for KEA nor dnsmasq. Works fine with ISC.

For Kea I did:
Subnet: 10.0.60.0/24
Pools: 10.0.60.2-10.0.60.200
Interface is listening on vlan60.
Service is running, restart does nothing, no errors in logs.

For dnsmasq, I can get the service is running, but as soon as I try to add the DHCP range onto the VLAN60 interface by using start 10.0.60.2 and end 10.0.60.200, the service crashes with no logs.

Patrick M. Hausen · Reply #12 - Re: Odd defaults for RA and DHCPv6 ISC?

After or before you enabled and configured Kea, did you disable ISC completely? On all interfaces? You cannot migrate selectively, ISC must be off for Kea to work.

Odd defaults for RA and DHCPv6 ISC?

JamesFrisch

February 19, 2026, 11:37:47 AM

meyergru

February 19, 2026, 02:04:23 PM #1

JamesFrisch

February 19, 2026, 02:40:59 PM #2 Last Edit: February 19, 2026, 02:46:06 PM by JamesFrisch

franco

February 19, 2026, 02:57:21 PM #3

Maurice

February 19, 2026, 02:59:07 PM #4 Last Edit: February 19, 2026, 03:00:45 PM by Maurice

JamesFrisch

February 19, 2026, 06:11:58 PM #5

Maurice

Today at 12:44:52 AM #6

JamesFrisch

Today at 08:21:43 AM #7

Patrick M. Hausen

Today at 08:50:45 AM #8

JamesFrisch

Today at 10:01:34 AM #9

Patrick M. Hausen

Today at 10:09:48 AM #10

JamesFrisch

Today at 11:19:24 AM #11

Patrick M. Hausen

Today at 01:38:36 PM #12