New IPv6 address assignment option "Identity Association" assigns a /63

Started by melectronics, March 30, 2026, 07:52:43 PM

Quote from: Maurice on April 01, 2026, 04:43:00 PM
> A good idea in theory (and some / most consumer routers do that), but for more advanced setups you really need to know the PD size in advance. For example, when configuring the subnet IDs of your LANs, you need to know how many bits are available. Let's say you configure a subnet ID 0x10 but then only get a /60...
Doesn't sound like a real reason not to do it like most consumer routers do, to me. In my mind, OPNsense could be doing something better than the original but then refuses to do it for the same stubborn reasons.


Consumer routers don't let you create an arbitrary number of subnets or manually configure subnet IDs at all. If all you have is one LAN and maybe a guest network, it's easy to handle a dynamic PD size. Just use subnet ID 0 for the LAN and 1 for the guest network. If you only get a /64, disable IPv6 for the guest network (or enable an NDP proxy).

We shouldn't do that level of automation in OPNsense. But the current workflow isn't ideal either. Many ISPs don't document their PD size. So you have to go to Interfaces / Overview, click the WAN interface's magnifying glass, scroll down to "Dynamic IPv6 prefix received" and then configure the PD size displayed there in the WAN interface's DHCPv6 client settings.

Franco, I think we once discussed the idea of a big fat warning somewhere in the GUI when the configured PD size doesn't match the actual PD size. I still think that would be a good idea.

Or maybe go one step further and actually change the config based on the actual PD size (optionally of course)?

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

> Or maybe go one step further and actually change the config based on the actual PD size (optionally of course)?

I do dread all of the dynamic-things-change-the-config.xml-state-which-changes-the-behaviour-of-the-firewall-further-by-triggering-a-required-reconfigure ideas. But that's just me.  :)

> Franco, I think we once discussed the idea of a big fat warning somewhere in the GUI when the configured PD size doesn't match the actual PD size. I still think that would be a good idea.

We do have a banner facility that could read the respective PD info file and complain either everywhere or in the interface settings page specifically.

The biggest hurdle is still that interface pages are not MVC, but with the banner/notification system it's not so bad as it used to be.

Ticket would be a good start?



Cheers,
Franco
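The mismatch Maurice describes (a subnet ID 0x10 configured for a PD size that turns out to be a /60) and the check Franco says a banner could perform (compare the configured PD size with what the DHCPv6 client actually received) reduce to the same arithmetic. The following is an added example illustrating that check in Python; it is not code from OPNsense or from either poster. The function names (`derive_lan_prefix`, `check_pd_size`), the documentation prefix `2001:db8:abcd:1230::/60` and the interface names are constructed for the example.

```python
import ipaddress

LAN_PREFIX_LEN = 64  # every LAN gets a /64; the subnet ID fills the bits between the PD and /64


def derive_lan_prefix(delegated: str, subnet_id: int, lan_len: int = LAN_PREFIX_LEN) -> str:
    """Combine a delegated prefix with a subnet ID to form the LAN prefix.

    Raises ValueError when the delegation is too small for the requested subnet ID,
    which is exactly the "configured 0x10, only got a /60" situation.
    """
    net = ipaddress.IPv6Network(delegated, strict=False)
    subnet_bits = lan_len - net.prefixlen
    if subnet_bits < 0:
        raise ValueError(f"delegation {net} is longer than the /{lan_len} LAN prefix")
    if subnet_id < 0 or subnet_id >= (1 << subnet_bits):
        raise ValueError(
            f"subnet ID {subnet_id:#x} needs more than the {subnet_bits} bit(s) a /{net.prefixlen} leaves"
        )
    base = int(net.network_address)
    lan = base | (subnet_id << (128 - lan_len))
    return str(ipaddress.IPv6Network((lan, lan_len)))


def check_pd_size(configured_len: int, delegated: str, subnet_ids: dict) -> dict:
    """Compare the configured PD size with the prefix actually received.

    Returns the actual size, whether it mismatches the configuration, which LANs
    still fit inside the real delegation, and which would have to lose IPv6
    (what Maurice describes consumer routers doing automatically).
    """
    net = ipaddress.IPv6Network(delegated, strict=False)
    report = {
        "configured": configured_len,
        "actual": net.prefixlen,
        "mismatch": configured_len != net.prefixlen,
        "usable": {},
        "unusable": [],
    }
    for name, sid in subnet_ids.items():
        try:
            report["usable"][name] = derive_lan_prefix(delegated, sid)
        except ValueError:
            report["unusable"].append(name)
    return report


if __name__ == "__main__":
    # Constructed scenario: the WAN DHCPv6 client was configured for a /56,
    # but the ISP only delegated a /60 (documentation prefix, not a real lease).
    received = "2001:db8:abcd:1230::/60"
    lans = {"LAN": 0x0, "GUEST": 0x1, "IOT": 0x10}
    result = check_pd_size(56, received, lans)
    if result["mismatch"]:
        print(f"WARNING: configured PD size /{result['configured']} but received /{result['actual']}")
    for name, prefix in result["usable"].items():
        print(f"  {name}: {prefix}")
    for name in result["unusable"]:
        print(f"  {name}: subnet ID does not fit in the received delegation")
```

With the constructed input the check flags the /56 vs /60 mismatch, derives `2001:db8:abcd:1230::/64` and `2001:db8:abcd:1231::/64` for LAN and GUEST, and reports IOT as unusable because 0x10 needs five bits while a /60 leaves four. The same two numbers, the configured and the received prefix length, are all a GUI banner would need to compare.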