New IPv6 address assignment option "Identity Association" assigns a /63

Started by melectronics, March 30, 2026, 07:52:43 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
March 30, 2026, 07:52:43 PM
Hello to the OPNsense community,

I´m new here, but I think I have found a bug in OPNsense 26.1.5.
The new IPv6 address assignment option "Identity Association" assigns a /63 instead of a /64 to the interface.
And also when I choose the 0x1 prefix, it also assigns a /63 which is not correct because the first /63 goes from `0000 - 0001`. So this wont work with multiple /63.

I´m looking forward to get informations if the bug is known already (I don´t found a forum topic about that) or not. :)

March 30, 2026, 10:14:55 PM #1 Last Edit: March 30, 2026, 10:18:17 PM by meyergru
It does not do that per default. Identity association is the new version of the former "Track Interface". Thus, it depends on how many bits you have in your parent interface's prefix delegation size. AFAIK, you need a shorter than /64 prefix in order to be able to supply a full /64 prefix to any interface.

Maybe your ISP does not give you a /56 (which is pretty much the default) or you did not request as much on your WAN. How many bits is your IA_PD prefix?

Perhaps you should take a look at the official docs: https://docs.opnsense.org/manual/ipv6.html

Or my IPv6 guide (which is still based on track interface): https://forum.opnsense.org/index.php?topic=45822.0
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+
March 31, 2026, 08:22:04 AM #2
Hi, thanks for the answer :)

This is a OPNsense in my lab and it gets a /60 from a higher router.
So there should be enough room for 16x /64 prefixes.

I looked at the WAN interface and I set it to request a /61 prefix, but get a /60. In this situation the OPNsense assigns /63 to any interface where I activate the IA. When I turn it to request a /60 prefix it works fine.
Why this behavior is there? That shouldn´t be like this I think.😅
March 31, 2026, 09:53:34 AM #3
IDK. If you feel that is a bug, create a bug request on Github.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+
April 01, 2026, 11:47:00 AM #4
Something appears to be rather broken with LAN prefix assignment in 26.1.x. I just attempted a new configuration from scratch (with the intent to document the process for my ISP's community). I have a /56 prefix delegation from the ISP. When my LAN interface is configured for "Identity Association", OR even when configured for "Track Interface (legacy)", it (the LAN interface) gets assigned the entire /56 prefix, where it should be given the first available /64. If I try to change "Assign prefix ID" to 1 (instead of 0) (shouldn't have to do this, but as a data-point...), it says that that's out of range.

@melectronics, did you open a bug for this yet?
April 01, 2026, 01:14:03 PM #5
April 01, 2026, 02:14:23 PM #6
I am using PPPoE and get a /48 prefix from my ISP.

On 26.1.5, I have no issues and it works exactly as it should.

Identity association on the LAN and I get a /64 with an Assign prefix ID of 0

I do "Request Prefix Only" on the WAN interface, and nothing else. (Apart from Prefix delegation size of 48)

Doesn't help you, but I just wanted to say it works perfectly for me.....
Hardware:
DEC750v2
April 01, 2026, 02:27:30 PM #7
Actually it could have helped me, but we got there in the github discussion.

In my case, at least, the issue was (in part, at least) my failure to pay attention to the "Prefix delegation size" for the WAN interface. In my mind, this should be determined from the DHCP response, so I shouldn't have to configure it statically. Apparently when this setting is 64 (the default) it causes the prefix allocation for LAN interfaces to use the entire delegation (not sure why). So I think it's partly a user error, partly a shortcoming (should be automatic) and partly a bug (the weird end result).
April 01, 2026, 04:43:00 PM #8
Quote from: dseven on April 01, 2026, 02:27:30 PMIn my mind, this should be determined from the DHCP response, so I shouldn't have to configure it statically.
A good idea in theory (and some / most consumer routers do that), but for more advanced setups you really need to know the PD size in advance. For example, when configuring the subnet IDs of your LANs, you need to know how many bits are available. Let's say you configure a subnet ID 0x10 but then only get a /60... Things will break.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
April 01, 2026, 06:20:54 PM #9
I suppose so. I'm currently focused on the "out of box experience" - i.e. I just want to plug in the credentials supplied by my ISP and I expect basic internet access (including IPv6) to "just work". It seems unfriendly that I have to configure something that seemingly could easily be derived from the DHCP response.
Print
Go Up Pages1
User actions