Which trigger for new IPv6 PE addresses?

Started by drosophila, March 31, 2026, 12:00:53 AM

I'm stuck trying to react to the WAN interface getting a new IPv6 privacy extensions address. I've found the "newwanipv6" trigger but that only triggers when the main IPv6 address / prefix has changed. It does, however, not trigger when privacy extension addresses expire / new ones are generated. I need to react to both these events. A cron job would be possible but running that every minute is both wasteful and slow to react. There must be a better way, can somebody please point me in the right direction?

Quote from: drosophila on March 31, 2026, 12:00:53 AM
I need to react to both these events.
Why? Maybe we can help you better if you tell us why that should matter.


IMHO a changing PE IPv6 should never matter. And AFAIK, OPNsense does not get a PE IPv6 on the WAN interface, even when SLAAC is used.

AFAIK, OpnSense itself uses no privacy extensions for its own outbound connections. With IA_NA, it just cannot, because that would be a /128 and even with IA_PD, it does not, which has been criticised in the past.

Thus, I suspect you try to achieve something different? Dynamic DNS is out of the question, because you would rely on the redundant EUI-64 based parts for that, so what is your intention?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+

March 31, 2026, 08:16:14 PM #3 Last Edit: March 31, 2026, 08:19:31 PM by drosophila
Quote from: JamesFrisch on March 31, 2026, 09:52:48 AM
Why? Maybe we can help you better if you tell us why that should matter.
Quote from: meyergru on March 31, 2026, 10:53:52 AM
Thus, I suspect you try to achieve something different? Dynamic DNS is out of the question, because you would rely on the redundant EUI-64 based parts for that, so what is your intention?
My issue is twofold. On my WAN connection I have at least five addresses, occasionally seven or eight. It's a router-behind-router setup with OPNsense on the "LAN" port of the ISP router. That receives a proper 56 from the ISP and could in theory delegate its prefix to OPNsense but I disabled DHCP6 and use SLAAC so I get proper PEAs on the OPNsense box (it also creates them when I use DHCP6 with PD but never uses them). One needs to enable the relevant tunables first, of course.

To be able to reliably reach the ISP router I also assign a fixed ULA prefix to it that OPNsense also picks up properly. So it has two prefixes and generates one PEA for each. Obviously I don't need the PEA for the ULA but it doesn't matter. Add to this the expiring PEAs and you get two more, plus one that sticks around a bit longer for whatever reason occasionally. With the LLA these are up to eight IPv6 addresses on the WAN IF. This is why I need ways to choose which picker picks from what pool.

Sample ifconfig output with five addresses:
re1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN (wan)
options=2008<VLAN_MTU,WOL_MAGIC>
ether mac:mac:mac:mac:mac:mac
inet 192.168.aaa.aaa netmask 0xffffff00 broadcast 192.168.aaa.255
inet6 fdyy:yyyy:yyyy:yyyy:mac:mac:mac:mac prefixlen 64 autoconf pltime 3600 vltime 7200
inet6 fdyy:yyyy:yyyy:yyyy:pea1:pea1:pea1:pea1 prefixlen 64 autoconf pltime 3600 vltime 7200
inet6 fe80::mac:mac:mac:mac%re1 prefixlen 64 scopeid 0x2
inet6 2xxx:xxxx:xxxx:xxxx:mac:mac:mac:mac prefixlen 64 autoconf pltime 3600 vltime 7200
inet6 2xxx:xxxx:xxxx:xxxx:pea2:pea2:pea2:pea2 prefixlen 64 autoconf temporary pltime 3600 vltime 7200
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
Currently, which one gets picked by the various pickers depends on their sequence, which is essentially random. The kernel does pick the PEA for outbound connections properly regardless of the order they are in, according to curl v6.ipinfo.io (which is a great tool because it provides output when used with curl so it works from the console(!)).

For Dynamic DNS this, however, isn't desirable due to the frequent changes, so that needs to pick the non-PE address. That I can only achieve with the "interface IP" picker, but currently that doesn't let me choose which address to prefer (hence this post https://forum.opnsense.org/index.php?topic=51477.0 for DDNS). It seems to pick the first global IP it finds, most of the time that will be the non-PEA because that tends to be on top. Fine so far, but:

Second, and I didn't want to bring up the "Voldemort of IPv6": NAT66. My LAN is NATed to the WAN IP and the picker for this seems to not use PEAs unless they're the first in the ifconfig list. I wish it to always use the PEAs, never the GUAs. In fact, it picks the first non-LLA it finds, which will often be a ULA, like in the ifconfig output above. That of course results in broken connectivity and must never happen regardless.

Therefore I need the NAT picker to use the global PEA if there is one, preferably the non-deprecated one, and only fall back to the GUA if there is no PEA. Alas, I cannot instruct the picker to do so. Of course, that must not be hardcoded in the picker because there certainly are cases where you need to NAT between two ULA prefixes.

Thus I've resorted to writing a script that reorders the IP addresses on the interface so that a non-deprecated PEA is on top of the list so the NAT picker will choose that. This probably makes the DynDNS picker pick the global PEA instead of the GUA, but that is less detrimental than NAT picking a non-PEA and less disruptive than NAT picking an ULA.

However, this script has to run every time a new PEA is generated because that essentially randomizes the address list again. This happens hourly. Now I could set up a cron job that either tries to catch it at the proper time (which isn't going to work), or do it every minute, as in my OP.

To sum it up / TL;DR: I want the DynDNS picker to use the GUA, and the kernel and the NAT picker to use the most recently generated global PEA. Sounds simple but seems next to impossible ATM. :)
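As an added example (not the OP's reorder script and not OPNsense code): a POSIX shell snippet that parses FreeBSD-style ifconfig output to select the address the post above asks for (a non-deprecated global PEA, falling back to the GUA when there is none) and records the choice in a state file, so a frequent cron run only does work when the selected address has actually changed. The ifconfig sample and the 2001:db8 / fd00 addresses are constructed; "temporary" and "deprecated" are assumed to appear on the inet6 line as they do on FreeBSD.

```sh
#!/bin/sh
# Constructed sample modelled on the ifconfig output quoted above.
SAMPLE_IFCONFIG='re1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
	inet6 fd00:db8::1 prefixlen 64 autoconf pltime 3600 vltime 7200
	inet6 fd00:db8::aaaa prefixlen 64 autoconf temporary pltime 3600 vltime 7200
	inet6 fe80::1%re1 prefixlen 64 scopeid 0x2
	inet6 2001:db8:1::1 prefixlen 64 autoconf pltime 3600 vltime 7200
	inet6 2001:db8:1::dead prefixlen 64 autoconf temporary deprecated pltime 0 vltime 3600
	inet6 2001:db8:1::beef prefixlen 64 autoconf temporary pltime 3600 vltime 7200'

# Read ifconfig text on stdin and print the preferred outbound address:
# a global (2000::/3) temporary address that is not deprecated, the one
# with the longest remaining pltime winning; if no such PEA exists, fall
# back to the first non-deprecated, non-temporary global address (the GUA).
# ULA (fd00::/8) and link-local (fe80::/10) addresses never qualify.
pick_global_pea() {
    awk '
      BEGIN { best = -1 }
      $1 == "inet6" && $2 ~ /^[23]/ && /temporary/ && !/deprecated/ {
          pl = 0
          for (i = 3; i <= NF; i++) if ($i == "pltime") pl = $(i + 1) + 0
          if (pl >= best) { best = pl; addr = $2 }
      }
      $1 == "inet6" && $2 ~ /^[23]/ && !/temporary/ && !/deprecated/ && gua == "" { gua = $2 }
      END { if (addr != "") print addr; else if (gua != "") print gua }'
}

# Return 0 (true) only when the preferred address differs from the one
# recorded in the state file ($1), and record the new one. A cron job or
# interface hook can run this first and skip the reordering work otherwise.
pea_changed() {
    cur=$(pick_global_pea)
    prev=$(cat "$1" 2>/dev/null)
    [ "$cur" != "$prev" ] || return 1
    printf '%s\n' "$cur" > "$1"
}
```

On a live box you would feed it `ifconfig re1 | pea_changed /var/run/pea_state` instead of the constructed sample.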

I do that completely differently: Whatever the outbound IPv6 is, it will always have the same /56 prefix, because I use IA_NA only.

Thus, the lower 68 Bits consist of the interface ID + 64 bits of whatever any client or OpnSense has. In order to make services available, it is best to refrain from privacy addresses (because they change!) and use the (fixed) EUI-64 part. There are many dynamic DNS providers that are capable of chopping off the lower bits and only change the prefix to the incoming connection. I happen to use my own.

Thus, they keep whatever you manually configure the lower bits to be. This makes it possible to have dynamic DNS updates done by OpnSense "in lieu" of any client.

March 31, 2026, 09:06:19 PM #5 Last Edit: March 31, 2026, 09:25:58 PM by drosophila
Quote from: meyergru on March 31, 2026, 08:57:26 PM
There are many dynamic DNS providers that are capable of chopping off the lower bits and only change the prefix to the incoming connection.
Thanks for the hint, I will see if the one I chose (dynv6.com) will do that, which would alleviate the DynDNS issue. If it doesn't, I'll ask what you're using. ;)

However, I'd still need to reorder the addresses in a timely manner to make Voldemort use the correct PEA. :(

Oh, almost forgot: the reordering also breaks the Gateway monitor, which will, for whatever reason, show 100% loss for IPv6 even though the GW is perfectly reachable on the specified ULA address. I guess I'll just throw that out to make space for more important bits in the dashboard, but it shouldn't even be affected by this in the first place...?