[CALL FOR TESTING] Kea DHCPv6 Dynamic WAN Prefix (IA_NA and IA_PD)

Started by Monviech (Cedrik), May 20, 2026, 02:54:49 PM

May 20, 2026, 02:54:49 PM Last Edit: May 21, 2026, 01:07:57 PM by Monviech (Cedrik)
Hello,

After spending months with our KEA implementation, improving it with lots of features that were highly requested, the natural conclusion of this development cycle arrived with the biggest feature.

We implemented a new option "Dynamic Prefix" which provides this new functionality:
- DHCPv6 Subnets (IA_NA) can be marked as "Dynamic", which will automatically "track" the IA_NA pool and optionally the DNS server option
- DHCPv6 PD Pools (IA_PD) can be attached to a dynamic prefix subnet, offering an automatically "tracked" IA_PD pool to allow prefix delegation to other routers behind the OPNsense even if your WAN has a dynamic prefix.

The big difference to ISC here is that multiple WANs are supported, and multiple internal interfaces can all provide an IA_NA and IA_PD pool (if your dynamic prefix(es) are large enough to split them).

The documentation on how it works has been updated here:
https://github.com/opnsense/docs/blob/master/source/manual/kea.rst#prefix-delegation-ia-pd

The code itself is currently on master, so you either need a development version with the latest core.git or install in a running 26.1.8 using the patch method:

# opnsense-patch 91093f3344 5b7c8e6a2f 5c51ecdee11

References:
https://github.com/opnsense/core/commit/91093f3344
https://github.com/opnsense/core/commit/5b7c8e6a2f
https://github.com/opnsense/core/commit/5c51ecdee11

Thank you for any feedback,
Monviech
Hardware:
DEC740

Thank you, I'm excited to give this a try. I know this has been in the works for a while.


To make sure I'm understanding this and the new DDNS functionality correctly:

My (potentially flawed) understanding from the documentation is that using Kea with Unbound as the DNS doesn't allow for reverse DNS lookups. Is that still the case?

Hello,

Depending on what you need, Dnsmasq might be the better choice for you. It can do forward and reverse DNS with Unbound, and also work with dynamic residential setups. That's why it's our default DHCP and Router Advertisement daemon.

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

The above KEA change is for users who have another router behind their OPNsense that should receive a delegated prefix (IPv6) from the OPNsense.

ISP (dynamic IPv6 Prefix) -> OPNsense -> Router2

Quote from: Monviech (Cedrik) on May 27, 2026, 03:25:39 PM
Hello,

Depending on what you need, Dnsmasq might be the better choice for you. It can do forward and reverse DNS with Unbound, and also work with dynamic residential setups. That's why it's our default DHCP and Router Advertisement daemon.

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

The above KEA change is for users who have another router behind their OPNsense that should receive a delegated prefix (IPv6) from the OPNsense.

ISP (dynamic IPv6 Prefix) -> OPNsense -> Router2

Gotcha, I use Dnsmasq with dynamic IPv6 prefixes now, but I was thinking this patch would allow for using Kea with similar functionality.

My current setup works pretty smoothly but for some reason I enjoyed the process of using/configuring Kea more than I have Dnsmasq but there's no need to mess with what is working well. Thank you for the quick response!

A side effect of the above work is that you can also use DHCPv6 with dynamic prefixes as well (for the subnet IA_NA addressing), without using prefix delegation (IA_PD) pools.

But it will not be an all-in-one solution like with Dnsmasq, since for KEA you would also need Radvd (Services - Router Advertisements) to provide the Router Advertisements for IPv6.

I'm mostly interested in someone who can test the Prefix Delegation feature.

For reference, I could test it myself now.

Here are some screenshots with a Fritzbox as an example:

https://github.com/opnsense/core/pull/10252#issuecomment-4592525328

I don't hide my prefix since it's dynamic anyway.