Change ISC DHCPv6 to KEA DHCPv6

Started by jeans, June 19, 2026, 01:03:49 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
June 19, 2026, 01:03:49 PM
Hello,

I would like to switch from ISC DHCPv6 to KEA DHCPv6.

In ISC, I use a prefix delegation size of 64 and would like to use the same setting in KEA, but when I try to create a pool under PD Pools, I always get the error message:
"Dynamic prefix '2a00:xxxx:xxxx:xxxx::/64' is too small to create a non-overlapping PD pool; split prefix length would be '65'."

So I just tried different lengths (which doesn't make any sense), but those weren't accepted either.
Did I misunderstand KEA and IPv6 and make a configuration error, or is this a bug?

Thanks and best regards
Jens
June 19, 2026, 01:06:31 PM #1
You might need to edit your interface settings to reserve prefix lengths for KEA.

I tried to explain it as best as I could here. I have to admit it can be a little challenging at first:

https://docs.opnsense.org/manual/kea.html#dynamic-prefix

If you don't understand something let me know.
Hardware:
DEC740
June 19, 2026, 01:31:42 PM #2
Thanks, I actually tried following these instructions exactly:
Here's what I have on the interface:
IPv6 Configuration Type: Identity association
Parent Interface: WAN
Assign prefix ID 0x10
Reserved prefix range 1

Here's what I have on the Subnet:
Interface selected
and marked Dynamic Prefix

Here's what I try on Edit PD Pool
Subnet selected
Delegated Length 64

And the I get the failure

I probably entered the wrong fields somewhere, but unfortunately I can't figure out where.

June 19, 2026, 02:05:23 PM #3 Last Edit: June 19, 2026, 02:08:17 PM by Monviech (Cedrik)
Hello,

The reserved prefix range 1 means you reserve exactly 1x /64. But the IA_NA pool in KEA requires the first /64 network. Which means you have nothing left.

You should try with at least a reserved prefix range of 4.

Then 4x /64 are reserved, which results in a /62 prefix available for KEA. It will split this into two subnets. It will take the first /63 for the IA_NA pool, and for the IA_PD pool you will also have /63.

If you then set the delegated length to /64, you have 2x /64 networks available that your clients can get (in a /63 there are two /64).
Hardware:
DEC740
June 19, 2026, 02:17:45 PM #4
The help text for "Reserved prefix range" says:

"The value in this field is the length of the reserved prefix range for downstream prefix delegation. The range starts at the given prefix ID. The default is to only reserve the given prefix ID."

Should that actually say something like "... the length of the prefix range for BOTH the interface itself (subnet) AND downstream prefix delegation"?
June 19, 2026, 02:44:37 PM #5
Well, the feature is for PD reservation. The default is just for backwards compatibility not allowing you to reserve a PD. It's easier than trying to tell people to calculate off-by-one sizes or weird ranges that contain smaller actual networks than the user things.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT
Today at 11:22:41 AM #6
Quote from: Monviech (Cedrik) on June 19, 2026, 02:05:23 PMYou should try with at least a reserved prefix range of 4.

Then 4x /64 are reserved, which results in a /62 prefix available for KEA. It will split this into two subnets. It will take the first /63 for the IA_NA pool, and for the IA_PD pool you will also have /63.

Thanks, that was a crucial tip.

For testing purposes, I've enabled IPv6 on only one interface for now, since I want to keep the addresses on that interface the same as before.
To do this, I entered the following in the interface settings: Assign prefix ID 0x17
Reserved prefix range 4.

When I then enter "Delegated Length 64" in the "Edit PD Pool" section, I get the following message again:   
"Dynamic prefix '2a00:xxxx:xxxx:xx17::/64' is too small to create a non-overlapping PD pool; split prefix length would be '65'."
However, if I enter the following in the interface: Assign prefix ID 0x16
Reserved prefix range 4
it works.
Unfortunately, I don't understand where my mistake is right now... But I'd really like to keep the 17.
Today at 12:16:53 PM #7 Last Edit: Today at 12:23:13 PM by Monviech (Cedrik)
Hello,

0x17 cannot work with a reserved prefix range of 4 because 4 × /64 networks form a /62, and a /62 must start on a boundary divisible by 4.

Valid starts are:

0x10, 0x14, 0x18, 0x1c, ...

But 0x17 would require the range:

0x17, 0x18, 0x19, 0x1a

which crosses a /62 boundary and therefore cannot be represented as a single contiguous /62 prefix.

So if you want a reserved prefix range of 4, you'll need to use an aligned prefix ID such as 0x14 or 0x18.

Please note it is intentionally this way because you have to think about proper subnetting now. There are no assumptions and no magic left in the code.

I know this might seem a bit confusing at first, but it is essentially just normal IPv6 subnetting. The same alignment rules apply as when splitting IPv4 networks into smaller subnets.
Hardware:
DEC740
Print
Go Up Pages1
User actions