[solved] ISC DHCPv6: Router chain: IPv6 Prefix delegation not working anymore

[stefan00]

Hi folks,

I cannot get dynamic v6 prefixes delegated to a OPNsense downstream router ("Slave" see below) anymore. PD from FritzBox to the first OPNsense box in the chain works fine. Pretty stuck here.

Router chain Setup:

A) Fritzbox (/56 assigned)
  -> B) OpnSense Master (/57 assigned)
    -> C) OpnSense Slave (/59 expected, not assigned)

The exact same setup has worked fine previously, with the drawback of needing to reboot the Slave C) sometimes after it lost the prefix. However since updating to the latest OPNSense releases on both boxes yesterday, prefix delegation has stopped completely. Played with felt every possible setting already but can not get v6 networks delegated to the C) Slave.

Please see the screenshots of the settings below.

Did anything dramatically change?

Screenshot: B) OpnSense Master DHCP Server config

You cannot view this attachment.

[stefan00]

Sorry for the next post, but screenshots took too much attachment space (300kb limit).

So the text image: B) Master delegated prefix table (empty)

You cannot view this attachment.

[stefan00]

third screenshot: C) OpnSense client router DHCP interface settings

You cannot view this attachment.

[dseven]

Your prefix delegation range looks wrong. It needs to be the start of a /59 prefix - "::a0" is (obviously?) not that...

[Monviech (Cedrik)]

Also consider using KEA for the dynamic prefix delegation to stay in the supported scope:

https://docs.opnsense.org/manual/kea.html#prefix-delegation-ia-pd

Additional to the above documentation I also answered some question about it here recently:
https://forum.opnsense.org/index.php?topic=52169.0

[stefan00]

Issue solved.

Problem: For some reason, after the update OPNsense "auto" enabled Router Advertisements (RA) in "router only" mode on the uplink interface of the problematic box (C - Slave router in this example). After disabling RA on the interface manually, everything worked and prefix is assigned (1).

@Monviech: Thank you for the hints to kea. It will come. But since I heavily rely on v6 on most networks, I need the time for a reliable testing - especially with PD to subrouters.

@dseven: No, ::a0 - ::a0 is the correct notation in this case (2)

references:

(1) similar issue, helped me find the bug: IPv6 connectivity error after update to OPNsense 25.7.10-amd64

(2) still valid about PD ranges / documentation: IPV6 prefix delegation range, please clarify

[dseven]

If that shortening notation works, it's interesting, and kindof weird. I suppose it (something) is contorting the :: notation into the bitfield of the prefix only, as opposed to an entire IPv6 address. I wonder if that's being done by ISC DHCP or by OPNsense. I've moved on to Kea, so I don't care enough to try to figure it out. I'm don't know why you wouldn't just enter the complete prefix anyway - it can't be dynamic, so it seems there's little value in shortening it.

[stefan00]

its done by ISC and OPNSense does it correctly. Did some research on that back in 2022, referencing the dhcpd.conf(5) man page, see (2) above.

[dseven]

Sorry, I'm obviously being a bit dense - where in the dhcpd.conf(5) man page is this shortening notation described?

[franco]

The OPNsense code merges the ::xx notation into the real prefix during configuration time. dhcpd.conf(5) looks normal with the real prefix. As a design pattern this can work, but it's still hardcoding and relying on a full reload of Dhcpd.

OPNsense Kea code for dynamic PD now avoids the biggest issues with this approach, but to be fair even Kea is not interested in a dynamic prefix registration as it still considers it hardcoded. Dnsmasq is much smarter, but doesn't offer PD.


Cheers,
Franco