[SOLVED] Stateless DHCPv6 support missing?

Started by Maurice, November 20, 2017, 01:03:53 AM

November 20, 2017, 01:03:53 AM Last Edit: December 07, 2017, 02:58:23 PM by franco
Hello all,

This is my first post! :) I'm currently virtualizing a router by migrating from an old embedded Linux box to a fresh install of OPNsense 17.7.7_1 in a Hyper-V VM. Pretty straightforward so far, but now I'm stuck at setting up stateless DHCPv6 for the LANs.

In the existing setup, clients use SLAAC for address autoconfiguration. Clients which don't support the RDNSS / DNSSL options in RAs (like older Windows versions) use stateless DHCPv6 for DNS server and domain information.

In OPNsense, the Router Advertisement "Assisted" mode seems to be the only one which sets the required A and O flags in RAs. But it also sets the M flag which indicates stateful DHCPv6. There seems to be no "A + O flag only" mode. Also, the DHCPv6 server cannot be enabled unless you specify an address range.

I've never used an IPv6 router which doesn't support this, so I'm not sure whether this is really missing or I just can't figure out how to configure it (these are my first steps with OPNsense).

Thanks

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Hi Maurice,

Forgive me for not being able to follow. What configuration combination is wrong and how can we flip the radvd config to the expected behaviour?


Cheers,
Franco

Hi Franco,

I wouldn't say something is wrong, but something is missing. I did some more research and it seems that this was added to pfSense after the fork: https://github.com/pfsense/pfsense/pull/1033
Maybe this can be added to OPNsense, too?

Background: There are 3 flags in RAs relevant for address configuration and optional information (DNS servers, domain search list etc.):

  • The A flag tells the client to autoconfigure an address using SLAAC.
  • The O flag tells the client to query a stateless DHCPv6 server for optional information.
  • The M flag tells the client to query a stateful DHCPv6 server for an address.

In Services / DHCPv6 / Advertisements there are 4 operating modes:

  • Router Only sends RAs without any of these flags. Clients have to be configured in another way.
  • Unmanaged sets the A flag only. Clients may autoconfigure an address and use the RDNSS / DNSSL options in RAs to get DNS servers and domain search list.
  • Managed sets the M + O flags. Clients may query a stateful DHCPv6 server for an address and all the optional information.
  • Assisted is like Managed but additionally sets the A flag so clients may autoconfigure an address (in addition to the address they get from DHCPv6).

What is missing is a mode which sets the A + O flags, indicating that clients may autoconfigure an address and query a stateless DHCPv6 server for optional information only.
Also, it should be possible to enable the DHCPv6 server (Services / DHCPv6 / Server) without specifying an address range so it is running in stateless mode.

Thanks

Maurice
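
Added example, not part of the original post and not OPNsense code: a small Python decoder that reads the M and O flags from a Router Advertisement header and the A flag from its Prefix Information option (RFC 4861 layout), then maps the combination to the operating modes listed above. The mode label "Stateless" for A + O, the function names and the sample RA for 2001:db8::/64 are assumptions made for this illustration.

```python
import struct

# Keys are (A, M, O). Mode names follow the post above; "Stateless" is an assumed label.
MODES = {
    (False, False, False): "Router Only",
    (True, False, False): "Unmanaged",
    (False, True, True): "Managed",
    (True, True, True): "Assisted",
    (True, False, True): "Stateless",
}

def parse_ra_flags(icmp6: bytes):
    """Return (A, M, O) from the ICMPv6 payload of a Router Advertisement."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    m, o = bool(icmp6[5] & 0x80), bool(icmp6[5] & 0x40)
    a, pos = False, 16
    while pos < len(icmp6):                  # options are TLVs, length in 8-byte units
        if pos + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed option length")
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            a = a or bool(icmp6[pos + 3] & 0x40)
        pos += opt_len
    return a, m, o

def classify(icmp6: bytes) -> str:
    """Name the advertisement mode implied by the A, M and O flags."""
    a, m, o = parse_ra_flags(icmp6)
    return MODES.get((a, m, o), f"other (A={a} M={m} O={o})")

def build_ra(a: bool, m: bool, o: bool) -> bytes:
    """Constructed sample RA for 2001:db8::/64 (checksum left at zero)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, (m << 7) | (o << 6), 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0x80 | (a << 6), 86400, 14400, 0)
    return hdr + pio + bytes.fromhex("20010db8") + bytes(12)

if __name__ == "__main__":
    for flags in MODES:
        print(flags, "->", classify(build_ra(*flags)))
```

Feeding it the ICMPv6 payload of an RA captured on the LAN shows which mode the router is really advertising, independent of what the GUI setting is called.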

Hi Maurice,

Thank you for the context! How about this then? https://github.com/opnsense/core/commit/38c1daa

Apply from the console via:

# opnsense-patch 38c1daa

Run again to remove or revert back to a known state:

# opnsense-revert opnsense


Cheers,
Franco

Hi Franco,

Wow, that was quick! I'm seriously impressed.

Initially the patch failed to install, but I figured out I had to apply 97c4edf first. Then it worked.
Flags in RAs are looking good now and the DHCPv6 server can be enabled without specifying an address range.

Going further, there seem to be multiple issues with incorrect or missing RDNSS / DNSSL options in both RAs and DHCP replies. I'll investigate that in more detail and report back.

Thanks again!

Maurice

Hi Maurice,

Thanks, I totally forgot about 97c4edf. Nice catch.

Just let me know what we are still missing and then we can ship the whole batch of improvements in a subsequent 17.7.x.


Cheers,
Franco

This was shipped today in 17.7.9.


Cheers,
Franco