How do I get my IPv6 hosts into DNS

IsaacFL · April 13, 2018, 05:33:21 PM

I just installed OpnSense so trying to figure out a few things.

I get a dynamic /56 prefix from my isp and I have opnsense working with /64 subnets set up and everything can access the web via ip6 and in their proper subnet. But how do I get these ipv6 hosts into the dns? It appears only slaac is an option, which is ok, but need a method to get the hosts into dns.

Prior to using opnsense, I would enable dhcp6 and slaac at the same time, so each host got 3 ip6 addresses, and the dhcp6 provided address would automatically get in the dns.

So is there a way to add them in the dns automatically, when prefix can change?

JasMan · May 01, 2018, 03:20:16 PM

Hi,

I've the same question :)

My provider gives me a new prefix when I restart my modem. It works fine with DHCPv6, but how should I configure client-based firewall rules when the address is changing periodically?

Thank you
Jas Man

franco · May 02, 2018, 05:11:27 PM

It depends what DNS you want to give your clients. If you enable Dnsmasq or Unbound your clients will get the OPNsense IP to do DNS automatically. But it may not be what you desire?

Cheers,
Franco

JasMan · May 02, 2018, 10:54:07 PM

Hey,

my desire is to set up an IPv6-only VLAN for testing.

My OPNsense get an dynamic /64 prefix for delegation from the ISP router.

The LAN IF of my IPv6-only VLAN is configured as tracking IF. The delegation works fine. All clients get an IPv6 address in the range of the delegatet prefix.

Unbound is also working fine. It resolve the external addresses like ipv6.google.com.

What I want to do now:

To access the clients in my IPv6-only VLAN I would like to use the internal DNS names of them. But Unbound can't resolve them.

I would like to set up some client-based firewall rules (e.g. client A is allowed to access HTTP(S), client B only FTP). How can I do this when the delegated prefix is changing periodically, and therefore the client addresses too?

As I understand I must configure static DHCPv6 addresses for both cases to register them in Unbound, and to use them in the firewall rules or in alias objects. But to activate DHCPv6 I must configure an static IPv6 address for the LAN IF. And when I do this, the delegation is not working anymore.

Maybe I'm thinking to much in IPv4-style, and the solution for my issues is an completly different.

Thank you.
Jas Man

franco · May 03, 2018, 01:04:39 PM

1. Where would these internal names come from? If they only exist on a piece of paper you need add them to the Unbound Host Overrides. You can also enable "Register DHCP leases in the DNS Resolver", but that would require said static DHCPv6 server which you can't use with the tracking setup yet.

2. I don't know. It's part of the problem of IPv6 without NAT. Maybe someone else has solved this?

Cheers,
Franco

JasMan · May 03, 2018, 01:55:11 PM

1. My main goal is or was to allow dynamic DNS registrations by the clients. In my opinion this would also solve the firewall problem because then I could work with the DNS names.

2. This was not what I want to hear. :( On the other side it means that I've understood this part of IPv6 :)

That means in conclusion OPNsense is not usable as firewall and/or internal DNS server on connections with dynamic prefixes at the moment. The workaround would be to use NATv6. But than I will lost all advanteges of IPv6.

JasMan · May 04, 2018, 10:41:28 PM

Would it be possible to add an variable for the IPv6 prefix of client addresses in aliases or firewall rules, which updates itself when the prefix has changed?

Like

$NAME_OF_LAN_IF$:00:11:22:33:44

Maurice · May 05, 2018, 04:34:31 AM

Quote from: franco on May 03, 2018, 01:04:39 PM
You can also enable "Register DHCP leases in the DNS Resolver", but that would require said static DHCPv6 server which you can't use with the tracking setup yet.

I couldn't get that to work even with a static prefix. My guess would be that currently only DHCPv4 leases are being processed by this feature.

Quote from: franco on May 03, 2018, 01:04:39 PM
I don't know. It's part of the problem of IPv6 without NAT.

It's a problem of dynamic IPv6 prefixes. Those are harmful for anything but the most basic home networks. ISPs know that and (ab)use them for justifying the higher prices of business plans (with static prefixes).

Quote from: franco on May 03, 2018, 01:04:39 PM
Maybe someone else has solved this?

Some (closed source) firewalls solved this by allowing the use of interface identifiers instead of full IPv6 addresses when creating firewall rules, static DNS records, DHCPv6 reservations and so on. The dynamic prefix will then be added automatically. Pretty much like JasMan suggested in the last post. But it seems OPNsense does not support that yet.

Quote from: JasMan on May 03, 2018, 01:55:11 PM
That means in conclusion OPNsense is not usable as firewall and/or internal DNS server on connections with dynamic prefixes at the moment.

I'm afraid I have to agree. Static prefix or other firewall it is.

Quote from: JasMan on May 03, 2018, 01:55:11 PM
The workaround would be to use NATv6.

You really don't want to go there.

JasMan · May 05, 2018, 03:08:11 PM

Quote from: Maurice on May 05, 2018, 04:34:31 AM
Quote from: JasMan on May 03, 2018, 01:55:11 PM
The workaround would be to use NATv6.

You really don't want to go there.

Yep, I don't want to :)

For me this is only a test of IPv6 in my privat LAN. It would be nice to use unique IPv6 addresses for all my clients, but it's not mandatory. I think it's also a question of time until OPNsense can handle dynamic prefixes.

marjohn56 · May 05, 2018, 07:08:56 PM

Quote from: Maurice on May 05, 2018, 04:34:31 AM
Quote from: franco on May 03, 2018, 01:04:39 PM
You can also enable "Register DHCP leases in the DNS Resolver", but that would require said static DHCPv6 server which you can't use with the tracking setup yet.

I couldn't get that to work even with a static prefix. My guess would be that currently only DHCPv4 leases are being processed by this feature.

Works perfectly well with statics on my system, and yes, I have a proper ISP who allocates a /48 static IPv6 prefix and a /64 static on the WAN side too, and it's a domestic plan.

My servers are all accessible using DNS IPv6 as they are added to my upstream DNS records, it will still resolve to my server inside my LAN.

The solution if your ipv6 prefix provision is DHCP6 is probably to use an IPv6 dynamic DNS service.

Maurice · May 06, 2018, 12:54:50 AM

Are you sure we are talking about the same thing? franco mentioned "Register DHCP leases in the DNS Resolver" which is an unbound setting. If this is set, A and PTR records are created when clients request a DHCPv4 lease. This does not work for DHCPv6 leases in my setup.

(Not to be confused with "Enable registration of DHCP client names in DNS" which is a DHCP setting.)

franco · May 06, 2018, 07:33:07 PM

We can look at all these things and gradually improve. Best thing as Maurice did is open issues on GitHub to discuss bug as well as small and big additions.

There are several small additions what should be worked on before we are going to address dynamic prefix for "static" DHCP servers. One of the issues is that we don't even have a static definition of a dynamic prefix yet, but this is one of those steps to make that happen:

https://github.com/opnsense/core/issues/1993

Cheers,
Franco

How do I get my IPv6 hosts into DNS

IsaacFL

April 13, 2018, 05:33:21 PM

JasMan

May 01, 2018, 03:20:16 PM #1

franco

May 02, 2018, 05:11:27 PM #2

JasMan

May 02, 2018, 10:54:07 PM #3

franco

May 03, 2018, 01:04:39 PM #4

JasMan

May 03, 2018, 01:55:11 PM #5

JasMan

May 04, 2018, 10:41:28 PM #6

Maurice

May 05, 2018, 04:34:31 AM #7

JasMan

May 05, 2018, 03:08:11 PM #8

marjohn56

May 05, 2018, 07:08:56 PM #9

Maurice

May 06, 2018, 12:54:50 AM #10

franco

May 06, 2018, 07:33:07 PM #11