ipv6: Can I get to announce more than one prefix/subnet?

Started by KlaverenBoer, August 10, 2018, 02:32:16 PM

I replied to an old(ish) feature request topic, but maybe that was not the smartest thing to do so I'll post it as a question here as well.

Is it possible to set up Router Advertisement so it announces more than 1 prefix (or subnet) to the clients on that interface?

I get a prefix from my ISP and would like to announce that using Track Interface (WAN). No issue there.
Next to that, I would also like to announce a ULA prefix.


Why the ULA addresses? I need something predictable/"fixed" for my Active Directory.
At home, I don't get a fixed IP nor fixed prefix.
At work, I do, but we will probably change ISPs in the not so distant future.

ULA addresses would make sure I can still reach all machines even when the GUA prefix changes.

Is that not what Advertise Routes in Services->Router Advertisements->LAN is for?
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

That does add an additional route to the client, but does not give the extra IPv6 addresses in the new subnet.
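
The difference reported above (an extra route on the client, but no extra address) matches two distinct Router Advertisement options. As an added example that is not part of the thread, this Python sketch parses an RA and separates Prefix Information options (RFC 4861, used for SLAAC when the A flag is set) from Route Information options (RFC 4191). The two sample packets are constructed from the thread's prefixes, and it is an assumption that Advertise Routes is emitted as a Route Information option.

```python
import ipaddress
import struct

PIO, RIO = 3, 24  # Prefix Information (RFC 4861), Route Information (RFC 4191)

def parse_ra(packet: bytes):
    """Return (slaac_prefixes, onlink_prefixes, routes) announced in one RA."""
    if len(packet) < 16 or packet[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    slaac, onlink, routes = [], [], []
    pos = 16  # options follow the fixed 16-byte RA header
    while pos + 2 <= len(packet):
        opt_type, opt_len = packet[pos], packet[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(packet):
            raise ValueError("malformed option length")
        body = packet[pos:pos + opt_len]
        if opt_type == PIO and opt_len == 32:
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            if body[3] & 0x40:  # A flag: clients form an address (SLAAC)
                slaac.append(net)
            if body[3] & 0x80:  # L flag: prefix is on-link
                onlink.append(net)
        elif opt_type == RIO and opt_len in (8, 16, 24):
            raw = body[8:].ljust(16, b"\0")  # prefix may be truncated
            routes.append(ipaddress.IPv6Network((raw, body[2]), strict=False))
        pos += opt_len
    return slaac, onlink, routes

def _pio(prefix, flags=0xC0):  # constructed sample option, L and A set
    net = ipaddress.IPv6Network(prefix)
    head = struct.pack("!BBBBIII", PIO, 4, net.prefixlen, flags, 86400, 14400, 0)
    return head + net.network_address.packed

def _rio(prefix):  # constructed sample option, route lifetime 1800 s
    net = ipaddress.IPv6Network(prefix)
    return struct.pack("!BBBBI", RIO, 3, net.prefixlen, 0, 1800) + net.network_address.packed

# Constructed RAs (checksum left 0, not validated here), using the thread's prefixes.
RA_HDR = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
# Assumption: "Advertise Routes" is sent as a Route Information option.
RA_ROUTE_ONLY = RA_HDR + _pio("fddd:888:888:92::/64") + _rio("fddd:999:999:92::/64")
RA_TWO_PREFIXES = RA_HDR + _pio("fddd:888:888:92::/64") + _pio("fddd:999:999:92::/64")

if __name__ == "__main__":
    for name, ra in (("route only", RA_ROUTE_ONLY), ("two prefixes", RA_TWO_PREFIXES)):
        slaac, _, routes = parse_ra(ra)
        print(name, "| SLAAC:", [str(n) for n in slaac], "| routes:", [str(n) for n in routes])
```

Only a prefix that shows up in the SLAAC list leads a client to configure an address; a prefix that appears only under routes changes the client's routing table and nothing else.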

OK.. I'll go take a look and see what's needed.

August 10, 2018, 06:01:18 PM #4 Last Edit: August 10, 2018, 06:20:39 PM by KlaverenBoer
It DOES work, but only if:

1. I add a virtual IP for the interface (I added fddd:999:999:92::1/64)
2. I reboot OPNsense

Just the reboot is not enough, it's the virtual IP that does the trick.

--
EDIT: If that was how it was supposed to work, then that was not clear to me, sorry...

--
EDIT2: The virtual IP causes another undesired effect. After a reboot, the client no longer gets a GUA address, only the additional ULA.

A bit more details:
In my test setup I have 2 VLAN interfaces (91 and 92), each with a single client.
For VLAN91 I have configured Track Interface (WAN) and so the client originally got a GUA address only. ipv6 connectivity works as expected.
For VLAN92 I have configured a static ipv6 (fddd:888:888:92::1) and RA announces this prefix.
That works as expected: ipv6 connectivity but only on my own network, and no internet.

Later on I added
* the "advertise routes" setting: fddd:999:999:91::/64 for VLAN91 and fddd:999:999:92::/64 for VLAN92
* virtual IP fddd:999:999:91::1/64 for VLAN91 and fddd:999:999:92::1/64 for VLAN92
and rebooted the firewall.

For VLAN92 I now get:
* 4 ULA addresses, 2 for both subnets (that includes a temp one for both subnets)
* routes for both subnets
That works as I had expected

For VLAN91 I now get:
* 2 ULA addresses (including 1 temp)
* no more GUA addresses

This looks a bit like a known bug (over here or at pfSense) where virtual IP + Track Interface don't work nicely together. That had something to do with the order of the ipv6 addresses in ifconfig on the concerning interface, IIRC.

If required I can try to find that bug report on Monday.

No worries.. You have it sorted. It was not something I have done before so I was about to start delving, you've saved me from that.  :)

Sorry to disappoint, I have just edited my post while you were adding your reply above.

It's going a bit off-topic, but is a cause of the requirement of that Virtual IP.


Of course, if we continue in this topic, then it may better get a new name, or I open a new one for it next week?

I think the best option here is to raise it on Github as an issue. I am uncertain as to whether a VIP is meant to be able to do this or not, and heads better in the VIP area than mine will pick it up if it's raised as an issue.