Multi WAN and ipv6

Perun · September 11, 2018, 07:17:41 AM

Hi

I have 2 WAN uplinks (cable and vdsl). IPv4 does work as expected and cable ipv6 to... but I have problems with forwarding the IPv6 prefix on the VDSL uplink...

thats are my settings:

cable interface (german vodafone cable)

Code Select


    <opt2>
      <if>igb0_vlan4</if>
      <descr>cable</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <blockbogons>1</blockbogons>
      <ipaddr>192.168.40.3</ipaddr>
      <subnet>24</subnet>
      <gateway>cable_gateway</gateway>
      <ipaddrv6>dhcp6</ipaddrv6>
      <dhcp6-ia-pd-len>1</dhcp6-ia-pd-len>
      <dhcp6prefixonly>1</dhcp6prefixonly>
      <dhcp6sendsolicit>1</dhcp6sendsolicit>
      <adv_dhcp6_debug>1</adv_dhcp6_debug>
      <adv_dhcp6_interface_statement_send_options/>
      <adv_dhcp6_interface_statement_request_options/>
      <adv_dhcp6_interface_statement_information_only_enable/>
      <adv_dhcp6_interface_statement_script/>
      <adv_dhcp6_id_assoc_statement_address_enable/>
      <adv_dhcp6_id_assoc_statement_address/>
      <adv_dhcp6_id_assoc_statement_address_id/>
      <adv_dhcp6_id_assoc_statement_address_pltime/>
      <adv_dhcp6_id_assoc_statement_address_vltime/>
      <adv_dhcp6_id_assoc_statement_prefix_enable/>
      <adv_dhcp6_id_assoc_statement_prefix/>
      <adv_dhcp6_id_assoc_statement_prefix_id/>
      <adv_dhcp6_id_assoc_statement_prefix_pltime/>
      <adv_dhcp6_id_assoc_statement_prefix_vltime/>
      <adv_dhcp6_prefix_interface_statement_sla_id/>
      <adv_dhcp6_prefix_interface_statement_sla_len/>
      <adv_dhcp6_authentication_statement_authname/>
      <adv_dhcp6_authentication_statement_protocol/>
      <adv_dhcp6_authentication_statement_algorithm/>
      <adv_dhcp6_authentication_statement_rdm/>
      <adv_dhcp6_key_info_statement_keyname/>
      <adv_dhcp6_key_info_statement_realm/>
      <adv_dhcp6_key_info_statement_keyid/>
      <adv_dhcp6_key_info_statement_secret/>
      <adv_dhcp6_key_info_statement_expire/>
      <adv_dhcp6_config_advanced/>
      <adv_dhcp6_config_file_override/>
      <adv_dhcp6_config_file_override_path/>
    </opt2>

vdsl interface (german 1&1 vdsl)

Code Select


    <opt3>
      <if>igb0_vlan14</if>
      <descr>vdsl</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <blockbogons>1</blockbogons>
      <ipaddr>192.168.140.3</ipaddr>
      <subnet>24</subnet>
      <gateway>vdsl_gateway</gateway>
      <ipaddrv6>dhcp6</ipaddrv6>
      <dhcp6-ia-pd-len>4</dhcp6-ia-pd-len>
      <dhcp6sendsolicit>1</dhcp6sendsolicit>
      <adv_dhcp6_debug>1</adv_dhcp6_debug>
      <adv_dhcp6_interface_statement_send_options/>
      <adv_dhcp6_interface_statement_request_options/>
      <adv_dhcp6_interface_statement_information_only_enable/>
      <adv_dhcp6_interface_statement_script/>
      <adv_dhcp6_id_assoc_statement_address_enable/>
      <adv_dhcp6_id_assoc_statement_address/>
      <adv_dhcp6_id_assoc_statement_address_id/>
      <adv_dhcp6_id_assoc_statement_address_pltime/>
      <adv_dhcp6_id_assoc_statement_address_vltime/>
      <adv_dhcp6_id_assoc_statement_prefix_enable/>
      <adv_dhcp6_id_assoc_statement_prefix/>
      <adv_dhcp6_id_assoc_statement_prefix_id/>
      <adv_dhcp6_id_assoc_statement_prefix_pltime/>
      <adv_dhcp6_id_assoc_statement_prefix_vltime/>
      <adv_dhcp6_prefix_interface_statement_sla_id/>
      <adv_dhcp6_prefix_interface_statement_sla_len/>
      <adv_dhcp6_authentication_statement_authname/>
      <adv_dhcp6_authentication_statement_protocol/>
      <adv_dhcp6_authentication_statement_algorithm/>
      <adv_dhcp6_authentication_statement_rdm/>
      <adv_dhcp6_key_info_statement_keyname/>
      <adv_dhcp6_key_info_statement_realm/>
      <adv_dhcp6_key_info_statement_keyid/>
      <adv_dhcp6_key_info_statement_secret/>
      <adv_dhcp6_key_info_statement_expire/>
      <adv_dhcp6_config_advanced/>
      <adv_dhcp6_config_file_override/>
      <adv_dhcp6_config_file_override_path/>
    </opt3>

my first lan (should use cable for ipv6)

Code Select


    <opt5>
      <if>igb1</if>
      <descr>lan</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.50.3</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>track6</ipaddrv6>
      <track6-interface>opt2</track6-interface>
      <track6-prefix-id>0</track6-prefix-id>
    </opt5>

my second lan (should use vdsl for ipv6)

Code Select


    <opt1>
      <if>igb2</if>
      <descr>lan_media</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.150.3</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>track6</ipaddrv6>
      <track6-interface>opt3</track6-interface>
      <track6-prefix-id>0</track6-prefix-id>
    </opt1>

cat /var/etc/radvd.conf

Code Select


# Automatically generated, do not edit
# Generated config for dhcp6 delegation from opt2 on opt5
interface igb1 {
	AdvSendAdvert on;
	MinRtrAdvInterval 3;
	MaxRtrAdvInterval 10;
	AdvLinkMTU 1500;
	AdvOtherConfigFlag on;
	prefix 2a02:8109:9d40:476::/64 {
		AdvOnLink on;
		AdvAutonomous on;
		AdvRouterAddr on;
	};
	RDNSS 2a02:8109:9d40:476:20d:b9ff:fe4a:7499 { };
	DNSSL chao5.int { };
};
# Generated config for dhcp6 delegation from opt3 on opt1
interface igb2 {
	AdvSendAdvert on;
	MinRtrAdvInterval 3;
	MaxRtrAdvInterval 10;
	AdvLinkMTU 1500;
	AdvOtherConfigFlag on;
	prefix ::/64 {
		AdvOnLink on;
		AdvAutonomous on;
		AdvRouterAddr on;
	};
	DNSSL chao5.int { };
};

here I'm missing something, there is no prefix on igb2... why?

cat /var/etc/dhcp6c_opt2.conf

Code Select


interface igb0_vlan4 {
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_opt2_script.sh"; # we'd like some nameservers please
};
id-assoc pd 0 {
  prefix-interface igb1 {
    sla-id 0;
    sla-len 1;
  };
};

cat /var/etc/dhcp6c_opt3.conf

Code Select


interface igb0_vlan14 {
  send ia-na 0; # request stateful address
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_opt3_script.sh"; # we'd like some nameservers please
};
id-assoc na 0 { };
id-assoc pd 0 {
  prefix-interface igb2 {
    sla-id 1;
    sla-len 4;
  };
};

There are 2 running dhcpd6c processes... it is normal?

in /var/log/dhcpd.log | grep dhcp6c I see this:

Code Select


Sep 11 07:14:13 cerber dhcp6c[19870]: Sending Solicit
Sep 11 07:14:13 cerber dhcp6c[19870]: set client ID (len 14)
Sep 11 07:14:13 cerber dhcp6c[19870]: set identity association
Sep 11 07:14:13 cerber dhcp6c[19870]: set elapsed time (len 2)
Sep 11 07:14:13 cerber dhcp6c[19870]: set option request (len 4)
Sep 11 07:14:13 cerber dhcp6c[19870]: set IA_PD
Sep 11 07:14:13 cerber dhcp6c[19870]: send solicit to ff02::1:2%igb0_vlan14
Sep 11 07:14:13 cerber dhcp6c[19870]: reset a timer on igb0_vlan14, state=SOLICIT, timeo=13, retrans=110376
Sep 11 07:14:13 cerber dhcp6c[15879]: unexpected interface (9)

what can be the problem? what I'm doing wrong?

TiA

marjohn56 · September 11, 2018, 09:21:43 AM

You cannot have two dhcp6c processes, dhcp6c should handle all of them in one go. Currently Opnsense doesn't support multiple WAN dhcp6. It was on my 'todo' list.

Perun · September 11, 2018, 11:06:00 AM

was?

marjohn56 · September 11, 2018, 03:34:19 PM

Sorry... still is.

Perun · September 11, 2018, 05:21:08 PM

cool and for what version it is on the roadmap?

marjohn56 · September 11, 2018, 05:50:51 PM

It will be there when I have time, or someone else is welcome to do it. 8)

wget · February 14, 2020, 04:11:25 PM

Quote from: marjohn56 on September 11, 2018, 05:50:51 PM
It will be there when I have time, or someone else is welcome to do it. 8)

Does this restriction still apply with OPNsense 20.1?

franco · February 14, 2020, 04:17:04 PM

Yep.

Cheers,
Franco

marjohn56 · February 14, 2020, 06:02:09 PM

I'll pick this up and aim for 20.7...

Going to need some testers, they'll need dual WAN ISPs using dhcp6.

wget · February 14, 2020, 06:09:07 PM

Quote from: marjohn56 on February 14, 2020, 06:02:09 PM
I'll pick this up and aim for 20.7...

Going to need some testers, they'll need dual WAN ISPs using dhcp6.

Then, if you need testing, I'm your man :)

Btw, since I'm still figuring out how the fallback method is working I wonder how LAN devices tracking the IPv6 PD address range prefix from WAN1 (Global Unicast IPv6 address i.e. 2a02::/8) will fallback to WAN2 (the backup WAN) when WAN1 is down.

And how to address the issue of DNS? Since the prefix will change when WAN1 is down, LAN devices (some of them are servers) will get a new prefix...

marjohn56 · February 14, 2020, 06:20:53 PM

Indeed, that's why it's so complex. Getting dhcp6c to do its thing is relatively straight forwards, handling the firewall is a totally different ballgame, and will require the input of the wizards in that area; it's similar to a change in prefix delegation on a single WAN instance, something as yet not totally got to grips with.

marjohn56 · February 16, 2020, 06:45:08 AM

OK, some success. @wget I'll PM you with what you need to do, but you must be running the dev path, can you confirm that before i send you anything.

marjohn56 · February 16, 2020, 09:03:24 AM

Quote from: wget on February 14, 2020, 06:09:07 PM

Then, if you need testing, I'm your man :)

Btw, since I'm still figuring out how the fallback method is working I wonder how LAN devices tracking the IPv6 PD address range prefix from WAN1 (Global Unicast IPv6 address i.e. 2a02::/8) will fallback to WAN2 (the backup WAN) when WAN1 is down.

And how to address the issue of DNS? Since the prefix will change when WAN1 is down, LAN devices (some of them are servers) will get a new prefix...

It'll not work if you are using global DNS pointing using your GUAs, obviously you would need to update them as well; possibly only a dynamic DNS would work with that. My task is make dhcp6c do its thing by creating the prefixes and addresses on the interfaces, which appears to work.

It appears that you can add multiple GUAs to an interface, the issue there is that you can only have one dhcpv6 server, RADVD may be able to handle it, but this is a long road and it's not going to get implemented overnight, lots more work to do.

wget · February 16, 2020, 06:37:43 PM

Quote from: marjohn56 on February 16, 2020, 06:45:08 AM
OK, some success. @wget I'll PM you with what you need to do, but you must be running the dev path, can you confirm that before i send you anything.

I'm a primarily a full stack dev and only a network enthusiast, so I'm ok with the dev path. :)

Since my OPNsense current apu1c4 is used for production, I'll just visualize one on KVM VM hosted on my Proxmox machine. :)

My xDSL and modem cable both being in bridge mode, my ISPs are allowing a second direct connection on them, shouldn't be a problem :)

wget · February 16, 2020, 06:39:08 PM

Quote from: marjohn56 on February 16, 2020, 09:03:24 AM
It appears that you can add multiple GUAs to an interface, the issue there is that you can only have one dhcpv6 server, RADVD may be able to handle it, but this is a long road and it's not going to get implemented overnight, lots more work to do.

" but this is a long road and it's not going to get implemented overnight," yes, much things to have in mind indeed :)

Multi WAN and ipv6

Perun

September 11, 2018, 07:17:41 AM

marjohn56

September 11, 2018, 09:21:43 AM #1

Perun

September 11, 2018, 11:06:00 AM #2

marjohn56

September 11, 2018, 03:34:19 PM #3

Perun

September 11, 2018, 05:21:08 PM #4

marjohn56

September 11, 2018, 05:50:51 PM #5

wget

February 14, 2020, 04:11:25 PM #6

franco

February 14, 2020, 04:17:04 PM #7

marjohn56

February 14, 2020, 06:02:09 PM #8 Last Edit: February 14, 2020, 06:04:54 PM by marjohn56

wget

February 14, 2020, 06:09:07 PM #9 Last Edit: February 14, 2020, 09:16:38 PM by wget

marjohn56

February 14, 2020, 06:20:53 PM #10

marjohn56

February 16, 2020, 06:45:08 AM #11

marjohn56

February 16, 2020, 09:03:24 AM #12

wget

February 16, 2020, 06:37:43 PM #13

wget

February 16, 2020, 06:39:08 PM #14