Multi WAN and ipv6

[Perun]

Hi

I have 2 WAN uplinks (cable and vdsl). IPv4 does work as expected and cable ipv6 to... but I have problems with forwarding the IPv6 prefix on the VDSL uplink...

thats are my settings:

cable interface (german vodafone cable)

Code: [Select]

    <opt2>
      <if>igb0_vlan4</if>
      <descr>cable</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <blockbogons>1</blockbogons>
      <ipaddr>192.168.40.3</ipaddr>
      <subnet>24</subnet>
      <gateway>cable_gateway</gateway>
      <ipaddrv6>dhcp6</ipaddrv6>
      <dhcp6-ia-pd-len>1</dhcp6-ia-pd-len>
      <dhcp6prefixonly>1</dhcp6prefixonly>
      <dhcp6sendsolicit>1</dhcp6sendsolicit>
      <adv_dhcp6_debug>1</adv_dhcp6_debug>
      <adv_dhcp6_interface_statement_send_options/>
      <adv_dhcp6_interface_statement_request_options/>
      <adv_dhcp6_interface_statement_information_only_enable/>
      <adv_dhcp6_interface_statement_script/>
      <adv_dhcp6_id_assoc_statement_address_enable/>
      <adv_dhcp6_id_assoc_statement_address/>
      <adv_dhcp6_id_assoc_statement_address_id/>
      <adv_dhcp6_id_assoc_statement_address_pltime/>
      <adv_dhcp6_id_assoc_statement_address_vltime/>
      <adv_dhcp6_id_assoc_statement_prefix_enable/>
      <adv_dhcp6_id_assoc_statement_prefix/>
      <adv_dhcp6_id_assoc_statement_prefix_id/>
      <adv_dhcp6_id_assoc_statement_prefix_pltime/>
      <adv_dhcp6_id_assoc_statement_prefix_vltime/>
      <adv_dhcp6_prefix_interface_statement_sla_id/>
      <adv_dhcp6_prefix_interface_statement_sla_len/>
      <adv_dhcp6_authentication_statement_authname/>
      <adv_dhcp6_authentication_statement_protocol/>
      <adv_dhcp6_authentication_statement_algorithm/>
      <adv_dhcp6_authentication_statement_rdm/>
      <adv_dhcp6_key_info_statement_keyname/>
      <adv_dhcp6_key_info_statement_realm/>
      <adv_dhcp6_key_info_statement_keyid/>
      <adv_dhcp6_key_info_statement_secret/>
      <adv_dhcp6_key_info_statement_expire/>
      <adv_dhcp6_config_advanced/>
      <adv_dhcp6_config_file_override/>
      <adv_dhcp6_config_file_override_path/>
    </opt2>

vdsl interface (german 1&1 vdsl)

Code: [Select]

    <opt3>
      <if>igb0_vlan14</if>
      <descr>vdsl</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <blockbogons>1</blockbogons>
      <ipaddr>192.168.140.3</ipaddr>
      <subnet>24</subnet>
      <gateway>vdsl_gateway</gateway>
      <ipaddrv6>dhcp6</ipaddrv6>
      <dhcp6-ia-pd-len>4</dhcp6-ia-pd-len>
      <dhcp6sendsolicit>1</dhcp6sendsolicit>
      <adv_dhcp6_debug>1</adv_dhcp6_debug>
      <adv_dhcp6_interface_statement_send_options/>
      <adv_dhcp6_interface_statement_request_options/>
      <adv_dhcp6_interface_statement_information_only_enable/>
      <adv_dhcp6_interface_statement_script/>
      <adv_dhcp6_id_assoc_statement_address_enable/>
      <adv_dhcp6_id_assoc_statement_address/>
      <adv_dhcp6_id_assoc_statement_address_id/>
      <adv_dhcp6_id_assoc_statement_address_pltime/>
      <adv_dhcp6_id_assoc_statement_address_vltime/>
      <adv_dhcp6_id_assoc_statement_prefix_enable/>
      <adv_dhcp6_id_assoc_statement_prefix/>
      <adv_dhcp6_id_assoc_statement_prefix_id/>
      <adv_dhcp6_id_assoc_statement_prefix_pltime/>
      <adv_dhcp6_id_assoc_statement_prefix_vltime/>
      <adv_dhcp6_prefix_interface_statement_sla_id/>
      <adv_dhcp6_prefix_interface_statement_sla_len/>
      <adv_dhcp6_authentication_statement_authname/>
      <adv_dhcp6_authentication_statement_protocol/>
      <adv_dhcp6_authentication_statement_algorithm/>
      <adv_dhcp6_authentication_statement_rdm/>
      <adv_dhcp6_key_info_statement_keyname/>
      <adv_dhcp6_key_info_statement_realm/>
      <adv_dhcp6_key_info_statement_keyid/>
      <adv_dhcp6_key_info_statement_secret/>
      <adv_dhcp6_key_info_statement_expire/>
      <adv_dhcp6_config_advanced/>
      <adv_dhcp6_config_file_override/>
      <adv_dhcp6_config_file_override_path/>
    </opt3>

my first lan (should use cable for ipv6)

Code: [Select]

    <opt5>
      <if>igb1</if>
      <descr>lan</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.50.3</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>track6</ipaddrv6>
      <track6-interface>opt2</track6-interface>
      <track6-prefix-id>0</track6-prefix-id>
    </opt5>

my second lan (should use vdsl for ipv6)

Code: [Select]

    <opt1>
      <if>igb2</if>
      <descr>lan_media</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.150.3</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>track6</ipaddrv6>
      <track6-interface>opt3</track6-interface>
      <track6-prefix-id>0</track6-prefix-id>
    </opt1>

cat /var/etc/radvd.conf

Code: [Select]

# Automatically generated, do not edit
# Generated config for dhcp6 delegation from opt2 on opt5
interface igb1 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1500;
AdvOtherConfigFlag on;
prefix 2a02:8109:9d40:476::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
RDNSS 2a02:8109:9d40:476:20d:b9ff:fe4a:7499 { };
DNSSL chao5.int { };
};
# Generated config for dhcp6 delegation from opt3 on opt1
interface igb2 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1500;
AdvOtherConfigFlag on;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
DNSSL chao5.int { };
};

here I'm missing something, there is no prefix on igb2... why?

cat /var/etc/dhcp6c_opt2.conf

Code: [Select]

interface igb0_vlan4 {
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_opt2_script.sh"; # we'd like some nameservers please
};
id-assoc pd 0 {
  prefix-interface igb1 {
    sla-id 0;
    sla-len 1;
  };
};

cat /var/etc/dhcp6c_opt3.conf

Code: [Select]

interface igb0_vlan14 {
  send ia-na 0; # request stateful address
  send ia-pd 0; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_opt3_script.sh"; # we'd like some nameservers please
};
id-assoc na 0 { };
id-assoc pd 0 {
  prefix-interface igb2 {
    sla-id 1;
    sla-len 4;
  };
};

There are 2 running dhcpd6c processes... it is normal?

in /var/log/dhcpd.log | grep dhcp6c I see this:

Code: [Select]

Sep 11 07:14:13 cerber dhcp6c[19870]: Sending Solicit
Sep 11 07:14:13 cerber dhcp6c[19870]: set client ID (len 14)
Sep 11 07:14:13 cerber dhcp6c[19870]: set identity association
Sep 11 07:14:13 cerber dhcp6c[19870]: set elapsed time (len 2)
Sep 11 07:14:13 cerber dhcp6c[19870]: set option request (len 4)
Sep 11 07:14:13 cerber dhcp6c[19870]: set IA_PD
Sep 11 07:14:13 cerber dhcp6c[19870]: send solicit to ff02::1:2%igb0_vlan14
Sep 11 07:14:13 cerber dhcp6c[19870]: reset a timer on igb0_vlan14, state=SOLICIT, timeo=13, retrans=110376
Sep 11 07:14:13 cerber dhcp6c[15879]: unexpected interface (9)

what can be the problem? what I'm doing wrong?

TiA

[marjohn56]

You cannot have two dhcp6c processes, dhcp6c should handle all of them in one go. Currently Opnsense  doesn't support multiple WAN dhcp6. It was on my 'todo' list.

[Perun]

was?

[marjohn56]

Sorry... still is.

[Perun]

cool and for what version it is on the roadmap?

[marjohn56]

It will be there when I have time, or someone else is welcome to do it. 

[wget]

It will be there when I have time, or someone else is welcome to do it. 

Does this restriction still apply with OPNsense 20.1?

[franco]

Yep.


Cheers,
Franco

[marjohn56]

I'll pick this up and aim for 20.7...


Going to need some testers, they'll need dual WAN ISPs using dhcp6.

[wget]

I'll pick this up and aim for 20.7...


Going to need some testers, they'll need dual WAN ISPs using dhcp6.

Then, if you need testing, I'm your man

Btw, since I'm still figuring out how the fallback method is working I wonder how LAN devices tracking the IPv6 PD address range prefix from WAN1 (Global Unicast IPv6 address i.e. 2a02::/8) will fallback to WAN2 (the backup WAN) when WAN1 is down.

And how to address the issue of DNS? Since the prefix will change when WAN1 is down, LAN devices (some of them are servers) will get a new prefix...

[marjohn56]

Indeed, that's why it's so complex. Getting dhcp6c to do its thing is relatively straight forwards, handling the firewall is a totally different ballgame, and will require the input of the wizards in that area; it's similar to a change in prefix delegation on a single WAN instance, something as yet not totally got to grips with.

[marjohn56]

OK, some success. @wget I'll PM you with what you need to do, but you must be running the dev path, can you confirm that before i send you anything.

[marjohn56]

Then, if you need testing, I'm your man

Btw, since I'm still figuring out how the fallback method is working I wonder how LAN devices tracking the IPv6 PD address range prefix from WAN1 (Global Unicast IPv6 address i.e. 2a02::/8) will fallback to WAN2 (the backup WAN) when WAN1 is down.

And how to address the issue of DNS? Since the prefix will change when WAN1 is down, LAN devices (some of them are servers) will get a new prefix...

It'll not work if you are using global DNS pointing using your GUAs, obviously you would need to update them as well; possibly only a  dynamic DNS would work with that. My task is make dhcp6c do its thing by creating the prefixes and addresses on the interfaces, which appears to work.


It appears that you can add multiple GUAs to an interface, the issue there is that you can only have one dhcpv6 server, RADVD may be able to handle it, but this is a long road and it's not going to get implemented overnight, lots more work to do.

[wget]

OK, some success. @wget I'll PM you with what you need to do, but you must be running the dev path, can you confirm that before i send you anything.

I'm a primarily a full stack dev and only a network enthusiast, so I'm ok with the dev path.

Since my OPNsense current apu1c4 is used for production, I'll just visualize one on KVM VM hosted on my Proxmox machine.

My xDSL and modem cable both being in bridge mode, my ISPs are allowing a second direct connection on them, shouldn't be a problem

[wget]

It appears that you can add multiple GUAs to an interface, the issue there is that you can only have one dhcpv6 server, RADVD may be able to handle it, but this is a long road and it's not going to get implemented overnight, lots more work to do.

" but this is a long road and it's not going to get implemented overnight," yes, much things to have in mind indeed