opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

[FR]: Configure Multiple IPv6-Prefixes #4930

Closed Senjuu closed 3 years ago

Senjuu commented 3 years ago

Is your feature request related to a problem? Please describe.

In my local network I want to assign not only Global Unicast Addresses via "IPv6 Interface tracking" but also Unique Local Addresses via "Static IPv6". So every machine has a public IPv6 with which it can connect to the internet, but also has a static IPv6 so that I can give it a DNS entry via Unbound DNS. This setup would also provide the possibility to reach every device even during an extended internet outage, in which the tracking of IPv6 could be lost and Link Local Unicast could not cross network segments.

By solving this problem, I think it should also be possible to track multiple WAN-Interfaces for redundancy (e.g. a DSL/Fiber-Interface and a cellular/Starlink-Interface).

Describe the solution you like

I would like a "+" for "IPv6 Configuration Type" in /interfaces.php so that multiple ways to obtain IPv6 prefixes could be entered and configured at the end of the page.

Describe alternatives you considered

marjohn56 commented 3 years ago

How do you intend to add a static GUA address when you do not have one?

Senjuu commented 3 years ago

I did not intend to add a static GUA but a static ULA. I edited my post in this regard.

fichtner commented 3 years ago

@Senjuu maybe I'm missing something, but why don't you use Virtual IPs for this?

Cheers, Franco

Senjuu commented 3 years ago

I tried using them, but they did not work in tandem with Interface Tracking as my machine. Even if I manually specify multiple Virtual IPv6 addresses, my machine gets only one IPv6 prefix delivered.

While researching for a bug report, I found that it is IPv6 standard that multiple IPv6 prefixes can be announced to a client, and in the OPNsense docs it is written that

IP Alias [add a] standard extra address [...] [which] will act like a normal interface address.

So I no longer thought that this was a bug but a missing feature, because what I want to accomplish is not adding another IP address to the interface but instead a whole new prefix.

marjohn56 commented 3 years ago

So what you want is a ULA prefix on a LAN segment? If so, add a ULA, then announce that to your clients using dhcpdv6 and RADVD.

marjohn56 commented 3 years ago

Just to add, you will need to use manual override on a tracked LAN/VLAN to achieve this.

Senjuu commented 3 years ago

So what you want is a ULA prefix on a LAN segment? If so, add a ULA, then announce that to your clients using dhcpdv6 and RADVD.

I already tried using RADVD. But the provided interface only allows me to announce routes ("Advertise Routes", ICMPv6 Option Type 24), not to announce prefixes (ICMPv6 Option Type 3). Even if it did, this would be a hassle, as I would need to change the GUA prefix regularly because it is delegated from a prefix dynamically assigned to me by my provider. I would not emphasize the usefulness of static ULAs for my network otherwise.

Also, I should not need a DHCPv6 server, as my setup is intended to use SLAAC, which is completely handled via ICMPv6.

marjohn56 commented 3 years ago

Something here is being lost in translation, it happens a lot! 🤔

The WAN obtains a prefix from your ISP using dhcpv6; the prefixes are applied to the LAN with a /64. If your ISP gives you a bigger PD allocation, then you have a bunch of prefixes that can be given out to sub routers on those LAN networks. This is handled by dhcpdv6 on the LAN interface(s). Radvd will continue to issue adverts for the GUA address whether the override is in place or not, as it will be configured automatically to announce that prefix whilst it exists. By adding a ULA address to the interface and adding that into Radvd's config you will announce both the GUA and ULA on that LAN segment. You would not have to change the GUA address, as that will be handled automatically should the prefix change, or at least it will do soon.

Senjuu commented 3 years ago

I'm trying to convey my whole setup. From my ISP I get a dynamic /60 prefix. From this prefix I delegate a /64 subprefix to my LAN and another one to my DMZ. On both I want to also add static ULA prefixes. I set this up using interface tracking from the WAN interface and Virtual IPs. This resulted in the clients NOT getting both prefixes; instead they only got the ULA one.

Theoretically I could use RADVD to manipulate the Router Advertisement's Prefix Information (ICMPv6 Option Type 3). This is currently not possible with the WebGUI, and even if it were, it would be, from my understanding, a hassle to update the advertisements for the delegated prefixes as they change.

Finally, even if the setup with Virtual IPs and RADVD were possible and I would not need to manually change the delegated prefix from my ISP, it would still look messy from my point of view, because each ULA prefix would need to be entered multiple times: once for the Virtual IP and once for RADVD. Also, because, as already mentioned, the OPNsense docs state

IP Alias [add a] standard extra address [...] [which] will act like a normal interface address.

it seems to me that Virtual IPs are not designed to create a new IPv6 prefix but, staying within IPv6, to allow the firewall to have multiple IPv6 addresses in the same prefix on the same interface. Therefore I think it would be more consistent and intuitive to move setting up multiple IPv6 prefixes to the interface configuration at /interfaces.php.

Doing it that way would also be more flexible, so that devices could also have multiple GUA prefixes for failover (e.g. one over fiber internet and another over SpaceX's Starlink), because solving this with IPv6 requires delegating an additional IPv6 prefix, as per IPv6 standards.

marjohn56 commented 3 years ago

OK, had a look at this and there was a bug in there: only the ULA was being advertised by radvd. I've raised an issue and committed a PR which should fix the problem I found; hopefully it will fix yours too.
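The thread turns on two things a host sees in a Router Advertisement: Prefix Information options (type 3, which SLAAC forms addresses from) versus Route Information options (type 24, which only install a route), and the bug where radvd announced only the ULA. The following decoder is an added example, not OPNsense or radvd code; it parses those two options from a raw ICMPv6 RA payload and reports which GUA/ULA prefixes a SLAAC client would actually autoconfigure from, which is the check you would run on a captured RA to confirm both prefixes are really being announced. The sample RAs are constructed from documentation prefixes.

```python
import ipaddress
import struct

RA_HEADER_LEN = 16   # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans
OPT_PREFIX_INFO = 3  # Prefix Information: what SLAAC hosts form addresses from (RFC 4861 4.6.2)
OPT_ROUTE_INFO = 24  # Route Information: installs a route only, never an address (RFC 4191)

def classify(net):
    """Label a prefix as the thread does: ULA (fc00::/7) or GUA (2000::/3)."""
    ula, gua = ipaddress.IPv6Network("fc00::/7"), ipaddress.IPv6Network("2000::/3")
    return "ULA" if net.subnet_of(ula) else "GUA" if net.subnet_of(gua) else "other"

def parse_ra_options(ra):
    """Return (option type, prefix, flags) for each prefix/route option in an RA payload."""
    if len(ra) < RA_HEADER_LEN or ra[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    found, off = [], RA_HEADER_LEN
    while off + 2 <= len(ra):
        otype, olen = ra[off], ra[off + 1] * 8  # length field counts units of 8 octets
        if olen == 0 or off + olen > len(ra):
            raise ValueError("malformed option length")  # RFC 4861: discard such RAs
        body = ra[off + 2:off + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            net = ipaddress.IPv6Network((body[14:30], body[0]), strict=False)
            found.append((otype, net, {"on_link": bool(body[1] & 0x80), "autonomous": bool(body[1] & 0x40)}))
        elif otype == OPT_ROUTE_INFO:
            raw = body[6:].ljust(16, b"\0")  # prefix field is 0, 8 or 16 octets long
            found.append((otype, ipaddress.IPv6Network((raw, body[0]), strict=False), {}))
        off += olen
    return found

def slaac_prefixes(ra):
    """GUA/ULA -> prefixes a SLAAC client would actually form addresses from (A flag set)."""
    out = {}
    for otype, net, flags in parse_ra_options(ra):
        if otype == OPT_PREFIX_INFO and flags["autonomous"]:
            out.setdefault(classify(net), []).append(str(net))
    return out

def _prefix_opt(prefix, flags=0xC0):  # L=1, A=1; valid 86400 s, preferred 14400 s
    return struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, 64, flags, 86400, 14400, 0,
                       ipaddress.IPv6Address(prefix).packed)

def _route_opt(prefix):  # /64 route, medium preference, lifetime 3600 s
    return struct.pack("!BBBBI8s", OPT_ROUTE_INFO, 2, 64, 0, 3600, ipaddress.IPv6Address(prefix).packed[:8])

# Constructed sample RAs built from documentation prefixes, not captured traffic.
RA_HEADER = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
RA_BOTH = RA_HEADER + _prefix_opt("2001:db8:0:1::") + _prefix_opt("fd00:1234:0:1::")
RA_ULA_ONLY = RA_HEADER + _prefix_opt("fd00:1234:0:1::") + _route_opt("2001:db8:0:1::")
```

`slaac_prefixes(RA_ULA_ONLY)` returns only the ULA even though the GUA appears in the RA, because a Route Information option never causes a host to form an address, which is exactly the symptom described above.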

Senjuu commented 3 years ago

@marjohn56 as you mentioned, the PR could solve my problem fundamentally. But as you stated

It did lead me on to something else though, should dhcpdv6 be able to hand out ULA addresses too? For example, if I create a VIP with a /56, should I have the ability to do pd on that?

I, as a user of OPNsense, doubt that this would be an intuitive way to set up ULAs. Again referring to the docs (https://docs.opnsense.org/manual/firewall_vip.html), it is mentioned that VIPs of type IP Alias are

A standard extra address [...] [and they] will act like a normal interface address[.]

It is also stated that

Usually the subnet mask should match the interfaces or be defined as a single address (/32 or /128).

Therefore I doubt that it would be easy to come to the conclusion that VIPs are intended to be used to add static IPv6 prefixes (e.g. ULA) to a network segment. Coming to the understanding that VIPs are not intended for this use was the main reason I did not believe my problem was caused by a bug but rather was a missing feature.

As I further investigated this seeming misunderstanding, I found something problematic. It seems it is not possible to set up an IPv6-ULA-only network with SLAAC from interfaces.php alone; instead the IPv6 configuration type must be set to SLAAC and then a VIP must be set up.

In my opinion this still needs to be resolved by either:

marjohn56 commented 3 years ago

The LAN interface should not be set to SLAAC; it should be set to either track or static. It's not getting its own GUA IPv6 address from SLAAC.

Senjuu commented 3 years ago

Excuse me, then I must have misunderstood SLAAC. I thought that SLAAC meant that only Link-Local Addresses (via SLAAC) are set up, as that was what I experienced. I had at that time only my tests, as it is not well documented on https://docs.opnsense.org/manual/interfaces.html. Following your post I took a look at the docs from pfSense (https://docs.netgate.com/pfsense/en/latest/interfaces/configure-ipv6.html), as OPNsense is forked from it. There it was better explained what the "SLAAC" configuration was meant for.

In that case I would state that this issue can be closed by fixing my problem through your PR and revising the documentation of VIPs' behaviour regarding IPv6.

marjohn56 commented 3 years ago

I've never read either of those documents; there's very good IPv6 documentation out there that goes into hundreds of pages.