Core: DHCPv6 on multiple Interfaces takes wrong Interface/subnet

Created on 3 May 2020 · 22 Comments · Source: opnsense/core

I use IPv6 with DHCPv6 Prefix delegation size 60.
On 2 interfaces I enter Track Interface. One with prefixID 0, the other with prefixID 1.

The DHCPv6 gives all devices from all interfaces (VLAN) an IP from ONE subnet. In the DHCPv6 leases you can also see that under Interface always the same interface is shown.

I think it's always the first interface where I set Track Interface.

When I look at /var/dhcpd/etc/dhcpdv6.conf, it's shown as follows:

subnet6 xx:xx:xx:8b00::/60 {
  range6 xx:xx:xx:8b00::xxx xx:xx:xxx:8b00::xxx;
  option dhcp6.name-servers xxx;
  prefix6 xx:xx:xx:8b08:: xx:xx:xx:8b0c::/63;
}
subnet6 xx:xx:xx:8b00::/60 {
  range6 2003:c7:746:8b01::1000 xx:xx:xxx:8b01::2000;
  option dhcp6.name-servers xx:xx:xx:8b01:xx:xx:xx:5672;
  prefix6 xx:xx:xx:8b08:: xx:xx:xx:8b0c::/63;
}

The subnet6 xx:xx:xx:8b00::/60 entry appears twice.
I think the second has to be subnet6 xx:xx:xx:8b01::/60 {

When I use only ONE track interface, it works fine.

OPNsense 20.1.6-amd64
FreeBSD 11.2-RELEASE-p19-HBSD
OpenSSL 1.1.1g 21 Apr 2020
CPU Type | Intel(R) Celeron(R) N4100 CPU @ 1.10GHz (4 cores)

It could be a bug.


All 22 comments

OK, needed to check something. Looks good here on 20.1 latest. Here's my config file. LAN1 set to track with ID 0 LAN2 with ID 1.

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
ping-check true;
update-conflict-detection false;
authoritative;

subnet6 2a02:xxxx:xxxx:f020::/64 {
range6 2a02:xxxx:xxxx:f020::1000 2a02:xxxx:xxxx:f020::2000;
option dhcp6.name-servers 2a02:xxxx:xxxx:f020:20e:c4ff:fed2:8143;
prefix6 2a02:xxxx:xxxx:f028:: 2a02:xxxx:xxxx:f02c::/63;
}

subnet6 2a02:xxxx:xxxx:f021::/64 {
range6 2a02:xxxx:xxxx:f021::1000 2a02:xxxx:xxxx:f021::2000;
option dhcp6.name-servers 2a02:xxxx:xxxx:f021:20e:c4ff:fed2:8144;
prefix6 2a02:xxxx:xxxx:f028:: 2a02:xxxx:xxxx:f02c::/63;
}

ddns-update-style none;

Will install 20.7 and see what that shows.

Live mode on a 20.7 USB checks out too, all good. @Bytechanger - can you make sure that your IDs are set incrementally and then unplug your WAN and then plug it back in to force a dhcpdv6 update.

There is one thing: in auto mode it does assign the same PD range to both interfaces. I think that's a good reason why there's a manual override. :)

Hi,

Now, I check "allow manual adjustment of DHCPv6 and Router Advertisements " to get more control over DHCPv6 in each interface.

Here are my settings:
Interfaces->
[LAN]->Track Interface->IPv6 Interface WAN
-> IPv6 Prefix ID 0x0 (so I think it's only an ID)
-> allow manual adjustment of DHCPv6 and Router Advertisements checked

[Kamera]->Track Interface->IPv6 Interface WAN
-> IPv6 Prefix ID 0x1
-> allow manual adjustment of DHCPv6 and Router Advertisements checked
[Gast]->Track Interface->IPv6 Interface WAN
-> IPv6 Prefix ID 0x2
-> allow manual adjustment of DHCPv6 and Router Advertisements checked
Overview->
[LAN] -> IPv6 address xxx:xx:xxx:8b00:xxx:xxxx:fe92:8584 / 60
[Kamera]-> IPv6 address xxx:xx:xxx:8b01:xxx:xxxx:fe92:8584 / 60
[Gast] ->IPv6 address xxx:xx:xxx:8b02:xxx:xxxx:fe92:8584 / 60

Service->DHCPv6
[LAN]->
Subnet xxxx:xx:xxx:8b00::
Subnet mask 60 bits
Current LAN IPv6 prefix xxxx:xx:xxx:8b00::
Available prefix delegation size 61
Available range 2003:c7:746:8b00:: - 2003:c7:746:8b0f:ffff:ffff:ffff:ffff
Range: xxxx:xx:xxx:8b00:: - xxxx:xx:xxx:8b00:ffff:ffff:ffff:ffff

[Kamera]->
Subnet xxxx:xx:xxx:8b00::
Subnet mask 60 bits
Current LAN IPv6 prefix xxxx:xx:xxx:8b01::
Available prefix delegation size 61
Available range 2003:c7:746:8b00:: - 2003:c7:746:8b0f:ffff:ffff:ffff:ffff
Range: xxxx:xx:xxx:8b01:: - xxxx:xx:xxx:8b01:ffff:ffff:ffff:ffff

[Gast]->
Subnet xxxx:xx:xxx:8b00::
Subnet mask 60 bits
Current LAN IPv6 prefix xxxx:xx:xxx:8b02::
Available prefix delegation size 61
Available range 2003:c7:746:8b00:: - 2003:c7:746:8b0f:ffff:ffff:ffff:ffff
Range: xxxx:xx:xxx:8b02:: - xxxx:xx:xxx:8b02:ffff:ffff:ffff:ffff

As you see, there is ALWAYS Subnet 8b00 for ALL Interfaces set...?!
And you see, that I try to set the Interfaces Range to 8b00, 8b01b, 8b02, ...

Now my PC in [LAN] gets an IP from [Gast], which is shown in DHCPv6->leases->Interface [Gast]?!?!
All leases now come from [Gast] and they are all from the IP range in [Gast].
When I'm at the router, I would try to disconnect WAN for a short time....

Greets

Byte

Hi,

A possible issue was that I didn't request the full prefix length.
When I set prefix size to 56 it might work. I will test it now.
But there should be an error message or other hint, when this happens....

I will write here again, if I know, that it works fine ...

Now it works, thanks....

We discussed this on the forum. Strange things happen if the prefix delegation size selected in the WAN interface DHCPv6 client configuration doesn't match the actual size of the prefix delegated by the ISP. In this case, a /60 was requested but the ISP delegated a /56 anyway. This can happen, especially since many ISPs don't properly document what prefix length(s) they offer.

Troubleshooting this was messy because the UI doesn't show the delegated prefix (and especially its length) anywhere.

So maybe this could be turned into a feature request: Show the delegated prefix in the UI. Interfaces / Overview might be a good place. Bonus points for showing a warning if the sizes don't match.

We can do that... working around that area at the moment. Actually I thought it was already done.

Hm, maybe in the very latest code? I'm currently on 20.7.b_97 and can't find the delegated prefix in the UI.

No, I think I did it a while back and never posted a PR... let me see if I can find it.

dhcpd does show the available prefix delegation size. If I'm not much mistaken, subtract one from that and you get what has been given. I'll check that with various PD sizes to confirm. Yup, confirmed on my test kit with two different prefix ranges: on one I request a /60, on the other a /56. DHCPv6 services show I have /61 and /57 available respectively.

'Available prefix delegation size' shows the _configured_ size (+1), not the _actual_ size. So if you request a /60 but get a /56, the available prefix delegation size still shows /61. So you still don't know what size you _actually_ got. (I can't test that myself right now, but from the information given by @Bytechanger that seems to be the case.)

And even if it would work, that would be a rather convoluted way to get that information, don't you think?

You'll get an error in the dhcp6c logs, like so: dhcp6c[77271]: invalid prefix length 60 + 8 + 64. That's because I asked for a /56 but only a /60 was available. There's no way of automating that, you can ask for a smaller prefix than the max but never a larger one. As part of the dhcp.conf file, if you take a quick look you'll see the prefix delegation size is set for the interface you wish to apply it to, you cannot do this dynamically. So requesting a larger PD than the ISP will give you results in failure, requesting a smaller one is successful but the allocation applied is still that given by the ISP, i.e. if you request a /60 and they give you a /56 that /56 is what is applied as the PD to the interface, the fact that you are only using /60 is down to you. What you are asking for is an output from dhcp6c which will show what the ISP supplied prefix length is.... Hmm, did that once by adding a new env var that gets given when the dhcp6c.script is run. I'll try and dig it out, but it is visible in the log.

@Bytechanger _did_ ask for a (smaller) /60 but got a (larger) /56. This caused the issue. There is no obvious failure, it kind of works, but the DHCPv6 server gets configured incorrectly (see the dhcpdv6.conf from the original comment). This was not easy to troubleshoot because everything seemed to work except for the DHCPv6 server anomalies.

What you are asking for is an output from dhcp6c which will show what the ISP supplied prefix length is

Exactly. I'm not in favour of automating anything, just a clear indication that the actual delegated prefix size does not match the configured one. It is then up to the user to change the settings accordingly. Currently, it is hard to notice a mismatch at all. Something doesn't seem right and you then have to check debug logs or do a packet capture or guess to find out what went wrong.
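
Added example, not part of the thread and not OPNsense code: a small Python check for the symptom visible in the dhcpdv6.conf from the original report, where two subnet6 blocks carry the same prefix so leases land in the wrong segment. The sample configs are constructed with the 2001:db8::/32 documentation prefix, and the expectation of one /64 per tracked interface is an assumption taken from the working config posted earlier in the thread.

```python
import ipaddress
import re

# Constructed samples (documentation prefix 2001:db8::/32), modelled on the
# broken and the working dhcpdv6.conf shown in the thread.
BROKEN_CONF = """
subnet6 2001:db8:0:8b00::/60 {
  range6 2001:db8:0:8b00::1000 2001:db8:0:8b00::2000;
}
subnet6 2001:db8:0:8b00::/60 {
  range6 2001:db8:0:8b01::1000 2001:db8:0:8b01::2000;
}
"""
WORKING_CONF = """
subnet6 2001:db8:0:f020::/64 {
  range6 2001:db8:0:f020::1000 2001:db8:0:f020::2000;
}
subnet6 2001:db8:0:f021::/64 {
  range6 2001:db8:0:f021::1000 2001:db8:0:f021::2000;
}
"""
BLOCK_RE = re.compile(r"subnet6\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"range6\s+(\S+)\s+(\S+)\s*;")

def parse_subnets(conf):
    """Return (network, range_low, range_high) for every subnet6 block."""
    blocks = []
    for net, body in BLOCK_RE.findall(conf):
        m = RANGE_RE.search(body)
        lo, hi = map(ipaddress.IPv6Address, m.groups()) if m else (None, None)
        blocks.append((ipaddress.IPv6Network(net), lo, hi))
    return blocks

def audit(conf):
    """List findings: non-/64 subnets, stray range6, overlapping subnet6 blocks."""
    findings, blocks = [], parse_subnets(conf)
    for i, (net, lo, hi) in enumerate(blocks):
        if net.prefixlen != 64:  # assumption: one /64 per tracked interface
            findings.append(f"block {i}: {net} is /{net.prefixlen}, expected /64")
        if lo is not None and not (lo in net and hi in net):
            findings.append(f"block {i}: range6 {lo} - {hi} is outside {net}")
        for j in range(i + 1, len(blocks)):
            if net.overlaps(blocks[j][0]):
                findings.append(f"blocks {i} and {j}: {net} overlaps {blocks[j][0]}")
    return findings

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("working", WORKING_CONF)):
        print(name, audit(conf) or "no findings")
```

Masked addresses such as the xx:xx:xx values in the report will not parse; run it against the real file on the firewall.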

Well it was easy when we didn't want to do multiwan/multilan dhcp6c, I just pulled the prefix and added it to the env vars when the script was called, as it would just be a single PD. However with multiwan and multilan that's not possible. I've spent a couple of hours trying to pull the pd from the lists passed to the script function and have given up with a headache! It's the only way I can see of getting the PD out of dhcp6c. It would appear that the prefix is added to the optinfo struct at c1647 in dhcp6c.c, but I'll be buggered if I can pull it from the structure in the script env function, you take a look and see if you have better luck. If we can get it into an env then we can push it to the GUI.

It's done! dhcp6c now creates an env var that can be echoed to /tmp in the wan script. We can display that on the GUI, @fichtner - how does that sound?

Done, now displaying in interfaces overview. Once the multiwan is completed then I'll push a PR for this.

If we can decrease 1 layer of magic that would be good, not sure what the best delivery option is for the information. Then again, the system also does /tmp/em1_routerv6 on its own. While we are getting the PD size, can we also get the router IP?

It's already there as an env value I think, if not I'll add it.

Can we close this one? Not sure if there are open tasks (that are not addressed by the current multi-wan efforts).

Yup..
