this post was submitted on 15 Oct 2024
19 points (100.0% liked)

networking

2824 readers
7 users here now

Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 1 year ago
MODERATORS
 

Greetings all!

I have been working on getting a new network setup. The current test host (A server running OpenSUSE Leap 15.6 w/ Wicked) is able to get routes and obtain an address via DHCP from the router of the network (running OPNSense 24.7.6), but is unable to resolve routes and obtain an address via the local DHCPv6 server. Admittedly, I am not great with IPv6 doubled with the ISP for this network granting a statically-defined /128 address for the router and manually-delegated /64 address blocks.

The OPNSense configuration has a /64 address block assigned as its address space for the LAN interface. The configuration has the ISC DHCPv6 server allocating address range 2602:xxxx:xxxx:xxxx::8888:0 - 2602:xxxx:xxxx:xxxx::8888:ffff. The radvd server is set to managed, set with an automatic source address, set to advertise the default gateway, set to use the dhcpv6 dns configuration, and set with no additional routes advertised.

As noted, the OpenSUSE machine is unable to get any routes beyond link-local via ipv6 nor is it able to automatically be assigned an ipv6 address from the DHCPv6 server. I have done some diagnostics, but have been unable to determine any conclusive issue.

Starting ip route and address checks:

ip -6 addr

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::xxxx:xxxx:xxxx:a4ee/64 scope link proto kernel_ll [OpenSUSE Leap 15.6 Server link-local address]
       valid_lft forever preferred_lft forever

ip -6 route

fe80::/64 dev eth0 proto kernel metric 256 pref medium

The eth0 interface noted is using a standard configuration as provided by Wicked (BOOTPROTO=dhcp, STARTMODE=auto, ZONE=public). Testing dhcpv6 address acquisition by hand results in nothing:

wicked test dhcp6 -m auto eth0

wicked: eth0: Request to acquire DHCPv6 lease with UUID <$uuid-a> in mode auto

However, testing in forced managed mode does get results from the DHCPv6 server:

wicked test dhcp6 -m managed eth0

wicked: eth0: Request to acquire DHCPv6 lease with UUID <$uuid-b> in mode managed
INTERFACE='eth0'
TYPE='dhcp'
FAMILY='ipv6'
UUID='<$uuid-b>'
IPADDR='2602:xxxx:xxxx:xxxx::8888:807/128' [theoretical bound address on LAN]
PREFIXLEN='128'
DNSSERVERS='2602:xxxx:xxxx:xxxx::1' [LAN address of router]
DNSSEARCH='<$domain>'
ACQUIRED='1729020515'
CLIENTID='<$clientid>'
SERVERID='<$serverid>'
SERVERADDR='fe80::xxxx:xxxx:xxxx:a4ee' [OpenSUSE Leap 15.6 Server link-local address]

So unless I am mistaken at this point, this likely means that something is going wrong with the Router Advertisements for the system to not automatically try get assigned an ipv6 address. Checking a router advertisement broadcast to the OpenSUSE server, I am not seeing anything out of the ordinary:

radvdump

#
# radvd configuration generated by radvdump 2.17
# based on Router Advertisement from fe80::xxxx:xxxx:xxxx:4eb4 [router link-local on LAN]
# received by interface eth0
#

interface eth0
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag on;
        AdvOtherConfigFlag on;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvLinkMTU 1500;
        AdvSourceLLAddress on;

        prefix 2602:xxxx:xxxx:xxxx::/64 [public /64 address block manually delegated as LAN]
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 14400;
                AdvOnLink on;
                AdvAutonomous off;
                AdvRouterAddr off;
        }; # End of prefix definition


        RDNSS 2602:xxxx:xxxx:xxxx::1 [LAN address of router]
        {
                AdvRDNSSLifetime 600;
        }; # End of RDNSS definition


        DNSSL <$domain>
        {
                AdvDNSSLLifetime 600;
        }; # End of DNSSL definition

}; # End of interface definition

sysctl -a | grep eth0.accept_ra

net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.accept_ra_defrtr = 1
net.ipv6.conf.eth0.accept_ra_from_local = 0
net.ipv6.conf.eth0.accept_ra_min_hop_limit = 1
net.ipv6.conf.eth0.accept_ra_mtu = 1
net.ipv6.conf.eth0.accept_ra_pinfo = 1
net.ipv6.conf.eth0.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.eth0.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.eth0.accept_ra_rtr_pref = 1

Am I missing something with why Wicked doesn't actually get a proper route to the LAN nor an address via IPv6?

To recap: IPv4 works, this is the only device connected to the network thus far, IPv6 configuration appears (to me at least) correct for the router advertisements and DHCPv6 config.

EDIT:

Found the source of the problem. The OPNSense configuration is in fact correct for what I want to do. The issue is on the OpenSUSE machine. I forgot about a funny little Linux kernel networking quirk regarding ipv6 forwarding. In OpenSUSE, enabling forwarding for IPv6 from the installer keeps net.ipv6.conf.*.accept_ra set to 1. However, setting net.ipv6.conf.*.forwarding to 1 will disable accepting routes from RA, and in my case of expecting automatic IPv6 configuration from DHCPv6 without forcing managed mode on the Linux server.

Unless I feel like bypassing some functionality provided by the router, one needs to set net.ipv6.conf.*.accept_ra to 2 for all affected network interfaces. This enforces accepting routes with forwarding enabled. This in turn for my case also allows for DHCPv6 resolution to function without forcing or bypassing it from the OpenSUSE machine. I can only assume the reason this isn't just default if applied from the installer is that fully-manual static IP addressing is expected rather than wanting to use DHCP reservations for assigning addresses.

So in short:

All is good with the OPNSense configuration. I needed to change the sysctl flag net.ipv6.conf.eth0.accept_ra = 1 to net.ipv6.conf.eth0.accept_ra = 2, in order to forcefully accept RA routes and normal DHCPv6 address assignment on my ethernet interface. This is necessary because I need forwarding over IPv6 for the affected machine.

top 1 comments
sorted by: hot top controversial new old
[โ€“] [email protected] 6 points 1 month ago* (last edited 1 month ago)

~~It took me a week to get working ipv6, don't despair. I don't have time now to post my config (I'm on opnsense too), will do tomorrow ๐Ÿ™‚~~

Well glad to see you didn't need help in the end! ๐Ÿ™‚ great job!