Netgate Discussion Forum

    IPV6, prefix delegation and Wireguard

    • P
      phm_pfsense
      last edited by

      Hi

      As a bit of background/context, I have successfully set up Wireguard on many hosts and clients including Linux, OpenBSD and pfsense+.

      As some of you know, the wireguard interface that is created in pfsense is a "virtual" interface, with no relationship to existing hardware interfaces.

      For those of us whose only access to IPV6 in their environments is Prefix Delegation for subnets on the LAN side, having a Wireguard instance with routable IPV6 addresses is a no-go.

      My question to the forum:

      Should we (pfsense+ users) expect a solution that supports IPV6 Prefix Delegation with the Wireguard interface? Is this a reasonable expectation?

      Sure, we can all change providers and get a "real" IPV6 /56 or even a /48 block. That "real" address block would not require Prefix Delegation. But what if changing providers is not an option? Are we just out of luck?

      There is precious little information available re: pfsense+ and Wireguard IPv6 provisioning. Likely because it doesn't work in Prefix Delegation environments.

      Should we expect a fix (ok, "feature request" if you insist) for this any time soon?

      1 Reply Last reply Reply Quote 1
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        You mean using a dynamic prefix from your PD as the Wireguard tunnel subnet?

        Or listening on an internal interface that is part of the PD?

        P 1 Reply Last reply Reply Quote 0
        • P
          phm_pfsense @stephenw10
          last edited by

          @stephenw10

          I mean that the virtual interface that is created as part of the Wireguard deployment process outlined in the pfSense+ documentation is not suitable as a Prefix Delegation target.

          When specifying the Wireguard interface in the list of interfaces "asking" for Prefix Delegations, the Prefix Delegation for ALL interfaces fails.

          If you're suggesting there is another way of doing this with Prefix Delegation, I'm very interested to hear about it.

          Please have a look at this "bug" in the meantime.

          Thanks

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            How exactly are you setting it? What error do you see?

            P 1 Reply Last reply Reply Quote 0
            • P
              phm_pfsense @stephenw10
              last edited by phm_pfsense

              @stephenw10

              I don't have the exact error in front of me. It was something like "link failed".

              Like I said at the outset, I'm not looking for support advice. I'm looking for someone knowledgeable about specifically Wireguard and ipv6 Prefix Delegation in pfSense+.

              If it's not currently supported, shouldn't it be in release notes errata or something?

              Here's the file that works:

              interface ix2 {
              	send ia-na 0;
              	send ia-pd 0;
              	send ia-pd 1;
              	send ia-pd 2;
              	request domain-name-servers;
              	request domain-name;
              	script "/var/etc/dhcp6c_wan_script.sh";
              };
              id-assoc na 0 { };
              id-assoc pd 0 {
              	prefix-interface igc0 {
              		sla-id 0;
              		sla-len 0;
              	};
              };
              id-assoc pd 1 {
              	prefix-interface igc0.1001 {
              		sla-id 0;
              		sla-len 0;
              	};
              };
              id-assoc pd 2 {
              	prefix-interface igc0.69 {
              		sla-id 0;
              		sla-len 0;
              	};
              };
              

              And here's the code that doesn't:

              interface ix2 {
              	send ia-na 0;
              	send ia-pd 0;
              	send ia-pd 1;
              	send ia-pd 2;
              	send ia-pd 3;
              	request domain-name-servers;
              	request domain-name;
              	script "/var/etc/dhcp6c_wan_script.sh";
              };
              id-assoc na 0 { };
              id-assoc pd 0 {
              	prefix-interface igc0 {
              		sla-id 0;
              		sla-len 0;
              	};
              };
              id-assoc pd 1 {
              	prefix-interface igc0.1001 {
              		sla-id 0;
              		sla-len 0;
              	};
              };
              id-assoc pd 2 {
              	prefix-interface igc0.69 {
              		sla-id 0;
              		sla-len 0;
              	};
              };
              id-assoc pd 3 {
              	prefix-interface tun_wg0 {
              		sla-id 0;
              		sla-len 0;
              	};
              };
              
              1 Reply Last reply Reply Quote 0
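A pre-flight check for the situation in the post above, as an added example (not code from the thread or from pfSense): it parses a dhcp6c configuration, confirms that every `send ia-pd N` has a matching `id-assoc pd N` block, and reports `prefix-interface` targets that are absent from the last configuration known to work. The function names and the condensed sample configurations are assumptions made for this example.

```python
import re

# Condensed from the two dhcp6c configurations in the post above (same
# statements, whitespace collapsed); WORKING is the file reported to work.
WORKING = """
interface ix2 {
    send ia-na 0; send ia-pd 0; send ia-pd 1; send ia-pd 2;
    request domain-name-servers; request domain-name;
    script "/var/etc/dhcp6c_wan_script.sh";
};
id-assoc na 0 { };
id-assoc pd 0 { prefix-interface igc0 { sla-id 0; sla-len 0; }; };
id-assoc pd 1 { prefix-interface igc0.1001 { sla-id 0; sla-len 0; }; };
id-assoc pd 2 { prefix-interface igc0.69 { sla-id 0; sla-len 0; }; };
"""
# The failing file adds one request and one stanza for the WireGuard interface.
FAILING = WORKING.replace("send ia-pd 2;", "send ia-pd 2; send ia-pd 3;") + \
    "id-assoc pd 3 { prefix-interface tun_wg0 { sla-id 0; sla-len 0; }; };\n"

def pd_assocs(conf):
    """Map each 'id-assoc pd N' to the prefix-interface names in its block."""
    conf = re.sub(r"#.*", "", conf)            # drop comments
    found = {}
    for m in re.finditer(r"\bid-assoc\s+pd\s+(\d+)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:         # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        found[int(m.group(1))] = re.findall(
            r"\bprefix-interface\s+([^\s{]+)", conf[m.end():i])
    return found

def audit(candidate, known_good):
    """Return findings for a candidate config, judged against a known-good one."""
    sent = {int(n) for n in re.findall(r"\bsend\s+ia-pd\s+(\d+)\s*;",
                                       re.sub(r"#.*", "", candidate))}
    assocs = pd_assocs(candidate)
    trusted = {i for names in pd_assocs(known_good).values() for i in names}
    findings = [f"send ia-pd {n} has no id-assoc pd {n} block"
                for n in sorted(sent - set(assocs))]
    findings += [f"id-assoc pd {n} is never requested with send ia-pd {n}"
                 for n in sorted(set(assocs) - sent)]
    findings += [f"id-assoc pd {n}: prefix-interface {name} is new since the known-good file"
                 for n, names in sorted(assocs.items())
                 for name in names if name not in trusted]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(FAILING, WORKING)))
```

Because the poster reports that the added stanza stops delegation on all interfaces, reviewing such findings before replacing the working file keeps the LAN-side prefixes unaffected while the new target is tested.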
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                Sorry I'm just trying to understand the problem since I've never hit it. Either it's something I've never tried (probably) or it's something that just worked for me in which case it may be a regression for example.

                P 1 Reply Last reply Reply Quote 1
                • P
                  phm_pfsense @stephenw10
                  last edited by phm_pfsense

                  @stephenw10

                  Do you happen to know if Wireguard ipv6 with Prefix Delegation is supported by pfSense+ ?

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    No I don't know for sure. I was trying to replicate your setup. It looks like you're using a custom dhcp6c config? Pulling individual PDs?

                    P 1 Reply Last reply Reply Quote 0
                    • P
                      phm_pfsense @stephenw10
                      last edited by

                      @stephenw10

                      Yes, this is how one "pulls" prefix delegations from CPE.

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        @cmcdonald will know. Let's see...

                        P 1 Reply Last reply Reply Quote 0
                        • P
                          phm_pfsense @stephenw10
                          last edited by

                          @stephenw10

                          Looking forward to some clarity. Thank you!

                          1 Reply Last reply Reply Quote 0
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.