Is there any way to hand off a prefix to another pfsense instance?
-
You have to configure your DHCPv6 server on the main system to hand out PDs to the systems inside the LAN. Unless your PD stays static, that's essentially impossible (or requires manual config change) as things stand today. If your PD is at least relatively static, you could configure the PD accordingly. Though because the DHCPv6 screen is hidden where you're using track interface (today at least), that's more convoluted.
Doable, but requires some hacking.
-
Thanks cmb,
that was the conclusion I was coming to.
ISTM that it ought to be possible for this to be automated, i.e. to generate the correct config for the DHCPv6 server on the LAN side of the internet pfSense appliance, and to regenerate this when the lease expires.
Does that make sense?
I might see what I can come up with here.
-
Hmm, this is getting stranger quickly.
My dhcpdv6.conf already has a rather interesting delegation line in it. I just upgraded to 2.2.4 to make sure everything is current, and checked the file again. It seems to be set up to hand out up to 3x /63 delegations. So I made the lab firewall ask for a /63, and sure enough, I get one. Here's my /var/dhcpd/etc/dhcpdv6.conf with addresses suitably munged:
    option domain-name "internal.splhi.com";
    option ldap-server code 95 = text;
    option domain-search-list code 119 = text;
    default-lease-time 7200;
    max-lease-time 86400;
    log-facility local7;
    one-lease-per-client true;
    deny duplicates;
    ping-check true;
    update-conflict-detection false;
    authoritative;
    subnet6 2601:STUV:WXYZ:2de0::/64 {
        range6 2601:STUV:WXYZ:2de0::1000 2601:STUV:WXYZ:2de0::2000;
        option dhcp6.name-servers 2601:STUV:WXYZ:2de0:XXXX;XXXX:XXXX:XXXX;
        prefix6 2601:STUV:WXYZ:2de8:: 2601:STUV:WXYZ:2dec:: /63;
        option dhcp6.name-servers 2601:STUV:WXYZ:2de0:XXXX;XXXX:XXXX:XXXX;
    }
    ddns-update-style none;
That prefix6 line is there, but I didn't do anything to create it. My WAN setup isn't using advanced and simply requests a /60 along with the checkbox for "Send an IPv6 prefix hint …" checked. Any thoughts on how we generated this?
-
Looks like the following code starting at line 1217 in file etc/inc/services.inc in origin/master is responsible:
    /* prefix length > 0? We can add dhcp6 prefix delegation server */
    if ($pdlen > 2) {
        $pdlenmax = $pdlen;
        $pdlenhalf = $pdlenmax -1;
        $pdlenmin = (64 - ceil($pdlenhalf / 4));
        $dhcpdv6cfg[$ifname]['prefixrange'] = array();
        $dhcpdv6cfg[$ifname]['prefixrange']['prefixlength'] = $pdlenmin;
…
This is in the "fake out" code for track6 interfaces. It ought to be relatively simple to make the values configurable.
-
…
WAN setup isn't using advanced and simply requests a /60 along with the checkbox for "Send an IPv6 prefix hint ..." checked.
...To configure all things to your liking you have to use [Interfaces: WAN DHCP6 -Client- conf. Advanced] on the 1st pfSense in order to be able to manage the DHCP6 Server on that 1st pfSense.
The method "Track Interface" is a default consumer non-professional solution. You would like to work with your quasi-Static (by dhcp6c) /60 from ISP and with your Static LAN config on 1st pfSense and 2nd pfSense.
-
Hi hda,
the problem with overriding the file by hand is that that only works for a static IPv6 allocation. That's not what Comcast hand out (though it does seem pretty stable). The code that I quoted is the beginning of code in pfSense today that sets some of the variables that cause PD to happen. If you have at least a /60, it will set up some prefixes to hand out.
After restarting everything, I got a /63 handed out to my 2nd-level gateway. The only things that concern me are:
- this functionality doesn't seem to be documented
- the subnet sizes are hardcoded based on the original delegation
For the most simplistic case using track interface, ISTM that we should assign one /64 to LAN, and set up delegations for /64 for the remaining address range (so in my /60 case, we'd offer up to 15x /64 prefixes) on the basis that it's unlikely that anyone will have more than two tiers (perhaps I should say "even more unlikely than somebody having more than one ;)")
Is there any interest in me working on the code to make this configurable i.e. to add a couple of nerd knobs for "Track interface" along the lines of
- Enable Prefix Delegation
- Prefix subnet size
?
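A worked version of the arithmetic in the services.inc snippet quoted above, together with the one-/64-per-downstream-router layout proposed in this post, as an added example (Python mirroring the quoted PHP, not pfSense's own code); the 2001:db8 prefix is a constructed sample, not the poster's allocation.

```python
import ipaddress
import math

# Constructed sample values (documentation prefix, not the poster's real allocation).
SAMPLE_PD = "2001:db8:0:2de0::/60"
SAMPLE_LAN = "2001:db8:0:2de0::/64"


def track6_prefix_length(pdlen):
    """Mirror of the arithmetic quoted from etc/inc/services.inc.

    pdlen is pfSense's 'dhcp6-ia-pd-len' value: the number of bits the ISP
    delegated below /64 (a /60 stores 4, a /56 stores 8, a /48 stores 16).
    Returns the prefix length the track6 code writes into the prefix6 line,
    or None when the quoted code adds no delegation at all (pdlen <= 2).
    """
    if pdlen <= 2:
        return None
    pdlenmax = pdlen
    pdlenhalf = pdlenmax - 1
    return 64 - math.ceil(pdlenhalf / 4)


def delegation_from_prefix_len(prefix_len):
    """Convenience wrapper: /60 -> pdlen 4 -> same derivation (gives 63)."""
    return track6_prefix_length(64 - prefix_len)


def proposed_delegations(pd, lan):
    """The proposal from this thread: keep one /64 for LAN and offer every
    other /64 inside the delegated prefix to downstream routers."""
    pd_net = ipaddress.IPv6Network(pd)
    lan_net = ipaddress.IPv6Network(lan)
    if lan_net.prefixlen != 64 or not lan_net.subnet_of(pd_net):
        raise ValueError("LAN must be a /64 carved out of the delegated prefix")
    return [n for n in pd_net.subnets(new_prefix=64) if n != lan_net]


if __name__ == "__main__":
    for plen in (62, 61, 60, 56, 48):
        got = delegation_from_prefix_len(plen)
        print(f"ISP delegates /{plen}: track6 hands out "
              f"{'nothing' if got is None else '/' + str(got)}")
    subs = proposed_delegations(SAMPLE_PD, SAMPLE_LAN)
    print(f"{len(subs)} /64s left for downstream routers, "
          f"first {subs[0]}, last {subs[-1]}")
```

Running it shows why a /60 request came back as a /63 prefix6 line: pdlen 4 gives 64 - ceil(3/4) = 63.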
-
@cmb:
Though because the DHCPv6 screen is hidden where you're using track interface (today at least), that's more convoluted.
Just thought I'd point out Feature 3029… someone has provided a pull request for it. There are lots that would love to set custom DHCPv6 and RADVD settings with a track interface LAN, if it's something that is really feasible.
-
Yeah that's a priority to get in for 2.3.
-
Hate digging up old topics, but is this feature still on track to be included in 2.3? If not I'd better start saving some bucks in hope that I can bribe someone working for my ISP (gunning for a static /56).
-
It would be great if Chris would provide an update… given that 2.3 is in beta now and apparently major features aren't being added/changed, I'm getting the feeling that this won't make the 2.3 release, and the can gets kicked down the road a little more.
Unless it's something being tested outside of the beta snapshots, and will be merged all at once before RC... which I doubt...
-
Well, a glimmer of hope that this will make it to 2.3… :) The Redmine feature request has been assigned, and has a target version of 2.3.
I'll be happy to give it some testing when all is said and done!
-
YAY! merged:
https://redmine.pfsense.org/issues/3029#change-25320
-
Yep… time to give this some testing when I get home tonight!!