Add setting for "Use excluded prefix for WAN"
-
As was noted in a topic regarding Verizon and IPv6, Verizon doesn't provide an interface address via DHCPv6, just a prefix. But according to RFC 6603 (Prefix Exclude option), option 67 (OPTION_PD_EXCLUDE) specifies a prefix to exclude from use on LAN networks. That excluded prefix can then be used on the WAN interface to provide a global address from the delegated prefix.
For example, Verizon uses option 67 to specify that prefix ID ff be excluded from use. Their router then turns around and uses that prefix ID on the WAN, providing an address of aaaa:bbbb:cccc:ddff::1 on the WAN interface (though any address could be used within that prefix). Using this option could provide an automated way to have a global address on WAN when the ISP doesn't provide a WAN address via DHCPv6. I don't know if any other ISPs are utilizing this option, but it seems like others could be using it if they only provide a prefix and not an interface address.
I'd implement this by having a sub-setting if the "only request a prefix" option is checked... "Request excluded prefix to use for this interface (if available)". If this setting is turned on, request option 67 from the provider, then apply an IP address from the prefix to the interface.
Of course, if for some reason a prefix ID is excluded that one of the other networks is configured to use, that network should not have IPv6 available, since that prefix ID should be used on WAN.
Yes, something similar could be done by applying a virtual IP to WAN (that's what I'm doing for now)... but then if the prefix changes, the virtual IP needs to be manually updated. So I'm just trying to find a way to automate this action instead.
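Worked example, added here and not part of the original post or of any pfSense code: it encodes and decodes OPTION_PD_EXCLUDE (option 67) as laid out in RFC 6603 section 4.2, derives the excluded prefix from the delegated prefix, picks a WAN address inside it, and flags any LAN whose configured prefix ID collides with the excluded prefix (the case described above). The prefixes are constructed samples; aaaa:bbbb:cccc:dd00::/56 mirrors the Verizon illustration in the post, and 2001:db8:dead:bee0::/59 is the RFC's own example. Function names are my own.

```python
"""RFC 6603 OPTION_PD_EXCLUDE helpers (added example; constructed sample data)."""
import ipaddress
import math
import struct

OPTION_PD_EXCLUDE = 67  # DHCPv6 option code assigned by RFC 6603


def to_net(prefix) -> ipaddress.IPv6Network:
    """Accept either a string like 'aaaa::/56' or an IPv6Network."""
    return prefix if isinstance(prefix, ipaddress.IPv6Network) else ipaddress.IPv6Network(prefix)


def encode_pd_exclude(delegated, excluded) -> bytes:
    """Build the wire option: code, length, prefix-len (1 octet), IPv6 subnet ID.

    The subnet ID carries only the bits of the excluded prefix that follow the
    delegated prefix, left-aligned and zero-padded to a whole octet (RFC 6603 4.2).
    """
    delegated, excluded = to_net(delegated), to_net(excluded)
    dlen, elen = delegated.prefixlen, excluded.prefixlen
    if not (dlen < elen <= 128):
        raise ValueError("excluded prefix must be longer than the delegated prefix")
    if not excluded.subnet_of(delegated):
        raise ValueError("excluded prefix must lie inside the delegated prefix")
    nbits = elen - dlen
    nbytes = math.ceil(nbits / 8)
    # Bits [dlen, elen) of the 128-bit address, then left-align within nbytes.
    subnet_id = (int(excluded.network_address) >> (128 - elen)) & ((1 << nbits) - 1)
    subnet_id <<= nbytes * 8 - nbits
    body = bytes([elen]) + subnet_id.to_bytes(nbytes, "big")
    return struct.pack("!HH", OPTION_PD_EXCLUDE, len(body)) + body


def decode_pd_exclude(option: bytes, delegated) -> ipaddress.IPv6Network:
    """Parse a received OPTION_PD_EXCLUDE and return the excluded prefix.

    Length and prefix-len are validated before any bits are trusted, since the
    option arrives from the network and feeds interface configuration.
    """
    delegated = to_net(delegated)
    if len(option) < 4:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != OPTION_PD_EXCLUDE or length != len(option) - 4 or length < 2:
        raise ValueError("malformed OPTION_PD_EXCLUDE")
    elen, dlen = option[4], delegated.prefixlen
    if not (dlen < elen <= 128):
        raise ValueError("prefix-len must be delegated-prefix-length+1 .. 128")
    nbits = elen - dlen
    nbytes = math.ceil(nbits / 8)
    if length != 1 + nbytes:
        raise ValueError("subnet ID length does not match prefix-len")
    # Drop the right-hand zero padding, then place the bits after the delegated prefix.
    subnet_id = int.from_bytes(option[5:5 + nbytes], "big") >> (nbytes * 8 - nbits)
    addr_int = int(delegated.network_address) | (subnet_id << (128 - elen))
    return ipaddress.IPv6Network((addr_int, elen))


def wan_address_from_excluded(excluded, host: int = 1) -> ipaddress.IPv6Interface:
    """Choose an address inside the excluded prefix for the WAN interface (::1 by default)."""
    excluded = to_net(excluded)
    if not 0 < host < excluded.num_addresses:
        raise ValueError("host part does not fit in the excluded prefix")
    return ipaddress.IPv6Interface((int(excluded.network_address) + host, excluded.prefixlen))


def conflicting_lan_prefix_ids(delegated, excluded, lan_prefix_ids: dict) -> list:
    """Names of LANs whose /64 prefix ID overlaps the excluded prefix.

    Those LANs should not get IPv6 from the delegation, as the post proposes,
    because the provider has reserved that part of the prefix.
    """
    delegated, excluded = to_net(delegated), to_net(excluded)
    if delegated.prefixlen > 64:
        raise ValueError("prefix IDs select /64s; delegation must be /64 or shorter")
    conflicts = []
    for name, prefix_id in lan_prefix_ids.items():
        lan_net = ipaddress.IPv6Network((int(delegated.network_address) | (prefix_id << 64), 64))
        if not lan_net.subnet_of(delegated):
            raise ValueError(f"{name}: prefix ID {prefix_id:x} does not fit in the delegation")
        if lan_net.overlaps(excluded):
            conflicts.append(name)
    return conflicts


if __name__ == "__main__":
    delegated = "aaaa:bbbb:cccc:dd00::/56"          # constructed, as in the post
    opt = encode_pd_exclude(delegated, "aaaa:bbbb:cccc:ddff::/64")
    print("option bytes:", opt.hex())                # 0043000240ff
    excluded = decode_pd_exclude(opt, delegated)
    print("excluded prefix:", excluded)
    print("WAN address:", wan_address_from_excluded(excluded))
    print("LANs to disable:", conflicting_lan_prefix_ids(delegated, excluded, {"LAN": 0x0, "GUEST": 0xff}))
```

The RFC's own example round-trips through the same code: delegated 2001:db8:dead:bee0::/59 with excluded 2001:db8:dead:beef::/64 gives a subnet ID of five bits, 01111, padded to 0x78, which is the value RFC 6603 shows.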
-
@virgiliomi
I trust you understand:
a) You don't need a WAN address.
b) If you need a target for a VPN, SSH, etc., you can use the interface address on the LAN side.
-
@jknott
Yep, very aware of both of those things. That doesn't mean that I don't want a global address on the "outside" of my network though. I'd rather have Unbound send its DNS requests to servers around the world from WAN than from LAN. From a rules perspective, I'd rather have things like VPN terminate at the WAN address rather than the LAN address. I understand it's the same host, but we always mask our IP addresses, so why would I want to invite outsiders to know my LAN address when I could have a WAN address that is different? Especially if the WAN address is on the opposite end of my prefix from where my LAN and other networks are.
For those that WANT a global WAN address, this would be one way to automate something that can currently be done manually when the ISP doesn't provide an outside interface address, removing a manual step sometime in the future when the prefix inevitably changes. Given that I also have to change a bunch of host overrides and an OpenVPN setting when my prefix changes, it would be nice to have one less thing to do.
-
@virgiliomi said in Add setting for "Use excluded prefix for WAN":
Especially if the WAN address is on the opposite end of my prefix from where my LAN and other networks are.
My WAN address has absolutely nothing to do with my prefix. However, as you mentioned, you could pick any address within your prefix. For example, with my /56, I use prefix ID ff for OpenVPN. There's no reason it couldn't also be used as a target. However, I haven't tried that.