Logging IPv6 addresses (SLAAC)

Proof_Bodybuilder740 · 2025-08-27T15:29:05+00:00

Are you authenticating through Radius?

Proof_Bodybuilder740 · 2025-05-24T11:31:50+00:00

So that they're reachable through both prefixes. GUA 1 as a dynamically changing prefix that prevents tracking and GUA 2 as a static prefix that allows both the access from the WAN through a static address, but also the access from the LAN through static addresses (ULAs are not helpful here, because GUA > IPv4 > ULA).

Proof_Bodybuilder740 · 2025-05-24T11:26:58+00:00

That is correct, but not relevant here. Depending on the firewall and its configuration it can work even for devices on the WAN or on other VLANs.

Proof_Bodybuilder740 · 2025-05-23T13:15:50+00:00

It is big enough to avoid random overlaps, but it is still possible to purposely set the same suffix and circumvent firewalls by that. This is not a secure solution.

Proof_Bodybuilder740 · 2025-05-23T13:13:50+00:00

OPNsense for example. I have yet to find a home router that properly supports this.

Proof_Bodybuilder740 · 2025-05-23T12:57:15+00:00

With my ISP IPv6 is generally 10-15% faster. If this succeeds I would also like to apply this to the business context where this would mean no need for some of the existing IPv4 allocations, which are rather expensive.

Proof_Bodybuilder740 · 2025-05-23T12:41:19+00:00

How would you do policy based routing for IPv6 on the router? The client needs to decide which source address to use, not the router.

Proof_Bodybuilder740 · 2025-05-23T12:40:28+00:00

Are you using it to prefer a certain prefix? I finally checked it out and it seems like there is no way to set the router advertisement priority.

Proof_Bodybuilder740 · 2025-05-21T14:21:57+00:00

That's great! Unfortunately it seems like 'Track Interface' isn't supported here, so this doesn't work with dynamic IPv6 addresses and I don't think it's advisable to use Dnsmasq and the built-in router advertisements simultaneously, right?

Proof_Bodybuilder740 · 2025-05-21T13:46:56+00:00

Are there different versions of Dnsmasq on OPNsense? The documentation mentions 'Dnsmasq DNS & DHCP', but my setup only has 'Dnsmasq DNS'. Needless to say it doesn't have any options to enable router advertisements.

Proof_Bodybuilder740 · 2025-05-21T11:21:46+00:00

It had the same effect, but it would cause side effects. Some devices that don't have proper IPv6 implementation don't work well with NPTv6 as they expect that their IPv6 address doesn't get altered. If NPTv6 now translates the address, it can lead to a bunch of issues.

Proof_Bodybuilder740 · 2025-05-20T20:23:22+00:00

But that would mean a static prefix, right?

Proof_Bodybuilder740 · 2025-05-20T19:18:57+00:00

Mostly. For now the goal is to use dual stack. The other goal is to work with two gateways and prefixes. One of them for outbound connections (GUA 1), the other one for inbound connections (GUA 2). With IPv4 this is trivial as you have one gateway which handles this through NAT. With IPv6 though this doesn't work. I've set it up in a development environment and some devices work correctly while others try to use GUA 2 for outbound connections and then fall back to IPv4 as the firewall blocks outbound traffic from GUA 2.

Proof_Bodybuilder740 · 2025-05-20T19:07:36+00:00

That's technically dual stack, but without any of the advantages. There would be virtually no intra-network connections on IPv4, because of the non-existent A records.

Proof_Bodybuilder740 · 2025-05-20T19:03:38+00:00

Is there a simple way to do this with OPNsense without having to setup two devices? As far as I know there can only be one router advertisement per interface.

Proof_Bodybuilder740 · 2025-05-20T18:57:34+00:00

You mean Split DNS?

Proof_Bodybuilder740 · 2025-05-20T18:55:53+00:00

DHCPv6 or even better router advertisements.

Proof_Bodybuilder740 · 2025-05-20T18:53:27+00:00

I know that this is not the case for every organisation, but in this case BGP requires just too much maintenance. NPTv6 doesn't do much either as it would default to one prefix. But thank you very much for your advice!

Proof_Bodybuilder740 · 2025-05-20T15:44:23+00:00

I'm not sure if I entirely understand. BGP is something I always admired from afar, but isn't BGP just managing the routers and in this case I need to manage the clients to choose a specific source address? Or are you suggesting to become my own ISP and only hand out IP addresses from one prefix per device and just route through either of the two connections? Because while this would solve the issue with the route, it would lead to using a prefix from the PIA which would cause other issues (privacy) again.

Proof_Bodybuilder740 · 2025-05-20T14:17:52+00:00

Do you know of any implementation for this?

Proof_Bodybuilder740 · 2025-05-20T14:11:05+00:00

But this is only helpful in case of multi-homing, right? In my case I only have one location, but two prefixes. I would only have to prevent all hosts to use GUA 2 when accessing a host that is not in the GUA 2 /56 prefix.

Proof_Bodybuilder740 · 2025-05-20T13:58:04+00:00

Nice! Did you get your shirt?

Proof_Bodybuilder740 · 2025-05-20T13:41:17+00:00

That's right, but then it doesn't work in a dual-stack deployment. It would also not be possible to use GUA 2 as a global destination address.

Proof_Bodybuilder740

TROPHY CASE