dhcp: fix test merge of legacy configuration prefix

[Jerroder]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

The help in DHCPv6 "Prefix Delegation Range" says:

When using a tracked interface then please only enter the range itself, i.e. ::xxxx:0:0:0:0. For example, for a /56 delegation from ::100;0:0:0:0 to ::f00:0:0:0:0.

But this is wrong.

My LAN interface is set to "track interface" and I chose to delegate /60, so I set the range as ::10:0:0:0:0 to ::f0:0:0:0:0, because it says to only enter the range. But this was not working. OPNsense RA is Unmanaged and my subrouter was only requesting a prefix and not an address. It got the prefix (f was the first assigned) but its LAN addresses were ::f0:xxxx:xxxx:xxxx:xxxx/128 instead of 2001:(...)f0:xxxx:xxxx:xxxx:xxxx/128. I had to set the range with the public routing prefix too for it to work.

This also caused the route to be created with 0:0:0:f0/60 instead of 2001:(...)f0:xxxx:xxxx:xxxx:xxxx/60.

So either the help is wrong, or the prefix delegation doesn't work as expected.

To Reproduce

1. Add a subrouter (another OPNsense if you want) behind the main OPNsense.
2. Enable DHCPv6 and set the Prefix Delegation Size to 60 and delegate from ::10:0:0:0:0 to ::f0:0:0:0:0
3. Set the subrouter WAN interface to DHCPv6 and its LAN to "track interface"
4. Check the LAN address

Expected behavior

The prefix delegation should delegate the public routing prefix as well as the prefix itself.

Describe alternatives you considered

Add the public routing prefix in the range.

Screenshots

Relevant log files

If applicable, information from log files supporting your claim.

Additional context

Add any other context about the problem here.

Environment

OPNsense 23.7.9-amd64 (virtualized)
Ryzen 5 3600
Linux bridge

[fichtner]

Enable DHCPv6 and set the Prefix Delegation Size to 60 and delegate from ::10:0:0:0:0 to ::f0:0:0:0:0

Well, you need a matching WAN DHCPv6 client config first and LAN tracking it. Otherwise you can't use the WAN prefix with the "::" prefix trick and it will be treated as a normal IPv6.

[fichtner]

Ok you did that in step 3 but if DHCP was already running it can't render the correct prefix.

[Jerroder]

if DHCP was already

I restarted both routers multiple times to make sure it assigns everything correctly. I could only see 0:0:0:f0::/60 in the delegated prefix leases.

[fichtner]

Well, does Interface: Overview list your correct WAN prefix? The merge is pretty straight forward if there is a delegated prefix acquired.

[Jerroder]

The problem is that it acquired ::f0::/60

[fichtner]

Yeah, but it only does that if your prefix failed to acquire. These "dynamic" approaches to static things like DHCP are not really great, but ISPs tend to be on the side of only giving out dynamic IPv6 prefixes so it is what it is.

[Jerroder]

I do get 2001:xxxx:yyyy:zz00::/56 from my ISP.

The DHCP just doesn't seem to delegate that by itself, even though LAN is set to "track interface" and its address is set to 2001:xxxx:yyyy:zz00:vvvv:vvvv:vvvv:vvvv/64.

[fichtner]

/128 .. it should be /64?

[Jerroder]

It is, my bad

[fichtner]

Well it's easy to check the DHCPv6 config file to see if subnet6 and range6 have the expected value:

# cat /var/dhcpd/etc/dhcpdv6.conf 

[Jerroder]

Well now that I set the public routing prefix manually, subnet6 looks good, but range6 doesn't exist. Probably because I didn't set a DHCP address range?

But when I set only the prefix, subnet6 is

subnet6 2001:xxxx:yyyy:zz00::/64 {
  option dhcp6.name-servers 2001:xxxx:yyyy:zz00:vvvv:vvff:fevv:vvvv;
  prefix6 0:0:0:10:: 0:0:0:f0::/60;

}

[fichtner]

that looks good now

[Jerroder]

Then my subrouter only gets ::f0:vvvv:vvvv:vvvv:vvvv/64 on LAN

[fichtner]

I'm very very sure this is a configuration problem because a number of people would immediately say that this doesn't work (anymore). Does your entered prefix range start exactly with "::" ? You can also try the range to see if it merged. I'd still be surprised if it wouldn't.

[fichtner]

Also your steps don't mention setting "Allow manual adjustment of DHCPv6 and Router Advertisements" which is a prerequisite for even configuring the DHCPv6 on that interface configuration.

[Jerroder]

Does your entered prefix range start exactly with "::" ?

Yes

You can also try the range to see if it merged.

I'm not sure I understand this

Also your steps don't mention setting "Allow manual adjustment of DHCPv6 and Router Advertisements" which is a prerequisite for even configuring the DHCPv6 on that interface configuration.

This is enabled, otherwise the daemon wouldn't start, and it wouldn't work when writing the public routing prefix manually.

[fichtner]

Just put a range from ::2000 to ::ffff to see if range6 is merged correctly or not.

[Jerroder]

Now this looks like what I would expect

subnet6 2001:xxxx:yyyy:zz00::/64 {
  range6 2001:xxxx:yyyy:zz00::2000 2001:xxxx:yyyy:zz00::ffff;
  option dhcp6.name-servers 2001:xxxx:yyyy:zz00:vvvv:vvff:fevv:vvvv;
  prefix6 0:0:0:10:: 0:0:0:f0::/60;

}

shouldn't the prefix6 be like range6?

[fichtner]

Yes... but... what's your Available prefix delegation size?

[Jerroder]

57 bits

I get /56 from my ISP so I chose to delegate /60

[fichtner]

Do you see any log message for this?

# opnsense-log | grep "not a valid prefix"

[Jerroder]

No, I don't

[fichtner]

Well, I'm a bit lost. The code issue is somewhere here https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/dhcpd.inc#L1368-L1388

Just to be sure you have set prefix hint on WAN to /56 ?

[Jerroder]

The size is set to 56 (I asked my ISP and it is the right size) but "Send IPv6 prefix hint" is unchecked.

[fichtner]

thanks that should be enough. i checked on my end and it merges fine. I can only recommend trying to emit a few log messages to help me see where it fails.

[Jerroder]

merge_ipv6_address seems to be the problem. It converts ::10:0:0:0:0 into 0:0:0:10::.

So when you merge at the end, it tries to merge 2001:xxxx:yyyy:zz00:0:0:0:0 with 0:0:0:10:: so the function returns here.

Why is there $range_from = merge_ipv6_address($dhcpdv6cfg[$ifname]['prefixrange']['from'], '::');?

If I replace

$dhcpdv6cfg[$ifname]['prefixrange']['from'] = merge_ipv6_address($ifcfgipv6, $range_from, $pdlen);
$dhcpdv6cfg[$ifname]['prefixrange']['to'] = merge_ipv6_address($ifcfgipv6, $range_to, $pdlen);

with

$dhcpdv6cfg[$ifname]['prefixrange']['from'] = merge_ipv6_address($ifcfgipv6, $dhcpdv6cfg[$ifname]['prefixrange']['from'], $pdlen);
$dhcpdv6cfg[$ifname]['prefixrange']['to'] = merge_ipv6_address($ifcfgipv6, $dhcpdv6cfg[$ifname]['prefixrange']['to'], $pdlen);

I do get prefix6 2001:xxxx:yyyy:zz10:: 2001:xxxx:yyyy:zzf0::/60; in /var/dhcpd/etc/dhcpdv6.conf.

[PacoTyson]

Hi,

If it helps by bringing more examples, I’m facing the same issue, see https://forum.opnsense.org/index.php?topic=37348.0

opnsense-log | grep "not a valid prefix" returns nothing either.

[Jerroder]

@fichtner if my LAN IPv6 Prefix ID is 0x1, what should the PD range be? It shouldn't overlap so it is my understanding that ::10:0:0:0:0/60 and ::f0:0:0:0:0/60 do not overlap with ::1:0:0:0:0/64, but should the PD range be from ::12:0:0:0:0/60 to ::f2:0:0:0:0/60 or something?

[maurice-w]

The help text is indeed incorrect, you need to omit the trailing zeroes. For 15x /60, simply enter from ::10 to ::f0.

[Jerroder]

Writing without the trailing zeroes works indeed.

cat /var/dhcpd/etc/dhcpdv6.conf does merge the address with the prefix correctly when using ::10 to ::f0.

[maurice-w]

I've always used it that way, probably never paid attention to the help text. Not sure if it ever worked with trailing zeroes.

[fichtner]

This doesn't make sense to me... trailing zeroes are not optional. It would indicate it's lower /64 bit side. The examples are derived from https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch22s06.html and you can see they have all the trailing zeroes in the config format. Something about leading and trailing zeroes is weird, maybe an intermediate compress destroys the correct ordering making prefix merge fail.

I've been away the past two weeks so I haven't looked closer yet.

[fichtner]

The relevant change from 5fa042b almost 18 months ago... it must have broken somewhere else in the meantime.

[Jerroder]

This seems to have broken it for me 7fcbb22, 3 months ago, as I found out in #7046 (comment)

[maurice-w]

Well, all I can say is that I've never entered trailing zeroes for the PD range values. It seemed the logical syntax to me and always worked as expected. I just checked some of my config backups from as long as four years ago to confirm.

dhcpdv6.conf needs the prefix6 values to end with :: of course, but this has always been handled by the OPNsense prefix merge code.

Note: This only applies to track6 LAN interfaces. For static LAN interfaces, you have to enter the PD range values "correctly" of course (ending with :: or trailing zeroes).

[fichtner]

dd92fe4 is worth a try... keep in mind this is only a problem due to allowing people to use the wrong legacy format...

# opnsense-patch dd92fe4

Cheers,
Franco

[Jerroder]

The patch works with trailing zeroes

[fichtner]

Thanks, I'll add this to 23.7.11 and close.

Cheers,
Franco

[PacoTyson]

The patch works with trailing zeroes

Not for me, I provided details in the forum post.
Franco, should I open an issue here instead of a forum post ?

[fichtner]

@PacoTyson yeah a separate issue with all the details would be good. Already knowing this is not your issue goes back to square one: 50% change for configuration mistake, 50% chance of another bug. Let's start from the top.

Cheers,
Franco