Description
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Is your feature request related to a problem? Please describe.
It would be nice for IPv6-only or dual-stack networks to be able to use the captive portal system as well. Currently only IPv4 is supported.
Describe the solution you like
No functional changes on the user-facing Captive Portal administration end, just automatic compatibility with IPv6.
Technically, the impact would be as follows:
- The captive portal web interface should bind to `::1` as well.
- Redirection should take place to `::1`.
- The current firewall rules already handle IPv4 and IPv6 correctly (except for redirection).
- Authentication should account for NDP entries as well, matching on MAC address and inserting the relevant IPv6 address(es) in the zone pf table.
- The background process synchronizing the zones must have an accurate reflection of the NDP table at all times, which may be quite expensive as this table can grow a lot larger than the ARP table. In an ideal scenario one should be able to subscribe to NDP state changes, but it is as yet unclear whether this is possible.
- Ethernet accounting rules must match on `0x86DD`. Initial experiments show some IPv6 traffic matching on `0x0800` (IPv4) as well, producing some garbage entries which may unnecessarily grow (and slow down) the accounting output.
- Usage of multiple IPv6 addresses on clients can be problematic, see note below.
- Other unknowns.
Enabling users to use multiple IP addresses on the same client should be considered as well (although perhaps optionally as a toggle). This is relevant for both IPv4 (virtual IPs) and IPv6, however, this scenario is more common in IPv6 with the option of privacy extensions on SLAAC, which may keep old IPv6 addresses active and actively used by clients.
Describe alternatives you considered
N/A
Additional context
Initial work provided in https://github.com/opnsense/core/tree/cp_ipv6
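
The MAC-to-IPv6 matching and per-client table synchronization described in this request, sketched as an added example (not code from the `cp_ipv6` branch or from OPNsense). It assumes the `ndp -an` column layout shown in the constructed sample and skips link-local addresses by default; all function names are hypothetical.

```python
import ipaddress

# Constructed sample in the assumed column layout of FreeBSD `ndp -an`
# (not captured output); MAC octets may appear without leading zeros.
SAMPLE_NDP = """\
Neighbor                      Linklayer Address  Netif Expire    S Flags
2001:db8:1::a1                0:11:22:33:44:55   em1   23h59m2s  S
2001:db8:1::f00d              0:11:22:33:44:55   em1   12s       R
fe80::211:22ff:fe33:4455%em1  0:11:22:33:44:55   em1   23h58m1s  S
2001:db8:1::b2                66:77:88:99:aa:bb  em1   5s        R
2001:db8:1::c3                (incomplete)       em1   expired   N
2001:db8:2::a1                0:11:22:33:44:55   em2   10s       R
"""

def norm_mac(mac):
    """Return the MAC as zero-padded lowercase hex, or None if it is not a MAC."""
    try:
        octets = [int(p, 16) for p in mac.split(":")]
    except ValueError:
        return None
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        return None
    return ":".join("%02x" % o for o in octets)

def parse_ndp(text):
    """Yield (IPv6Address, mac, netif) for every resolved neighbor entry."""
    for line in text.splitlines():
        fields = line.split()
        mac = norm_mac(fields[1]) if len(fields) >= 3 else None
        if mac is None:
            continue  # header, "(incomplete)" or malformed line
        try:
            ip = ipaddress.IPv6Address(fields[0].split("%", 1)[0])  # drop %zone
        except ValueError:
            continue
        yield ip, mac, fields[2]

def addresses_for_mac(ndp_text, mac, netif, include_link_local=False):
    """All IPv6 addresses NDP maps to `mac` on the zone interface `netif`."""
    want = norm_mac(mac)
    return sorted({str(ip) for ip, entry_mac, entry_if in parse_ndp(ndp_text)
                   if entry_mac == want and entry_if == netif
                   and (include_link_local or not ip.is_link_local)})

def table_delta(current, wanted):
    """(to_add, to_remove) that brings one client's zone table entries in sync."""
    current, wanted = set(current), set(wanted)
    return sorted(wanted - current), sorted(current - wanted)
```

A client using SLAAC privacy extensions shows up here as several addresses for one MAC, which is the multiple-address case the request raises.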