Skip to content

Captive Portal: IPv6 support #8761

@swhite2

Description

@swhite2

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Is your feature request related to a problem? Please describe.

It would be nice for IPv6-only or dual-stack networks to be able to use the captive portal system as well. Currently only IPv4 is supported.

Describe the solution you like

No functional changes on the user-facing Captive Portal administration end, just automatic compatibility with IPv6.

Technically, the impact would be as follows:

  • The captive portal web interface should bind to ::1 as well.
  • Redirection should take place to ::1.
  • The current firewall rules already handle IPv4 and IPv6 correctly (except for redirection).
  • Authentication should account for NDP entries as well, matching on MAC address and inserting the relevant IPv6 address(es) in the zone pf table.
  • The background process synchronizing the zones must have an accurate reflection of the NDP table at all times, which may be quite expensive as this table can grow a lot larger than the ARP table. In an ideal scenario one should be able to subscribe to NDP state changes, but it as yet unclear whether this is possible.
  • Ethernet accounting rules must match on 0x86DD. Initial experiments show some IPv6 traffic matching on 0x0800 (IPv4) as well, producing some garbage entries which may unnecessarily grow (and slow down) the accounting output.
  • Usage of multiple IPv6 addresses on clients can be problematic, see note below.
  • Other unkowns.

Enabling users to use multiple IP addresses on the same client should be considered as well (although perhaps optionally as a toggle). This is relevant for both IPv4 (virtual IPs) and IPv6, however, this scenario is more common in IPv6 with the option of privacy extensions on SLAAC, which may keep old IPv6 addresses active and actively used by clients.

Describe alternatives you considered

N/A

Additional context

Initial work provided in https://github.com/opnsense/core/tree/cp_ipv6

Metadata

Metadata

Assignees

Labels

featureAdding new functionality

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions