Conversation

Contributor

@agoodkind agoodkind commented Jan 3, 2026

Captive Portal only supported IPv4 authentication, leaving IPv6 traffic blocked after authentication. This blocked dual-stack clients from accessing IPv6 resources.

The system only parsed ARP tables for IPv4 and didn't query IPv6 neighbor discovery. As noted, NDP isn't reliable for captive portal due to limited performance and short entry lifetimes.

This PR integrates hostwatch (when enabled) as the primary source for IPv6 address discovery in captive portal, addressing NDP's limitations. The ARP class checks if hostwatch is enabled and uses list_hosts.py for both IPv4 and IPv6 discovery, falling back to direct arp -an/ndp -an when hostwatch is disabled. allow.py adds all discovered addresses immediately on authentication, and the background process preserves IPv6 addresses added via MAC lookup.

Fixes: #8761

- Show IPv4 and IPv6 addresses in IP Address column
- Aggregate traffic statistics across all IPs for a session
- Add tooltip to display full IP addresses when truncated
- Update accounting to include traffic from all associated IPs
…tack support

- Resolved conflicts in captiveportal.inc: Use upstream's getValues() method while keeping IPv6 rules
- Resolved conflicts in AccessController.php: Merged upstream's hostwatch dump with our IPv6 NDP fallback
- Resolved conflicts in clients.volt: Use upstream's zone selection placement while keeping tooltip initialization
- Resolved conflicts in pf.py: Preserved IPv6 protocol handling (0x86dd) and accounting methods
- Resolved conflicts in db.py: Merged our aggregation logic with upstream's prev_* fields for counter reset detection
- Resolved conflicts in cp-background-process.py: Adapted dual-stack MAC handling to use upstream's helper methods

All IPv6 dual-stack functionality is preserved while incorporating upstream improvements.
@AdSchellevis
Member

@agoodkind I haven't looked at your PR yet, but one of the reasons we added our new hostwatch (which will be included in 26.1, https://github.com/opnsense/hostwatch) is captive portal on IPv6. You can't really use ndp reliably because of the limited performance and low lifetime of entries.

I expect we will schedule captive portal on IPv6 for 26.7, but the roadmap hasn't been finished yet (all focus on 26.1 first).
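
The fallback path discussed in this thread (reading `arp -an` and `ndp -an` directly when hostwatch is disabled) can be sketched as follows. This is an added example, not code from the PR or from OPNsense: the function names `neighbours` and `session_addresses` are hypothetical, the sample tables are constructed in the FreeBSD output layout, and hostwatch's own output is not modelled because the page does not show it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample output (FreeBSD `arp -an` / `ndp -an` layout), not from a real host.
ARP_AN = """\
? (192.0.2.10) at 00:11:22:33:44:55 on em1 expires in 1173 seconds [ethernet]
? (192.0.2.11) at (incomplete) on em1 expired [ethernet]
? (192.0.2.12) at 66:77:88:99:aa:bb on em1 expires in 600 seconds [ethernet]
"""
NDP_AN = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
2001:db8::10                         00:11:22:33:44:55    em1 23s       R
fe80::211:22ff:fe33:4455%em1         00:11:22:33:44:55    em1 23s       R
2001:db8::99                         (incomplete)         em1 expired   N
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}$", re.I)
ARP_RE = re.compile(r"^\? \((\S+)\) at (\S+) on ")

def neighbours(arp_out, ndp_out):
    """Return {mac: set of validated address strings} merged from both tables."""
    table = defaultdict(set)
    pairs = [m.groups() for m in map(ARP_RE.match, arp_out.splitlines()) if m]
    for line in ndp_out.splitlines()[1:]:           # skip the ndp header row
        cols = line.split()
        if len(cols) >= 2:
            pairs.append((cols[0], cols[1]))
    for addr, mac in pairs:
        if not MAC_RE.match(mac):                   # drops "(incomplete)" entries
            continue
        try:
            ip = ipaddress.ip_address(addr.split("%")[0])  # strip the zone id
        except ValueError:
            continue                                # never pass unparsed text to the firewall
        table[mac.lower()].add(str(ip))
    return table

def session_addresses(client_ip, table):
    """All addresses sharing a MAC with the authenticated client, IPv4 first."""
    for addrs in table.values():
        if client_ip in addrs:
            return sorted(addrs, key=lambda a: (ipaddress.ip_address(a).version, a))
    return [client_ip]  # no resolved neighbour entry: allow only the authenticated IP
```

A neighbour entry that has expired or is still incomplete yields no IPv6 address for the session, which is the gap the hostwatch integration is meant to close.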


Development

Successfully merging this pull request may close these issues.

Captive Portal: IPv6 support

2 participants