@jknott said in 23.01 DUID question - I can't spoof my way to a new prefix:

@mfld

This is the opposite problem of what some others have.

That's the story of my life, brother 😆

I specialize in bizarre tickets.

The reason I want a new prefix is that this one directly resolves to the actual MAC address of the CPE and the OUI on this one is very specific. I'd rather obfuscate. Just out of habit.

I did uncheck that option (meaning yes absolutely release the PD on restart) but they still send the same prefix.

It may need to be offline for a bit. Maybe they tie it to the pppoe credential for a period of time and a reboot is too short.

I called them to ask if their policy changed and the prefixes are static now but they assured me that it's still a /64 only and it's definitely dynamic.

@johnpoz said in What If ISP can only provide a /64:

The point is that you can subnet a /64.

Um not according the the specification - breaking up a /64 is going to be problematic for sure..

If everyone stuck to the specifications and best practice then there would be zero need to have such conversations.

To be clear, I'm not an advocate of splitting up a /64 and certainly not an advocate of anyone receiving just a /64 or worse, not being served by IPv6 at all. None of these limitations are applicable to my situation either. This is just a conversation for those stuck in the gap between what should be happening and what is actually happening when stupid strikes.

☕️

@robbiett Great information. I will definitely look into this, as i am still new to all this.

You might compare the content in /var/dhcpd/var/db/dhcpd6.leases when it works and when it doesn't. See if maybe there is a particular lease present when it fails to parse, or check the file size when it works vs when it doesn't.

@dobby_
Thanks, switches aren't the issue (I have several). I'm just trying to minimize electricity costs. At $0.50/kWh it adds up.

solved, wasn't a pfsense issue

@wentoo

Do you get a bigger prefix than /64 from your ISP? If so, you have to split off some chunk of it for a downstream router to further split. You can use a manual configuration for the link between pfSense and the next router and not worry about using DHCPv6-PD there.

As I mentioned above, you can split a /64, but not for a LAN, which must be a /64 for things to work right.

@jknott I know

@chase My wording isn't the best, glad you figured it out.

@arobase13 said in How to configure dhcp6 service?:

Only Android devices, don't seem to have ipv6.

Yep, as I mentioned above, some genius at Google decided Android users don't want to use DHCPv6. Use SLAAC on your LAN

@jordanp123 Likely related to this...

https://redmine.pfsense.org/issues/14072

@sn3akerz glad you got it sorted.. So you weren't crazy heheh..

So far I've been unable to wrap my head around a firewall rule to block this.

Kind of hard to block something at the firewall if its not going over the firewall ;)

@jbannister

SLAAC .... NPT ....
Never used these, as they are 'not needed' ( ? )

I followed the pfsense documentation as mentioned above, and was a happy IPv6 user for many years.

I advise you to validate the pfsense documentation. There is no SLAAC, even as it promises beautiful things. No NPT.
This boils down to : set up a DHCPv6 server on every LAN - with a pool, so you can static DHCP map, as the old DHCPv4 days, your devices.

I'm saying this with any in depth knowledge, but : as soon as I read NPT, there are issues .... so, it must be a complex thing.
And I tend to keep things "simple", especially my Ethernet networks and everything that is related to it.

@jasonreg

I used the first GUA that appeared in the list.