• IPv6 and HE certification web server question

    24
    0 Votes
    24 Posts
    3k Views
    JKnottJ

    @johnpoz said in IPv6 and HE certification web server question:

    Still got some Grateful Dead shirts from concerts 30 years ago though - she better never donate those!!!

    She might use them as cleaning rags though! 😉

    I went to an Emerson, Lake and Palmer concert in 1973! Didn't get any shirt though. 😭

  • RADVD error on ue0

    1
    0 Votes
    1 Posts
    129 Views
    No one has replied
  • DUID and IPv6 - static IP mapping best practice

    19
    0 Votes
    19 Posts
    2k Views
    JKnottJ

    @CatSpecial202 said in DUID and IPv6 - static IP mapping best practice:

    @JKnott thanks. that is cool. I'm going to keep experimenting.

    A very useful tool for that is Wireshark.

  • transmit failed: Permission denied

    4
    0 Votes
    4 Posts
    390 Views
    C

    @SteveITS Thank you that was it! I would upvote but it says I need 5 rep to do that..

  • Delegate IPv6 subnet to only specific MAC addresses

    28
    0 Votes
    28 Posts
    3k Views
    S

    @Bob-Dig said in Delegate IPv6 subnet to only specific MAC addresses:

    is your Prefix really static or is it not

    Comcast labels the /56 "static" in a business account portal but how it is delivered to the router I don't know. The last router swap was all auto-configured, the guy just stood there for a few minutes waiting for it to pull its settings.

    The problem is 1) what subnet block gets delegated to the inner router, and inner router's LAN, changes when redelegating happens (if the route inward is lost and I start over trying to fix it), and 2) if I set them up as static in the pfSenses, AFAICT the Comcast router doesn't know where to route the innermost subnet...and its GUI only allows IPv4 static routes, and 3) if delegated automatically sometimes the building pfSense still doesn't create a static route.

    So ideally I could set it up automatically and only have our one "inner" router get IPv6, and my hope would be routing is auto-configured, but I don't seem to be able to do that without other "inner" routers getting IPv6.

    And if I didn't say above, the reason we need to do that is to allow access only to paying tenants, and to set bandwidth limits accordingly.

    One possibility (?) is that the building router reacquires IPv6 when the Comcast router boots, but the inner/office router doesn't request delegation because it was already configured and doesn't know it needs to?

    I spent quite a bit of time yesterday trying to figure out how to find the DUID that will be used on pfSense. "od -h /var/db/dhcp6c_duid" will show it, with the bytes reversed ("8550" = "50:85").

    System > Advanced > Networking has a "DHCP6 DUID" dropdown but on this router if I choose Raw and enter in a DUID, and save the page, it changes my choice to DUID-LLT. I can use DUID-LL and enter a MAC but the output of "od" above includes extra output when I do that, which was confusing. (eventually had to enable DHCP6 debug mode on that page, and restart, to see it in the logs)

    And then after all that I still found another router had acquired an IPv6 IP+delegation so had to turn that off again.

    All I need is for the static route on the building pfSense to not disappear and I think it should work.

    </mini-rant>

  • 0 Votes
    9 Posts
    1k Views
    J

    @grantems IPv6 has mechanisms to do this that I don't quite understand. I think a bunch of it comes down to DNS. Your DNS resolver should resolve IP addresses that are accessible from the requesting computer. For internal services, this is the private address. Of course this becomes an issue if you, for example, want a computer to be found on the internet, but only allow certain traffic in whereas from the private network all is allowed in. If you route mDNS between subnets, I think it should resolve private addresses, but I'm not sure how it works.

    To add private IP addresses without changing anything, add RA subnets in router advertisements.

  • Cannot enable the "Allow IPv6" setting

    9
    0 Votes
    9 Posts
    1k Views
    O

    @Gertjan Correct.

  • IPv6, VLANs and Android...

    20
    0 Votes
    20 Posts
    2k Views
    F

    @JKnott
    Because it doesn't fit my requirements. It's not what I want to do, and doesn't achieve what I need.
    For my needs, the disadvantages of different SSIDs outweigh the benefits, since everything but Android works, that's a solution for me at this time.

  • Google and Malicious behavior messages when HE tunnel running

    7
    0 Votes
    7 Posts
    697 Views
    JonathanLeeJ

    @SteveITS I have it set to only resolve A records and not AAAA for Google but every once in a while the proxy adds an AAAA back in and Google goes hiatus. It is like unbound mixes one up, Netflix also around 2 hours it thinks I have a tunnel again and it is resolving AAAA for a bit.

  • CloudFlare Dynamic DNS with IPv6

    4
    0 Votes
    4 Posts
    723 Views
    K

    Figured out my own issue. For any particular Dynamic DNS entry, it only updates one IP address. One has to clone the existing IPv4 entry, then use the "Service Type" pull down, to select the IPv6 version of that service. Other than that, the remaining settings (i.e. hostname, API key, etc) all stay the same.

    Would have been nice if someone could have just said that... instead of responding with snark...

  • WTF Starlink - you could warn your clients

    2
    0 Votes
    2 Posts
    318 Views
    provelsP

    @m0k2001 Don't bother Elno. He's busy being co-President.

  • Setting up IPv6 on my Netgate

    22
    0 Votes
    22 Posts
    2k Views
    JKnottJ

    @Gertjan said in Setting up IPv6 on my Netgate:

    The fe80 are like RFC1918

    Actually, unique local addresses are like RFC1918. You can pick whatever addresses you want within the ULA block and, like RFC1918 addresses, they are routeable, just not on the public Internet.

  • Setup NAT64 in pfSense

    49
    1 Votes
    49 Posts
    25k Views
    JeGrJ

    @jwt Definitely looking forward to it and be glad to test it out in first snapshots/betas that will have it. We can easily hook up a v6 only network in the lab (there should already be one) and give it a spin :)

  • DynDNS with IPv6

    14
    0 Votes
    14 Posts
    2k Views
    -flo- 0-

    @johnpoz
    How on earth did you come to these conclusions about my knowledge level?? Of course I know how to setup a CA in pfSense. I have a CA running just fine since years. Three hosts in my network use its server certificates. I know how to run multiple services as virtual hosts on one machine. I'm actually doing this on multiple machines (BSD and Linux) in my network. Of course I do use RFC 1918 addresses (who doesn't) and I'm totally aware of how I can assign private addresses.

    I just as well know how to configure a browser to not use DoH. But I won't reconfigure other users' browsers.

    You are correct in this assumption: I have no specific need for IPv6. Because I have as many public IP addresses as I need and I'm not forced to access any public services which are not available in IPv4. (I can't speak for my users of course.) This may however be the wrong mind set to look at IPv6 in general. This way IPv6 will probably never take the place it should have.

    I WAS wrong about names mandatory for http protocol, thanks for correcting this.

  • Toob (UK) IPV6 prefix settings

    21
    0 Votes
    21 Posts
    3k Views
    G

    @smaxwell2 I would suggest you start a new post as this is now off topic and not your post to begin with.

  • 0 Votes
    23 Posts
    4k Views
    P

    For anyone finding this in 2024, I had to enable "Multicast Enhancement" for the Unifi Wifi network AND I had to disable Hotspot 2.0. Only then did the Router Advertisements flow down to wifi clients. I was sitting in wireshark on a MacOS 14.6 laptop client and suddenly there was a flurry of traffic.

    Pro-tip: You may have to wait for the RA interval for the Unifi change to make a difference. Default is 200 seconds, you can change this in the RA Server settings. I set mine to 10 seconds then clicked the button to restart the RA server.

    This worked!


  • New ISP - WAN link local - expose VPN server via IPv6

    5
    0 Votes
    5 Posts
    313 Views
    G

    @JKnott That's true... I don't know what else to use. Never had this issue before. But if the IP from my LAN works, then I use that!

  • Router Advertisements not working as expected

    7
    0 Votes
    7 Posts
    593 Views
    M

    @patient0
    You were on the right track.
    After an additional nudge from Netgate support (going above and beyond), I changed PD from 62 to 56 and it's working now.

  • No IPv6 address assigned to VLAN interfaces

    2
    0 Votes
    2 Posts
    198 Views
    M

    Moderators: please delete this post
    I will follow-up in my original post

  • pfSense uses RFC 4191 RIO to push default route?

    1
    0 Votes
    1 Posts
    149 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.