Hi all,
I’m looking for advice/input on a DHCPv6 issue I’ve found with a Sony PS5 when using Kea on pfSense, whereby it doesn’t assign an IPv6 address to the client. I have a working workaround, but I’d like to understand whether this is expected behaviour, a pfSense/Kea issue, a PS5 client bug, or if there is a cleaner fix. I’m still going through a steep learning curve with IPv6, so it may be something I’m doing wrong.
Environment
• pfSense CE 2.8.1-RELEASE (Running as Proxmox VM)
• IPv4/IPv6 dual stack
• DHCPv6 backend: Kea
• Router Advertisements: Managed
• PS5 is on a VLAN along with other IPv6 clients that work fine with Kea.
• DHCPv6 used for IPv6 address assignment/static reservations
• Clients are allowed; this is not caused by “deny unknown clients”
• Problem persists regardless of whether DNS server address is provided by RA or DHCPv6.
• The PS5 obtains an IPv6 address immediately if I switch the backend to ISC.
I would prefer to keep Kea because I use some of its custom options to specify alternative DNS for some other clients on my main LAN. I have redacted MAC addresses / DUID identifiers and replaced my real IPv6 prefix.
The Issue
With Kea enabled, the PS5 receives a DHCPv6 Advertise, sends a Request, but Kea does not send a Reply. The PS5 then repeats the Request and never receives/configures the IPv6 address.
The Router Advertisement appears normal:
pfSense -> PS5: Router Advertisement
    Flags: managed, other stateful
    Prefix: 2001:db8:abcd:1234::/64
    Router lifetime: 1800
The PS5 then sends a DHCPv6 Solicit:
PS5 -> ff02::1:2.547: dhcp6 solicit
    client-ID hwaddr type 1 <redacted-client-mac>
    IA_NA IAID: <redacted>
    option-request DNS-search-list DNS-server
Kea responds with an Advertise:
pfSense/Kea -> PS5: dhcp6 advertise
    client-ID hwaddr type 1 <redacted-client-mac>
    server-ID hwaddr/time type 6 time <redacted-time> <redacted-server-identifier>
    IA_NA IAID: <redacted>
        IA_ADDR 2001:db8:abcd:1234::3
        preferred lifetime: 4500
        valid lifetime: 7200
    DNS-server 2001:db8:abcd:1234::1
    DNS-search-list home.arpa.
The PS5 then sends a Request, but the Server-ID is different:
PS5 -> ff02::1:2.547: dhcp6 request
    IA_NA IAID: <redacted>
        IA_ADDR 2001:db8:abcd:1234::3
    client-ID hwaddr type 1 <redacted-client-mac>
    server-ID hwaddr/time type 1 time <same-redacted-time> <same-redacted-server-identifier>
    option-request DNS-search-list DNS-server
The important difference is:
Kea Advertise:
    server-ID hwaddr/time type 6 time <time> <identifier>
PS5 Request:
    server-ID hwaddr/time type 1 time <same-time> <same-identifier>
After that, Kea sends no Reply. The PS5 repeats the Request with the same server-ID hwaddr/time type 1, and Kea continues not to reply.
Therefore, it looks like Kea is advertising a DUID-LLT server identifier with hardware type 6, but the PS5 echoes it back as hardware type 1.
My understanding is:
htype 1 = Ethernet
htype 6 = IEEE 802 Networks
Both appear to be valid hardware types, but I believe the DHCPv6 Server Identifier should be treated as an opaque identifier and echoed back exactly. I assume Kea is ignoring the Request because the Server Identifier in the Request no longer matches Kea’s own server DUID. I'm at (and honestly, past) the limit of my knowledge here though so I might be talking a load of rubbish.
Workaround
I added a global Kea DHCPv6 custom configuration to pin the Kea server-id to htype: 1.
In pfSense: Services > DHCPv6 Server > Settings > Custom Configuration:
{
  "server-id": {
    "type": "LLT",
    "htype": 1,
    "time": <same-time-value-as-existing-kea-duid>,
    "identifier": "<same-server-identifier-as-existing-kea-duid>"
  }
}
After applying that, everything works normally and pfSense assigns an IPv6 address to the PS5 via DHCP. I then set up a static address for it, it uses the assigned address and performs neighbour discovery normally.
Comparison with ISC
If I switch the DHCPv6 backend from Kea to ISC, the PS5 gets an IPv6 address without any special configuration. Therefore, the issue appears specific to the combination of:
• pfSense/Kea generated server-id using htype 6, and
• the PS5 changing/echoing that server-id back as htype 1
As soon as I change the backend back to Kea, the issue returns and it fails to obtain an address (neither dynamic nor static).
Questions
Is Kea using DUID-LLT with hardware type 6 expected/normal on pfSense, FreeBSD, virtual NICs, or VLAN interfaces?
Is the PS5 at fault here (although I couldn't find any evidence of this being a known PS5 IPv6 bug) for changing the Server-ID htype from 6 to 1, or is there any reason Kea/pfSense should be using 1 by default?
Is there a better/cleaner pfSense-supported way to pin the Kea DHCPv6 server-id, other than using global Kea custom configuration?
Could this be considered a pfSense/Kea integration issue? Is this worth raising as a pfSense bug?
Are there any long-term downsides to pinning the Kea DHCPv6 server-id to DUID-LLT htype: 1?
I’d appreciate any input because, as stated above, I’m at the very limit of my knowledge on IPv6 and feel a bit out of my depth trying to problem solve. Maybe at least this will help someone, as I do have a working solution; I just don't fully understand why or how!
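
The mismatch described in the post, as an added example (not part of the original post and not Kea or pfSense code): it decodes two DUID-LLT values, shows that only the hardware type field differs, that a byte-for-byte Server Identifier comparison therefore fails, and builds the same `server-id` stanza as the workaround. The DUID values and function names are constructed for illustration.

```python
import struct

DUID_LLT = 1  # RFC 8415 s.11.2: 2B type, 2B hardware type, 4B time, link-layer addr

# Constructed sample DUIDs (not from the post): identical time and identifier,
# htype 6 as the server advertises it, htype 1 as the client echoes it back.
ADVERTISED = "00:01:00:06:2f:00:00:01:00:00:5e:00:53:01"
ECHOED = "00:01:00:01:2f:00:00:01:00:00:5e:00:53:01"


def parse_duid_llt(text):
    """Decode a colon-separated hex DUID-LLT into its fields."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) < 9:
        raise ValueError("too short for a DUID-LLT")
    duid_type, htype, time = struct.unpack("!HHI", raw[:8])
    if duid_type != DUID_LLT:
        raise ValueError("not a DUID-LLT (type %d)" % duid_type)
    return {"htype": htype, "time": time, "identifier": raw[8:].hex(), "raw": raw}


def server_id_matches(own, received):
    """A DUID is opaque: a server compares the whole byte string, so a change
    in any field (here htype) makes the Request look addressed to another server."""
    return parse_duid_llt(own)["raw"] == parse_duid_llt(received)["raw"]


def differing_fields(a, b):
    """Name the DUID-LLT fields that differ between two DUIDs."""
    pa, pb = parse_duid_llt(a), parse_duid_llt(b)
    return [k for k in ("htype", "time", "identifier") if pa[k] != pb[k]]


def kea_server_id(existing_duid, htype=1):
    """Build the workaround stanza: keep time and identifier, pin htype.
    identifier is written as hex digits without separators."""
    d = parse_duid_llt(existing_duid)
    return {"server-id": {"type": "LLT", "htype": htype,
                          "time": d["time"], "identifier": d["identifier"]}}


if __name__ == "__main__":
    import json
    print("match:", server_id_matches(ADVERTISED, ECHOED))
    print("differs in:", differing_fields(ADVERTISED, ECHOED))
    print(json.dumps(kea_server_id(ADVERTISED), indent=2))
```
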