Major problem with DHCPv6 static mappings
-
@chrisjenk Your problem piqued my curiosity... I do have IPv6 implemented in a few networks, and while I've yet to run into the problem you describe, I did test out your claim, and indeed, my Windows 10 laptop has a DUID that is the same on all interfaces (one wired, and two wireless); only the IAID differs, so it appears to be a legitimate concern. Of note, a similar problem arises when machines are cloned from a golden image: they all end up with the same DUID!
According to the spec, the DUID is generated ONCE, at machine creation, and never changed again. Windows uses DUID-LLT, which includes a time (when Windows was installed) and the MAC address of one interface. Different OS vendors may of course implement this in different ways. Ultimately though, the problem appears to lie within the ISC DHCP server that is used in pfSense.
On the surface it seems that ISC's DHCPv6 implementation has neglected a way to specify the IAID part in a reservation. Your specific use case does come up in a handful of hits while searching for this, but it appears to be by no means common; either that, or very few people are aware, or they are using Windows Server's DHCPv6 implementation, which supports IAID. RFC 3315 makes it clear that an IAID,DUID tuple is needed to >>uniquely<< identify an interface of a client. Link here
DHCPv4 reservations have worked well for most use case scenarios, and in comparison, one gets the feeling that the DHCPv6 reservations mechanism was over-engineered to cover just about any imaginable use case, and consequently is confusing.
pfSense's DHCP server doesn't pretend to be all things to all users; in the end, you may need to run a separate DHCP server to get around the issue.
Lastly, when digging around for info on this issue, I did see that ISC has developed a new, more modern DHCP server, called Kea. It does appear to support IAIDs, at least for prefixes, or that's what I could find, in the format ipv6prefix@iaid. Maybe it also works for single IPs. Anyway, a moot point since that's not what is in pfSense.
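The DUID-LLT layout and the (DUID, IAID) tuple the post above refers to, worked through as an added example (this is not code from the thread, from ISC or from pfSense). It builds a DUID-LLT per RFC 3315 section 9.2 for a constructed laptop with three interfaces, then compares a toy reservation table keyed on the DUID alone against one keyed on (DUID, IAID). The MAC address, install time, IAID values and addresses are all made up for the demo; the IAID allocation in particular is arbitrary and not how any specific OS assigns them.

```python
"""Added example: DUID-LLT per RFC 3315 s9.2, and why a DHCPv6 reservation
keyed on the DUID alone cannot tell two interfaces of one host apart.
All MACs, dates, IAIDs and addresses are constructed for the demo."""
import struct
from datetime import datetime, timedelta, timezone

DUID_LLT = 1          # DUID type 1: link-layer address plus time
HW_ETHERNET = 1       # IANA hardware type for Ethernet
RFC3315_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)
# Constructed "OS install time" used as the DUID-LLT timestamp in the demo.
SAMPLE_INSTALL = datetime(2021, 3, 14, 12, 0, tzinfo=timezone.utc)


def make_duid_llt(mac: str, created: datetime, hw_type: int = HW_ETHERNET) -> bytes:
    """DUID-LLT: type(2) | hw type(2) | seconds since 2000-01-01 UTC mod 2^32 (4) | link-layer address."""
    secs = int((created - RFC3315_EPOCH).total_seconds()) & 0xFFFFFFFF
    ll_addr = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    return struct.pack("!HHI", DUID_LLT, hw_type, secs) + ll_addr


def parse_duid_llt(duid: bytes):
    """Inverse of make_duid_llt; returns (hw_type, mac, created) and rejects other DUID types."""
    duid_type, hw_type, secs = struct.unpack("!HHI", duid[:8])
    if duid_type != DUID_LLT:
        raise ValueError(f"not a DUID-LLT (type {duid_type})")
    mac = ":".join(f"{b:02x}" for b in duid[8:])
    return hw_type, mac, RFC3315_EPOCH + timedelta(seconds=secs)


class Reservations:
    """Toy DHCPv6 reservation table (hypothetical, not any real server's data model).
    key_on_iaid=True keys on the (DUID, IAID) tuple RFC 3315 uses to identify an
    interface; False keys on the DUID alone, the limitation the post discusses."""

    def __init__(self, key_on_iaid: bool):
        self.key_on_iaid = key_on_iaid
        self._table = {}

    def _key(self, duid: bytes, iaid: int):
        return (duid, iaid) if self.key_on_iaid else duid

    def add(self, duid: bytes, iaid: int, addr: str) -> bool:
        """False (first entry kept) when the key is already taken."""
        key = self._key(duid, iaid)
        if key in self._table:
            return False
        self._table[key] = addr
        return True

    def lookup(self, duid: bytes, iaid: int):
        return self._table.get(self._key(duid, iaid))


def demo() -> dict:
    """One laptop, three interfaces, one DUID (first NIC's MAC + install time),
    a distinct constructed IAID per interface. Reservations are wanted for
    eth0 and wlan0 only."""
    laptop = make_duid_llt("00:11:22:33:44:55", SAMPLE_INSTALL)
    iaids = {"eth0": 0x00000001, "wlan0": 0x00000002, "wlan1": 0x00000003}
    wanted = {"eth0": "2001:db8::10", "wlan0": "2001:db8::11"}

    results = {}
    for name, keyed in (("duid_only", False), ("duid_iaid", True)):
        table = Reservations(key_on_iaid=keyed)
        accepted = {ifc: table.add(laptop, iaids[ifc], addr) for ifc, addr in wanted.items()}
        # What each interface would be offered when it sends its own IAID.
        offered = {ifc: table.lookup(laptop, iaid) for ifc, iaid in iaids.items()}
        results[name] = {"accepted": accepted, "offered": offered}
    return results


if __name__ == "__main__":
    for mode, r in demo().items():
        print(mode, r)
```

With DUID-only keying the second reservation is rejected and every interface of the laptop, including wlan1 which has no reservation at all, matches the eth0 entry; the same collision appears between two cloned machines that share a DUID. Keying on the tuple gives each interface its own entry and leaves wlan1 with none.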
-
@awebster Thanks for confirming my suspicion. This is quite disappointing given how good pfSense seems to be in most other areas. I could, as you say, try to run a separate DHCPv6 server, but frankly one of the reasons I bought my SG-3100 was to consolidate all of the network management stuff into a single 'best of breed' appliance. I don't want to have to start downloading/building/maintaining another piece of software to overcome this one shortcoming.
I guess I need to find out how to log a bug / feature request against pfSense.
-
@jknott said in Major problem with DHCPv6 static mappings:
Also, do you need DHCPv6? Android devices won't work with it. You can thank some "genius" at Google for that one.
What do you mean by that?
-
@chrisjenk said in Major problem with DHCPv6 static mappings:
That's fine if there is only ever one interface active on the host at any time, but this is rarely the case.
Is it though? I would say it is the overwhelming case.
But you are right, if you got two on the same network, then DHCPv6 is only working for one.
-
@bob-dig As I explained, it isn't the overwhelming case at all in some scenarios; here at home for example it is the common case. Probably less so in a more enterprisey setup. Also, even in this case DHCPv6 works fine unless you use static mappings. Sadly, I really want to use static mappings for a segment of my client population.
This is clearly a deficiency in pfSense DHCPv6 support (one might call it a bug).
-
@bob-dig said in Major problem with DHCPv6 static mappings:
What do you mean by that?
Android devices don't support DHCPv6. This was a decision by someone on the Android team at Google.
-
Don't most operating systems disable WiFi if Ethernet is enabled and on the same subnet?
-
@jknott said in Major problem with DHCPv6 static mappings:
Android devices don't support DHCPv6. This was a decision by someone on the Android team at Google.
You're right. Should have checked my phone first.
-
@nogbadthebad If by 'most' you mean Windows then yes (so I am informed). Neither Linux nor macOS do so however. There is no reason to do so after all (unless your DHCP server has incorrectly handed out the same IP address to both interfaces!).
-
@nogbadthebad said in Major problem with DHCPv6 static mappings:
Don't most operating systems disable WiFi if Ethernet is enabled and on the same subnet?
No, *nix use "metric" to decide. The lowest metric is selected. For example, my ThinkPad is connected via both Ethernet and WiFi to my LAN. Here's what it shows:
ip route show
default via 172.16.0.1 dev eth0 proto dhcp metric 100
default via 172.16.0.1 dev wlan0 proto dhcp metric 600
172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.42 metric 100
172.16.0.0/24 dev wlan0 proto kernel scope link src 172.16.0.40 metric 600
Since Ethernet has a 100 metric and WiFi 600, Ethernet will be used.
This is basic routing, and all the routing protocols use a metric for the routes to pick the best one. For example, the obsolete Routing Information Protocol (RIP) used hop count. So a single hop would have a lower metric than a 2 hop route and be selected. More sophisticated routing protocols, such as OSPF or EIGRP, use more advanced metrics that can also include things like bandwidth and more.
A bit of history: IP was created on BSD Unix at the University of California, Berkeley, and the Internet is pretty much built on various Unix variants, including Linux, and even Cisco has used Unix or Linux in routers.
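The metric-based selection described in the post above, as an added example that is not code from the thread: a small parser for `ip route show` lines and a picker that returns the route the kernel prefers for a destination, i.e. the candidate with the lowest metric. The sample text is constructed to match the four lines quoted above; the flip-the-metrics step is added to show the choice follows the numbers, not the interface type.

```python
"""Added example: parse `ip route show` output and pick the lowest-metric
route for a destination. SAMPLE is constructed to mirror the post's output."""
KEYED_FIELDS = {"via", "dev", "proto", "scope", "src", "metric", "table"}


def parse_route(line: str) -> dict:
    """First token is the destination; the rest are keyword/value pairs plus
    bare flags (e.g. 'linkdown'). `ip` omits the metric when it is 0."""
    tokens = line.split()
    route = {"dst": tokens[0], "metric": 0, "flags": []}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in KEYED_FIELDS and i + 1 < len(tokens):
            route[tok] = int(tokens[i + 1]) if tok == "metric" else tokens[i + 1]
            i += 2
        else:
            route["flags"].append(tok)
            i += 1
    return route


def parse_routes(text: str) -> list:
    return [parse_route(line) for line in text.splitlines() if line.strip()]


def preferred_route(routes, dst: str = "default"):
    """Among routes to dst the lowest metric wins; ties keep the first listed.
    Returns None when there is no route to dst at all."""
    candidates = [r for r in routes if r["dst"] == dst]
    return min(candidates, key=lambda r: r["metric"], default=None)


# Constructed sample: a host on both Ethernet (metric 100) and WiFi (metric 600).
SAMPLE = """\
default via 172.16.0.1 dev eth0 proto dhcp metric 100
default via 172.16.0.1 dev wlan0 proto dhcp metric 600
172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.42 metric 100
172.16.0.0/24 dev wlan0 proto kernel scope link src 172.16.0.40 metric 600
"""


def demo():
    """Returns (device used for the default route, device used once the
    metrics are swapped so WiFi is preferred)."""
    routes = parse_routes(SAMPLE)
    best = preferred_route(routes)
    swapped = [dict(r, metric={"eth0": 600, "wlan0": 100}[r["dev"]]) for r in routes]
    return best["dev"], preferred_route(swapped)["dev"]


if __name__ == "__main__":
    print(demo())
```

The parser is deliberately token-based rather than a fixed regex because `ip` prints fields in varying order and adds bare flags; anything it does not recognise lands in `flags` instead of breaking the parse.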
-
A bit of history: IP was created on BSD Unix at the University of California, Berkeley, and the Internet is pretty much built on various Unix variants, including Linux, and even Cisco has used Unix or Linux in routers.
Yup, I'm old enough to remember installing the Unipalm TCP/IP stack onto DOS PCs as well as Windows.
-
I never had occasion to use IP on DOS. Back in those days, we had Netware at work and I recall modifying config.sys and autoexec.bat to run it. NET3 & NETX come to mind. I didn't deal with IP until I got my own connection and was running OS/2. Then, at IBM, I worked with IP, SNA and NetBIOS on token ring.