Netgate Discussion Forum

    IPv6 and internal DNS registration

    Category: IPv6. 53 Posts, 4 Posters, 17.4k Views
    • JKnott @Jim-bob-the-grand

      @jim-bob-the-grand

      First off, you'd normally use SLAAC, not DHCPv6 on the LAN. With SLAAC you should have at least a consistent address, often based on the MAC. You may also have up to 7 "privacy" addresses, where you get a new one every day. You point the DNS at the consistent address, just as you would with IPv4.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • Jim-bob-the-grand @JKnott

        @jknott Thanks for your suggestion, I have thought of doing this and/or using a site local static address to complement public IPv6 addresses, it does seem to work for static stuff if I understand correctly. But it still involves manually setting entries in the resolver?

        This surely isn't the only way? How does this help with clients and mobile devices or other random VMs/containers I fire up all the time?

        For example, I see in Netflow through Elasticsearch that an IPv4 address is doing some stuff, I can do a reverse lookup easily to see what that device is. With IPv6, I have no mechanism to find which device on the network needs looking into?

        • JKnott @Jim-bob-the-grand

          @jim-bob-the-grand

          First off, site local addresses are obsolete. They have been replaced with Unique Local Addresses, which start with fc or fd. Yes, you can use ULA by adding a prefix to the Router Advertisements page. Start the prefix with fc or fd and fill out the rest of the 64 bits with some random number. Use a /64 subnet size. Devices on the LAN will then have a consistent ULA address and probably privacy addresses, in addition to the GUA addresses.


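          The ULA prefix JKnott describes (fd, then random bits, a /64 per LAN) follows RFC 4193, which lays out the /48 as an 8-bit fd, a 40-bit random Global ID and a 16-bit Subnet ID. The following is an added example, not code from this thread or from pfSense, that builds such a prefix with the Python standard library and classifies a host's addresses so you can tell which one to publish in internal DNS; the Global ID, subnet number and sample addresses are constructed for illustration.

```python
"""Build an RFC 4193 Unique Local Address (ULA) /64 and classify IPv6 addresses.

Added example, not code from the forum thread or from pfSense. Uses only the
Python standard library; Global ID and address values are constructed.
"""
from __future__ import annotations

import ipaddress
import secrets

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")    # all ULA space
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")    # locally assigned ULA (L bit set)
GUA_BLOCK = ipaddress.IPv6Network("2000::/3")    # global unicast
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def make_ula_prefix(global_id: bytes | None = None, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """Return fdGG:GGGG:GGGG:SSSS::/64 for a 40-bit Global ID and 16-bit Subnet ID.

    RFC 4193 defines the locally assigned /48 as 'fd' (8 bits), a random
    40-bit Global ID, then a 16-bit Subnet ID. Reuse one Global ID for every
    VLAN at a site so all of them share a single /48.
    """
    if global_id is None:
        global_id = secrets.token_bytes(5)     # 40 fresh random bits
    if len(global_id) != 5:
        raise ValueError("global_id must be exactly 5 bytes (40 bits)")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet_id must fit in 16 bits")
    top64 = (0xFD << 56) | (int.from_bytes(global_id, "big") << 16) | subnet_id
    # Shift the routing prefix into the high half; the low 64 bits (the
    # interface identifier) stay zero, as a /64 network address requires.
    return ipaddress.IPv6Network((top64 << 64, 64))


def classify(addr: str) -> str:
    """Label an address as link-local, ula, global or other."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA_BLOCK:
        return "ula"
    if a in GUA_BLOCK:
        return "global"
    return "other"


def pick_dns_target(addresses: list[str]) -> str | None:
    """Choose which of a host's addresses to publish in internal DNS.

    Prefers the ULA (it survives an ISP prefix change), then a global
    address, and never a link-local one.
    """
    by_kind = {classify(a): a for a in addresses}
    return by_kind.get("ula") or by_kind.get("global")


if __name__ == "__main__":
    # Constructed Global ID so the output is reproducible.
    lan = make_ula_prefix(bytes.fromhex("0123456789"), subnet_id=1)
    print("LAN ULA prefix for the RA page:", lan)
    host = ["fe80::1", "2001:db8::10", str(lan[0x10])]
    for a in host:
        print(a, "->", classify(a))
    print("publish in DNS:", pick_dns_target(host))
```

          The prefix string returned by make_ula_prefix is what goes into the Router Advertisements subnet field; pick_dns_target mirrors the advice in the thread to point internal DNS at the stable address rather than a privacy address.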
          • Bob.Dig @Jim-bob-the-grand

            @jim-bob-the-grand For Internal DNS you can use the DHCPv6 Server with Static Mappings. The hostname you provide there is your internal DNS (together with home.arpa for example for FQDN).
            With dynamic prefixes you only define the host part in Static Mappings e.g.

            ::1:2:3:4
            
            • JKnott @Bob.Dig
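            Bob.Dig's point is that a static mapping can carry only the host part (::1:2:3:4) and the current delegated prefix supplies the rest, so the mapping survives a prefix change. The following is an added example, not code from this thread or from pfSense, that combines a prefix with such a host part, derives the AAAA and ip6.arpa PTR records a resolver would hold, and runs the reverse lookup Jim-bob-the-grand wants for Netflow data; the prefixes, hostnames and the home.arpa domain are constructed for illustration.

```python
"""Combine a delegated /64 with a host-only static mapping and derive DNS records.

Added example, not code from the forum thread or from pfSense. Prefixes,
hostnames and the home.arpa domain are constructed.
"""
from __future__ import annotations

import ipaddress


def host_part_to_address(prefix: str, host_part: str) -> ipaddress.IPv6Address:
    """Combine a delegated /64 with a host-only suffix such as '::1:2:3:4'."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    iid = int(ipaddress.IPv6Address(host_part))
    if iid >> 64:
        raise ValueError("host part must fit in the low 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def dns_records(hostname: str, domain: str, prefix: str, host_part: str) -> dict[str, tuple[str, str]]:
    """Forward and reverse records for one static mapping under the given prefix."""
    addr = host_part_to_address(prefix, host_part)
    fqdn = f"{hostname}.{domain}."
    return {
        "AAAA": (fqdn, str(addr)),
        "PTR": (addr.reverse_pointer + ".", fqdn),
    }


def build_reverse_map(mappings: dict[str, str], prefix: str) -> dict[ipaddress.IPv6Address, str]:
    """address -> hostname for every static mapping, under the current prefix."""
    return {host_part_to_address(prefix, hp): name for name, hp in mappings.items()}


def who_is(address: str, reverse_map: dict[ipaddress.IPv6Address, str]) -> str | None:
    """Reverse-resolve an address seen in flow data; None if it was never mapped."""
    return reverse_map.get(ipaddress.IPv6Address(address))


if __name__ == "__main__":
    # Constructed static mappings: only the host part is stored.
    mappings = {"nas": "::1:2:3:4", "printer": "::a:b:c:d"}
    old_prefix = "2001:db8:abcd:1::/64"
    new_prefix = "2001:db8:ffff:2::/64"   # the ISP rolled the delegation

    for prefix in (old_prefix, new_prefix):
        print(prefix, dns_records("nas", "home.arpa", prefix, mappings["nas"]))

    rmap = build_reverse_map(mappings, new_prefix)
    # A mapped host resolves; a SLAAC privacy address (constructed) does not.
    for seen in ("2001:db8:ffff:2:1:2:3:4", "2001:db8:ffff:2:8d3a:1c2f:77e0:9b41"):
        print(seen, "->", who_is(seen, rmap))
```

            The last lookup shows the limit Bob.Dig states later: only hosts an administrator mapped get a name, while a SLAAC privacy address has no entry and comes back as unknown.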

              @bob-dig

              Will that also work with SLAAC? Some here have a problem where their prefix changes. Mine doesn't so I have no problem using the full address.


              • Bob.Dig @JKnott

                @jknott No, Static Mappings is a DHCPv6 Server feature.

                • Jim-bob-the-grand @Bob.Dig

                  @bob-dig Thank you for the write up, I appreciate it.

                  If I understand correctly, this means I should be providing a static host portion to the client, but the client should still generate and route a host portion based on privacy extensions? This would be an acceptable solution for me in my lab.

                  But again, this does limit the recording of names to only those mapped by an administrator, is there no way to just log the names of devices not statically mapped like we do with IPv4?

                  I don't know the RFCs well enough to know if it should be recorded or if any software that wants it should do a discovery for the names of the devices.

                  • Bob.Dig @Jim-bob-the-grand

                    @jim-bob-the-grand I am with you, but it seems to be complicated. And also pfSense doesn't care about MAC-Addresses, but this probably would be a requirement to get full control back like we used to. 😀

                    • hmf @JKnott

                      @jknott Sorry to be a novice on an old topic, but...

                      I converted an old Windows domain (Server 2019) to use a new pfSense appliance. After transferring DHCPv6 to the appliance, the delegated v6 subnet worked like a charm, but specifying the Windows server DNS service in pfSense DHCPv6 caused 2 problems.

                      The important one is that the DNS server has a fixed (fd::) IPv6, given out by DHCPv6 for DNS, NTP, etc. I am not aware of how to get the server to also have a routable address, so it became an internet island. I had to enable IPv4 to get it onto the Internet.

                      In general, I think I still need to assign more than one IPv6 for the server, or can I depend on every client knowing how to deal with adding an implicit network to the host ID (on hosts with currently fixed IPs, like my old NetGear WiFi controller, and top-level inter-VLAN switch)?

                      PS: Off-topic, but the local DNS's TLD is "<domain>.local" since 1985. Do I dare fix that?

                      • JKnott @hmf

                        @hmf

                        First off, the Unique Local Addresses (ULA), which start with fc or fd, are routable. They're just not allowed on the Internet. Also, public addresses come from your ISP. Are they providing IPv6?


                        • hmf @JKnott

                          @jknott Thanks for replying. Yes, I misspoke, I meant not routable on the Internet. Yes, the prefix is being delegated from the ISP (Comcast) through Netgate DHCPv6.

                          • JKnott @hmf

                            @hmf

                            Do you not have public addresses on the LAN side? They start with a 2.


                            • hmf @JKnott

                              @jknott Of course; that is the purpose of the delegation. Let me try to rephrase the question:

                              I have a local DNS server. Its address must be fixed, since it is sent out to machines on the network via DHCPv6, along with public addresses (delegated by Comcast). Without being able to assign a delegated IPv6 to the DNS server in addition to the fixed IPv6 (I don’t know how to do this, anyway), the internet becomes inaccessible from the server.

                              How can I assign a fixed IP to the server? I can’t just pick one from the delegation if Comcast can roll (this has happened) my network into a new prefix and (after a period of about a week) stop routing traffic to the old prefix.

                              • JKnott @hmf

                                @hmf

                                You can use Unique Local Addresses on your LAN, in addition to the public addresses. That's what I do here, even though my prefix is solid.


                                • hmf @JKnott

                                  @JKnott

                                  Some Windows guru sent me this: "The key to using this feature is the new dhcpstaticipcoexistence parameter in netsh."

                                  Any more verbose Windows gurus know about this?

                                  • JKnott @hmf

                                    @hmf said in IPv6 and internal DNS registration:

                                    dhcpstaticipcoexistence

                                    I'm not sure that does what you think. It allows a static IP along with DHCP. However, you still need a prefix.


                                    • hmf @JKnott

                                      @jknott

                                      Thanks to @jmore...

                                      If anyone should happen upon this thread, the answer has to do with the fact that my 'NIC' is a team (LAG), and Windows does not set the right defaults. Here's what worked:

                                      netsh interface ipv6 set interface "8" dhcpstaticipcoexistence=enabled
                                      set-netipinterface -interfaceindex 8 -addressfamily ipv6 -dhcp enabled

                                      This allowed me to assign a fixed IP in the GUI and tell the team to get a global address.

                                      • JKnott @hmf

                                        @hmf

                                        I thought your concern was the prefix could change. How does that fix that? Any static address has to be within whatever the prefix is. With ULA, you set your own prefix that has nothing to do with your ISP. I have ULA running here and use it for local LAN connections, even though public addresses are also available.


                                        • hmf @JKnott

                                          @jknott

                                          This works because I assign ULAs to the servers, pass those out from the NetSense DHCPv6 as the address for services (DNS, NTP), and then issue the commands above, which causes the machines to also acquire global addresses from the NetSense DHCPv6.

                                          My problem, as I said above, was that I didn’t know how to get the machines to do both static and DHCP. I wonder whether this just works normally, just not for LAG interfaces, in Windows.

                                          Anyway, the machines now do the right thing if the delegation changes; when their leases expire, they get new global addresses via DHCP and eventually forget about the old prefix.

                                          Thanks for your help!

                                          • Jim-bob-the-grand @hmf

                                            @hmf

                                            This is what I ended up doing, I have a delegated /64 to the LAN and have a DNS server in my network with a statically assigned fd00 address.
                                            Under: Services / DHCPv6 Server & RA / LAN / DHCPv6 Server
                                            (screenshot)
                                            Under: Services / DHCPv6 Server & RA / LAN / Router Advertisements
                                            (screenshot)

                                            My clients get both public routable and ULA addresses, they resolve DNS on the ULA. It all seems to work, but I still don't get any dynamic way of knowing what the clients' IPs are at any time like you do with IPv4's DHCP DNS registration =(

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.