IPv6 and internal DNS registration
-
@jim-bob-the-grand I am with you, but it seems to be complicated. And also pfSense doesn't care about MAC-Addresses, but this probably would be a requirement to get full control back like we used to.
-
@jknott Sorry to be a novice on an old topic, but...
I converted an old Windows domain (server 2019) to use a new pfsense appliance. After transferring DHCPv6 to the appliance, the delegated v6 subnet worked like a charm, but specifying the Windows server DNS service in pfsense DHCPv6 caused 2 problems.
The important one is that the DNS server has a fixed (fd::) IPv6, given out by DHCPv6 for DNS, NTP, etc. I am not aware of how to get the server to also have a routable address, so it became an internet island. I had to enable IPv4 to get it onto the Internet.
In general, I think I still need to assign more than one IPv6 for the server, or can I depend on every client knowing how to deal with adding an implicit network to the host ID (on hosts with currently fixed IPs, like my old NetGear WiFi controller, and top-level inter-VLAN switch)?
PS: Off-topic, but the local DNS's TLD is "<domain>.local" since 1985. Do I dare fix that?
-
First off, the Unique Local Addresses (ULA), which start with fc or fd are routeable. They're just not allowed on the Internet. Also, public addresses come from your ISP. Are they providing IPv6?
-
@jknott Thanks for replying. Yes, misspoke, I meant not routable on Internet. Yes, prefix is being delegated from ISP (comcast) through Netgate DHCPv6.
-
Do you not have public addresses on the LAN side? They start with a 2.
-
@jknott Of course; that is the purpose of the delegation. Let me try to rephrase the question:
I have a local DNS server. Its address must be fixed, since it is sent out to machines on the network via DHCPv6, along with public addresses (delegated by Comcast). Without being able to assign a delegated IPv6 to the DNS server in addition to the fixed IPv6 (I don't know how to do this, anyway), the internet becomes inaccessible from the server.
How can I assign a fixed IP to the server? I can't just pick one from the delegation if Comcast can roll (this has happened) my network into a new prefix and (after a period of about a week) stop routing traffic to the old prefix.
-
You can use Unique Local Addresses on your LAN, in addition to the public addresses. That's what I do here, even though my prefix is solid.
-
Some Windows guru sent me this: "The key to using this feature is the new dhcpstaticipcoexistence parameter in netsh."
Any more verbose Windows gurus know about this?
-
@hmf said in IPv6 and internal DNS registration:
dhcpstaticipcoexistence
I'm not sure that does what you think. It allows a static IP along with DHCP. However, you still need a prefix.
-
Thanks to @jmore...
If anyone should happen upon this thread, the answer has to do with the fact that my 'NIC' is a team (LAG), and Windows does not set the right defaults. Here's what worked:
netsh interface ipv6 set interface "8" dhcpstaticipcoexistence=enabled
set-netipinterface -interfaceindex 8 -addressfamily ipv6 -dhcp enabled
This allowed me to assign a fixed IP in the GUI and tell the team to get a global address.
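A PowerShell check, added here and not posted by anyone in the thread, that verifies the end state the two commands above are meant to produce on the team interface: a manually assigned ULA, a DHCPv6-assigned GUA, and DHCP enabled on the interface. Interface index 8 is assumed from the post, and the "coexistence" line in the netsh output is matched loosely because its exact label varies.

```powershell
# Added verification script; assumes the team NIC is InterfaceIndex 8 as in the post.
param([int]$IfIndex = 8)

# Classify an IPv6 address by its prefix: fc00::/7 is ULA, 2000::/3 is GUA, fe80::/10 is link-local.
function Get-Ipv6Scope {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if (($b[0] -band 0xFE) -eq 0xFC) { return 'ULA' }
    if (($b[0] -band 0xE0) -eq 0x20) { return 'GUA' }
    if ($b[0] -eq 0xFE -and ($b[1] -band 0xC0) -eq 0x80) { return 'LinkLocal' }
    return 'Other'
}

$ipif  = Get-NetIPInterface -InterfaceIndex $IfIndex -AddressFamily IPv6
$addrs = Get-NetIPAddress  -InterfaceIndex $IfIndex -AddressFamily IPv6 |
         Where-Object { $_.AddressState -eq 'Preferred' }

# Assumption: recent Windows prints a "DHCP/Static IP coexistence : enabled" line here.
$coexist = (netsh interface ipv6 show interface $IfIndex) -match 'coexistence.*enabled'

Write-Host "Interface $IfIndex ($($ipif.InterfaceAlias)): Dhcp=$($ipif.Dhcp) RouterDiscovery=$($ipif.RouterDiscovery)"
foreach ($a in $addrs) {
    Write-Host ("  {0,-45} scope={1,-9} origin={2}" -f $a.IPAddress, (Get-Ipv6Scope $a.IPAddress), $a.PrefixOrigin)
}

# The desired state from the post: static ULA for the DNS service plus a DHCPv6 GUA for Internet reach.
$hasStaticUla = $addrs | Where-Object { (Get-Ipv6Scope $_.IPAddress) -eq 'ULA' -and $_.PrefixOrigin -eq 'Manual' }
$hasDhcpGua   = $addrs | Where-Object { (Get-Ipv6Scope $_.IPAddress) -eq 'GUA' -and $_.PrefixOrigin -in 'Dhcp','RouterAdvertisement' }

$problems = @()
if (-not $coexist)               { $problems += "DHCP/static coexistence not enabled: netsh interface ipv6 set interface `"$IfIndex`" dhcpstaticipcoexistence=enabled" }
if ($ipif.Dhcp -ne 'Enabled')    { $problems += "DHCPv6 client disabled: Set-NetIPInterface -InterfaceIndex $IfIndex -AddressFamily IPv6 -Dhcp Enabled" }
if (-not $hasStaticUla)          { $problems += "No manually assigned ULA (fd::) address; assign the fixed address used for DNS/NTP." }
if (-not $hasDhcpGua)            { $problems += "No DHCPv6/RA-derived global (2000::/3) address; the host has no Internet-routable IPv6 yet." }

if ($problems.Count -eq 0) {
    Write-Host "OK: static ULA and dynamic GUA coexist on interface $IfIndex."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it after a DHCPv6 lease renewal (or `ipconfig /renew6`) to confirm the host picked up a GUA under the current delegated prefix while keeping its fixed ULA.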
-
I thought your concern was the prefix could change. How does that fix that? Any static address has to be within whatever the prefix is. With ULA, you set your own prefix that has nothing to do with your ISP. I have ULA running here and use it for local LAN connections, even though public addresses are also available.
-
This works because I assign ULAs to the servers, pass those out from the NetSense DHCPv6 as the address for services (DNS, NTP), and then issue the commands above, which causes the machines to also acquire global addresses from the NetSense DHCPv6.
My problem, as I said above, was that I didn't know how to get the machines to do both static and DHCP. I wonder whether this just works normally, just not for LAG interfaces, in Windows.
Anyway, the machines now do the right thing if the delegation changes; when their leases expire, they get new global addresses via DHCP and eventually forget about the old prefix.
Thanks for your help!
-
This is what I ended up doing, I have a delegated /64 to the LAN and have a DNS server in my network with a static assigned fd00 address.
Under: Services/ DHCPv6 Server & RA / LAN / DHCPv6 Server
Under: Services/ DHCPv6 Server & RA / LAN / Router Advertisements
My clients get both public routable and ULA addresses, and they resolve DNS on the ULA. It all seems to work, but I still don't get any dynamic way of knowing what the clients' IPs are at any time, like you do with IPv4's DHCP DNS registration =(
-
If you enable ULA, as I suggested, and use SLAAC, then the addresses will be static.
-
Static client devices don't solve the issue I have. I would still need to make manual DNS entries for devices.
-
Perhaps I'm missing something. I thought you needed a stable DNS address, but your ISP doesn't provide a stable prefix. Is that correct? Assuming your DNS is for the local LAN only, then ULA will do everything you want. In addition to the prefix from your ISP, you create another with ULA. Every device on your LAN will then have both ULA and GUA addresses. By using the ULA to reach the DNS server, you will have everything you need, regardless of whether the ISP provides a stable prefix. If you want the DNS to be reachable from elsewhere, then you'll need a stable prefix.
Here's what's in resolv.conf on my computer:
nameserver fd48:1a37:2160:0:4262:31ff:fe12:b66c
nameserver 2001:4860:4860::8888
nameserver 8.8.8.8
The first line is the ULA address for pfsense. The other 2 lines are for Google's DNS servers.
Here's all I had to add on the RA page:
It's as simple as that. Do it right, do it once.
-
@jknott said in IPv6 and internal DNS registration:
Every device on your LAN will then have both ULA and GUA addresses.
But remember you will need to use VIP for that.
-
@jim-bob-the-grand I did exactly (except for a different fd:: fixed address) the same thing. Once I convinced the Windows Server's (LAG/team) NIC to acquire a global address from DHCP, it worked fine.
I still have the other problem that I hinted at above, but didn't mention here because... Windows. The Windows Server that runs my DNS throws errors because it does not like the DNS registration being done by pfsense. It complains, but then repairs the registration.
I don't suppose you have Windows Server expertise or that there is a solution to this. Windows is famous for stuffing the logs with unavoidable errors that obscure other important error reports. :-(
-
@bob-dig Could you give a n00b-teachable version of this comment? How do you create a "VIP for that", plus an example?
-
@hmf If you want ULA and GUA on the same interface.