IPv6 and internal DNS registration
-
@jknott Thanks for replying. Yes, misspoke, I meant not routable on Internet. Yes, prefix is being delegated from ISP (comcast) through Netgate DHCPv6.
-
Do you not have public addresses on the LAN side? They start with a 2.
-
@jknott Of course; that is the purpose of the delegation. Let me try to rephrase the question:
I have a local DNS server. Its address must be fixed, since it is sent out to machines on the network via DHCPv6, along with public addresses (delegated by Comcast). Without being able to assign a delegated IPv6 to the DNS server in addition to the fixed IPv6 (I don’t know how to do this, anyway), the internet becomes inaccessible from the server.
How can I assign a fixed IP to the server? I can’t just pick one from the delegation if Comcast can roll (this has happened) my network into a new prefix and (after a period of about a week) stop routing traffic to the old prefix.
-
You can use Unique Local Addresses on your LAN, in addition to the public addresses. That's what I do here, even though my prefix is solid.
-
Some Windows guru sent me this: "The key to using this feature is the new dhcpstaticipcoexistence parameter in netsh."
Any more verbose Windows gurus know about this?
-
@hmf said in IPv6 and internal DNS registration:
dhcpstaticipcoexistence
I'm not sure that does what you think. It allows a static IP along with DHCP. However, you still need a prefix.
-
Thanks to @jmore...
If anyone should happen upon this thread, the answer has to do with the fact that my 'NIC' is a team (LAG), and Windows does not set the right defaults. Here's what worked:
netsh interface ipv6 set interface "8" dhcpstaticipcoexistence=enabled
set-netipinterface -interfaceindex 8 -addressfamily ipv6 -dhcp enabledThis allowed me to assign a fixed IP in the GUI and tell the team to get a global address.
-
I thought your concern was the prefix could change. How does that fix that? Any static address has to be within whatever the prefix is. With ULA, to set your own prefix that has nothing to do with your ISP. I have ULA running hear and use it for local LAN connections, even though public addresses are also available.
-
This works because I assign ULAs to the servers, pass those out from the NetSense DHCPv6 as the address for services (DNS, NTP), and then issue the commands above, which causes the machines to also acquire global addresses from the NetSense DHCPv6.
My problem, as I said above, was that I didn’t know how to get the machines to do both static and DHCP. I wonder whether this just works normally, just not for LAG interfaces, in Windows.
Anyway, the machines now do the right thing if the delegation changes; when their leases expire, they get new global addresses via DHCP and eventually forget about the old prefix.
Thanks for your help!
-
This is what I ended up doing, I have a delegated /64 to the LAN and have a DNS server in my network with a static assigned fd00 address.
Under: Services/ DHCPv6 Server & RA / LAN / DHCPv6 Server
Under: Services/ DHCPv6 Server & RA / LAN / Router Advertisements
My clients get both public routable and ULA address, they resolve DNS on the ULA. It all seems to work, but I still don't get any dynamic way of knowing what the clients IPs are at any time like you do with IPv4s DHCP DNS registration =(
-
If you enable ULA, as I suggested, and use SLAAC, then the addresses will be static,
-
Static client devices doesn't solve the issue I have. I would still need to make manual DNS entries for devices.
-
Perhaps I'm missing something. I thought you needed a stable DNS address, but your ISP doesn't provide a stable prefix. Is that correct? Assuming your DNS is for the local LAN only, then ULA will do everything you want. In addition to the prefix from your ISP, you create another with ULA. Every device on your LAN will then have both ULA and GUA addresses. By using the ULA to reach the DNS server, you will have everything you need, regardless of whether the ISP provides a stable prefix. If you want the DNS to be reachable from elsewhere, then you'll need a stable prefix.
Here's what's in resolv.conf on my computer:
nameserver fd48:1a37:2160:0:4262:31ff:fe12:b66c
nameserver 2001:4860:4860::8888
nameserver 8.8.8.8The first line is the ULA address for pfsense. The other 2 lines are for Google's DNS servers.
Here's all I had to add on the RA page:
It's as simple as that. Do it right, do it once.
-
@jknott said in IPv6 and internal DNS registration:
Every device on your LAN will then have both ULA and GUA addresses.
But remember you will need to use VIP for that.
-
@jim-bob-the-grand I did exactly (except for a different fd:: fixed address) the same thing. Once I convinced the Windows Server’s (LAG/team) NIC to acquire a global address from DHCP, it worked fine.
I still have the other problem that I hinted at above, but didn’t mention here because… Windows. The Windows Server that runs my DNS throws errors because it does not like the DNS registration being done by pfsense. It complains, but then repairs the registration.
I don’t suppose you have Windows Server expertise or that there is a solution to this. Windows is famous for stuffing the logs with unavoidable errors that obscure other important error reports. :-(
-
@bob-dig Could you give a n00b-teachable version of this comment? How do you create a “VIP for that” plus example?
-
@hmf If you want ULA and GUA on the same interface.
-
@bob-dig said in IPv6 and internal DNS registration:
But remember you will need to use VIP for that.
No, you just enable it on the RA page and it will work automagically.
As soon as you create the 2nd prefix, there will be router advertisements for it and all devices will have ULA addresses, in addition to GUA.Correction, you still have to use a VIP on pfsense, but you don't have to manually add an address elsewhere.
-
No need, if you set up ULA the way I described.
-
@bob-dig said in IPv6 and internal DNS registration:
If you want ULA and GUA on the same interface.
Is there a problem with that? IPv6 was designed to have multiple addresses and prefixes on an interface. It just works. In fact, you could add multiple ULA prefixes to a LAN, though I don't know why you'd do that.
