IPv6 and internal DNS registration
-
This is what I ended up doing, I have a delegated /64 to the LAN and have a DNS server in my network with a static assigned fd00 address.
Under: Services/ DHCPv6 Server & RA / LAN / DHCPv6 Server
Under: Services/ DHCPv6 Server & RA / LAN / Router Advertisements
My clients get both public routable and ULA address, they resolve DNS on the ULA. It all seems to work, but I still don't get any dynamic way of knowing what the clients IPs are at any time like you do with IPv4s DHCP DNS registration =(
-
If you enable ULA, as I suggested, and use SLAAC, then the addresses will be static,
-
Static client devices doesn't solve the issue I have. I would still need to make manual DNS entries for devices.
-
Perhaps I'm missing something. I thought you needed a stable DNS address, but your ISP doesn't provide a stable prefix. Is that correct? Assuming your DNS is for the local LAN only, then ULA will do everything you want. In addition to the prefix from your ISP, you create another with ULA. Every device on your LAN will then have both ULA and GUA addresses. By using the ULA to reach the DNS server, you will have everything you need, regardless of whether the ISP provides a stable prefix. If you want the DNS to be reachable from elsewhere, then you'll need a stable prefix.
Here's what's in resolv.conf on my computer:
nameserver fd48:1a37:2160:0:4262:31ff:fe12:b66c
nameserver 2001:4860:4860::8888
nameserver 8.8.8.8The first line is the ULA address for pfsense. The other 2 lines are for Google's DNS servers.
Here's all I had to add on the RA page:
It's as simple as that. Do it right, do it once.
-
@jknott said in IPv6 and internal DNS registration:
Every device on your LAN will then have both ULA and GUA addresses.
But remember you will need to use VIP for that.
-
@jim-bob-the-grand I did exactly (except for a different fd:: fixed address) the same thing. Once I convinced the Windows Serverās (LAG/team) NIC to acquire a global address from DHCP, it worked fine.
I still have the other problem that I hinted at above, but didnāt mention here becauseā¦ Windows. The Windows Server that runs my DNS throws errors because it does not like the DNS registration being done by pfsense. It complains, but then repairs the registration.
I donāt suppose you have Windows Server expertise or that there is a solution to this. Windows is famous for stuffing the logs with unavoidable errors that obscure other important error reports. :-(
-
@bob-dig Could you give a n00b-teachable version of this comment? How do you create a āVIP for thatā plus example?
-
@hmf If you want ULA and GUA on the same interface.
-
@bob-dig said in IPv6 and internal DNS registration:
But remember you will need to use VIP for that.
No, you just enable it on the RA page and it will work automagically.
As soon as you create the 2nd prefix, there will be router advertisements for it and all devices will have ULA addresses, in addition to GUA.Correction, you still have to use a VIP on pfsense, but you don't have to manually add an address elsewhere.
-
No need, if you set up ULA the way I described.
-
@bob-dig said in IPv6 and internal DNS registration:
If you want ULA and GUA on the same interface.
Is there a problem with that? IPv6 was designed to have multiple addresses and prefixes on an interface. It just works. In fact, you could add multiple ULA prefixes to a LAN, though I don't know why you'd do that.
-
@jknott Donāt want to put words in @Bob-Dig ās mouth, but my problem was that the GUI for the DNS server allows an exclusive choice (āxorā) between DHCP and ULA configuration; I had to learn about the command-line to enable both.
I have a question about your POV, though. I used DHCP on the appliance so that it would publish several options on the domain (including the ULA of the DNS that caused the original problem). Are you saying that the RA/SLAAC solution accomplishes this and is preferable to or better than the DHCP/ULA solution for some reason?
-
A the stuff that's provided by DHCP is provided by the router advertisements, including RDNSS, which contains the DNS server address. One disadvantage with DHCPv6 is it doesn't work with Android devices, because some genius at Google didn't want to support it.
-
@hmf said in IPv6 and internal DNS registration:
but my problem was that the GUI for the DNS server allows an exclusive choice (āxorā) between DHCP and ULA configuration; I had to learn about the command-line to enable both
I don't have DHCPv6 enabled on my network, but DHCPv6 server and RA are 2 separate pages in the config. Does it actually prevent you from adding an additional prefix on the RA page when a DHCPv6 server is enabled? You always have router advertisements, no matter what. Also, if you have Android devices, you do not want to run DHCPv6.
-
@jknott Oh, help...
I just upgraded by 6100 appliance and things stopped working again! Now, instead of RA just publishing the DNS ULA (fd...) it is using the IPv6 alias as the source for the network prefix instead of the PD prefix. Now none of the hosts are on the internet unless I remove the alias and exclusively use DNS / IPv4.
How do I get it to publish the PD prefix for SLAAC and the ULA for DNS again?
-
First off, do you still have DHCPv6 enabled on the LAN? If so, get rid of it. The DNS server address is supposed to be the host address for pfsense, unless you've changed it. That would be done in the DNS Configuration on the Router Advertisement page. Those 3 boxes should be empty. Are they?
-
@jknott Thanks for getting back. (just fixed, still confused; See 2nd ppg)
It does not seem to matter whether I disable DHCPv6, but it only exists to set the domain DNS search, and a few windows-specific options anyway. Remember, the whole point was to use the local DNS (and sat-converged NTP, but that is off) for the domain subnet. The unsecured subnet does, in fact, leave all those empty.
I just got things working again! I removed the fixed ULA for the Netgate's LAN, but not the RA subnet. Total accident. Immediately, clients started SLAAC'ing to the PD prefix again, and the Windows clients started registering in DHCP and getting the Domain Controller options! (I set the router's additional IPv6 by rote from your instructions on how to combine ULA with delegation.)
SO... in the latest update, if you assign multiple IPv6 addresses to the LAN, Android clients use that prefix, but if you only set up the subnet, then they get both GUAs with the PD prefix and also ULAs, and (remembering why we are in the swamp in the first place) everybody can get to the LAN's DNS.
I don't understand why the update either broke it, or why it ever worked to assign the router's ULA, depending on your point of view. Isn't it a bug that assigning another IPv6 breaks client SLAAC connection to the ISP delegated prefix? What happens if you ever need a fixed address for the router?
-
@hmf Just noticed the 6100 doesn't have a GUA any more, all the default gateways show as link-local. Not a bad thing... right?
-
I'm beginning to think you've messed up the config so much you might be better off starting from scratch. And no, if you don't have a GUA and only link local addresses, then it's not good. Also, I run 2 prefixes on my LAN, global and unique local. It works fine. Doing that requires providing a 2nd prefix on the RA page and creating a virtual IP for the interface.
-
Thank you again for helping me. Hope my lack of expertise does not annoy you too muchā¦
First, I may have misspoke: The 6100 does have a GUA on the LAN (2601ā¦) but all the other nodes refer to it / prefer its local address (fe80ā¦) now. If you are willing, could you explain why itās not good that way? (It is my only router; everything here is link local by VLAN).
Anyway, I did what you suggested. After rebuilding, it works the same way: If I set up the ULA subnet in RA, things all (Android, Apple, Windows) work, meaning they can see the local DNS, NTP, etc., and get delegated IPv6 addresses. The minute I assign a full address (virtual IPv6) on the LAN, all the clients lose their delegated addresses and only show addresses with the ULA prefix.
Recap: Add subnet RA ā everything works super. Add alias ā clients do not get Internet routable (delegated) addresses.
PS: The only remotely unusual thing I do is RA on the VLAN, not the LAN port (which doesnāt seem that unusual).
