IPv6 and internal DNS registration

Jim-bob-the-grand · Sep 14, 2021, 6:46 AM

This is what I ended up doing, I have a delegated /64 to the LAN and have a DNS server in my network with a static assigned fd00 address.
Under: Services/ DHCPv6 Server & RA / LAN / DHCPv6 Server

Under: Services/ DHCPv6 Server & RA / LAN / Router Advertisements

My clients get both public routable and ULA address, they resolve DNS on the ULA. It all seems to work, but I still don't get any dynamic way of knowing what the clients IPs are at any time like you do with IPv4s DHCP DNS registration =(

JKnott · Sep 14, 2021, 10:46 AM

@hmf

If you enable ULA, as I suggested, and use SLAAC, then the addresses will be static,

Jim-bob-the-grand · Sep 14, 2021, 11:01 AM

@jknott

Static client devices doesn't solve the issue I have. I would still need to make manual DNS entries for devices.

JKnott · Sep 14, 2021, 2:00 PM

@jim-bob-the-grand

Perhaps I'm missing something. I thought you needed a stable DNS address, but your ISP doesn't provide a stable prefix. Is that correct? Assuming your DNS is for the local LAN only, then ULA will do everything you want. In addition to the prefix from your ISP, you create another with ULA. Every device on your LAN will then have both ULA and GUA addresses. By using the ULA to reach the DNS server, you will have everything you need, regardless of whether the ISP provides a stable prefix. If you want the DNS to be reachable from elsewhere, then you'll need a stable prefix.

Here's what's in resolv.conf on my computer:

nameserver fd48:1a37:2160:0:4262:31ff:fe12:b66c
nameserver 2001:4860:4860::8888
nameserver 8.8.8.8

The first line is the ULA address for pfsense. The other 2 lines are for Google's DNS servers.

Here's all I had to add on the RA page:

It's as simple as that. Do it right, do it once.

Bob.Dig · Sep 14, 2021, 2:00 PM

@jknott said in IPv6 and internal DNS registration:

Every device on your LAN will then have both ULA and GUA addresses.

But remember you will need to use VIP for that.

hmf · Sep 14, 2021, 2:11 PM

@jim-bob-the-grand I did exactly (except for a different fd:: fixed address) the same thing. Once I convinced the Windows Server’s (LAG/team) NIC to acquire a global address from DHCP, it worked fine.

I still have the other problem that I hinted at above, but didn’t mention here because… Windows. The Windows Server that runs my DNS throws errors because it does not like the DNS registration being done by pfsense. It complains, but then repairs the registration.

I don’t suppose you have Windows Server expertise or that there is a solution to this. Windows is famous for stuffing the logs with unavoidable errors that obscure other important error reports. :-(

hmf · Sep 14, 2021, 2:25 PM

@bob-dig Could you give a n00b-teachable version of this comment? How do you create a “VIP for that” plus example?

Bob.Dig · Sep 14, 2021, 2:28 PM

@hmf If you want ULA and GUA on the same interface.

JKnott · Sep 14, 2021, 3:07 PM

@bob-dig said in IPv6 and internal DNS registration:

But remember you will need to use VIP for that.

No, you just enable it on the RA page and it will work automagically.
As soon as you create the 2nd prefix, there will be router advertisements for it and all devices will have ULA addresses, in addition to GUA.

Correction, you still have to use a VIP on pfsense, but you don't have to manually add an address elsewhere.

JKnott · Sep 14, 2021, 3:03 PM

@hmf

No need, if you set up ULA the way I described.

JKnott · Sep 14, 2021, 3:05 PM

@bob-dig said in IPv6 and internal DNS registration:

If you want ULA and GUA on the same interface.

Is there a problem with that? IPv6 was designed to have multiple addresses and prefixes on an interface. It just works. In fact, you could add multiple ULA prefixes to a LAN, though I don't know why you'd do that.

hmf · Sep 14, 2021, 3:39 PM

@jknott Don’t want to put words in @Bob-Dig ’s mouth, but my problem was that the GUI for the DNS server allows an exclusive choice (‘xor’) between DHCP and ULA configuration; I had to learn about the command-line to enable both.

I have a question about your POV, though. I used DHCP on the appliance so that it would publish several options on the domain (including the ULA of the DNS that caused the original problem). Are you saying that the RA/SLAAC solution accomplishes this and is preferable to or better than the DHCP/ULA solution for some reason?

JKnott · Sep 14, 2021, 6:22 PM

@hmf

A the stuff that's provided by DHCP is provided by the router advertisements, including RDNSS, which contains the DNS server address. One disadvantage with DHCPv6 is it doesn't work with Android devices, because some genius at Google didn't want to support it.

JKnott · Sep 14, 2021, 6:27 PM

@hmf said in IPv6 and internal DNS registration:

but my problem was that the GUI for the DNS server allows an exclusive choice (‘xor’) between DHCP and ULA configuration; I had to learn about the command-line to enable both

I don't have DHCPv6 enabled on my network, but DHCPv6 server and RA are 2 separate pages in the config. Does it actually prevent you from adding an additional prefix on the RA page when a DHCPv6 server is enabled? You always have router advertisements, no matter what. Also, if you have Android devices, you do not want to run DHCPv6.

hmf · Nov 21, 2021, 9:32 PM

@jknott Oh, help...

I just upgraded by 6100 appliance and things stopped working again! Now, instead of RA just publishing the DNS ULA (fd...) it is using the IPv6 alias as the source for the network prefix instead of the PD prefix. Now none of the hosts are on the internet unless I remove the alias and exclusively use DNS / IPv4.

How do I get it to publish the PD prefix for SLAAC and the ULA for DNS again?

JKnott · Nov 21, 2021, 10:44 PM

@hmf

First off, do you still have DHCPv6 enabled on the LAN? If so, get rid of it. The DNS server address is supposed to be the host address for pfsense, unless you've changed it. That would be done in the DNS Configuration on the Router Advertisement page. Those 3 boxes should be empty. Are they?

hmf · Nov 21, 2021, 11:37 PM

@jknott Thanks for getting back. (just fixed, still confused; See 2nd ppg)

It does not seem to matter whether I disable DHCPv6, but it only exists to set the domain DNS search, and a few windows-specific options anyway. Remember, the whole point was to use the local DNS (and sat-converged NTP, but that is off) for the domain subnet. The unsecured subnet does, in fact, leave all those empty.

I just got things working again! I removed the fixed ULA for the Netgate's LAN, but not the RA subnet. Total accident. Immediately, clients started SLAAC'ing to the PD prefix again, and the Windows clients started registering in DHCP and getting the Domain Controller options! (I set the router's additional IPv6 by rote from your instructions on how to combine ULA with delegation.)

SO... in the latest update, if you assign multiple IPv6 addresses to the LAN, Android clients use that prefix, but if you only set up the subnet, then they get both GUAs with the PD prefix and also ULAs, and (remembering why we are in the swamp in the first place) everybody can get to the LAN's DNS.

I don't understand why the update either broke it, or why it ever worked to assign the router's ULA, depending on your point of view. Isn't it a bug that assigning another IPv6 breaks client SLAAC connection to the ISP delegated prefix? What happens if you ever need a fixed address for the router?

hmf · Nov 21, 2021, 11:44 PM

@hmf Just noticed the 6100 doesn't have a GUA any more, all the default gateways show as link-local. Not a bad thing... right?

JKnott · Nov 22, 2021, 2:19 AM

@hmf

I'm beginning to think you've messed up the config so much you might be better off starting from scratch. And no, if you don't have a GUA and only link local addresses, then it's not good. Also, I run 2 prefixes on my LAN, global and unique local. It works fine. Doing that requires providing a 2nd prefix on the RA page and creating a virtual IP for the interface.

hmf · Nov 22, 2021, 8:00 PM

@jknott

Thank you again for helping me. Hope my lack of expertise does not annoy you too much…

First, I may have misspoke: The 6100 does have a GUA on the LAN (2601…) but all the other nodes refer to it / prefer its local address (fe80…) now. If you are willing, could you explain why it’s not good that way? (It is my only router; everything here is link local by VLAN).

Anyway, I did what you suggested. After rebuilding, it works the same way: If I set up the ULA subnet in RA, things all (Android, Apple, Windows) work, meaning they can see the local DNS, NTP, etc., and get delegated IPv6 addresses. The minute I assign a full address (virtual IPv6) on the LAN, all the clients lose their delegated addresses and only show addresses with the ULA prefix.

Recap: Add subnet RA — everything works super. Add alias — clients do not get Internet routable (delegated) addresses.

PS: The only remotely unusual thing I do is RA on the VLAN, not the LAN port (which doesn’t seem that unusual).