fe80::1:1 as static route for ipv6 track interface LAN? also LAN link-local no response?

AveryFreeman

Hi,

I had fe80::1:1 for a while as my gateway address. It seemed to work fine, I was kind of surprised because I'd never heard of it before.

I am not sure where the address came from, but I noticed it showing up on my pfSense box at one point, and I made use of it for a while. Now it's gone, I'm not sure what I did either to make it show up or go away.

Now that I think about it, though, it would be useful to have a gateway address that is static that points to the LAN (or WAN if I'm mistaken) interface to route ipv6 traffic if my provider changes the IP address, as they do that from time to time.

Is making a permanent static route for fe80::1:1 a viable option? And where in the world did the address come from in the first place, why'd it disappear?

Thanks

Update: fe80::1:1 is back, but I can't seem to ping it from my network (?) I can't seem to ping any of my pfSense box's link-local addresses:

[2.6.0-RELEASE][root@gateway]/root: ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=81209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
	ether 0c:c4:7a:73:37:96
	inet6 fe80::ec4:7aff:fe73:3796%em0 prefixlen 64 scopeid 0x1
	inet6 fe80::1:1%em0 prefixlen 64 scopeid 0x1
	inet6 2601:603:4d00:49ad:ec4:7aff:fe73:3796 prefixlen 64
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

See?

$ ping -c 3 fe80::1:1 && ping -c 3 fe80::ec4:7aff:fe73:3796
PING fe80::1:1(fe80::1:1) 56 data bytes

--- fe80::1:1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2049ms

GUA address responds fine ...

$ ping 2601:603:4d00:49ad:ec4:7aff:fe73:3796
PING 2601:603:4d00:49ad:ec4:7aff:fe73:3796(2601:603:4d00:49ad:ec4:7aff:fe73:3796) 56 data bytes
64 bytes from 2601:603:4d00:49ad:ec4:7aff:fe73:3796: icmp_seq=1 ttl=64 time=4.25 ms . . . 

JKnott

@averyfreeman

You apparently have a few things to learn about IPv6. Addresses that start with fe80 are link local and every IPv6 capable device has one. They're usually based on the MAC address, but can be locally assigned. In IPv6, routing is normally done via the link local address. Also, you don't have to worry about assigning a default route. It's done automagically by Router Advertisements, which also provide the local prefix to the various devices.

You can ping link local addresses, but you generally have to specify which interface you're pinging from.

johnpoz

@averyfreeman said in fe80::1:1 as static route for ipv6 track interface LAN? also LAN link-local no response?:

I can't seem to ping any of my pfSense box's link-local addresses:

Because your prob not allowing it - just went over a sim question where user was wanting to use link-local as their dns.

Lan net rule doesn't include link-local

But what interface is em0? Is that your lan or wan interface?

AveryFreeman

@jknott said in fe80::1:1 as static route for ipv6 track interface LAN? also LAN link-local no response?:

@averyfreeman
You apparently have a few things to learn about IPv6. Addresses that start with fe80 are link local and every IPv6 capable device has one. They're usually based on the MAC address. . .

Not trying to front like I am some subnetting scholar, but I know what v6 link-local addresses are. I also am familiar with how a few conventions, EUI-64's a good example, calculate their address from the MAC.

Then there's fe80::1:1, which doesn't look like it follows any convention I know of, other than being a valid link-local address. I like it, though, it's easy to remember.

I jdkwtf it showed up and disappeared lol. I Googled around and couldn't really find anything about what / why definitions, just people talking about having the address on their gateway and using it (or not).

In IPv6, routing is normally done via the link local address.

Funny, I tend to see v6 routing done with GUA addresses 90% of the time.

I noticed my DCs don't like to keep any ipv6 addresses without their own reverse zone. So that was another odd behavior

Also, you don't have to worry about assigning a default route. It's done automagically by Router Advertisements.

Yeah, that's neat.

You can ping link local addresses, but you generally have to specify which interface you're pinging from.

Not in my experience. I've only seen that on FreeBSD.

Thanks for trying to hold my hand through this experience, but I was really just asking about how/why that particular fe80::1:1 address showed up

JKnott

@averyfreeman said in fe80::1:1 as static route for ipv6 track interface LAN? also LAN link-local no response?:

Then there's fe80::1:1, which doesn't look like it follows any convention I know of, other than being a valid link-local address. I like it, though, it's easy to remember.

Yes, link local addresses can be locally assigned.

Funny, I tend to see v6 routing done with GUA addresses 90% of the time.

You can route with either. In fact, you don't even need an address. On point to point links you only need the interface ID.

Not in my experience. I've only seen that on FreeBSD.

And Linux. I don't think Windows does that. However, a link local address only has to be unique on a link. It's possible to have the same one on more than one link. I don't know how Windows would handle that.

AveryFreeman

So since you've been nice enough to hold my hand through a few of my ipv6 questions (I am rather green with the ipv6es) perhaps I could pick your brain about a few specifics I've been wanting to know? In re: OP:

Then there's fe80::1:1, which doesn't look like it follows any convention I know of, other than being a valid link-local address. I like it, though, it's easy to remember.

Yes, link local addresses can be locally assigned.

In the OP I was trying to track down "where fe80::1:1 came from", since I was surprised "it just showed up at some point and then went away", but maybe that's too ambiguous.

So instead,

• Under what conditions might pfSense create fe80::1:1 address automatically?
• Since it's gone now, where might I assign fe80::1:1 to use with LAN@em1?
• Can fe80::1:1 be added to LAN@em1 without disrupting an assigned link-local address from track [WAN] interface setting?

Funny, I tend to see v6 routing done with GUA addresses 90% of the time.

You can route with either. In fact, you don't even need an address. On point to point links you only need the interface ID.

I'm on Comcast residential cable, our GUA/64 prefix will change when ISP DHCP auto-assigns our modem a new address (after a certain period, a number of reboots, etc.).
This results in pfSense WAN@em0 having new GUA prefix, and track [WAN] interface on LAN@em1 having a new prefix.

I have not found a more stable way to set up pfSense's interpretation of Comcast's res ipv6, unfortunately - I've got the dhcpd box checked not to release the prefix, it might help but it's no silver bullet, we'll always get a new /64 at some point.

I had been using static link-local ipv6 addresses for internal DNS (AD DCs x2) and gateway (pfSense LAN@em1) since they appear to be more stable. Then I realized, the /48 portion of the address is much less likely to change - it's almost always the 4th octet (xxxx:xxxx:xxxx:[this]::) that changes.

What are the implications of using only the /48 portion of the address for local devices? Is it valid, and how should the resolution be configured?

To illustrate, instead of using:

2601:603:4d00:beef::dc01/64

Using:

2601:603:4d00::dc01/64

(can I eliminate the beef without issue?)

Why am I asking this? I'm thinking if that 4th octet doesn't matter - I'm only using the /48 portion (first 3 octets) - Comast can change that 4th octet to their heart's content without making my ipv6 settings take a shit.

Is this, like, totally out of left field, or do you think it might be a reasonable solution?

One other quick question of note: I tried to use a link-local gateway address with GUA IPs for everything else in my DC's ipv6 Network Connections for their adapters, but windows will immediately forget any address without the same /64, even if it's an additional "fall-back" gateway address set under "advanced" tab. Everything must either be link-local or GUA, at least in my recent experience.

Are you familiar with why Windows Server + AD does this? Is it possible to have an all-link-local + an all-GUA connection setting for a single ethernet adapter? (using one or the other as a "fall back")

Not in my experience. I've only seen that on FreeBSD.

And Linux. I don't think Windows does that. However, a link local address only has to be unique on a link. It's possible to have the same one on more than one link. I don't know how Windows would handle that.

I literally started noticing the %14, etc. in ipconfig /all right after we wrote this, so I was totally wrong, it does it in Windows, too. Is there any benefit to using this notation?

Thanks :)

JKnott

@averyfreeman said in fe80::1:1 as static route for ipv6 track interface LAN? also LAN link-local no response?:

In the OP I was trying to track down "where fe80::1:1 came from", since I was surprised "it just showed up at some point and then went away", but maybe that's too ambiguous.
So instead,

Under what conditions might pfSense create fe80::1:1 address automatically?
Since it's gone now, where might I assign fe80::1:1 to use with LAN@em1?
Can fe80::1:1 be added to LAN@em1 without disrupting an assigned link-local address from track [WAN] interface setting?

I seem to recall that too. However, perhaps you could spoof the MAC address to do that. Or maybe use a virtual address.

I'm on Comcast residential cable, our GUA/64 prefix will change when ISP DHCP auto-assigns our modem a new address (after a certain period, a number of reboots, etc.).
This results in pfSense WAN@em0 having new GUA prefix, and track [WAN] interface on LAN@em1 having a new prefix.

I have not found a more stable way to set up pfSense's interpretation of Comcast's res ipv6, unfortunately - I've got the dhcpd box checked not to release the prefix, it might help but it's no silver bullet, we'll always get a new /64 at some point.

If you want consistent addresses for local DNS, you could use Unique Local Addresses.

I had been using static link-local ipv6 addresses for internal DNS (AD DCs x2) and gateway (pfSense LAN@em1) since they appear to be more stable. Then I realized, the /48 portion of the address is much less likely to change - it's almost always the 4th octet (xxxx:xxxx:xxxx:[this]::) that changes.

What are the implications of using only the /48 portion of the address for local devices? Is it valid, and how should the resolution be configured?

You will be using the wrong address. There are 256 possible prefixes within that /48. You use the other prefixes for other interfaces.

I don't know what they do in Windows Active Directory.

The %14 refers to the interface used for link local addresses. Since a link local address doesn't contain a network portion, you have to specify the interface.

AveryFreeman

@averyfreeman said
Since it's gone now, where might I assign fe80::1:1 to use with LAN@em1?
Can fe80::1:1 be added to LAN@em1 without disrupting an assigned link-local address from track [WAN] interface setting?

I seem to recall that too. However, perhaps you could spoof the MAC address to do that. Or maybe use a virtual address.

What do you recall exactly? Do you mean assigning a custom link-local address to a track-interface LAN interfering with traffic from WAN? I might've missed something.

What sort of behavior / outcome is spoofing the MAC meant to achieve? I've seen the option and clicked it to experiment, but was ages ago - I think it borked my connection at the time.

Are we still talking about fe80::1:1, or just being able to assign any custom link-local ipv6 address to a track-interface LAN without borking the WAN?

I'm on Comcast residential cable, our GUA/64 prefix will change . . .
. . . dhcpd box checked not to release the prefix . . . no silver bullet . . .

If you want consistent addresses for local DNS, you could use Unique Local Addresses.

I could, and I've looked into it, and have decided to stick with GUA for a handful of reasons. But thank you :)

What are the implications of using only the /48 portion of the address for local devices?

You will be using the wrong address. There are 256 possible prefixes within that /48. You use the other prefixes for other interfaces.

Are we talking about link-local here? I was talking about GUAs, and the ::/64 prefix of a GUA address is for the network, not a particular interface (right?).

And just to clarify, why would you refer to the last 4-octets of a LL-ipv6 address as a prefix? I thought the prefix for LL is fe80:: (?).

I don't know what they do in Windows Active Directory.
The %14 refers to the interface used for link local addresses. Since a link local address doesn't contain a network portion, you have to specify the interface.

Ah yeah, I think %14 refers to network connection, I seem to remember that's Ethernet 14 IIRC (this DC VM has been through a lot).

This has all been quite helpful, thank you.

JKnott

@jknott said in fe80::1:1 as static route for ipv6 track interface LAN? also LAN link-local no response?:

There are 256 possible prefixes within that /48. You use the other prefixes for other interfaces.

My mistake. That should be 65536, not 256. Better have another beer.