Netgate Discussion Forum

    Struggling to set static mappings

    Category: IPv6
    15 Posts, 2 Posters, 1.4k Views
    mewsense

      My ISP has just switched on IPv6 for me and it works fine with the default configuration. I now want to set some static public IPs for some local machines running Windows 10 and Windows 11. Here's the information I was given (obfuscated):

      (I'm obfuscating the second and third hextet groups with x and y for privacy, and blurred them out in the screenshots.)

      ND Prefix: 2a02:****:****:****::/64
      Delegation Prefix: 2a02:x:y::/48

      My pfsense+ LAN interface has a Static v6 IP of 2a02:x:y::1

      2022-09-29_13-07-52.jpg

      2022-09-29_13-08-37.jpg

      I want the DHCPv6 dynamic range to be 2a02:x:y::d:0 to 2a02:x:y::d:ffff and I want to set some static IPv6 addresses handed out by DHCPv6 reservation using the DUID in range 2a02:x:y::a:0 to 2a02:x:y::a:ffff.

      DHCPv6 server is set up like this:
      2022-09-29_13-10-34.jpg

      Router Advertisements on the LAN interface is set to Assisted.

      2022-09-29_14-55-05.jpg

      And I have a couple of test static IPs assigned with the DUID of two machines on my LAN.

      2022-09-29_13-11-19.jpg

      However when I go to https://api64.ipify.org/ on my desktop I get this address 2a02:x:y:0:1865:af2c:3857:e0bc when I was expecting 2a02:x:y::a:4f

      I also can't ping the laptop on address 2a02:x:y::a:39 from my desktop. The laptop has a public address of 2a02:x:y:0:50b8:5e15:62b6:d596. Why don't they have the static address in the DHCP reservation table? I don't want to have to set them in each individual host.

      I'm also confused as to why my desktop has two public IPs, but neither of them match the DHCPv6 reservation assigned to that DUID.

      2022-09-29_13-23-28.jpg

      I tried an ipconfig /release and ipconfig /renew and also rebooted my desktop PC, but nothing changed. Thanks for any insights.

      JKnott @mewsense

        @mewsense

        Any reason why you're using DHCPv6 instead of SLAAC? With SLAAC, you will have a consistent address that you can use for DNS and random privacy addresses for outgoing connections. Also, Android does not work with DHCPv6, thanks to some genius at Google.

        You'll also want Do not allow PD/Address release to be selected, though not all ISPs respect it.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        mewsense @JKnott

          @jknott

          > Any reason why you're using DHCPv6 instead of SLAAC?

          I'm new to IPv6 so no specific reason. My requirement is that I want some of my machines to have the same outbound public IP every time across reboots. Some machines on my network I don't care what the outbound public IP is even if it changes across reboots.

          I tested disabling DHCPv6 but my machine gets a different IP across reboots, so not sure what I'm doing wrong.

          > You'll also want Do not allow PD/Address release to be selected, though not all ISPs respect it.

          I couldn't find this setting anywhere, which page is it on?

          I'm finding it confusing, do router advertisements get sent even if DHCP is not enabled? If so, why is it in the DHCPv6 section of pfsense?

          JKnott @mewsense

            @mewsense

            SLAAC is the simplest configuration. It just works. With it, you have a consistent address that's often based on the MAC address, and you can also have privacy addresses that change every day. However, you can disable the privacy addresses in the computer operating system. That setting is on the WAN page.

            Which part of the address changes? The most significant 64 bits? Or the least? If the most, your prefix from your ISP may be changing, but that's what that setting is supposed to stop. Why do you need the outgoing address to stay the same? What you're trying to do might be doable in some other way.

            JKnott @mewsense

              @mewsense said in Struggling to set static mappings:

              > I'm finding it confusing, do router advertisements get sent even if DHCP is not enabled? If so, why is it in the DHCPv6 section of pfsense?

              RAs are always sent, including with DHCPv6. There are different DHCPv6 modes, depending on what you need.

              mewsense @JKnott

                @jknott

                I'm just testing things out really and trying to understand. I am connecting to some servers in Azure that have a firewall to my home IPv4 public IP and I'm wondering how that would work with IPv6. It works fine by adding a rule to the network prefix assigned to me by my ISP like 2a02:1234:5678::/64

                But I wondered if I could lock it down to just one PC on my home network by using a Static IPv6. The only way I can figure out how to do this is to set it manually on my PC because DHCPv6 static mappings don't seem to work, and to switch off temporary addresses on my OS with Set-NetIPv6Protocol -UseTemporaryAddresses Disabled.

                I should probably be using Bastion or point to site VPN to connect to servers in Azure rather than using IPv6 for the routing? I don't know.

                JKnott @mewsense

                  @mewsense

                  Do you want the locked-down address to be for a server? Or a user? With the SLAAC consistent address, you point the DNS server at it. You don't normally worry about outgoing connections. However, as I mentioned, you can disable privacy addresses on a computer and it will then use the consistent address for both incoming and outgoing. Instead of specifying the solution you want, try telling us what you want to do. For example, are you trying to run a server? Then the consistent address is exactly what you want.

                  mewsense

                    @jknott

                    Thanks for the help, on my home network SLAAC seems fine for everything except for my work PC which I use to connect to servers in Azure, but maybe SLAAC is fine for that too.

                    Using IPv4 I would set a firewall rule in Azure to allow my home pfSense IPv4 WAN interface IP access to Azure VMs, and I'm wondering if it's possible to use a static IPv6 IP. Maybe not a good idea just for privacy reasons, but then I thought that's not a good reason anyway because everyone will know my network prefix, which is the same thing.

                    I switched off temporary addresses on Windows 10 and 11 and rebooted, and now SLAAC isn't working at all; I only get an FE80 address for my interfaces. If I try to ping the pfSense LAN interface IPv6 IP, I get a "transmit failed. General failure." error.

                    Lots to learn here lol

                      mewsense @mewsense

                      @mewsense Seems I'm just impatient. After 2-5 mins my PCs did get a consistent IPv6 address across reboots, but it's not there immediately on boot, it takes a few minutes, any ideas why?

                        JKnott @mewsense

                        @mewsense

                        What do you get in the meantime? When a computer boots up, it will send a router solicitation to get the info immediately and then relies on periodic RAs. The RA will provide the network prefix and the computer will add the suffix to create the address. Your privacy addresses will be different, and if you leave the computer running long enough, you will get a new one every day, up to 7, with the oldest falling off the list. Can you configure that firewall to allow any address within your prefix?

                        With SLAAC, you should have one consistent address, often based on the MAC and up to 7 privacy addresses. The most recent privacy address will be used for outgoing connections. As I mentioned, you should be able to turn off the privacy addresses. Watch your addresses for a few days to see what's happening.

                        Are you sure it's the privacy addresses you turned off? Here are the instructions. However, I haven't tried this myself, as I'm a Linux user.

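An added example, not code from this thread or from pfSense: it builds the "consistent address ... based on the MAC" that JKnott describes (modified EUI-64, RFC 4291 Appendix A) from a constructed prefix and MAC, and then checks which observed addresses a prefix-scoped firewall rule, like the Azure rule discussed earlier in the thread, would actually match. Prefix, MAC and the sample addresses are constructed documentation values, not the poster's. One caveat a practitioner should know: Windows uses a randomized stable interface identifier by default rather than EUI-64, so the low 64 bits of a Windows host's stable address will not be derived from its MAC; the prefix half, which is what a prefix rule keys on, is the same either way.

```python
"""
Added example (not from the forum thread): derive the SLAAC stable address
from a MAC via modified EUI-64, and classify observed addresses against the
delegated /64 prefix. All MACs, prefixes and addresses are constructed.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert 0xFFFE in the middle and
    flip the universal/local bit (0x02) of the first octet. Returns the
    64-bit interface identifier as an int."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    first = octets[0] ^ 0x02  # flip the U/L bit
    eui = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the /64 prefix carried in a Router Advertisement with the
    EUI-64 interface identifier. Windows defaults to a random stable
    identifier instead, so its real stable address differs in the low bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def in_prefix(addr: str, prefix: str) -> bool:
    """True if addr is covered by prefix, i.e. a prefix-scoped allow rule
    (rather than a single-host rule) would match it."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix, strict=False)


def classify(addresses, prefix, mac):
    """Label each observed address: the EUI-64 stable address, link-local,
    another address inside the delegated prefix (e.g. a privacy/temporary
    address), or something outside the prefix entirely."""
    stable = slaac_address(prefix, mac)
    labels = {}
    for a in addresses:
        ip = ipaddress.IPv6Address(a)
        if ip == stable:
            labels[a] = "stable-eui64"
        elif ip.is_link_local:
            labels[a] = "link-local"
        elif in_prefix(a, prefix):
            labels[a] = "in-prefix"
        else:
            labels[a] = "outside-prefix"
    return labels


if __name__ == "__main__":
    PREFIX = "2001:db8:1:0::/64"   # constructed stand-in for the 2a02:x:y::/64 in the thread
    MAC = "00:11:22:33:44:55"      # constructed
    print(slaac_address(PREFIX, MAC))
    sample = [                     # constructed observations
        "2001:db8:1:0:211:22ff:fe33:4455",   # the EUI-64 stable address
        "2001:db8:1:0:1865:af2c:3857:e0bc",  # privacy-style address, same prefix
        "fe80::8d91:ba6b:b24d:8a3f",         # link-local only
        "2001:db8:2::1",                     # a different prefix
    ]
    for addr, label in classify(sample, PREFIX, MAC).items():
        print(f"{addr:40} {label}")
```

The classification is the useful part for the firewall question: a privacy address and the stable address both fall in the same /64, so a rule on the delegated prefix covers the host regardless of which address it happens to use for outbound connections, while a single-host rule only works once privacy addresses are disabled.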
                          mewsense @JKnott

                          @jknott

                          I think I'm getting somewhere! I have set pfSense RA to Unmanaged. I disabled the network interface on my Windows machine, then ran wireshark on the Windows machine, then enabled the interface. I also switched off Windows Defender Firewall for this test.

                          I can see that the Windows machine sends a Router Solicitation packet three times, one second apart, to ff02::2, but doesn't get a response from pfSense. It also sends Neighbor Solicitation packets.

                          At this time it only has a link-local IPv6 address and remained this way for ten minutes!

                          The Windows PC gets a public IP when pfSense sends a Router Advertisement message, but not before. Seems wrong? Why isn't pfSense responding to Router Solicitation messages from my Windows PC?

                          I tested this by changing the Minimum RA interval and Maximum RA interval in pfSense to 5 and 10, and then my Windows machine got a public address quickly. Do I really want pfSense to be sending RA messages so frequently?

                          I understand all the temporary IP address stuff now, thanks.

                            JKnott @mewsense

                            @mewsense said in Struggling to set static mappings:

                            > I disabled the network interface on my Windows machine, then ran wireshark on the Windows machine, then enabled the interface.

                            ????

                            If you disable the interface, how do you run Wireshark?

                            I suspect your problems may be self induced, as you've been messing with things when you don't know what you're doing.

                              mewsense @JKnott

                              @jknott
                              A bit unfair tbh, maybe you missed the bit where I said I enabled it immediately after starting Wireshark. I wanted to be sure of no traffic when I started Wireshark.

                                mewsense @JKnott

                                @jknott

                                I also did a Packet Capture on pfSense, disabled my network interface, enabled it again to force it to send a Router Solicitation and I can see it is received by pfSense, but it seems that pfSense doesn't reply. Or the reply is not received somehow.

                                16:24:54.258743 IP6 fe80::8d91:ba6b:b24d:8a3f > ff02::2: ICMP6, router solicitation, length 8
                                16:24:55.251083 IP6 fe80::8d91:ba6b:b24d:8a3f > ff02::1: ICMP6, neighbor advertisement, tgt is fe80::8d91:ba6b:b24d:8a3f, length 32
                                16:24:58.260537 IP6 fe80::8d91:ba6b:b24d:8a3f > ff02::2: ICMP6, router solicitation, length 16
                                16:25:02.251761 IP6 fe80::8d91:ba6b:b24d:8a3f > ff02::2: ICMP6, router solicitation, length 16

                                If I restart radvd on pfSense, my Windows machine gets an IPv6 address. So I suspect something is up with pfSense here.

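As an added example, not from the post above and not pfSense's own tooling, here is the check I would run over that capture: parse the tcpdump-style lines and flag every Router Solicitation that got no Router Advertisement within a few seconds, either unicast back to the soliciting host or multicast to ff02::1. The sample reuses the four lines from the post and adds constructed lines for a second host (fe80::aaaa:bbbb:cccc:dddd) whose solicitation is answered by a constructed router address (fe80::1), so both the failing and the healthy exchange are visible.

```python
"""
Added example (not from the thread): scan tcpdump-style ICMPv6 summary lines
and report Router Solicitations with no Router Advertisement in reply.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP6, (?P<kind>router solicitation|router advertisement|"
    r"neighbor solicitation|neighbor advertisement)"
)

# Constructed sample: the first four lines mirror the capture in the post; the
# last three add a second host, and a router at fe80::1, where the RS is answered.
SAMPLE = """\
16:24:54.258743 IP6 fe80::8d91:ba6b:b24d:8a3f > ff02::2: ICMP6, router solicitation, length 8
16:24:55.251083 IP6 fe80::8d91:ba6b:b24d:8a3f > ff02::1: ICMP6, neighbor advertisement, tgt is fe80::8d91:ba6b:b24d:8a3f, length 32
16:24:58.260537 IP6 fe80::8d91:ba6b:b24d:8a3f > ff02::2: ICMP6, router solicitation, length 16
16:25:02.251761 IP6 fe80::8d91:ba6b:b24d:8a3f > ff02::2: ICMP6, router solicitation, length 16
16:30:10.000000 IP6 fe80::aaaa:bbbb:cccc:dddd > ff02::2: ICMP6, router solicitation, length 16
16:30:10.120000 IP6 fe80::1 > fe80::aaaa:bbbb:cccc:dddd: ICMP6, router advertisement, length 56
16:30:11.000000 IP6 fe80::aaaa:bbbb:cccc:dddd > ff02::1: ICMP6, neighbor advertisement, tgt is fe80::aaaa:bbbb:cccc:dddd, length 32
"""


def parse(text):
    """Return (seconds since midnight, src, dst, kind) for each line that looks
    like a tcpdump ICMPv6 summary; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s = m["ts"].split(":")
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        events.append((t, m["src"], m["dst"], m["kind"]))
    return events


def solicitation_status(events, window=3.0):
    """For each Router Solicitation, decide whether a Router Advertisement
    followed within `window` seconds, unicast to the soliciting host or
    multicast to all nodes (ff02::1). RFC 4861 lets a router delay a solicited
    RA by at most 0.5 s, so a 3 s window is generous; anything missing beyond
    that points at the router side. Returns a list of (t, src, answered)."""
    ras = [(t, dst) for t, _, dst, kind in events if kind == "router advertisement"]
    status = []
    for t, src, _, kind in events:
        if kind != "router solicitation":
            continue
        answered = any(t <= ra_t <= t + window and ra_dst in (src, "ff02::1")
                       for ra_t, ra_dst in ras)
        status.append((t, src, answered))
    return status


def unanswered_solicitations(events, window=3.0):
    """The (t, src) of every RS that got no RA in time."""
    return [(t, src) for t, src, ok in solicitation_status(events, window) if not ok]


def hosts_never_answered(events, window=3.0):
    """Hosts none of whose solicitations were answered: the symptom in the post
    (link-local only until the next periodic RA happens to arrive)."""
    asked, answered = set(), set()
    for _, src, ok in solicitation_status(events, window):
        asked.add(src)
        if ok:
            answered.add(src)
    return sorted(asked - answered)


if __name__ == "__main__":
    ev = parse(SAMPLE)
    for t, src in unanswered_solicitations(ev):
        print(f"no RA within 3 s after RS from {src} at t={t:.3f}")
    print("hosts never answered:", hosts_never_answered(ev))
```

Run against the real capture the check separates "the router never answers solicitations" (every RS from a host unanswered, as here, where a radvd restart or reboot fixed it) from "the client is not soliciting at all", which would instead show up as no RS lines for that host and would point back at the Windows side.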
                                  mewsense @JKnott

                                  @jknott

                                  I went for the nuclear option and rebooted pfSense and it's working fine now.

                                  5293d4c1-c90f-469b-a961-d55af208eeec-image.png

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.