Struggling to set static mappings
-
My ISP has just switched on IPv6 for me and it works fine with the default configuration. I now want to set some static public IPs for some local machines running Windows 10 and Windows 11. Here's the information I was given (obfuscated):
(I'm obfuscating the second and third hextet groups with x and y for privacy, and blurred them out in the screenshots.)
ND Prefix:
2a02:****:****:****::/64
Delegation Prefix:2a02:x:y::/48My pfsense+ LAN interface has a Static v6 IP of
2a02:x:y::1
I want the DHCPv6 dynamic range to be
2a02:x:y::d:0to2a02:x:y::d:ffffand I want to set some static IPv6 addresses handed out by DHCPv6 reservation using the DUID in range2a02:x:y::a:0to2a02:x:y::a:ffff.DHCPv6 server is set up like this:
Router Advertisements on the LAN interface is set to Assisted.
And I have a couple of test static IPs assigned with the DUID of two machines on my LAN.
However when I go to https://api64.ipify.org/ on my desktop I get this address
2a02:x:y:0:1865:af2c:3857:e0bcwhen I was expecting2a02:x:y::a:4fI also can't ping the laptop on address
2a02:x:y::a:39from my desktop. The laptop has a public address of2a02:x:y:0:50b8:5e15:62b6:d596. Why don't they have the static address in the DHCP reservation table? I don't want to have to set them in each individual host.I'm also confused as to why my desktop has two public IPs, but neither of them match the DHCPv6 reservation assigned to that DUID.
I tried a
ipconfig /releaseandipconfig /renewand also rebooted my desktop PC but nothing changed. Thanks for any insights. -
Any reason why you're using DHCPv6 instead of SLAAC? With SLAAC, you will have a consistent address that you can use for DNS and random privacy addresses for outgoing connections. Also, Android does not work with DHCPv6, thanks to some genius at Google.
You'll also want Do not allow PD/Address release to be selected, though not all ISPs respect it.
-
Any reason why you're using DHCPv6 instead of SLAAC?
I'm new to IPv6 so no specific reason. My requirement is that I want some of my machines to have the same outbound public IP every time across reboots. Some machines on my network I don't care what the outbound public IP is even if it changes across reboots.
I tested disabling DHCPv6 but my machine gets a different IP across reboots, so not sure what I'm doing wrong.
You'll also want Do not allow PD/Address release to be selected, though not all ISPs respect it.
I couldn't find this setting anywhere, which page is it on?
I'm finding it confusing, do router advertisements get sent even if DHCP is not enabled? If so, why is it in the DHCPv6 section of pfsense?
-
SLAAC is the simplest configuration. It just works. With it, you have a consistent address that's often based on the MAC address and you can also have privacy addresses that change every day. However, you can disable the privacy addresses in the computer operating system. that setting is on the WAN page.
Which part of the address changes? The most significant 64 bits? Or the least? If the most, your prefix from your ISP may be changing, but that's what that setting is supposed to stop. Why do you need the outgoing address to stay the same? What you're trying to do might be doable is some other way.
-
@mewsense said in Struggling to set static mappings:
I'm finding it confusing, do router advertisements get sent even if DHCP is not enabled? If so, why is it in the DHCPv6 section of pfsense?
RAs are always sent, including with DHCPv6. There are different DHCPv6 modes, depending on what you need.
-
I'm just testing things out really and trying to understand. I am connecting to some servers in Azure that have a firewall to my home IPv4 public IP and I'm wondering how that would work with IPv6. It works fine by adding a rule to the network prefix assigned to me by my ISP like
2a02:1234:5678::/64But I wondered if I could lock it down to just one PC on my home network by using a Static IPv6. The only way I can figure out how to do this is to set it manually on my PC because DHCPv6 static mappings don't seem to work, and to switch off temporary addresses on my OS with
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled.I should probably be using Bastion or point to site VPN to connect to servers in Azure rather than using IPv6 for the routing? I don't know.
-
Do want the locked down address to be for a server? Or a user? With the SLAAC consistent address, you point the DNS server at it. You don't normally worry about outgoing connections. However, as I mentioned, you can disable privacy addresses on a computer and it will then use the consistent address for both incoming and outgoing. Instead of specifying the solution you want, try telling us what you want to do. For example, are you trying to run a server? Then the consistent address is exactly what you want.
-
Thanks for the help, on my home network SLAAC seems fine for everything except for my work PC which I use to connect to servers in Azure, but maybe SLAAC is fine for that too.
Using IPv4 I would set a firewall rule in Azure to allow my home pfsense ipv4 WAN interface IP, access to Azure VMs, and I'm wondering if it's possible to use a static IPv6 IP. Maybe not a good idea just for privacy reasons but then I thought that's not a good reason anyway because everyone will know my network prefix which is the same thing.
I switched off temporary addresses on Windows 10 and 11 and rebooted, and now SLAAC isnt' working at all, I only get FE80 address for my interfaces. If I try and ping the pfsense LAN interface IPv6 IP, I get
transmit failed. General Failure.errorLots to learn here lol
-
@mewsense Seems I'm just impatient. After 2-5 mins my PCs did get a consistent IPv6 address across reboots, but it's not there immediately on boot, it takes a few minutes, any ideas why?
-
What do you get in the mean time? When a computer boots up, it will send a router solicitation to get the info immediately and then relies on periodic RAs. The RA will provide the network prefix and the computer will add the suffix, to create the address. Your privacy addresses will be different and if you leave the computer running long enough, you will get a new one every day, up to 7, with the oldest falling off the list. Can you configure that firewall to allow any address within your prefix?
With SLAAC, you should have one consistent address, often based on the MAC and up to 7 privacy addresses. The most recent privacy address will be used for outgoing connections. As I mentioned, you should be able to turn off the privacy addresses. Watch your addresses for a few days to see what's happening.
Are you sure it's the privacy addresses you turned off? Here are the instructions. However, I haven't tried this myself, as I'm a Linux user.
-
I think I'm getting somewhere! I have set pfSense RA to Unmanaged. I disabled the network interface on my Windows machine, then ran wireshark on the Windows machine, then enabled the interface. I also switched off Windows Defender Firewall for this test.
I can see that the Windows machine sends a Router Solicitation packet three times, one second apart, to
ff02::2. but doesn't get a response from pfSense. It also sends Neighbor Solicitation packets.At this time it only has a link-local IPv6 address and remained this way for ten minutes!
The Windows PC gets a public IP when pfSense sends a Router Advertisement message, but not before. Seems wrong? Why isn't pfSense responding to Router Solicitation messages from my Windows PC?
I tested this by changing the Minimum RA interval and Maximum RA interval in pfSense to 5 and 10, and then my Windows machine got a public address quickly. Do I really want pfSense to be sending RA messages so frequently?
I understand all the temporary IP address stuff now, thanks.
-
@mewsense said in Struggling to set static mappings:
I disabled the network interface on my Windows machine, then ran wireshark on the Windows machine, then enabled the interface.
????
If you disable the interface, how do you run Wireshark?
I suspect your problems may be self induced, as you've been messing with things when you don't know what you're doing.
-
@jknott
A bit unfair tbh, maybe you missed the bit where I said I enabled it immediately after starting Wireshark. I wanted to be sure of no traffic when I started Wireshark. -
I also did a Packet Capture on pfSense, disabled my network interface, enabled it again to force it to send a Router Solicitation and I can see it is received by pfSense, but it seems that pfSense doesn't reply. Or the reply is not received somehow.
16:24:54.258743 IP6 fe80::8d91:ba6b:b24d:8a3f > ff02::2: ICMP6, router solicitation, length 8
16:24:55.251083 IP6 fe80::8d91:ba6b:b24d:8a3f > ff02::1: ICMP6, neighbor advertisement, tgt is fe80::8d91:ba6b:b24d:8a3f, length 32
16:24:58.260537 IP6 fe80::8d91:ba6b:b24d:8a3f > ff02::2: ICMP6, router solicitation, length 16
16:25:02.251761 IP6 fe80::8d91:ba6b:b24d:8a3f > ff02::2: ICMP6, router solicitation, length 16If I restart radvd on pfSense my Windows machine gets an IPv6 address. So I suspect something up with pfsense here.
-
