Configuring radvd when using ULA with NPT?
-
I am looking for a way to use the IPv6 GUAs I get from my ISP to route to the internet but also keep my server and other devices on a ULA prefix. My reason being I run a DNS server for my stuff but since the IP addresses are not mine and belong to the ISP I cannot reliably build a zonefile of addresses perceived to be dynamic.
My idea was to use the GUAs that I get from the ISP via my WAN interface requesting a /60 prefix. Each router interface is set to "Track Interface". This part works and has been working just fine. What I want to do is use a ULA prefix for my network then use NPT to translate to the GUA given to each interface.
The problem I am running into is the router advertisements on the internal interfaces still try to advertise the GUA even when I have assigned a ULA in the "additional subnets" field. I don't see any way in the GUI to change the default prefix that is advertised. Since pfSense doesn't use static config files I am hesitant to change anything under the hood in the CLI.
Any ideas how I can do this? A better question might even be: is there a way to do this right? I am not 100% sure my implementation is the correct way to approach this.
-
@ianc1215 said in Configuring radvd when using ULA with NPT?:
What I want to do is use a ULA prefix for my network then use NPT to translate to the GUA given to each interface.
Sadly this isn't working for dynamic prefixes that haven't been assigned and I haven't seen any plans for changing this yet.
But if you use both at the same time on each interface it might work, although there is no real benefit. What does work is you can have both at the same time, but you also have to set one ULA on every pfSense interface via VIP.
-
@bob-dig I upgraded to pfSense Plus, it supports dynamic prefixes.
-
@ianc1215 said in Configuring radvd when using ULA with NPT?:
@bob-dig I upgraded to pfSense Plus, it supports dynamic prefixes.
Good for you... then do what I have said and look if this is working for you.
-
@bob-dig Ok, so I assign a Virtual IP to each interface I want a ULA on? How would I get radvd to advertise the ULA prefix but not the GUA prefix?
-
@ianc1215 I don't think you can do that, you will have both.
-
@bob-dig I assume there is no way to override radvd's config file without breaking the way pfSense configures it?
-
@ianc1215 I don't know.
If you look at the NPt-dialog, you can see that it makes more sense if you don't put that GUA-prefix on the same interface to begin with because it is "applied" at the WAN-Interface. This also means you could have two WANs with separate prefixes and the routing would dictate which GUA-prefix would be used by NPt.
So I guess the best way to do it at present is to create VLANs for every GUA-prefix and don't use them for anything other than the NPt-dialog.
In the future I would like to see that integrated there without setting up those VLANs.
-
You can have both GUA and ULA on your network. Then you can use the ULA in your DNS.
-
You advertise both for local devices and use the ULA for your DNS.
-
@jknott Oh! Never looked at it that way. So in a sort of analogy it's like split tunneling with a VPN. GUA would be used for non-local traffic bound for beyond the WAN interface but the ULA would be used for local resources and local name resolution?
-
Yes. People have to stop thinking about the way they did things with IPv4. With IPv6, you can have multiple GUA and ULA on the same interface. Some people also use ULA because they don't get a stable prefix from their ISP, which makes it difficult to use DNS. With ULA, it works fine.
-
@jknott Well I just learned something new today, thanks!
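
The approach the thread settles on (advertise both prefixes, publish only the ULA in DNS) can be sketched as follows. This is an added example, not part of the thread or of pfSense; the host names, the ULA prefix `fd12:3456:789a::/48` and the documentation-range GUA prefixes are constructed sample values. It shows that AAAA records built from ULA addresses stay the same when the ISP hands out a different /60.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")   # RFC 4193 unique local range
GUA = ipaddress.ip_network("2000::/3")   # global unicast range

# Constructed sample data: each host holds a GUA, a ULA and maybe a link-local.
SITE_ULA = "fd12:3456:789a::/48"
OLD_PD, NEW_PD = "2001:db8:aaaa:10::/60", "2001:db8:bbbb:40::/60"
HOSTS = {
    "dns": ["2001:db8:aaaa:10::53", "fd12:3456:789a:10::53", "fe80::1"],
    "nas": ["2001:db8:aaaa:11::20", "fd12:3456:789a:11::20"],
}

def scope(addr):
    """Classify an address as 'ula', 'gua' or 'other' (e.g. link-local)."""
    ip = ipaddress.ip_address(addr)
    if ip in ULA:
        return "ula"
    return "gua" if ip in GUA else "other"

def zone_records(hosts, ula_prefix):
    """AAAA lines for addresses inside the site's ULA prefix only."""
    net = ipaddress.ip_network(ula_prefix)
    if not net.subnet_of(ULA):
        raise ValueError(f"{ula_prefix} is not a ULA prefix")
    return [f"{name} IN AAAA {ipaddress.ip_address(a)}"
            for name, addrs in sorted(hosts.items())
            for a in addrs if ipaddress.ip_address(a) in net]

def renumber(hosts, old_pd, new_pd):
    """Simulate the ISP delegating a new prefix: move GUAs, keep the rest."""
    old, new = ipaddress.ip_network(old_pd), ipaddress.ip_network(new_pd)
    if old.prefixlen != new.prefixlen:
        raise ValueError("delegated prefixes must be the same length")
    out = {}
    for name, addrs in hosts.items():
        out[name] = []
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip in old:  # keep the subnet and interface bits, swap the prefix
                offset = int(ip) - int(old.network_address)
                ip = ipaddress.ip_address(int(new.network_address) + offset)
            out[name].append(str(ip))
    return out

if __name__ == "__main__":
    print("\n".join(zone_records(renumber(HOSTS, OLD_PD, NEW_PD), SITE_ULA)))
```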