Use of both dhcp and slaac, advanced configuration
-
Hello,
i am new of ipv6, so I don't know if what I am trying to do is possible.
I want to use the dhcpv6 to assign a range of ULA's addresses (to easily manage the devices addresses even if I switch the isp) and use the slaac for the internet connection (using the /56 network given by the isp).It works... partially
I get the ULA and slaac ip, but since I set the network gateway to the ULA address my slaac can't access to internet.If I try to ping google it gives me: no route to host.
Is it possible to assign a gateway for the slaac addresses?
-
You don't have to use DHCPv6 for ULA. Use them the same way as global addresses, as described. I have that here, even though my prefix does not change. Also, Android devices don't work with DHCPv6.
As for your prefix, ensure Do not allow PD/Address release, on the WAN page, is selected. With many ISPs, this prevents the prefix from changing.
-
And, while fc00::/7 is technically reserved, fc00::/8 is undefined. fd00::/8 is currently defined for ULA. Choose a site-specific /48 using RFC4193.
-
@Derelict
Actually, both blocks are for ULA, with fc00 /8 supposed to use some central server to assign prefixes. However, that never went anywhere.From RFC 4193, section 3.1:
Prefix FC00::/7 prefix to identify Local IPv6 unicast
addresses.L Set to 1 if the prefix is locally assigned. Set to 0 may be defined in the future. See Section 3.2 for additional information.Bottom line, the entire fc00 /7 block is ULA, though it's best to stick with fd00 /8, unless a single /8 isn't big enough for you.
-
Thank you for your reply and the very useful link.
So from what I've understand, I must disable the dhcpv6 and use only the slaac, is it correct?But.. since wth slaac the addresses are generated by the devices itself, how router can statically assign an ULA ip to each devices (like iot devices, etc)?
As said above, my goal is to use the ULA's addresses to each devices, like now I am using the ipv4 (pfsense assign a name and a static ip) and the temporary addresses (from isp) to let some of these to get the internet access without having worry if the ipv6 prefix from the isp changes (or if I move to another isp))
-
Why do you need the router to assign an address? With SLAAC, there will be one consistent address, which does not change. You use that address for DNS. It may be MAC or random number based. Either way, it doesn't change.
In fact, I went through this recently. I bought a new tablet last week and I had to determine which was the consistent address, as it wasn't MAC based. It's now in my DNS.
-
frankly speacking I don't know, maybe i am too ipv4-focused, so i tought that dhcp was the right way to go...
I don't know enough about how slaac works, I tought that the address are randomly generated.. but in this case I can leave the dhcp on the shelf and take the slaac as you suggested.
Unfortunately the documents I found are only for sys admins and are too advanced for my home-user skills
...anyway, I can follow the guide you posted on your first reply and use the isp address / ula and virtual ip in combination (i am semplifing) to solve my issues.. right?
-
With SLAAC, the router provides the prefix and the device, the suffix. The consistent suffix can be based on the MAC address or a random number. In addition, there are privacy addresses, where the suffix changes daily and you can have up to 7 of them. As I mentioned, the consistent address is the one used for DNS and the privacy addresses are used to connect to servers, etc.. The purpose for them is so that a device can't be tracked, if it moves around, such as to public WiFi.
Yes, you can use my guide for using both global and ULA on your network. It's also possible to use just ULA for things like IoT, where you don't want Internet access. One other thing to remember is you have 256 /64s from your ISP, so you can set up multiple networks, such as my guest WiFi and more.
If you have more questions, just ask here. I have been using IPv6 for 13 years and there are others who can also help.
-
@JKnott
Thanks, when I'll back to home I'll do some tests about.On the ipv4 side I already have different vlan for different purposes (iot, gaming, test, etc).
So I think I will use the same ula's prefix, something like /48 for all the vlans + 16 bytes that represent each subnet, and the suffix for the remain /64.Last question: for the lan suffix you think that random number are better than mac? (because it is always the same even if the network card changes, etc).
This must be done on each devices I want it have a "static" ip? right?Thanks ;)
-
It makes no difference whether you use MAC or random number for the suffix. The only thing is the MAC can be tied to a piece of hardware, but the random number can't.
My IPv4 addresses are within the 172.16 block. I match the 3rd octet to the IPv6 prefix ID, to keep things straight. I even did the same for the VLAN ID for my guest WiFi. Since you only have a /56 prefix from your ISP, you might as well use the same prefix IDs for ULA, just to help keep things straight.
One thing you may have noticed, with IPv6, is you have a LOT more addresses than with IPv4. A single /64 contains 18.4 billion, billion addresses.
-
Hello, I think I did something wrong because following your guide I can't get any ipv6 addresses..
I have tried with all the RA combination, also with enable dhcpv6 but nothing works.. on pc side I always have the auto-generated local link
Where am I going wrong?
[EDIT] there was an error on the firewall rules on screenshot (the rule is for ipv4 instead ipv6). Anyway even with the right setting it doesn't work..
This is the vlan 219 (test) configuration
-
[EDIT 2] i am an idiot, it is official..
It wasn't working because I did some hw modifications (I removed the nic where the vlan was assigned) but I didn't change the assignment.. So the network was up on a nic that doesn't exist..I don't know if leave the upper post of my post or remove it.. anyway..
now I get the address end :1451 that is the temporary address used for internet, the 63c7 (i don't know) and the ULA.
now I have 2 questions:
-
how can I assign statically the ULA's if it is generated from the client?
-
If I set 7200 seconds on "Default valid lifetime" and "Default preferred lifetime", after 2 hours should I get another temporary address? right?
-
-
@crc_error_79 said in Use of both dhcp and slaac, advanced configuration:
I don't know if leave the upper post of my post or remove it.. anyway..
now I get the address end :1451 that is the temporary address used for internet, the 63c7 (i don't know) and the ULA.
now I have 2 questions:how can I assign statically the ULA's if it is generated from the client?
If I set 7200 seconds on "Default valid lifetime" and "Default preferred lifetime", after 2 hours should I get another temporary address? right?
One thing I noticed is you were assigning a static IPv6 address on a VLAN. You should use track interface and SLAAC to assign addresses. Also, what are you still doing with DHCP? Unless you have a specific need for it, don't use it.
As for the static ULA, it works exactly the same as global addresses. You get one consistent address and one or more dynamic addresses. Just create your prefix, as described, and then do the same as with your global addresses.
I have never found a need to change the lifetime. I get a new address every day and that's good enough for me.
-
@JKnott said in Use of both dhcp and slaac, advanced configuration:
One thing I noticed is you were assigning a static IPv6 address on a VLAN. You should use track interface and SLAAC to assign addresses. Also, what are you still doing with DHCP? Unless you have a specific need for it, don't use it.
Ciao
I can't because the isp gives me a local link address on the wan, and a prefix /56 to use on the lans
I must to set it in that way in order to get it work..
The only way is set that /56 and create a gateway address on a /64 lan
Also dhcpv6 is disabled and RA is set to "assisted"@JKnott said in Use of both dhcp and slaac, advanced configuration:
As for the static ULA, it works exactly the same as global addresses. You get one consistent address and one or more dynamic addresses. Just create your prefix, as described, and then do the same as with your global addresses.
I am a little bit lost.. Do I have to do it on the client side or in pfSense?
Because the only way I found is on the dhcpv6 (also requires a DUID [i don't know what it is and how get it])About your guide: may I ask what the virtual ip on the same lan specified on the RA subnet is used for?
@JKnott said in Use of both dhcp and slaac, advanced configuration:
I have never found a need to change the lifetime. I get a new address every day and that's good enough for me.
Yes after many reboot of the mac the address remain, even the temporary.. maybe 7200 second is a too short time?
-
@crc_error_79 said in Use of both dhcp and slaac, advanced configuration:
I can't because the isp gives me a local link address on the wan, and a prefix /56 to use on the lans
Does your ISP not use DHCPv6-PD? If so, you should be able to get the proper prefix for each interface. Have you set a unique prefix ID for each interface? With a /56 your choices are 0 - ff. Also, link local addresses are often used for routing, as a router only has to know how to reach the next hop. My ISP provides a global address for the WAN, but it's not used for routing. It can be used for things like a VPN or connecting directly to pfSense with SSH, etc., but it's not necessary even for that.
Also dhcpv6 is disabled and RA is set to "assisted"
I use unmanaged.
I am a little bit lost.. Do I have to do it on the client side or in pfSense?
Because the only way I found is on the dhcpv6 (also requires a DUID [i don't know what it is and how get it])You don't do anything on the client. It all happens automagically there. The DUID just happens on it's own.
About your guide: may I ask what the virtual ip on the same lan specified on the RA subnet is used for?
It's used to provide an address for the interface. It will not assign one for itself with SLAAC.
Yes after many reboot of the mac the address remain, even the temporary.. maybe 7200 second is a too short time?
As I said, I've had no reason to change it.
-
@JKnott said in Use of both dhcp and slaac, advanced configuration:
It's used to provide an address for the interface. It will not assign one for itself with SLAAC.
Thank you, this was the key to do what I want to do.
I found this video about the ipv6
Youtube: pfsense Setting Multiple Static WAN IP Addresses / Using Virtual IP's NAT Firewall RulesBelow how I set the dhcpv6 and slaac
interface
🔒 Log in to viewdhcpv6
🔒 Log in to viewRA and slaac
🔒 Log in to viewvirtual IP
🔒 Log in to viewfirewall (temporary rules, I have to set the correct ones)
🔒 Log in to viewand finally
-
@crc_error_79 This will not work for long if your IPv6 is dynamic... unless it never changes like JKnott's.
-
@Bob-Dig
what do you mean?
If my isp changes the prefix I can still have the dhcpv6 with the ULAs addresses defined by me.
The only thing I have to do is to change the virtual IP prefix as well as the slaac with the new one
Also, for the some devices I can set a static address like I did with my mac mini ::500 -
@crc_error_79 said in Use of both dhcp and slaac, advanced configuration:
what do you mean?
This, kinda:
The only thing I have to do is to change the virtual IP prefix as well as the slaac with the new one
-
@Bob-Dig
ah ok..
to me it is not a big deal, better change 2 parameters than at least 20 dhcpv6 static assigments..
Also I think that in this way I could have a public network and private one, I don't know if for security it is better..but as I said before maybe am I still too ipv4 focused
