WAN with /64 Delegation

Bob.Dig · Aug 15, 2024, 3:25 PM

@JKnott said in WAN with /64 Delegation:

The gateway should be provided automagically by pfSense, using router advertisements.

That is true, you should activate Services>Router Advertisement on all interfaces with IPv6. Unmanaged probably will do.

meluvalli · Aug 15, 2024, 3:35 PM

@Bob-Dig
I'm using RA in Managed mode. I also have enabled DHCPv6 Relay. I have a DHCP server that hands out IPv6 addresses because I prefer to have managed IPv6 addresses so I know the IPv6 address of each client statically. I then assign IPv6 addresses based on UUID.

My servers I have set for STATIC IPv6 addresses instead of DHCP.

Only problem I have seen with this setup is some devices (Like Google Display Hub) do not get an IPv6 address. I am not really sure as to why though since all my Windows/Linux devices can get an IP via my IPv6 DHCP Server.

Bob.Dig · Aug 15, 2024, 3:38 PM

@meluvalli said in WAN with /64 Delegation:

I have a DHCP server that hands out IPv6 addresses because I prefer to have managed IPv6 addresses so I know the IPv6 address of each client statically.

I only do that for my servers. But in a NAT scenario I wouldn't care.

Thanks to @JKnott everyone around here knows that Android is not supporting DHCPv6.

meluvalli · Aug 15, 2024, 3:44 PM

@Bob-Dig

Yah. I think I remember reading that somewhere :) But, my AppleTV doesn't either (Odd considering my Macbook and iPhone both do though.). So... Google isn't alone...

JKnott · Aug 15, 2024, 3:46 PM

@meluvalli said in WAN with /64 Delegation:

I have a DHCP server that hands out IPv6 addresses because I prefer to have managed IPv6 addresses so I know the IPv6 address of each client statically.

Use SLAAC. It just works. Thanks to some genius at Google, Android doesn't support DHCPv6. Also, with SLAAC, you get 1 consistent address, which can be based on the MAC address or a random number. You also get up to 7 privacy addresses, with a new one every day. The most recent is used for outgoing connections. Use the consistent address as static, as it is, unless you change the prefix.

meluvalli · Aug 15, 2024, 4:04 PM

@JKnott
On my network I am using dnsdist and use specific DNS servers based on source Address (local client). If I use SLAAC and the IPv6 address changes on the client, then dnsdist wouldn't be able to determine the client and would use the wrong DNS server for that client. That's why I am using DHCPv6 with assigned IPv6 addresses based on UUID.

Bob.Dig · Aug 15, 2024, 4:56 PM

OT: Maybe you don't want IPv6...
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063

meluvalli · Aug 15, 2024, 5:06 PM

@Bob-Dig
Why not? They apparently fixed it! ROFL :)

JKnott · Aug 15, 2024, 6:17 PM

@meluvalli said in WAN with /64 Delegation:

If I use SLAAC and the IPv6 address changes on the client, then dnsdist wouldn't be able to determine the client and would use the wrong DNS server for that client.

Make sure Advanced / Networking / Do not allow PD/Address release is selected. Otherwise your prefix will change. If your prefix is changing, it makes no difference whether you're using SLAAC or DHCPv6. As I mentioned, with SLAAC, you get a consistent address, which is what you point your DNS to. If your prefix still changes, despite that setting, then you may want to consider Unique Local Address, as they won't change unless you change them. You can have both global and ULA addresses on the same interface.

BTW, I've had the same prefix for around 5.5 years. It has survived changing, at different times, both my pfSense computer and modem.

JKnott · Aug 15, 2024, 6:18 PM

@Bob-Dig said in WAN with /64 Delegation:

OT: Maybe you don't want IPv6...

Yeah, well who uses Windows anyway?

Bob.Dig · Aug 15, 2024, 6:24 PM

@JKnott said in WAN with /64 Delegation:

BTW, I've had the same prefix for around 5.5 years.

I have the same prefix since my parents met.