ipv6 problems, confusion with SLAAC, firewall rules, dhcpv6, pinging
-
I have found a ton of posts, most of which I have read, but I could not apply them to my use case, or I am too stupid to understand this.
My ISP does not provide IPv6, and until now I was fine with using only IPv4 for my local stuff. However, the IoT Matter devices advise me to enable IPv6 for at least the local network.
I went ahead and enabled IPv6.
Then I changed None to Static IPv6 on the IoT VLAN interface.
I chose fd8a:4e3b:9c9c:25::/64 as my static IPv6 address.
Then I enabled RA for IoT in Assisted mode.
Then I enabled the DHCPv6 Server on the IoT VLAN interface (as well as on some other interfaces, since I was at it, to enable IPv6 communication). I know I don't exactly need DHCPv6 with SLAAC, but I wanted to keep my options open.
I have disabled DNS, since I was not sure whether this would make clients try to use the IPv6 DNS for the internet and fail due to having no WAN IPv6.
The LAN interface has a rule to allow all IPv4 and IPv6, so it should be able to access everything.
Some questions:
- Why does nslookup not return the IPv6 address for the specified hostnames? The IPv6 addresses issued by DHCPv6 are listed under the DHCPv6 leases, but the hostnames are blank on the DHCPv6 leases page. Is it because I do not provide DNS server information in RA and DHCPv6?
- I cannot ping a device on a different interface by its IPv6 address from LAN; it times out despite the allow-all firewall rule. Why? I can ping other devices on the same IPv6 subnet as LAN.
- I cannot tell which IPv6 address belongs to which host unless I manually check the MAC in the DHCPv6 leases, since the hostnames are blank; but what about SLAAC self-assigned addresses, where DHCPv6 did not assign anything? This is important for firewall rules, since I need to create a firewall rule to allow some IPv6 devices on IoT to access some other parts of the network. Sure, I can assign a static IPv6 address with DHCPv6, but what about the devices using SLAAC?
What am I missing here? Could anyone enlighten me? What would be your suggestions?
-
@Laxarus said in ipv6 problems, confusion with SLAAC, firewall rules, dhcpv6, pinging:
I have disabled DNS, since I was not sure whether this would make clients try to use the IPv6 DNS for the internet and fail due to having no WAN IPv6.
It doesn't matter whether IPv4 or IPv6 is used for DNS. The same info will be returned either way.
Is it because I do not provide dns server information on RA and DHCPv6?
You need DNS to map between an address and host name. Do you have DNS enabled on pfSense? If so, it should be added to the RA automatically, provided you enabled it on the Router Advertisement page.
Sure, I can assign a static ipv6 with dhcpv6 but what about the devices using SLAAC?
Is there some reason you're using dhcp6? SLAAC is normally all you need. With it, you get one consistent address, which you use in the DNS server along with up to 7 privacy addresses. The consistent address can be either MAC based or a random number.
I have disabled DNS, since I was not sure whether this would make clients try to use the IPv6 DNS for the internet and fail due to having no WAN IPv6.
Actually, IPv6 is good at figuring that out. It uses something called scope, which determines what an address can reach. Try it and see what happens.
-
@JKnott thanks for the suggestions and I really appreciate it.
@JKnott said in ipv6 problems, confusion with SLAAC, firewall rules, dhcpv6, pinging:
You need DNS to map between an address and host name. Do you have DNS enabled on pfSense? If so, it should be added to the RA automatically, provided you enabled it on the Router Advertisement page.
The Unbound resolver is enabled on the firewall, so yes. I have also enabled DNS in RA as per your suggestion.
But still, nslookups by local hostname do not return IPv6 addresses, only IPv4. Do I need to manually register them one by one on the resolver?
@JKnott said in ipv6 problems, confusion with SLAAC, firewall rules, dhcpv6, pinging:
Is there some reason you're using dhcp6? SLAAC is normally all you need. With it, you get one consistent address, which you use in the DNS server along with up to 7 privacy addresses. The consistent address can be either MAC based or a random number.
I guess I enabled it by habit, coming from IPv4, to have some measure of control over my clients, and I chose Assisted RA for SLAAC for compatibility reasons. But still, how can I find out which IPv6 address clients choose when using SLAAC? Is the NDP table good enough for that? Additionally, are these SLAAC IPv6 addresses going to persist? Can I use these SLAAC IPv6 addresses in firewall rules?
For the ping issue, I think this is some weird Windows IPv6 configuration issue, since I tested pinging from an RPi to another VLAN and it works.
-
@Laxarus said in ipv6 problems, confusion with SLAAC, firewall rules, dhcpv6, pinging:
But still, nslookups by local hostname do not return IPv6 addresses, only IPv4. Do I need to manually register them one by one on the resolver?
I use the DNS resolver host overrides to map IPv6 host names to addresses. Do you do that? Or do you use dhcp6 static mapping? You need one or the other.
But still, how can I find out which IPv6 address clients choose when using SLAAC?
That depends. If you're using a MAC-based address, then you'll recognize the MAC address in the IPv6 address, though it will have fffe in the middle of it. If using a random-number-based address, you'll have to check on the device. For example, in Windows, with the ipconfig command, you'll see a line with "IPv6 Address" for the consistent address, and the privacy ones will say "Temporary IPv6 Address".
The consistent address will last forever and you get a new privacy address every day, up to 7 of them.
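An added example, not from this thread and not pfSense's own code, of the address bookkeeping discussed above: given `ndp -an`-style neighbour output from the firewall, work out which neighbour addresses are MAC-derived (modified EUI-64, the "fffe in the middle" form, stable and therefore usable in a firewall rule or a DNS host override) and which are privacy/random or manually assigned, and compute the EUI-64 address a given MAC will take on a /64 so the rule can be written before the host even shows up. The neighbour lines below are constructed for the example; the prefix is the thread's fd8a:4e3b:9c9c:25::/64 and the MACs are made up.

```python
# Added example: classify IPv6 neighbours as EUI-64 (MAC-derived) or other,
# and derive the EUI-64 address for a MAC on a /64. Not from the thread.
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of FreeBSD/pfSense `ndp -an` output.
# Addresses, MACs and interface names are invented for this example.
NDP_SAMPLE = """\
Neighbor                                 Linklayer Address  Netif   Expire    S Flags
fd8a:4e3b:9c9c:25:21a:2bff:fe4d:5e6f     00:1a:2b:4d:5e:6f  igb1.25 23h59m2s  S
fd8a:4e3b:9c9c:25:8c3e:1f2a:9b7d:4e61    00:1a:2b:4d:5e:6f  igb1.25 23h58m1s  S
fe80::21a:2bff:fe4d:5e6f%igb1.25         00:1a:2b:4d:5e:6f  igb1.25 permanent R
fd8a:4e3b:9c9c:25::30                    b8:27:eb:11:22:33  igb1.25 22h10m5s  S
"""


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in re.split(r"[:-]", mac.strip()))


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    m = bytearray(_mac_bytes(mac))
    m[0] ^= 0x02
    return bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:])


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The SLAAC address a host with this MAC forms on the given /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None if the IID is not EUI-64."""
    iid = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytearray(iid[:3] + iid[5:])
    m[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in m)


def scope(addr: str) -> str:
    """Coarse reachability scope of an address (the 'scope' mentioned in the thread)."""
    a = ipaddress.IPv6Address(addr.split("%")[0])
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:          # fe80::/10, never routed off the link
        return "link-local"
    if a.is_private:             # fc00::/7, e.g. the fd8a:... ULA in the thread
        return "unique-local"
    if a.is_global:
        return "global"
    return "other"


def inventory(ndp_text: str) -> List[Dict[str, str]]:
    """Parse `ndp -an`-style lines into address/MAC/scope/kind rows."""
    rows = []
    for line in ndp_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("Neighbor"):
            continue
        addr, mac = parts[0].split("%")[0], parts[1].lower()
        kind = "eui64" if mac_from_eui64(addr) == mac else "other"
        rows.append({"address": addr, "mac": mac, "netif": parts[2],
                     "scope": scope(addr), "kind": kind})
    return rows


def rule_targets(ndp_text: str, prefix: str) -> Dict[str, str]:
    """MAC -> stable EUI-64 address inside `prefix`: the addresses safe to put in
    a firewall rule or DNS host override. Privacy/random IIDs are left out."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return {r["mac"]: r["address"] for r in inventory(ndp_text)
            if r["kind"] == "eui64" and ipaddress.IPv6Address(r["address"]) in net}


if __name__ == "__main__":
    for r in inventory(NDP_SAMPLE):
        print(f'{r["address"]:40} {r["mac"]}  {r["scope"]:12} {r["kind"]}')
    print(rule_targets(NDP_SAMPLE, "fd8a:4e3b:9c9c:25::/64"))
    print(eui64_address("fd8a:4e3b:9c9c:25::/64", "b8:27:eb:11:22:33"))
```

Two caveats when using this for firewall rules: the EUI-64 address exists only on hosts that still form their stable address from the MAC (common on Linux and IoT devices); Windows defaults to a random stable identifier, so for those hosts you have to read the "IPv6 Address" line from ipconfig or use a DHCPv6 static mapping instead. And the "other" rows include both temporary privacy addresses, which rotate and must never go into a rule, and manually assigned or DHCPv6 addresses such as ::30, which are fine; the script cannot tell those two apart from the NDP table alone.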
-
@JKnott I see, thanks for the explanations. I am still trying to get used to it. It seems overly complicated for a home setup, so I will try to keep IPv6 to a minimum.
Another thing I noticed is with IPv6 and HAProxy: I use DNS names for my backend, and it appears that HAProxy resolves both IPv4 and IPv6. However, it seems to prefer IPv6. Is there a way to force HAProxy to use IPv4 even with IPv6 present?
-
Actually, it's easier to use than IPv4. You don't have to configure anything, it just works, if you're using SLAAC. With a router, such as pfSense, you also have to pick which prefix IDs you use. For example, with my /56 I have 256 of them. Each interface needs a unique prefix ID, but it's just a matter of selecting one.
-
@JKnott Yeah, it seems simple enough, provided I manually manage DNS; otherwise I won't be able to create firewall rules the way I like using SLAAC. Anyway, thank you for all your explanations.
There are some weird things going on with IPv6 that I cannot make sense of for my config.
- My Windows PCs cannot ping other machines in another VLAN over IPv6 despite the firewall rules allowing the communication. After testing further, I noticed that unplugging and replugging the Ethernet cable on the PCs allows me to perform this ping, but they lose communication after 5-10 minutes. The Linux machine on another VLAN can ping the same IPv6 address with no problem at all times (same firewall rules).
- For some reason, pfSense cannot ping Home Assistant when HA is assigned an IPv6 address via a DHCPv6 reservation, but the same Linux machine can still ping HA. How is it possible that the firewall cannot ping its own DHCPv6 client while another client can?
Since HA cannot be pinged by pfSense, HAProxy also fails the IPv6 health check. That is why I wanted to disable IPv6 on HAProxy.
From pfSense:
ping6 fd8a:4e3b:9c9c:25::30 fails
From the Linux machine on VLAN NAS:
ping6 fd8a:4e3b:9c9c:25::30 succeeds
-
Sometimes the problems with Windows are because it's Windows. I have no experience with HAproxy.