Netgate Discussion Forum

    Should my dhcpv6 clients also get a /64 address?

    26 Posts 5 Posters 204 Views
      jarmo @johnpoz

      @johnpoz said in Should my dhcpv6 clients also get a /64 address?:

      Oh you have it [/128] on your wlp0s20f3 as well - that makes no sense. ... But should be your actual prefix..

      Yes indeed, a public /128 address has been handed. To remove clutter,
      here it is again:

      [jarmo ~]$ ip -6 a | grep "inet6 2"
          inet6 2xxx:xxxx:xxxx:xxxb::1001/128 scope global dynamic noprefixroute 
      

      And yes, it matches specified dhcpv6 address range.

      @johnpoz said in Should my dhcpv6 clients also get a /64 address?:

      It clearly is a wireless interface since it starts with wl

      Network device type does not matter. Here is the situation I described
      in my opening post. This is a direct wired connection to netgate
      device. The relevant settings for this interface are the same as for
      the wireless, except for ipv6 prefix id and router advertisement. For
      this wired interface, prefix id is 3, and router advertisement mode is
      assisted (providing both dhcpv6 and slaac).

      [jarmo ~]$ ip -6 a
      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
          inet6 ::1/128 scope host noprefixroute 
             valid_lft forever preferred_lft forever
      4: enp86s0u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
          inet6 2xxx:xxxx:xxxx:xxx3::1000/128 scope global dynamic noprefixroute 
             valid_lft 7169sec preferred_lft 4469sec
          inet6 2xxx:xxxx:xxxx:xxx3:ee72:cd8d:3d06:e4e6/64 scope global dynamic noprefixroute 
             valid_lft 86397sec preferred_lft 14397sec
          inet6 fe80::d3ff:2ff0:87b6:93b2/64 scope link noprefixroute 
             valid_lft forever preferred_lft forever
      

      As you can see, dhcp client gets two public addresses. One is a /128
      matching the address pool range specified in dhcpv6 server
      settings. The other is a /64, perhaps coming from slaac?

      @johnpoz said in Should my dhcpv6 clients also get a /64 address?:

      What OS is that on?

      OS is Fedora 42, but I do not think it matters. At least my iOS
      devices get similarly multiple ipv6 addresses, one matching dhcpv6
      pool range, the others similar to the /64 addresses above. But iOS
      does not allow me to see the /128 or /64 specifier, I can only see the
      addresses themselves.

      I guess the next thing I should try is slaac only? But doing that should not be necessary, right?

        jarmo @JKnott

        @JKnott said in Should my dhcpv6 clients also get a /64 address?:

        Also, is there some reason you're using DHCP6 on the LAN? Normally SLAAC does all you need and Android devices don't support DHCP6.

        I do not know why I should be running one or the other.

        But as suspected above, slaac might be the solution: I just changed the router advertisement mode of an interface to slaac only, and in that interface, clients get one /64 address from a correct subnetwork.

        So... a solution but no explanation?

        Thanks!

          Gertjan @jarmo

          @jarmo said in Should my dhcpv6 clients also get a /64 address?:

          clients get one /64 address

          A /64 address isn't an address, it's more a 'network' (imho).

          I asked my NAS to renew its Ipv6 lease :

          10:49:34.954022 00:11:32:a7:d5:88 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 129: (hlim 1, next-header UDP (17) payload length: 75) fe80::211:32ff:fea7:d588.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=123d36 (client-ID hwaddr type 1 001132a7d588) (option-request DNS-server DNS-search-list) (elapsed-time 0) (Client-FQDN) (IA_NA IAID:849859976 T1:3600 T2:5400))
          10:49:34.954799 90:ec:77:29:39:2c > 00:11:32:a7:d5:88, ethertype IPv6 (0x86dd), length 207: (hlim 64, next-header UDP (17) payload length: 153) fe80::1:1.547 > fe80::211:32ff:fea7:d588.546: [udp sum ok] dhcp6 advertise (xid=123d36 (client-ID hwaddr type 1 001132a7d588) (server-ID hwaddr/time type 6 time 753711221 90ec7729392a) (IA_NA IAID:849859976 T1:6750 T2:10800 (IA_ADDR 2a01:dead:beef:a6e2::c2 pltime:13500 vltime:21600)) (DNS-server 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c) (DNS-search-list bhf.tld.) (Client-FQDN))
          10:49:34.955219 90:ec:77:29:39:2c > 00:11:32:a7:d5:88, ethertype IPv6 (0x86dd), length 207: (hlim 64, next-header UDP (17) payload length: 153) fe80::1:1.547 > fe80::211:32ff:fea7:d588.546: [udp sum ok] dhcp6 advertise (xid=123d36 (client-ID hwaddr type 1 001132a7d588) (server-ID hwaddr/time type 6 time 753711221 90ec7729392a) (IA_NA IAID:849859976 T1:6750 T2:10800 (IA_ADDR 2a01:dead:beef:a6e2::c2 pltime:13500 vltime:21600)) (DNS-server 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c) (DNS-search-list bhf.tld.) (Client-FQDN))
          10:49:35.965351 00:11:32:a7:d5:88 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 175: (hlim 1, next-header UDP (17) payload length: 121) fe80::211:32ff:fea7:d588.546 > ff02::1:2.547: [udp sum ok] dhcp6 request (xid=ac6158 (client-ID hwaddr type 1 001132a7d588) (server-ID hwaddr/time type 6 time 753711221 90ec7729392a) (option-request DNS-server DNS-search-list) (elapsed-time 0) (Client-FQDN) (IA_NA IAID:849859976 T1:3600 T2:5400 (IA_ADDR 2a01:dead:beef:a6e2::c2 pltime:7200 vltime:7500)))
          10:49:35.968124 90:ec:77:29:39:2c > 00:11:32:a7:d5:88, ethertype IPv6 (0x86dd), length 207: (hlim 64, next-header UDP (17) payload length: 153) fe80::1:1.547 > fe80::211:32ff:fea7:d588.546: [udp sum ok] dhcp6 reply (xid=ac6158 (client-ID hwaddr type 1 001132a7d588) (server-ID hwaddr/time type 6 time 753711221 90ec7729392a) (IA_NA IAID:849859976 T1:6750 T2:10800 (IA_ADDR 2a01:dead:beef:a6e2::c2 pltime:13500 vltime:21600)) (DNS-server 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c) (DNS-search-list bhf.tld.) (Client-FQDN))
          10:49:35.970710 90:ec:77:29:39:2c > 00:11:32:a7:d5:88, ethertype IPv6 (0x86dd), length 207: (hlim 64, next-header UDP (17) payload length: 153) fe80::1:1.547 > fe80::211:32ff:fea7:d588.546: [udp sum ok] dhcp6 reply (xid=ac6158 (client-ID hwaddr type 1 001132a7d588) (server-ID hwaddr/time type 6 time 753711221 90ec7729392a) (IA_NA IAID:849859976 T1:6750 T2:10800 (IA_ADDR 2a01:dead:beef:a6e2::c2 pltime:13500 vltime:21600)) (DNS-server 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c) (DNS-search-list bhf.tld.) (Client-FQDN))
          

          Windows PC : same thing.
          iPhone : same thing.
          A ricoh printer : same thing.

          Nowhere a /64 to be seen.
          It obtained an IPv6 : 2a01:dead:beef:a6e2::c2 for my syno. That could be considered as a /128.
          and that's correct as (2a01:dead:beef:a6e2::0 -> 2a01:dead:beef:a6e2::ffff:ffff:ffff:ffff - the entire /64 block) where my 'e2' prefix is used on my LAN

          My IPv6 DHCP server pool is way shorter, of course :

          ab92d454-029d-447c-8fa6-5d326d58f477-image.png

          and I'm using static IPv6 leases for most of my network devices. These leases are outside of the pool, just above.
          Static leases as I don't want them to have these kinds of addresses : "2a01:dead:beef:a6e2:92ec:77ff:fe29:392c".

          SLAAC : never used it. I'm a DHCP-man, as it worked well for IPv4, so I tend to believe it works fine for my IPv6 stuff also.
          Android : never saw or had one ...

          All my iPhone, iPad, printers, PCs etc etc that are IPv6 capable, work just fine like this.

          A suggestion : maybe your Fedora box is asking for a 'prefix', which would be a /64 ?
          (but in that case the pfSense LAN DHCPv6 server would have to be set up to delegate these prefixes downstream.)

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            johnpoz LAYER 8 Global Moderator @Gertjan

            Do you have this set?

            prefix.jpg

            That should be left empty and it would hand out the /64 that is on your interface.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              jarmo @johnpoz

              @johnpoz
              RA Subnet(s) is empty.

                jarmo

                Still trying to debug this.

                Interesting fact: when those /128 dhcpv6 leases are handed out, pfsense+ status shows that there are no current dhcpv6 leases. Notice that the addresses of those leases match the range specified in dhcpv6 server settings for the interface (::1000 to ::2000).

                What could be the reason for this? Addresses from specified pool, but not from this server? So from... ISP server?

                Tried to increase priority to "high", no difference.

                  Gertjan @jarmo

                  @jarmo

                  Services > DHCPv6 Relay isn't active ?

                  LAN and WAN are VLANs ? Or classic NICs ?

                  if the pfSense DHCPv6+ server hands out leases, they are listed here :

                  f5c97a7e-bd16-40bb-8e05-e766a60359a3-image.png

                    JKnott @jarmo

                    @jarmo said in Should my dhcpv6 clients also get a /64 address?:

                    clients get one /64 address from a correct subnetwork.

                    Initially, there should be 2. A consistent address and a privacy address. You get another privacy address each day, up to 7, when the oldest one falls off the list.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                      jarmo @Gertjan

                      @Gertjan said in Should my dhcpv6 clients also get a /64 address?:

                      @jarmo

                      Services > DHCPv6 Relay isn't active ?

                      I can not activate dhcpv6 relay because dhcpv6 servers are active.

                      @Gertjan said in Should my dhcpv6 clients also get a /64 address?:

                      LAN and WAN are VLANs ? Or classic NICs ?

                      LAN is NIC. WANs are VLAN via Ruckus access point.

                      @Gertjan said in Should my dhcpv6 clients also get a /64 address?:

                      if the pfSense DHCPv6+ server hands out leases, they are listed here :

                      I know. I can see a /128 ipv6 address in my computer, and the list is empty. Don't know much about ipv6, but doesn't this suggest it has been handed by another server (ISP's)?

                      What a mess.

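The question raised above, whether the /128 leases come from some other server, can be checked from a capture in the format Gertjan posted, because every advertise and reply line carries the sender's MAC, its link-local source address and its server-ID. The following is an added example, not code from the thread; the capture lines, MAC addresses and DUIDs are constructed values, and the firewall MAC passed to `unexpected()` is an assumption you replace with your own LAN interface MAC.

```python
import re

# Constructed capture in the verbose tcpdump line format (with link-level headers)
# shown earlier in the thread; MACs, DUIDs and addresses are made-up values.
CAPTURE = """\
10:00:00.000001 02:00:00:00:00:aa > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 129: (hlim 1, next-header UDP (17) payload length: 75) fe80::aa.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=123d36 (client-ID hwaddr type 1 0200000000aa) (elapsed-time 0) (IA_NA IAID:1 T1:3600 T2:5400))
10:00:00.000800 02:00:00:00:00:01 > 02:00:00:00:00:aa, ethertype IPv6 (0x86dd), length 207: (hlim 64, next-header UDP (17) payload length: 153) fe80::1:1.547 > fe80::aa.546: [udp sum ok] dhcp6 advertise (xid=123d36 (client-ID hwaddr type 1 0200000000aa) (server-ID hwaddr/time type 6 time 753711221 020000000001) (IA_NA IAID:1 T1:6750 T2:10800 (IA_ADDR 2001:db8:0:3::1000 pltime:13500 vltime:21600)))
10:00:00.000950 02:00:00:00:00:99 > 02:00:00:00:00:aa, ethertype IPv6 (0x86dd), length 180: (hlim 64, next-header UDP (17) payload length: 126) fe80::99.547 > fe80::aa.546: [udp sum ok] dhcp6 advertise (xid=123d36 (client-ID hwaddr type 1 0200000000aa) (server-ID hwaddr type 1 020000000099) (IA_NA IAID:1 T1:100 T2:200 (IA_ADDR 2001:db8:0:3::1001 pltime:300 vltime:600)))
10:00:01.000100 02:00:00:00:00:01 > 02:00:00:00:00:aa, ethertype IPv6 (0x86dd), length 207: (hlim 64, next-header UDP (17) payload length: 153) fe80::1:1.547 > fe80::aa.546: [udp sum ok] dhcp6 reply (xid=ac6158 (client-ID hwaddr type 1 0200000000aa) (server-ID hwaddr/time type 6 time 753711221 020000000001) (IA_NA IAID:1 T1:6750 T2:10800 (IA_ADDR 2001:db8:0:3::1000 pltime:13500 vltime:21600)))
"""

MSG = re.compile(r"dhcp6 (advertise|reply) ")            # server-to-client messages
SRC_MAC = re.compile(r"^\S+ ([0-9a-f:]{17}) > ")          # Ethernet source
SRC_IP = re.compile(r" ([0-9a-f:]+)\.547 > \S+\.546: ")   # server port 547 -> client port 546
DUID = re.compile(r"\(server-ID ([^)]+)\)")
IA_ADDR = re.compile(r"\(IA_ADDR (\S+) pltime:(\d+) vltime:(\d+)\)")


def responders(capture):
    """Return {(src MAC, src address, server DUID): sorted addresses it offered}."""
    seen = {}
    for line in capture.splitlines():
        parts = [rx.search(line) for rx in (MSG, SRC_MAC, SRC_IP, DUID)]
        if not all(parts):
            continue  # solicit/request from a client, or not DHCPv6 at all
        key = tuple(m.group(1) for m in parts[1:])
        offered = seen.setdefault(key, set())
        offered.update(addr for addr, _pl, _vl in IA_ADDR.findall(line))
    return {key: sorted(addrs) for key, addrs in seen.items()}


def unexpected(capture, firewall_mac):
    """Responders whose Ethernet source is not the firewall's LAN MAC."""
    fw = firewall_mac.lower()
    return {k: v for k, v in responders(capture).items() if k[0] != fw}


if __name__ == "__main__":
    for key, addrs in unexpected(CAPTURE, "02:00:00:00:00:01").items():
        print("unexpected DHCPv6 responder:", key, "offered", addrs)
```

An empty result from `unexpected()` means only the firewall answered on that segment. On managed switches, DHCPv6-Shield (RFC 7610) drops server messages arriving on ports where no DHCPv6 server is expected.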
                        jarmo @JKnott

                        @JKnott said in Should my dhcpv6 clients also get a /64 address?:

                        @jarmo said in Should my dhcpv6 clients also get a /64 address?:

                        clients get one /64 address from a correct subnetwork.

                        Initially, there should be 2. A consistent address and a privacy address. You get another privacy address each day, up to 7, when the oldest one falls off the list.

                        A quick search told me that ipv6 privacy extensions are off in Fedora by default. I will not activate them yet, since having more addresses show up does not help in debugging.

                        This explains why with slaac some iOS devices had lots of ipv6 addresses. With just dhcpv6 activated, those devices have exactly one ipv6 address, so another difference there.

                        Learned something new again, thanks!

                          Gertjan @jarmo

                          @jarmo
                          Thanks.
                          That explains why all my devices have just one IPv6 in the 2a01:..... range (and a fe80::......).
                          I'm using the DHCPv6 with and Router advertisement is set to Managed.

                            jarmo

                            I ended up browsing some parts of TCP/IP Illustrated by Fall and Stevens. They wrote that

                            it is expected that stateless DHCPv6 in combination with SLAAC will be the most common deployment option

                            So I set router advertisement mode to "stateless": addresses are assigned by slaac and additional info by dhcpv6.

                            Now ipv6 addressing works as expected: Fedora with no privacy extensions gets one and only one address, from the correct address space, and the obtained address is a /64. My iOS devices get immediately two /64 addresses. No dhcpv6 leases are shown in pfsense+, which is correct, since addresses are slaac assigned.

                            The only "glitch" is that specified dhcpv6 pool from "::1000" to "::2000" is not respected, but this makes sense since slaac is responsible for addressing. (But I think I still had to specify this pool range in pfsense+, which would not make sense. Honestly, I have spent so many hours on this that I am no longer sure.)

                            To summarize, it looks like

                            • stateful dhcpv6 gives out exactly one /128 address from correct pool (while, based on what I have learned here, it should give out multiple /64 addresses)
                            • slaac gives out correct number of /64 addresses
                            • combination of stateful dhcpv6 and slaac gives one /128 and multiple /64s, and those /64s do not respect the dhcpv6-specified pool boundaries.
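The three outcomes in the summary above can be told apart on the client from the `ip -6 a` output alone. The added example below (not from the thread) labels each address using two heuristics that are assumptions of this sketch: a dynamic global /128 is treated as a DHCPv6 lease, since the IA_ADDR option in the capture earlier in the thread carries an address and lifetimes but no prefix length, and a dynamic global /64 is treated as SLAAC. The sample output is constructed with the 2001:db8::/32 documentation prefix, and the EUI-64 case reuses the interface ID of the address Gertjan quotes.

```python
import ipaddress
import re

# Constructed sample shaped like the `ip -6 a` output in the thread; the redacted
# 2xxx:... prefix is replaced with the 2001:db8::/32 documentation prefix.
IP_OUTPUT = """\
4: enp86s0u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:0:3::1000/128 scope global dynamic noprefixroute
       valid_lft 7169sec preferred_lft 4469sec
    inet6 2001:db8:0:3:ee72:cd8d:3d06:e4e6/64 scope global dynamic noprefixroute
       valid_lft 86397sec preferred_lft 14397sec
    inet6 2001:db8:0:3:92ec:77ff:fe29:392c/64 scope global dynamic noprefixroute
       valid_lft 86397sec preferred_lft 14397sec
    inet6 fe80::d3ff:2ff0:87b6:93b2/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
"""

POOL = (0x1000, 0x2000)  # DHCPv6 pool "::1000" to "::2000" quoted in the thread


def eui64_mac(iid):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]  # undo the universal/local bit flip
    return ":".join(f"{x:02x}" for x in mac)


def classify(text, pool=POOL):
    """Return (ifname, address, prefixlen, guess) for every inet6 line."""
    rows, ifname = [], None
    for line in text.splitlines():
        head = re.match(r"\d+: ([^:@]+)[:@]", line)
        if head:
            ifname = head.group(1)
            continue
        m = re.match(r"\s+inet6 (\S+)/(\d+) scope (\w+)(.*)", line)
        if not m:
            continue  # valid_lft lines and anything else
        addr, plen, scope = ipaddress.IPv6Address(m.group(1)), int(m.group(2)), m.group(3)
        iid = int(addr) & (2**64 - 1)  # low 64 bits = interface ID
        if scope != "global":
            guess = scope
        elif "dynamic" not in m.group(4).split():
            guess = "static"
        elif plen == 128:
            guess = "dhcpv6-in-pool" if pool[0] <= iid <= pool[1] else "dhcpv6-outside-pool"
        elif eui64_mac(iid):
            guess = "slaac-eui64 mac=" + eui64_mac(iid)  # address reveals the NIC's MAC
        else:
            guess = "slaac-opaque-iid"
        rows.append((ifname, str(addr), plen, guess))
    return rows


if __name__ == "__main__":
    for row in classify(IP_OUTPUT):
        print(*row)
```

The `slaac-eui64` label matters for privacy: such an address exposes the hardware MAC to every remote host, which is the kind of address Gertjan says he avoids with static leases.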
                              Gertjan @jarmo

                              @jarmo said in Should my dhcpv6 clients also get a /64 address?:

                              The only "glitch" is that specified dhcpv6 pool from "::1000" to "::2000" is not respected, but this makes sense since slaac is responsible for addressing

                              In a pure SLAAC setup you could even disable the DHCPv6 server. (Never tried this, I hope I don't say stupid things here)

                              Normally you use the DHCPv6 server on an interface so you can assign the IPs you chose with MAC (IPv4) or DUID (IPv6) to the devices. These devices need no intervention from you, they can keep on using DHCP for IPv4 and IPv6, which they normally all are.

                              You use kea ? Or ISC DHCP ?

                              Btw : Here : Diagnostics > Packet Capture :

                              68b375eb-273d-4928-b53d-2f01e083fd3d-image.png

                              and hit the green Start.
                              From now on, you see the DHCPv6 lease traffic logged in details.

                              We are not allowed to compare the good old IPv4 DHCP lease system with the DHCP IPv6 lease system as the IP god will curse us, but for me :
                              It behaves the same way.

                              I made a lot of static IPv6 leases like this :

                              11b7e5b6-a64e-47d3-a953-30faa580706d-image.png

                              and it is like always a set it and forget it operation.

                                JKnott @Gertjan

                                @Gertjan said in Should my dhcpv6 clients also get a /64 address?:

                                In a pure SLAAC setup you could even disable the DHCPv6 server. (Never tried this, I hope I don't say stupid things here)

                                I have never enabled it. Just enable RDNSS to provide the DNS server address. That's the Enable DNS setting, under DNS configuration, on the Router Advertisement page.

                                  jarmo @JKnott

                                  @JKnott said in Should my dhcpv6 clients also get a /64 address?:

                                  @Gertjan said in Should my dhcpv6 clients also get a /64 address?:

                                  In a pure SLAAC setup you could even disable the DHCPv6 server. (Never tried this, I hope I don't say stupid things here)

                                  I have never enabled it. Just enable RDNSS to provide the DNS server address. That's the Enable DNS setting, under DNS configuration, on the Router Advertisement page.

                                  That approach seems to work: just stopped dhcpv6 servers on all interfaces, and addressing and net functionality seems unchanged.

                                  Well, that is simple. Thanks!

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.