Should my dhcpv6 clients also get a /64 address?
-
Still trying to debug this.
Interesting fact: when those /128 dhcpv6 leases are handed out, pfsense+ status shows that there are no current dhcpv6 leases. Notice that the addresses of those leases match the range specified in dhcpv6 server settings for the interface (::1000 to ::2000).
What could be the reason for this? Addresses from specified pool, but not from this server? So from... ISP server?
Tried to increase priority to "high", no difference.
-
Services > DHCPv6 Relay isn't active ?
LAN and WAN are VLANs ? Or classic NICs ?
if the pfSense DHCPv6+ server hands out leases, they are listed here :
-
@jarmo said in Should my dhcpv6 clients also get a /64 address?:
clients get one /64 address from a correct subnetwork.
Initially, there should be 2. A consistent address and a privacy address. You get another privacy address each day, up to 7, when the oldest one falls off the list.
-
@Gertjan said in Should my dhcpv6 clients also get a /64 address?:
Services > DHCPv6 Relay isn't active ?
I can not activate dhcpv6 relay because dhcpv6 servers are active.
@Gertjan said in Should my dhcpv6 clients also get a /64 address?:
LAN and WAN are VLANs ? Or classic NICs ?
LAN is NIC. WANs are VLAN via Ruckus access point.
@Gertjan said in Should my dhcpv6 clients also get a /64 address?:
if the pfSense DHCPv6+ server hands out leases, they are listed here :
I know. I can see a /128 ipv6 address in my computer, and the list is empty. Don't know much about ipv6, but doesn't this suggest it has been handed out by another server (the ISP's)?
What a mess.
-
@JKnott said in Should my dhcpv6 clients also get a /64 address?:
@jarmo said in Should my dhcpv6 clients also get a /64 address?:
clients get one /64 address from a correct subnetwork.
Initially, there should be 2. A consistent address and a privacy address. You get another privacy address each day, up to 7, when the oldest one falls off the list.
A quick search told me that ipv6 privacy extensions are off in Fedora by default. I will not activate them yet, since having more addresses show up does not help in debugging.
This explains why with slaac some iOS devices had lots of ipv6 addresses. With just dhcpv6 activated, those devices have exactly one ipv6 address, so another difference there.
Learned something new again, thanks!
-
@jarmo
Thanks.
That explains why all my devices have just one IPv6 in the 2a01:..... range (and a fe80::......).
I'm using the DHCPv6 with and Router advertisement is set to Managed.
-
I ended up browsing some parts of TCP/IP Illustrated by Fall and Stevens. They wrote that
it is expected that stateless DHCPv6 in combination with SLAAC will be the most common deployment option
So I set router advertisement mode to "stateless": addresses are assigned by slaac and additional info by dhcpv6.
Now ipv6 addressing works as expected: Fedora with no privacy extensions gets one and only one address, from the correct address space, and the obtained address is a /64. My iOS devices get immediately two /64 addresses. No dhcpv6 leases are shown in pfsense+, which is correct, since addresses are slaac assigned.
The only "glitch" is that specified dhcpv6 pool from "::1000" to "::2000" is not respected, but this makes sense since slaac is responsible for addressing. (But I think I still had to specify this pool range in pfsense+, which would not make sense. Honestly, I have spent so many hours on this that I am no longer sure.)
To summarize, it looks like
- stateful dhcpv6 gives out exactly one /128 address from correct pool (while, based on what I have learned here, it should give out multiple /64 addresses)
- slaac gives out correct number of /64 addresses
- combination of stateful dhcpv6 and slaac gives one /128 and multiple /64s, and those /64s do not respect the dhcpv6-specified pool boundaries.
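The three cases in this summary follow from the flags carried in the Router Advertisement (M and O in the header, A in each Prefix Information option, per RFC 4861). As an added example that is not part of the original post, the Python below parses an RA and reports which addressing behaviour clients should show; the sample packets, the `2001:db8:1:2::/64` prefix and the function names are constructed for illustration.

```python
import ipaddress
import struct

def build_sample_ra(m, o, a, prefix="2001:db8:1:2::", plen=64):
    """Constructed sample RA (ICMPv6 type 134) with one Prefix Information option."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)        # M and O bits
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    pio_flags = 0x80 | (0x40 if a else 0)                  # L always set, A optional
    pio = struct.pack("!BBBBIII", 3, 4, plen, pio_flags, 86400, 14400, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed

def parse_ra(pkt):
    """Return the M/O flags, the prefixes usable for SLAAC, and any RDNSS servers."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not a Router Advertisement")
    info = {"M": bool(pkt[5] & 0x80), "O": bool(pkt[5] & 0x40),
            "slaac_prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8           # length is in 8-byte units
        if olen == 0 or off + olen > len(pkt):
            raise ValueError("malformed RA option")
        body = pkt[off:off + olen]
        if otype == 3 and olen == 32 and body[3] & 0x40:   # Prefix Information, A set
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            info["slaac_prefixes"].append(str(net))
        elif otype == 25:                                  # RDNSS (RFC 8106)
            for i in range(8, olen, 16):
                info["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen
    return info

def expected_addressing(info):
    """Map the advertised flags to the client behaviour seen in the thread."""
    slaac = bool(info["slaac_prefixes"])
    if info["M"] and slaac:
        return "slaac+stateful-dhcpv6"    # /64 SLAAC addresses plus a /128 lease
    if info["M"]:
        return "stateful-dhcpv6"          # one /128 lease from the DHCPv6 pool
    if slaac and info["O"]:
        return "slaac+stateless-dhcpv6"   # /64 addresses, DHCPv6 for extra info only
    if slaac:
        return "slaac-only"               # /64 addresses, DNS via RDNSS if present
    return "none"

if __name__ == "__main__":
    for m, o, a in [(1, 1, 0), (1, 1, 1), (0, 1, 1), (0, 0, 1)]:
        info = parse_ra(build_sample_ra(m, o, a))
        print(m, o, a, expected_addressing(info), info["slaac_prefixes"])
```

Feeding it the RA bytes from a packet capture on the LAN side shows which mode the router is really advertising, independent of what the DHCPv6 lease table displays.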
-
@jarmo said in Should my dhcpv6 clients also get a /64 address?:
The only "glitch" is that specified dhcpv6 pool from "::1000" to "::2000" is not respected, but this makes sense since slaac is responsible for addressing
In a pure SLAAC setup you could even disable the DHCPv6 server. (Never tried this, I hope I don't say stupid things here)
Normally you use the DHCPv6 server on an interface so you can assign the IPs you chose with MAC (IPv4) or DUID (IPv6) to the devices. These devices need no intervention from you, they can keep on using DHCP for IPv4 and IPv6, which they normally all are.
You use kea ? Or ISC DHCP ?
Btw : Here : Diagnostics > Packet Capture :
and hit the green Start.
From now on, you see the DHCPv6 lease traffic logged in detail.
We are not allowed to compare the good old IPv4 DHCP lease system with the DHCP IPv6 lease system as the IP god will curse us, but for me :
It behaves the same way.
I made a lot of static IPv6 leases like this :
and it is like always a set it and forget it operation.
-
@Gertjan said in Should my dhcpv6 clients also get a /64 address?:
In a pure SLAAC setup you could even disable the DHCPv6 server. (Never tried this, I hope I don't say stupid things here)
I have never enabled it. Just enable RDNSS to provide the DNS server address. That's the Enable DNS setting, under DNS configuration, on the Router Advertisement page.
-
@JKnott said in Should my dhcpv6 clients also get a /64 address?:
@Gertjan said in Should my dhcpv6 clients also get a /64 address?:
In a pure SLAAC setup you could even disable the DHCPv6 server. (Never tried this, I hope I don't say stupid things here)
I have never enabled it. Just enable RDNSS to provide the DNS server address. That's the Enable DNS setting, under DNS configuration, on the Router Advertisement page.
That approach seems to work: just stopped dhcpv6 servers on all interfaces, and addressing and net functionality seems unchanged.
Well, that is simple. Thanks!