DHCPv6 + SLAAC
-
Hi All
Started rolling out IPv6 at home today. I'm using autoconfig (SLAAC) for automatic IP configuration of my machines and am using DHCPv6 to provide the DNS server to the machines. I'm running "Assisted" mode under the Router Advertisements tab. I basically want SLAAC to configure ALL dynamically configured machines and to use DHCPv6 for the DNS server.
So when I set up the DHCPv6 in pfsense I added in my DNS server along with my domain name but it wouldn't allow me to save this setup UNTIL I had entered something in the range from and to section. So to get past this I entered the same IPv6 address in the from AND the to box but now my first test machine on the LAN has 4 IPv6 addresses:
1 link local
2 global addresses from SLAAC (autoconfig)
1 global address from DHCPv6 (the single IP I entered in the from and to box in DHCPv6).
So my question is, how do you correctly configure DHCPv6 to ONLY give out the DNS server IP and to NOT give out any actual IPv6 addresses? Is there a way to enter something in the from and to field under the range section so that it lets you save the config but only hands out a DNS server IP address when using SLAAC?
Thanks!
-
On the Router Advertisements tab set Router mode to Unmanaged.
-
That won't help me. I need to assign DNS servers to my machines and Unmanaged doesn't do this.
-
I would say set a proper range for DHCPv6 and don't sweat it that your machines have 4 IPv6 addresses. That's by design in IPv6. I think each one serves a niche purpose from my perspective.
Ideally, in my opinion one would have an IPv6 address that changed randomly and frequently (within the prefix range) to use for outgoing web/etc requests to give quasi-privacy for browsing and the address derived from the host MAC address is never used for outgoing traffic, but can be used for publicly hosted services and published to public DNS if necessary.
In addition, each host would get a DHCPv6 address that is resolvable in DNS so that one can access the host by name over IPv6 without manually created DNS AAAA records for every device on the network.
It appears from my prior searching that no devices/OS's have Dynamic DNS functions built into their networking stacks by default yet, so I'm waiting for that personally. DHCPv6 servers don't have any functionality for building a list of hostnames and their associated addresses.
Good luck.
-
> I would say set a proper range for DHCPv6 and don't sweat it that your machines have 4 IPv6 addresses. That's by design in IPv6. I think each one serves a niche purpose from my perspective.
> Ideally, in my opinion one would have an IPv6 address that changed randomly and frequently (within the prefix range) to use for outgoing web/etc requests to give quasi-privacy for browsing and the address derived from the host MAC address is never used for outgoing traffic, but can be used for publicly hosted services and published to public DNS if necessary.
> In addition, each host would get a DHCPv6 address that is resolvable in DNS so that one can access the host by name over IPv6 without manually created DNS AAAA records for every device on the network.
> It appears from my prior searching that no devices/OS's have Dynamic DNS functions built into their networking stacks by default yet, so I'm waiting for that personally. DHCPv6 servers don't have any functionality for building a list of hostnames and their associated addresses.
> Good luck.
Thanks for the reply.
That's the thing, I don't want to set a DHCPv6 range as I don't/won't use these IP addresses on the clients. From an IP configuration point of view I want SLAAC to take care of all that and then assign DNS servers to my machines using DHCPv6. I thought there may be a "special" way of entering a range in DHCPv6 in pfsense so that it doesn't hand out any IP addresses? I should only have 3 IPv6 addresses on the client machines: link local, global (public) address and global (private which changes).
Speaking of Dynamic DNS :) I did an interesting test yesterday. I have a Windows 10 desktop (in a workgroup) and it wasn't registering itself in my Active Directory DNS server. Turned out I had to enable unsecure updates in DNS AND set a primary DNS suffix to match my AD domain name on the Windows 10 machine. After that my workgroup machine created and updated the IPv6 address in DNS.
-
> That won't help me. I need to assign DNS servers to my machines and Unmanaged doesn't do this.
Unmanaged can assign DNS servers, as radvd supports RDNSS and pfSense configures radvd's RDNSS functionality. Unfortunately many common clients do not support RDNSS, including all versions of Windows 'out of the box'.
As things stand, pfSense 2.3 requires you to configure an IPv6 range if you enable the DHCPv6 server. I believe the underlying server is capable of running in a DNS server only mode by omitting any range6 statement, but I haven't tested this.
As gnhb noted, there is some advantage in clients having a semi-frequently changed address allocated by SLAAC with privacy extensions enabled for outgoing traffic, as well as a quasi-static address allocated by DHCPv6 for incoming traffic. By default, most client operating systems work in this way.
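As an added example (not from any poster in this thread, and not the configuration pfSense itself generates), here is what the two daemons pfSense drives would need for the setup the original poster is after: radvd sending Router Advertisements with the M flag off and the O flag on (addresses from SLAAC only, DNS via stateless DHCPv6), with RDNSS/DNSSL for the clients that honour them, and ISC dhcpd with a subnet6 declaration but no range6 statement, so it answers Information-Request but never leases an address. The interface name em0, the 2001:db8:1::/64 prefix, the 2001:db8:1::53 resolver, the example.home search domain and both file paths are constructed placeholders.

```conf
# File 1: /etc/radvd.conf (assumed path)
# M flag off: clients must not ask DHCPv6 for an address.
# O flag on:  clients should ask DHCPv6 for "other" config (DNS, search list).
# 2001:db8:1::/64 is the documentation prefix, used here as a placeholder.
interface em0
{
    AdvSendAdvert on;
    AdvManagedFlag off;          # M = 0, no stateful address assignment
    AdvOtherConfigFlag on;       # O = 1, stateless DHCPv6 for DNS only
    prefix 2001:db8:1::/64
    {
        AdvOnLink on;
        AdvAutonomous on;        # hosts form SLAAC addresses from this prefix
    };
    RDNSS 2001:db8:1::53         # resolver in the RA itself (RFC 8106)
    {
        AdvRDNSSLifetime 600;
    };
    DNSSL example.home           # search domain in the RA itself
    {
        AdvDNSSLLifetime 600;
    };
};

# File 2: /etc/dhcpd6.conf (assumed path), stateless DHCPv6
# The subnet6 block is what makes dhcpd serve this link at all;
# leaving out range6 means it has no addresses to lease and only
# returns the option values below in reply to Information-Request.
option dhcp6.name-servers 2001:db8:1::53;
option dhcp6.domain-search "example.home";

subnet6 2001:db8:1::/64 {
    # intentionally no range6 statement
}
```

Both daemons can check a file before it is loaded: radvd -c -C /etc/radvd.conf and dhcpd -6 -t -cf /etc/dhcpd6.conf. With this pair a host ends up with its link-local address plus its SLAAC addresses and no DHCPv6-leased address, which is the three-address outcome asked for at the top of the thread; a client that ignores RDNSS still learns the resolver through the Information-Request exchange because the O flag tells it to ask.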
-
Another thing you can do is set option 7 in DHCPv6 to 255, this will reduce the priority of the DHCP assigned IPv6 address, yes clients will still end up with 4x IPv6 addresses but they will prefer to use the SLAAC temporary address over the DHCPv6 assignment.
With so many addresses in a /64 assignment - 3x per host plus a link local still isn't many!
-
> Unmanaged can assign DNS servers, as radvd supports RDNSS and pfSense configures radvd's RDNSS functionality. Unfortunately many common clients do not support RDNSS, including all versions of Windows 'out of the box'.
I did read about RDNSS but most of my network comprises Windows clients so this isn't useful for me. Pity!
> As things stand, pfSense 2.3 requires you to configure an IPv6 range if you enable the DHCPv6 server. I believe the underlying server is capable of running in a DNS server only mode by omitting any range6 statement, but I haven't tested this.
I need to test this still. I'd like to avoid DHCPv6 handing out IP addresses as I think having two (private and public) global addresses is enough.
> Another thing you can do is set option 7 in DHCPv6 to 255, this will reduce the priority of the DHCP assigned IPv6 address, yes clients will still end up with 4x IPv6 addresses but they will prefer to use the SLAAC temporary address over the DHCPv6 assignment.
If you end up with 4 IPv6 addresses (3 of which are global) then I assume the public address is permanent (if the MAC address doesn't change)? I know the privacy address can change daily (or whenever).
> With so many addresses in a /64 assignment - 3x per host plus a link local still isn't many!
I'm just loving the power and flexibility of my IPv6 range!! Although I have two ranges from HE, I currently use the /48 which I have subnetted using a /64. I even have my reverse DNS (PTR) setup with HE and it all works great so far. I plan on setting up a new IPv4/IPv6 network from scratch in 6 months so I can't wait. Of course, pfsense has been amazing in all this too. My old Draytek had no chance of establishing an IPv6 tunnel with HE. I even had one of our comms guys at work set up and configure a loan Cisco router for me and the tunnel still didn't work. When I received my pfsense box I had it up and running in about 30min :)