Netgate Discussion Forum

Unique Local Addresses?

Category: IPv6 (71 Posts, 6 Posters, 18.4k Views)
awebster (Jul 3, 2017, 8:03 PM)

I'm not familiar with what OpenSUSE uses for IPv6 address selection; if it doesn't look like an EUI-64 address, then yes, it is probably a privacy temporary address.
As a general best practice for ULA addressing, it is recommended to generate a random 40-bit prefix, using a tool like this one:
https://www.ultratools.com/tools/rangeGenerator
or
https://www.sixxs.net/tools/grh/ula/

Either way, you can then do stateless NPT between the ULA subnet(s) and your GUA prefix assigned by your ISP; useful if you change ISPs.

–A.
JKnott (Jul 3, 2017, 8:13 PM, last edited 8:17 PM)

I'll have to see if that address sticks over a couple of days. I know about the 40-bit random number. I just wanted to see how this works and I can always add a random number later. BTW, the way I usually generate a random number is with the command "ps aux|md5sum" at the Linux command line. I expect it will also work at the BSD command line in pfSense.

I just generated a703bfe042481766e1dd6cbf546a39c and could pick any 10-digit string from this to get the 40 bits.

Hmmm… For some reason the spell checker doesn't like that random number. ;)

Update. Apparently that command does not work in BSD. md5sum: Command not found.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
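The random 40-bit Global ID discussed in the two posts above is what RFC 4193 section 3.2.2 derives from a timestamp and the host's EUI-64 (SHA-1 over the two, keep the low 40 bits, prepend fd00::/8). The following is an added example, not code from the thread or from pfSense; the MAC address is the one from the ifconfig output quoted later in this thread, and the 0x3100 Subnet ID mirrors the fd33:3e94:8260:3100::/64 LAN shown there.

```python
import hashlib
import ipaddress
import struct
import time

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 local addresses
NTP_EPOCH_OFFSET = 2208988800                    # seconds between 1900-01-01 and 1970-01-01


def mac_to_eui64(mac: str) -> bytes:
    """Expand a 48-bit MAC into a modified EUI-64 (ff:fe inserted, U/L bit flipped)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def ntp_now() -> int:
    """Current time in 64-bit NTP format: 32-bit seconds since 1900, 32-bit fraction."""
    now = time.time()
    seconds = int(now) + NTP_EPOCH_OFFSET
    fraction = int((now - int(now)) * (1 << 32))
    return (seconds << 32) | fraction


def ula_prefix(eui64: bytes, ntp_time: int) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(NTP time || EUI-64).

    The result is fc00::/7 with the L bit set (0xfd), then the 40-bit Global ID,
    giving a /48 from which /64 subnets are carved.
    """
    key = struct.pack(">Q", ntp_time) + eui64
    global_id = hashlib.sha1(key).digest()[-5:]   # least significant 40 bits
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))


def subnet_of(prefix, subnet_id: int) -> ipaddress.IPv6Network:
    """Pick one /64 out of a /48 ULA prefix by its 16-bit Subnet ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 48 or not 0 <= subnet_id < (1 << 16):
        raise ValueError("need a /48 prefix and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64))


def is_ula(addr: str) -> bool:
    """True when the address falls inside fc00::/7 (in practice fd00::/8, L=1)."""
    return ipaddress.IPv6Address(addr) in ULA_RANGE


if __name__ == "__main__":
    # Constructed input: the MAC from the ifconfig output quoted in this thread.
    eui64 = mac_to_eui64("00:0c:29:1f:5b:46")
    prefix = ula_prefix(eui64, ntp_now())
    print("ULA /48:", prefix, "-> LAN /64:", subnet_of(prefix, 0x3100))
```

On FreeBSD-based pfSense the command that replaces md5sum is md5, but the RFC procedure above avoids depending on process-list entropy at all.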
JKnott (Jul 3, 2017, 9:37 PM)

I don't know if it's related or not, but after adding the 40 random bits, I now get both MAC and random number ULA addresses on the computer and the random number has the same 64 bits as the global address. Also, pfSense doesn't appear to use a ULA for itself.
JKnott (Jul 19, 2017, 6:05 PM)

Is there any way for pfSense to assign a ULA to its LAN interface? I don't see any way to do that.
awebster (Jul 19, 2017, 6:15 PM)

I'm sure there is a nuance here I'm missing…but just set IPv6 configuration type to Static IPv6 and key it in.

[screenshot: Capture.PNG]

–A.
JKnott (Jul 19, 2017, 6:33 PM)

@awebster:
I'm sure there is a nuance here I'm missing…but just set IPv6 configuration type to Static IPv6 and key it in.

I don't see a static config for IPv6. Also, that interface is tracking the WAN interface for its global address. What I'm trying to do is have both global and local addresses on the same interface, as happens with other devices on my network. For example, I can use the ULA to connect from my desktop to notebook computer. However, if I try to even ping6 from the computer running pfSense to another, using the ULA address, it tells me to use the GUA. It won't even route between the two. It's a "you can't get there from here" situation. ;)

BTW, I'm currently reading RFC7368 (riveting plot :D ) where it says:

    When an IPv6 node in a homenet has both a ULA and a globally unique IPv6 address, it should only use its ULA address internally and use its additional globally unique IPv6 address as a source address for external communications.

I can't currently use a ULA between pfSense and other devices.
awebster (Jul 19, 2017, 6:50 PM)

On pfSense, any addresses beyond the interface's primary address have to be added in as a virtual IP Alias address.
Once you've done that you can verify with CLI ifconfig -a and see it show up.

I added a second address fd33:3e94:8260:4100::1 to my em1 interface.

    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:1f:5b:46
        inet6 fe80::20c:29ff:fe1f:5b46%em1 prefixlen 64 scopeid 0x2
        inet 100.64.31.1 netmask 0xffffff00 broadcast 100.64.31.255
        inet6 fd33:3e94:8260:3100::1 prefixlen 64
        inet6 fd33:3e94:8260:4100::1 prefixlen 128

Once it is added in, you can then set up the prefix in the RA config to advertise each prefix defined on the interface. Note that clients on that L2 will get an address for EACH advertised prefix (if listening to RAs). Keep in mind they will also get more than 1 gateway this way.

Here is a good place for an improvement to pfSense, configurable router priority per-prefix, so you can say have the "main" prefix with the higher priority and the others with a lower priority.
Right now they will all advertise with the same priority, unless you go tweak the underlying radvd.conf file.

–A.
JKnott (Jul 19, 2017, 6:57 PM)

@awebster:
On pfSense, any addresses beyond the interface's primary address have to be added in as a virtual IP Alias address.
Once you've done that you can verify with CLI ifconfig -a and see it show up.
[rest of the previous post quoted in full]

I'll have to try adding it with the command line, as soon as I figure out how. :D I had set an alias IPv4 address in Linux, years ago. I guess this is similar.

Also, it would be nice if the DNS resolver would support multiple IP addresses, the way some web sites do. Then you could have both ULA and GUA addresses for the same host name.
awebster (Jul 19, 2017, 7:03 PM)

@JKnott:
I'll have to try adding it with the command line…

Sorry, I wasn't specific enough, no CLI necessary…
Firewall --> Virtual IPs
Click + Add
Select Type: IP Alias
Enter the IPv6 address with /128 mask.

@JKnott:
Also, it would be nice if the DNS resolver would support multiple IP addresses, the way some web sites do. Then you could have both ULA and GUA addresses for the same host name.

Yeah, the multiple IPs part per hostname in DNS resolver would be a nice touch, since that is pretty much basic functionality of DNS. A good use-case for that would be for round-robin host selection.

–A.
JKnott (Jul 19, 2017, 7:10 PM)

Yes, I found that way to add the alias and I can see it in ifconfig. I had the prefix set up in RA a couple of weeks ago. Still can't ping though.
awebster (Jul 19, 2017, 7:14 PM)

@JKnott:
Still can't ping though.

The thing to realize is that "Interface address" in firewall rules doesn't include any virtual IPs assigned to the interface.
So unless you explicitly allow it, it isn't going to work.

The minute you start using virtual IPs, it is a good idea to create an Alias, eg: LAN_IPv6, and put all the valid addresses into it, and then use only that object in your rules.
I'll admit that it's a bit kludgy; it would be nicer if pfSense had a way of referencing the Virtual IP, so that if you changed it, the Alias would update automatically, so keep that in mind if you make changes after it's running.

–A.
JKnott (Jul 19, 2017, 7:22 PM)

Given that ifconfig shows that address, shouldn't I be able to ping it from another computer? It certainly works that way on IPv4 in Linux. Also, I can ping that address from pfSense. I just can't ping between pfSense and another computer.

BTW, the address I used is fd48:1a37:2160::1, which is within my ULA prefix.

I'll have to see what Wireshark shows.
JKnott (Jul 19, 2017, 7:29 PM)

Wireshark shows the neighbor solicitation going out, but no response.
awebster (Jul 19, 2017, 7:30 PM)

Did you specifically allow access to that IP in the ruleset? It won't reply, even to the interface IP, if there is no rule.

–A.
JKnott (Jul 19, 2017, 7:37 PM, last edited 7:45 PM)

There is an existing rule, with wild cards for source, destination and gateway, for IPv6 on the LAN side. I don't see anything that applies to that ULA prefix. Also, why should it be necessary to have a rule for traffic that will not pass through the firewall? I'm just trying to connect between 2 devices on the same LAN.
JKnott (Jul 19, 2017, 8:45 PM)

Can you show me your LAN rules?

tnx
JKnott (Jul 19, 2017, 9:01 PM)

One other thing I've noticed. If I put an alias on the LAN and then reboot the firewall, I lose the global address.
awebster (Jul 20, 2017, 12:33 AM, last edited 12:44 AM)

Yeah, I think there are a lot of gotchas with the Track Interface.
It makes sense because the Alias gets set on the interface before the Track Interface address, which then would make it need to provision as a 2nd address, so the logic is broken.
Additionally, my "alias" trick doesn't work well either because you don't know beforehand what prefix you'll get on the interface in addition to any additional ones you want to create.

More feature improvements required for this to work. This is in fact a known issue, see: https://redmine.pfsense.org/issues/6678 and https://redmine.pfsense.org/issues/5999

For now, you'll need to stick with static IPv6 prefix allocations to make it work as expected.

–A.
JKnott (Jul 20, 2017, 12:52 AM)

Oh well. I was planning on learning a few things, but not these bugs.
JKnott (Jul 20, 2017, 2:23 AM)

That problem with an alias pretty much eliminates pfSense from routing ULA networks.