Unique Local Addresses?
-
On pfSense, any addresses beyond the interface's primary address has to be added in as a virutal IP Alias address.
Once you've done that you can verify with CLI ifconfig -a and see it show up.I added a second address fd33:3e94:8260:4100::1 to my em1 interface.
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1f:5b:46
inet6 fe80::20c:29ff:fe1f:5b46%em1 prefixlen 64 scopeid 0x2
inet 100.64.31.1 netmask 0xffffff00 broadcast 100.64.31.255
inet6 fd33:3e94:8260:3100::1 prefixlen 64
inet6 fd33:3e94:8260:4100::1 prefixlen 128Once it is added in, you can then setup the prefix in the RA config to advertise each prefix defined on the interface. Note that clients on that L2 will get an address for EACH advertised prefix (if listening to RAs). Keep in mind they will also get more than 1 gateway this way.
Here is a good place for an improvement to pfSense, configurable router priority per-prefix, so you can say have the "main" prefix with the higher priority and the others with a lower priority.
Right now they will all advertise with the same priority, unless you go tweak the underlying radvd.conf file.</rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast> -
On pfSense, any addresses beyond the interface's primary address has to be added in as a virutal IP Alias address.
Once you've done that you can verify with CLI ifconfig -a and see it show up.I added a second address fd33:3e94:8260:4100::1 to my em1 interface.
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1f:5b:46
inet6 fe80::20c:29ff:fe1f:5b46%em1 prefixlen 64 scopeid 0x2
inet 100.64.31.1 netmask 0xffffff00 broadcast 100.64.31.255
inet6 fd33:3e94:8260:3100::1 prefixlen 64
inet6 fd33:3e94:8260:4100::1 prefixlen 128Once it is added in, you can then setup the prefix in the RA config to advertise each prefix defined on the interface. Note that clients on that L2 will get an address for EACH advertised prefix (if listening to RAs). Keep in mind they will also get more than 1 gateway this way.
Here is a good place for an improvement to pfSense, configurable router priority per-prefix, so you can say have the "main" prefix with the higher priority and the others with a lower priority.
Right now they will all advertise with the same priority, unless you go tweak the underlying radvd.conf file.</rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>I'll have to try adding it with the command line, as soon as I figure out how. :D I had set an alias IPv4 address in Linux, years ago. I guess this is similar.
Also, it would be nice if the DNS resolver would support multiple IP addresses, the way some web sites do. Then you could have both ULA and GUA addresses for the same host name.
-
I'll have to try adding it with the command line…
Sorry, I wasn't specific enough, no CLI necessary…
Firewall --> Virtual IPs
Click + Add
Select Type: IP Alias
Enter the IPv6 address with /128 mask.Also, it would be nice if the DNS resolver would support multiple IP addresses, the way some web sites do. Then you could have both ULA and GUA addresses for the same host name.
Yeah, the multiple IPs part per hostname in DNS resolver would be a nice touch, since that is pretty much basic functionality of DNS. A good use-case for that would be for round-robin host selection.
-
Yes, I found that way to add the alias and I can see it in ifconfig. I had the prefix set up in RA a couple of weeks ago. Still can't ping though.
-
Still can't ping though.
The thing to realize is that "Interface address" in firewall rules doesn't include any virtual IPs assigned to the interface.
So unless you explicitly allow it it isn't going to work.The minute you start using virtual IPs, it is a good idea to create an Alias, eg: LAN_IPv6 and put all the valid addresses into it, and then use only that object in your rules.
I'll admit that its a bit kludgy, it would be nicer if pfSense had a way of referencing the Virtual IP, so that if you changed it, the Alias would update automatically, so keep that in mind if you make changes after its running. -
Given that ifconfig shows that address, shouldn't I be able to ping it from another computer? It certainly works that way on IPv4 in Linux. Also, I can ping that address from pfSense. I just can't ping between pfSense and another computer.
BTW, the address I used is fd48:1a37:2160::1, which is within my ULA prefix.
I'll have to see what Wireshark shows.
-
Wireshark shows the neighbor solicitation going out, but no response.
-
Did you specifically allow access to that IP in the ruleset? It won't reply, even to the interface IP, if there is no rule.
-
There is an existing rule, with wild cards for source, destination and gateway, for IPv6 on the LAN side. I don't see anything that applies to that ULA prefix. Also, why should it be necessary to have a rule for traffic that will not pass through the firewall? I'm just trying to connect between 2 devices on the same LAN.
-
Can you show me your LAN rules?
tnx
-
One other thing I've noticed. If I put an alias on the LAN and then reboot the firewall, I lose the global address.
-
Yeah, I think there are a lot of gotcha's with the Track Interface.
It makes sense because the Alias gets set on the interface before the Track Interface address, which then would make it need to provision as a 2nd address, so the logic is broken.
Additionally, my "alias" trick doesn't work well either because you don't know beforehand what prefix you'll get on the interface in addition to any additional ones you want to create.More feature improvements required for this to work. This is infact a known issue, see: https://redmine.pfsense.org/issues/6678 and https://redmine.pfsense.org/issues/5999
For now, you'll need to stick with static IPv6 prefix allocations to make it work as expected.
-
Oh well. I was planning on learning a few things, but not these bugs.
-
That problem with an alias pretty much eliminates pfSense from routing ULA networks.
-
"I'm just trying to connect between 2 devices on the same LAN."
If your on the same L2 what does pfsense have to do with anything?
"Wireshark shows the neighbor solicitation going out, but no response."
Pfsense could be OFF if your devices are on the same L2..
Are you wanting pfsense to route between 2 different ULA/64s that are attached to pfsense - or these 2 hosts on the same network that are not using their ULA addresses?
-
Routing ULAs is completely appropriate, other than onto the Internet. They're just like RFC1918 addressesin that respect. Suppose you have 2 corporate locations, each with ULAs. Might you not want to route between them? In fact that's the reason for the random number part of the /48 prefix, so that you can route between ULA networks, with little risk of address collision. I have experienced address collision on IPv4, when I wanted to VPN home from hotels.
Other than keeping them off the Internet, pfSense, like any other router should be able to route ULA.
So, it all boils down to why pfSense doesn't create a usable ULA on the LAN interface. Without that, it can't route ULAs.
-
"Routing ULAs is completely appropriate, other than onto the Internet. "
Completely agree.. But your posts sounds like your issue with devices on the same layer 2..
""I'm just trying to connect between 2 devices on the same LAN.""
""Wireshark shows the neighbor solicitation going out, but no response.""So your saying your not getting answer from pfsense for its ULA you placed on the interface as a neighbor to your device as its gateway? So it can get to other ULA /64's on your local network.. I can try and fire up ULA addresses on pfsense interfaces and see if I can route between them. If that is the case.. But maybe I just needed more coffee, but sounded like you were talking about devices talking to each other on the same L2 which pfsense would give 2 shits about..
-
I guess I should have clarified. ULA works fine, except for the LAN interface on the pfSense firewall. I have no problem connecting from my desktop computer to notebook, etc. It's just I can't access the firewall. While it won't impact me in my situation, pfSense is also sold for use in corporate environments, where it may be an issue.
BTW, I'm doing a lot of this stuff to learn and it's frustrating to come across problems such as this, where poor design keeps things from working.
-
I just tested this..
So gave pfsense a VIP ipv6 ULA of fd31:8d49:5cc9:5133::1
I then gave my PC a ipv6 ula address of fd31:8d49:5cc9:5133::100
I can ping pfsense just fine
ping fd31:8d49:5cc9:5133::1
Pinging fd31:8d49:5cc9:5133::1 with 32 bytes of data:
Reply from fd31:8d49:5cc9:5133::1: time<1ms
Reply from fd31:8d49:5cc9:5133::1: time<1ms
Reply from fd31:8d49:5cc9:5133::1: time<1ms
Reply from fd31:8d49:5cc9:5133::1: time<1msPing statistics for fd31:8d49:5cc9:5133::1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0msNow I had to edit the lan firewall rule on pfsense to not be "lan net" for ipv6 since the ULA is not the actual lan net its a vip sitting on the lan interface..
-
Did you use an alias to create that address on pfSense? When I did that and rebooted, I lost my GUA on the LAN interface. I had no problem setting RA to provide the ULA prefix.
I then gave my PC a ipv6 ula address of fd31:8d49:5cc9:5133::100
I didn't have to do that. With RA configured for the ULA, all my devices got an address automagically.
