Netgate Discussion Forum
    ULA address only?

    IPv6 | 16 Posts | 3 Posters | 2.7k Views
    • JKnott

      What I want is to be able to use RA for the ULA and no global addresses.  However, based on what I saw, it may not be possible.  This is only an experiment, as I recently read that ULA is a good idea for IoT devices, which you might not want to be directly accessible from the Internet.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • Derelict (LAYER 8 Netgate)

        So set the interface Static IPv6, not Track, and set it to be the appropriate ::1 address in the ULA /64 and set up the RA.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • johnpoz (LAYER 8 Global Moderator)

          Or just don't give them an IPv6 address at all.. Clearly you have isolated your iot devices to their own vlan, so why run any ipv6 on that vlan at all?  Only reason to give them a ULA would be to prevent them from internet on IPv6.  This is easier done by just not giving them ipv6 at all..

          If you need to talk to them via IPv6 (I would question why)…  To be honest, the iot devices I have seen have really crappy ipv6 support anyway ;)  If the goal is just to keep them off the internet on ipv6, wouldn't it just be a cleaner solution to not give them internet at your firewall from their global IPv6 address that you get from track or however else you're running your IPv6?  This way you could talk to them via IPv6 without any issues, and they don't have internet via ipv6..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • JKnott

            First off, as I mentioned this is to learn.  I won't actually be building a network for IoT.

            However, the goal is to use IPv6 as much as possible, including ULA when appropriate.  I was hoping that pfSense would provide some control over what addresses it provides in RAs.  Apparently not.  There may be many reasons why one might want a network of devices that can't directly access the Internet, but can be accessed via some sort of gateway.  IoT would certainly fall into that category, as would those cameras I mentioned in another thread.  One nice thing about RAs & SLAAC is no configuration required.  As I mentioned, those cameras were "fun" to configure for an IPv4 address.  Incidentally, those cameras have supported IPv6, including SLAAC, for years.

            So, this has been a learning experience for me and it pointed out something that may be lacking in pfSense.  I suppose the workaround would be to use the firewall to block global addresses from that network, though that shouldn't be necessary.

            My question is why would someone not want to use IPv6, considering it's the future and superior to IPv4 in many respects.

            Funny thing, I actually knew of IPv6, before I learned about IPv4.  I recall sitting in the TCP/IP class thinking about how 32 bit addresses were so limiting.  I read about IPv6 in the April 1995 issue of Byte magazine and took my first TCP/IP course in June 1995.  Ever since then, I've been anxiously waiting for IPv6 to "take over the world".  ;)
            I started using it in May 2012, with a 6in4 tunnel, again to learn about it.

            • Derelict (LAYER 8 Netgate)

              However, the goal is to use IPv6 as much as possible, including ULA when appropriate.  I was hoping that pfSense would provide some control over what addresses it provides in RAs.  Apparently not.

              Did you even try my suggestions? It's right there in the subnets section of the RA settings.

              • JKnott

                @Derelict:

                However, the goal is to use IPv6 as much as possible, including ULA when appropriate.  I was hoping that pfSense would provide some control over what addresses it provides in RAs.  Apparently not.

                Did you even try my suggestions? It's right there in the subnets section of the RA settings.

                Yes, I did try, and I also mentioned it didn't work.

                • Derelict (LAYER 8 Netgate)

                  Looks like it works to me.

                  [Three screenshots of the RA settings attached, 2017-08-26]

                  • JKnott

                    That seems to work now.  Not sure why it didn't before.

                    tnx

                    • Derelict (LAYER 8 Netgate)

                      It does not look like there is a way to disable RA for the interface subnet if it is defined. You can add a subnet to it on the RA page but it will advertise both that subnet and the interface subnet. I'll bring that up and see if that should be able to be disabled.

                      • JKnott

                        I don't want to disable RAs.  They're used to assign the prefix.  Also, ULAs are routable, just not over the Internet.

                        Here's how it looks on a Linux system:

                        vlan3    Link encap:Ethernet  HWaddr 74:D4:35:5A:F5:FB 
                                  inet addr:172.16.3.10  Bcast:172.16.3.255  Mask:255.255.255.0
                                  inet6 addr: fd48:1a37:2160:1:5c0b:a1d3:1ff8:7224/64 Scope:Global
                                  inet6 addr: fe80::76d4:35ff:fe5b:f5fa/64 Scope:Link
                                  inet6 addr: fd48:1a37:2160:1:76d4:35ff:fe5a:f5fb/64 Scope:Global
                                  UP BROADCAST RUNNING MULTICAST  MTU:1300  Metric:1
                                  RX packets:1478 errors:0 dropped:0 overruns:0 frame:0
                                  TX packets:1204 errors:0 dropped:0 overruns:0 carrier:0
                                  collisions:0 txqueuelen:1000
                                  RX bytes:307424 (300.2 Kb)  TX bytes:247592 (241.7 Kb)

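A small check, added here and not part of the thread or of pfSense, for verifying that a host on the IoT VLAN really only received link-local plus ULA addresses. Note that ifconfig labels the ULAs above "Scope:Global" because they are routable, so the check classifies by prefix (fc00::/7, fe80::/10, 2000::/3) rather than trusting the scope label; the sample output is constructed from the thread's listing, and the expected prefix fd48:1a37:2160:1::/64 is taken from it.

```python
import re
from ipaddress import IPv6Address, IPv6Network

# Address classes relevant to the thread. ifconfig shows ULAs as "Scope:Global"
# because they are routable, so classify by prefix instead of the scope label.
ULA = IPv6Network("fc00::/7")          # RFC 4193 unique local addresses
LINK_LOCAL = IPv6Network("fe80::/10")  # always present, never advertised by RA
GUA = IPv6Network("2000::/3")          # globally routable unicast

INET6_RE = re.compile(r"inet6 addr:\s*([0-9a-fA-F:]+)/(\d+)\s+Scope:(\w+)")


def classify(addr: IPv6Address) -> str:
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr in GUA:
        return "global"
    return "other"


def parse_inet6(ifconfig_text: str):
    """Return [(address, prefixlen, scope_label)] from old-style ifconfig output."""
    return [(IPv6Address(a), int(p), s) for a, p, s in INET6_RE.findall(ifconfig_text)]


def check_ula_only(ifconfig_text: str, expected_prefix: str) -> dict:
    """Count addresses per class and list any that violate a ULA-only policy:
    every global address, and every ULA outside the /64 the RA should carry."""
    prefix = IPv6Network(expected_prefix)
    report = {"link-local": 0, "ula": 0, "global": 0, "other": 0, "unexpected": []}
    for addr, plen, _scope in parse_inet6(ifconfig_text):
        kind = classify(addr)
        report[kind] += 1
        if kind == "global" or (kind == "ula" and addr not in prefix):
            report["unexpected"].append(f"{addr}/{plen}")
    report["ula_only"] = not report["unexpected"] and report["ula"] > 0
    return report


# Constructed sample modelled on the vlan3 listing in the thread.
SAMPLE = """vlan3 Link encap:Ethernet HWaddr 74:D4:35:5A:F5:FB
          inet6 addr: fd48:1a37:2160:1:5c0b:a1d3:1ff8:7224/64 Scope:Global
          inet6 addr: fe80::76d4:35ff:fe5b:f5fa/64 Scope:Link
          inet6 addr: fd48:1a37:2160:1:76d4:35ff:fe5a:f5fb/64 Scope:Global
"""

if __name__ == "__main__":
    print(check_ula_only(SAMPLE, "fd48:1a37:2160:1::/64"))
```

If the interface subnet is still being advertised alongside the ULA, as described in the post above, a global address shows up in "unexpected" and ula_only turns false.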
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.