pfsense 2.4.4 Route Lifetime not changable w/O static IPv6

junicast

I assume not to be the only one having problems understanding your question.
Also I have the feeling that you mix up DHCPv6 and Router Advertisement Daemon.

When you don't want to use DHCPv6 then just leave it disabled. When you don't want to send Router Advertisement, just disable it. Beyond that I really have problems to figure out why you would want to have a second pfSense machine in your network then doesn't route / firewall. Why do you have it?

johnpoz

Concur not sure what your asking to be honest..

When the daemon is shutdown - it should actually send the router lifetime 0s so that any clients using it know that is no longer valid.. Are you saying that is not happening when you shutdown the daemon?

But you can adjust router lifetime in the RA gui

pfadmin

Hi,
0_1540472166109_06d6e074-00f6-4d23-ae88-45899c231166-grafik.png

This is what I get if I want to reach the RA gui. I can not change Router Lifetime, becaus it wont let me. The Error message tells me, I can not turn on dhcpv6, but I wont do this. I want to see RA Option to set Route Lifetime to 0 because it is 60 as you see.

@pmisch I want to use a second DNS resolver that is independent from pfsense. there was a time it stopps working and so on. Next I played with proxy things and so I decided to use the same base

@johnpoz I say that is not happening, it sends 60s. And I can not reach the RA gui to change it.

Hope I could explain the problem

johnpoz

Hmmm - let me try to duplicate that. Why would you be running a lan side interface in slaac mode? Confused..

JKnott

If you don't want to use DHCPv6, don't turn it on. SLAAC is normally used anyway. Also, if you manage to set the RA router lifetime to 0, you will not have a valid prefix, let alone a route.

What exactly is it you're trying to do? Your post doesn't make a lot of sense.

pfadmin

@johnpoz My pfsense#1 is doing routing, firwalling, dns resolver, radius and gets from WAN a dynamic /56 Prefix from Deutsche Telekom. Just a normal internetrouter. Works.

my pfsense#2 is just for a second DNS Resolver, and a proxy and a freeradius server in the future. I could use a debian installation but I choose to use pfsense. pfsense#2 is only an other serving thing on my LAN side, so WAN port is disabled and not configured and LAN port gets an IPv6 via SLAAC from pfsense#1, how else? pfsense#2 should advertise via RA the RDNSS and I think it does. But it advertise a Route Lifetime at 60s too.

@JKnott I don't turned it on. Why you are thinking this? The error message is confusing because I don't want to turn on any dhcpv6, it comes on the way to the RA GUI I want to reach. Is it a language problem and I discribe it in a stupid way? My problem is clear to me and I'm wondering that nobody see it ;-) I'm sorry, will try to describe the whole thing:

I have a internetconnection where a router is at the edge. this router does routing, firewalling, dns resolving, gets dynamic IPv6 prefix for the LAN-side. Pretty good. I call it "pfsense#1".

I want to have a DNS Resolver at my LAN. Maybe in future a radius. No router or fw nessessary because there is only one interface/port, the port to the LAN. I choose to use a virtuell pfsense installation and call it "pfsense#2". Thats it. Should be a normal thing, is'nt it? How can I use it with IPv6 if I get only dynamic IPv6? How can I tell the LAN clients about this DNS Resolver via IPv6? RDNSS? Ddhcpv6? I'm right or totaly wrong?

Why propagates pfsense#2 a Route Lifetime of 60s? Why can I not turn on an dhcpv6 with a valid but dynamic IPv6, if dhcpv6 should only propagate the DNS Resolver at pfsense#2? Why can I not reach the RA GUI to change Route Lifetime to 0s (there is nothing to tell from pfsense#2 because there is no route to nowhere).

Thank you for your time !

johnpoz

@pfadmin said in pfsense 2.4.4 Route Lifetime not changable w/O static IPv6:

Thats it. Should be a normal thing, is'nt it?

No not really... Your trying to use a firewall/router distro as a standalone server - For what point.. If you want 2nd dns fire it up on some min linux distro.. You can then run whatever other services you want on this box.. If you wanted to use it as a downstream router - ok. But pfsense not really meant to be some standalone box to run unbound on ;)

This second pfsense has only 1 interface right? I can try and duplicate what your doing.. But if the pfsense box only has 1 interface it would be considered its wan.. Since it would have a gateway.. Pfsense shouldn't be sending RA into its lan with any sort of prefix on it. Can we see your radvd.conf

pfadmin

@johnpoz this point is really good, but I wanted to use the same base, gui and so on. Could be, that this never work, but what else should one do with this weather outside :-)

johnpoz

See my edit - does this pfsense only have 1 interface? What is your conf file look like.. Why would radvd even be running?

I will try firing up a pfsense Vm on my lan and see if I can duplicate what your doing as just a stand along box.

I would think there only 1 interface and it would be pfsense WAN.. which would have its IPv6 setup as slaac in your first pfsense lan network.

JKnott

@pfadmin said in pfsense 2.4.4 Route Lifetime not changable w/O static IPv6:

@JKnott I don't turned it on. Why you are thinking this? The error message is confusing because I don't want to turn on any dhcpv6, it comes on the way to the RA GUI I want to reach. Is it a language problem and I discribe it in a stupid way? My problem is clear to me and I'm wondering that nobody see it ;-) I'm sorry, will try to describe the whole thing:

The issue is your plans were not clear to us and based on what you've posted since, it appears you're trying to use the wrong tool for the job. Just because pfSense provides a DNS server, doesn't mean it's the best tool for what you want to do. You'd have to turn off DHCP, DHCPv6, SLAAC, etc.. Perhaps you'd have to set up a fully static config and more. Your job is trying to force a square peg into a round hole, because you're using the wrong tool. Sure, you may be able to use a bigger hammer, but it won't be pretty.

pfadmin

@johnpoz

0_1540481099149_a54241d3-6d81-4692-85ab-a772a544761e-grafik.png

/var/etc/radvd.conf

Automatically Generated, do not edit

Generated for DHCPv6 Server lan

interface vtnet0 {
AdvSendAdvert on;
MinRtrAdvInterval 5;
MaxRtrAdvInterval 20;
AdvLinkMTU 1500;
AdvDefaultPreference medium;
AdvManagedFlag on;
AdvOtherConfigFlag on;
prefix 2003:xxxx:xxxx:8c00::/64 {
DeprecatePrefix on;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
AdvValidLifetime 86400;
AdvPreferredLifetime 14400;
};
route ::/0 {
AdvRoutePreference medium;
RemoveRoute on;
};
RDNSS 2003:xxxx:xxxx:8c00:1406:ddff:fe6f:464 { };
DNSSL example.lan { };

pfadmin

@jknott Thank you for your opinion. If I turn on an other interface so pfsense#2 can work as router/firewall, whats the difference? pfsense#1 has no static IPv6, why can I turn on dhcpv6 on LAN side? Why can I reach the RA GUI? Only difference is the way they get an IPv6, in the end there is a Ipv6 on the interface which could propagate. Ok, if I'm the only one with this usecase nobody would code this and I understand this.

I think the whole world gets static IPv6 and live in peace and harmony but in germany only dynamic IPv6 is for the people. In so much threads this is every time the point things not work. I which I could code myself :-)

Thanks again!

johnpoz

If you want to use pfsense as standalone box it would only have 1 interface it would call its wan.. You have it with 2 and just have its wan disable.. So it thinks its router - and then then it would need to run RA, etc. To provide to its clients..

When you install pfsense and only bring up 1 interface it gears itself more as standalone box.. But again its not really a great choice of just running unbound..

pfadmin

@johnpoz Its not only running unbound. there is pfblocker, radius, maybe a proxy in future. thats the idea.

And RA should running for advertising the DNS Server at pfsense#2. I think, dhcpv6 should also be running for advertising DNS. Or doesnt like the clients RAs from different servers in the network?

johnpoz

Here I fired up pfsense with just WAN in my lan network, using slaac.. So its standalone mode so to speak. As you can see NO radvd even there... no dhcpd or dhcpdv6 etc etc...

If you want to use it as standalone - then there should be only 1 interface - and it will be wan... Then no RA will never be sent at all.. Because its not a router ;)

NO!!! RA should not be running on pfsense #2... Hand out your other dns at your ROUTER running RA..

Which is prob going to be hard to do since you have your 2nd dns running slaac to get its IPv6 address :) Not really a great choice for a server that is going to be running services like proxy, unbound, freerad.. Your going to want said server to have a STATIC IP... Or running dhcpv6 so it can get the same IPv6 address all the time via reservation based upon its duid.

pfadmin

Hey thanks for your trying. Static is easy said but hard to do with dynamic IPv6. pfsense#1 could assign a semistatic IPv6 adress, knows the prefix from ISP and I tell the Interface Identifier of pfsense#2 wich is static. There are some threads about it, think fritzbox does it easily. Slaac would give also the same Interface Identifier part and the dynamic prefix is also known - semi static. But no one does this in productiv environment so privat user are a little bit lost.

ULA is a problem [https://forum.netgate.com/topic/130319/ipv6-track-interface-unique-local-virtual-ip-no-go/13](Link Adresse) because I see the same problem like UlfMerbold after reboot.

Anyway, I understand that RA is really not build for advertising a DNS Server by himself. And pfsense is confused if I use it not as gateway.

Thank you all to understand a little bit more whats going on.

johnpoz

Then get your own IPv6 space - or just use HE which is STATIC... Problems freaking solved with the nonsense that is floating prefixes that change on whim..

Or for that matter.. .Just don't use it... There is ZERO anything saying you have to use IPv6 on your lan..

JKnott

@pfadmin said in pfsense 2.4.4 Route Lifetime not changable w/O static IPv6:

Anyway, I understand that RA is really not build for advertising a DNS Server by himself.

RDNSS is part of RA, which iss one way DNS addresses are distributed. You can also use DHCPv6. When I look at RAs here, I see RDNSS included, complete with DNS server addresses.