Netgate Discussion Forum

    IPv6 / track interface / pass DNS server to client

    Category: IPv6 | 24 Posts, 4 Posters, 2.9k Views
    • jpgpi250

      I have a 4 port device, running pfsense.
      1 interface is used for WAN, getting IPv4 and IPv6 addresses from my provider, using DHCP. Every time the cable modem is reset (by me or the provider), the IPv6 address changes (the IPv4 address hasn't changed for years now).
      The 3 other interfaces (LAN, OPT, DNS) have a static IPv4 address (192.168.2.x), no problems here. The DHCPv4 server is set up to serve IPv4 addresses to clients, including a specific IPv4 DNS server.
      I've configured the LAN and DNS interface to use IPv6 configuration type 'track interface', so the devices on LAN and DNS get an IPv6 address based on the IPv6 WAN interface (track IPv6 interface WAN).
      So far so good, the devices get an IPv6 address, no connectivity problems.

      Question: Is it possible to push an IPv6 DNS server address to the clients, using this (track interface) configuration? I cannot use the pfsense DHCP v6 server, because it apparently needs a fixed IP address and that is not how track interface works.

      • JKnott

        On the WAN interface, enable Do not allow PD/Address release, so that the prefix doesn't change.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • jpgpi250

          Thank you for this, this probably prevents my IPv6 address from changing on the WAN interface, but doesn't help me to push an IPv6 DNS address to my clients.

          • Bob.Dig @jpgpi250

            @jpgpi250 It is working here. Not always right from the start, because it is not that easy to get the clients to take an address from the dhcp6-server, but once they have one, it is working for sure with Track Interface. In the DHCP server you only define the interface identifier and not the whole address anyway. Also you might have to check the corresponding boxes at DHCPv6 Server and Router Advertisements to provide DNS over IPv6.

            • JKnott @jpgpi250

              @jpgpi250

              There's a bit of an issue with DNS on IPv6. There are a couple of ways to push it, DHCPv6 and RDNSS. For some idiotic reason, Android does not use DHCPv6 and some devices don't respond to RDNSS. Regardless, you can still use the IPv4 DNS addresses provided by IPv4 DHCP. You don't need IPv6 DNS to get IPv6 addresses. Both IPv4 and IPv6 DNS provide exactly the same info.

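The two delivery mechanisms named above, RDNSS in Router Advertisements and the DHCPv6 DNS option, carry the server address in different wire formats, which is why a client can honour one and ignore the other. The decoder below for both options is an added example, not code from this thread or from pfSense; the layouts follow RFC 8106 (RDNSS, ND option type 25) and RFC 3646 (OPTION_DNS_SERVERS, code 23), and every packet byte string is constructed for illustration.

```python
"""Decode how an IPv6 DNS server address reaches a client: the RDNSS option in an
ICMPv6 Router Advertisement (RFC 8106) or OPTION_DNS_SERVERS in DHCPv6 (RFC 3646)."""
import ipaddress
import struct

RA_OPT_RDNSS = 25           # Neighbor Discovery option type: Recursive DNS Server
DHCP6_OPT_DNS_SERVERS = 23  # DHCPv6 option code: DNS recursive name servers


def parse_ra_options(options: bytes) -> list:
    """Walk the ND options that follow the 16-byte RA header; return
    (lifetime_seconds, [addresses]) for every RDNSS option found."""
    found, pos = [], 0
    while pos + 2 <= len(options):
        opt_type, opt_len = options[pos], options[pos + 1]
        if opt_len == 0:        # RFC 4861: a zero-length option is invalid, stop parsing
            break
        size = opt_len * 8      # the length field counts units of 8 octets
        body = options[pos + 2:pos + size]
        if opt_type == RA_OPT_RDNSS and len(body) >= 6:
            lifetime = struct.unpack("!I", body[2:6])[0]  # 2 reserved bytes, then lifetime
            addrs = [str(ipaddress.IPv6Address(body[i:i + 16]))
                     for i in range(6, len(body) - 15, 16)]
            found.append((lifetime, addrs))
        pos += size
    return found


def parse_dhcp6_dns_servers(options: bytes) -> list:
    """Walk DHCPv6 options (2-byte code, 2-byte length, value) and return
    every address carried in OPTION_DNS_SERVERS."""
    servers, pos = [], 0
    while pos + 4 <= len(options):
        code, length = struct.unpack("!HH", options[pos:pos + 4])
        body = options[pos + 4:pos + 4 + length]
        if code == DHCP6_OPT_DNS_SERVERS:
            servers += [str(ipaddress.IPv6Address(body[i:i + 16]))
                        for i in range(0, len(body) - 15, 16)]
        pos += 4 + length
    return servers


# Constructed samples (not captured traffic): a Prefix Information option
# (type 3, 4 units of 8 octets) followed by an RDNSS option with one server,
# and a DHCPv6 option list carrying the same server in OPTION_DNS_SERVERS.
_SERVER = ipaddress.IPv6Address("2001:db8:1::1").packed
SAMPLE_RDNSS = bytes([RA_OPT_RDNSS, 3]) + b"\x00\x00" + struct.pack("!I", 1800) + _SERVER
SAMPLE_RA_OPTIONS = bytes([3, 4]) + b"\x00" * 30 + SAMPLE_RDNSS
SAMPLE_DHCP6_OPTIONS = struct.pack("!HH", DHCP6_OPT_DNS_SERVERS, 16) + _SERVER
```

Feeding the option bytes of a real RA or DHCPv6 Reply from a capture to these functions shows which mechanism actually delivered a DNS address to a given client.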
              • jpgpi250 @Bob.Dig

                @Bob-Dig I'm sorry, I don't understand. I'm using track interface, and you say you also use this. You say that your clients get an address from the dhcp6-server, but as I said before, I cannot run a dhcp6-server, because the interfaces don't have a fixed IPv6 address.
                I think I'm missing something here ("In the DHCP server you only define the interface identifier and not the whole address anyway").
                Would you care to explain in detail how you have set it up and got it to work?

                Thanks for your reply.

                • JKnott @jpgpi250

                  @jpgpi250

                  You mentioned pushing DNS addresses, but the network address changes, making those DNS addresses wrong. I provided a suggestion about keeping the prefix the same. That should resolve the changing prefix problem. Regardless, depending on what device you're using, you might have difficulties in getting IPv6 DNS addresses. However, you still have DNS available via IPv4. You will often find that a device running IPv6 still uses the IPv4 address to reach the DNS server. It makes no difference whatever, whether you use the IPv4 or IPv6 address to reach the server, as it will always return the same info.

                  • Bob.Dig

                    Yes, I think this is a general problem with pfSense, that it isn't host agnostic, which means you always have to change stuff manually if the address/prefix changes. So it is best that it doesn't change. Also, are you sure your IPv6 is given to both interfaces? Anyway, here are some screenshots, although I doubt that they will help much. Because I only get a /64 prefix from my ISP, I can only have one interface with IPv6, in my case not named LAN but PRIVAT.

                    [Attached screenshots: wan.JPG, lan.JPG, and the Services > DHCPv6 Server & RA > PRIVAT > DHCPv6 Server page]

                    • JKnott @Bob.Dig

                      @Bob-Dig

                      ????

                      No, the problem is not pfSense. As I mentioned, there's a setting to prevent the prefix from changing. PfSense is also providing the DNS addresses as appropriate, but the devices, such as Android are breaking this. For example, the guy in charge of Android point blank refuses to use DHCPv6, despite requests from business customers to use it and the reasons he gave for not using DHCPv6 were nonsense. There are also some devices that will not accept RDNSS to provide DNS server addresses. This is not a pfSense problem, it's a client problem. For those instances, where DNS addresses are not available via IPv6, then the normal IPv4 DHCP can also provide the DNS addresses. Of course, static DNS configuration remains an option.

                      Perhaps it might be nice if pfSense allowed the current prefix to be used as part of an address, but the situation that would require that is not due to pfSense.

                        • Bob.Dig @JKnott

                        @JKnott As you know, I am no expert or even close. But I saw it myself (technically not, but someone explained to me via TeamSpeak what he saw, and I believe him) with the German consumer router Fritzbox, that with every IPv6 change the firewall rules changed automatically, and I guess that almost all consumer routers with an IPv6 firewall will do it like that. pfSense can't do that right now, although it could theoretically, because unbound knows the new IP address/prefix (at least an nslookup on pfSense gives a correct result), but the alias tables don't get updated correctly. And I think with real host agnostic there would be even more possible. Also DDNS updates for IPv6 hosts via pfSense would be much appreciated.

                        @jpgpi250
                        A proof for you. In my example the DNS-Server is pfSense.

                        [Attached screenshot: Capture.JPG]

                        • jpgpi250 @Bob.Dig

                          @Bob-Dig In your 4th (last) screenshot, you have a checkbox 'provide DNS servers to DHCPv6 clients'. I don't have that checkbox (or don't know how to enable the option).

                          • Bob.Dig @jpgpi250

                            @jpgpi250 There and also in the RA Options there is a box to tick.

                            [Attached screenshot: Services > DHCPv6 Server & RA > PRIVAT > Router Advertisements page]

                            I am on 2.5 but I think it was there before... had to do nothing for it to be there.

                            • jpgpi250 @Bob.Dig

                              @Bob-Dig 2.4.4-RELEASE-p3 (amd64), web interface says I'm on the latest version. NO CHECKBOX

                              • jpgpi250 @Bob.Dig

                                @Bob-Dig got it (there are no checkboxes, but it appears to almost work), had to set router mode to the same value as in your screenshot.

                                <edit>
                                had to change the router mode to 'router only - RA flags[none], Prefix flags [router]', to avoid getting both the DHCPv6 configured DNS server(s) and the DNS servers, defined in general settings.
                                </edit>

                                Thanks for your time and effort, you've helped me a lot...

                                • Bob.Dig @jpgpi250

                                  @jpgpi250 Maybe don't leave a field blank? I didn't try changing the DNS myself.
                                  Saw your edit; if I helped, a thumbs up would be appreciated. 😉

                                  • jpgpi250 @Bob.Dig

                                    @Bob-Dig Looks good, thank you. One last thing:

                                    could you explain your choice of the range ::2000 to ::2010?
                                    My devices on that specific interface are on an IPv4 subnet with max 64 hosts (192.168.2.192/26).
                                    My knowledge of IPv6 is NOT very high, I'm sorry to have to ask.

                                    • Bob.Dig @jpgpi250

                                      @jpgpi250 My knowledge is even less than yours, it just worked for me.

                                      • Bob.Dig @JKnott

                                        @JKnott said in IPv6 / track interface / pass DNS server to client:

                                        PfSense is also providing the DNS addresses as appropriate, but the devices, such as Android are breaking this.

                                        Off topic: today I found out that Android 10 is using "Private DNS" (by Google) by default. I got some bad results as I was testing with FF on my phone, but on another PC it was as expected. Android is even showing the correct DNS servers but is not using them if Private DNS is not disabled.

                                        [Attached screenshot: Capture.JPG]

                                        • JKnott @Bob.Dig

                                          @Bob-Dig

                                          I also wasn't aware of that Private DNS. I'll have to look into it. I don't like it when companies interfere and don't tell.

                                          • jpgpi250 @Bob.Dig

                                            @Bob-Dig Personally, I've set up some IPv4 NAT rules to redirect all DNS traffic not originating from my local DNS solution; that should overcome the Android 10 problem when using IPv4. Unfortunately, pfsense doesn't have IPv6 NAT, so as soon as you enable (allow) IPv6 in your network, simply using IPv6 DNS servers bypasses everything. You mentioned you're on pfsense 2.5. Does it have IPv6 NAT (OPNsense does, according to the forum posts)? Is 2.5 already released? If yes, do I need to do something on the pfsense to switch versions?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.