Netgate Discussion Forum
    IPv6 / track interface / pass DNS server to client

    • Bob.Dig LAYER 8 @JKnott (last edited by Bob.Dig)

      @JKnott As you know, I am no expert or even close. But I saw it myself (technically not, but someone explained to me via TeamSpeak what he saw, and I believe him) with the German consumer router Fritzbox, that with every IPv6 change the firewall rules changed automatically, and I guess that almost all consumer routers with an IPv6 firewall do it like that. pfSense can't do that right now, although it could theoretically, because unbound knows the new IP address/prefix (at least an nslookup on pfSense gives a correct result), but the alias tables don't get updated correctly. And I think with real host agnostic there would be even more possible. Also DDNS updates for IPv6 hosts via pfSense would be much appreciated.

      @jpgpi250
      A proof for you. In my example the DNS-Server is pfSense.

      Capture.JPG

      • jpgpi250 @Bob.Dig

        @Bob-Dig In your 4th (last) screenshot, you have a checkbox 'provide DNS servers to DHCPv6 clients'. I don't have that checkbox (or don't know how to enable the option).

        • Bob.Dig LAYER 8 @jpgpi250 (last edited by Bob.Dig)

          @jpgpi250 There, and also in the RA Options, there is a box to tick.

          Screenshot_2020-02-15 pfSense localdomain - Services DHCPv6 Server RA PRIVAT Router Advertisements.png

          I am on 2.5, but I think it was there before... I had to do nothing for it to be there.

          • jpgpi250 @Bob.Dig

            @Bob-Dig 2.4.4-RELEASE-p3 (amd64); the web interface says I'm on the latest version. NO CHECKBOX.

            • jpgpi250 @Bob.Dig (last edited by jpgpi250)

              @Bob-Dig Got it (there are no checkboxes, but it appears to almost work); I had to set the router mode to the same value as in your screenshot.

              <edit>
              I had to change the router mode to 'router only - RA flags [none], Prefix flags [router]' to avoid getting both the DHCPv6-configured DNS server(s) and the DNS servers defined in general settings.
              </edit>

              Thanks for your time and effort, you've helped me a lot...

              • Bob.Dig LAYER 8 @jpgpi250 (last edited by Bob.Dig)
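The router mode jpgpi250 settled on ('router only - RA flags [none], Prefix flags [router]') and the 'provide DNS servers' option both come down to bits in the Router Advertisement a client receives: the M/O flags in the RA header say whether to ask DHCPv6, the A/R flags in the Prefix Information option say whether to SLAAC an address and whether the prefix field carries the router's address, and an RDNSS option (RFC 8106) carries DNS servers directly. The following Python is an added example, not code from this thread, from pfSense or from radvd: it builds such an RA, decodes it the way a client would, and reports where the client is told to get DNS from. The 2001:db8:: addresses are constructed, and the mapping of pfSense's mode names to these bits is an assumption.

```python
# Added example: build and parse an ICMPv6 Router Advertisement carrying a
# Prefix Information option and an RDNSS option, to show which RA/prefix
# flags tell a client where its DNS servers come from.
# Not pfSense or radvd code; all addresses are constructed (2001:db8::/32).
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25

RA_FLAG_M = 0x80   # managed: get addresses (and other config) from DHCPv6
RA_FLAG_O = 0x40   # other config: get DNS etc. from DHCPv6
PFX_FLAG_L = 0x80  # prefix is on-link
PFX_FLAG_A = 0x40  # autonomous: client may SLAAC an address from this prefix
PFX_FLAG_R = 0x20  # router address (RFC 6275): prefix field holds the router's full address
# Assumption: pfSense's "RA flags [none], Prefix flags [router]" corresponds to
# M=0, O=0, A=0, R=1.


def build_ra(prefix, prefix_len, ra_flags, pfx_flags, rdnss=(), lifetime=1800):
    """Return the ICMPv6 payload (header + options) of a Router Advertisement.
    The checksum stays 0: it is computed over the IPv6 pseudo-header only when
    a packet is actually sent, and this example never sends anything."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, ra_flags,
                      lifetime, 0, 0)
    # Prefix Information option: 32 bytes -> length field 4 (units of 8 bytes)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, pfx_flags,
                      2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    opts = pio
    if rdnss:
        # RDNSS option: 8 bytes + 16 per address -> length field 1 + 2*n
        body = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        opts += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, lifetime) + body
    return hdr + opts


def parse_ra(data):
    """Decode the flags and options a client would act on."""
    if len(data) < 16 or data[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra_flags = data[5]  # byte 4 is Cur Hop Limit, byte 5 holds M/O flags
    result = {
        "managed": bool(ra_flags & RA_FLAG_M),
        "other_config": bool(ra_flags & RA_FLAG_O),
        "prefixes": [],
        "rdnss": [],
    }
    off = 16
    while off + 8 <= len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861 forbids this
        end = off + olen * 8
        if end > len(data):
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, flags = data[off + 2], data[off + 3]
            pfx = ipaddress.IPv6Address(data[off + 16:off + 32])
            result["prefixes"].append({
                "prefix": f"{pfx}/{plen}",
                "on_link": bool(flags & PFX_FLAG_L),
                "autonomous": bool(flags & PFX_FLAG_A),
                "router_addr": bool(flags & PFX_FLAG_R),
            })
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            for i in range(off + 8, end, 16):
                result["rdnss"].append(str(ipaddress.IPv6Address(data[i:i + 16])))
        off = end  # unknown options are skipped by length, as RFC 4861 requires
    return result


def dns_sources(ra):
    """List where a parsed RA tells the client to obtain DNS servers."""
    sources = []
    if ra["rdnss"]:
        sources.append("RA RDNSS")
    if ra["managed"] or ra["other_config"]:
        sources.append("DHCPv6")
    return sources


if __name__ == "__main__":
    ra = build_ra("2001:db8:1::1", 64, 0, PFX_FLAG_L | PFX_FLAG_R, rdnss=["2001:db8:1::1"])
    print(parse_ra(ra), dns_sources(parse_ra(ra)))
```

The "both sets of DNS servers" symptom jpgpi250 hit is visible in `dns_sources`: once the O flag is set and an RDNSS option is present, a client is told to use both the RA-supplied servers and whatever DHCPv6 hands out, and it is the client that decides how to merge them.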

                @jpgpi250 Maybe don't leave a field blank? I didn't try changing the DNS myself.
                Saw your edit; if I helped, a thumbs up would be appreciated. 😉

                • jpgpi250 @Bob.Dig

                  @Bob-Dig Looks good, thank you. One last thing:

                  could you explain your choice of the range ::2000 to ::2010?
                  My devices on that specific interface are on an IPv4 subnet with max 64 hosts (192.168.2.192/26).
                  My knowledge of IPv6 is NOT very high, I'm sorry to have to ask.

                  • Bob.Dig LAYER 8 @jpgpi250 (last edited by Bob.Dig)

                    @jpgpi250 My knowledge is even less than yours; it just worked for me.

                    • Bob.Dig LAYER 8 @JKnott (last edited by Bob.Dig)

                      @JKnott said in IPv6 / track interface / pass DNS server to client:

                      PfSense is also providing the DNS addresses as appropriate, but the devices, such as Android are breaking this.

                      Off topic: today I found out that Android 10 is using "Private DNS" (by Google) by default. I got some bad results as I was testing with FF on my phone, but on another PC it was as expected. Android is even showing the correct DNS servers but is not using them if Private DNS is not disabled.

                      Capture.JPG

                      • JKnott @Bob.Dig

                        @Bob-Dig

                        I also wasn't aware of that Private DNS. I'll have to look into it. I don't like it when companies interfere and don't tell.

                        PfSense running on Qotom mini PC
                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                        UniFi AC-Lite access point

                        I haven't lost my mind. It's around here...somewhere...

                        • jpgpi250 @Bob.Dig

                          @Bob-Dig Personally, I've set up some IPv4 NAT rules to redirect all DNS traffic not originating from my local DNS solution; that should overcome the Android 10 problem when using IPv4. Unfortunately, pfSense doesn't have IPv6 NAT, so as soon as you enable (allow) IPv6 in your network, simply using IPv6 DNS servers bypasses everything. You mentioned you're on pfSense 2.5. Does it have IPv6 NAT (OPNsense does, according to the forum posts)? Is 2.5 already released? If yes, do I need to do something on the pfSense to switch versions?

                          • Bob.Dig LAYER 8 @jpgpi250 (last edited by Bob.Dig)

                            @jpgpi250 I don't think that a NAT rule will help you; it is probably similar to what Mozilla did with Cloudflare, it is not using the DNS ports, although I don't know for sure.

                            2.5 is not released and I don't think it has IPv6 NAT.

                            • jpgpi250 @Bob.Dig

                              @Bob-Dig The Mozilla DoH feature can be easily disabled with a single dnsmasq (Pi-hole = dnsmasq + extra features) setting: server=/use-application-dns.net/

                              If pfSense has no intention to support IPv6 NAT, the business case to move to OPNsense just became more solid.

                              • Bob.Dig LAYER 8 @Bob.Dig (last edited by Bob.Dig)
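Bob.Dig's observation that Android 10 silently uses Private DNS (DNS over TLS on TCP 853) and jpgpi250's point that an IPv4 NAT redirect does nothing for IPv6 resolvers both reduce to one monitoring question: which clients send DNS anywhere other than the local resolver, and on which address family? The following Python is an added example, not code from this thread or from pfSense: it classifies constructed flow records (a simple `proto,src,dst,dport` format, not the pfSense filterlog format) and states what a firewall without IPv6 NAT can still do about each case. The local resolver addresses and client addresses are constructed; the public resolver addresses are only sample destinations.

```python
# Added example: classify DNS-related flows seen at the firewall so that
# clients bypassing the local resolver (plain DNS to an outside server, or
# DNS-over-TLS on 853 as used by Android's Private DNS) stand out.
# Not pfSense code; the record format and all local addresses are constructed.
import ipaddress

# Constructed: the firewall's own resolver addresses (unbound on the LAN side)
LOCAL_RESOLVERS = {"192.168.2.193", "2001:db8:2::1"}
DNS_PORTS = {53: "dns", 853: "dot"}

# Constructed flow records: proto,src,dst,dport (one flow per line)
SAMPLE_FLOWS = """\
udp,192.168.2.200,192.168.2.193,53
udp,192.168.2.201,8.8.8.8,53
tcp,192.168.2.202,8.8.8.8,853
udp,2001:db8:2::200,2001:db8:2::1,53
udp,2001:db8:2::201,2001:4860:4860::8888,53
tcp,2001:db8:2::202,2001:4860:4860::8888,853
tcp,192.168.2.203,198.51.100.10,443
"""


def classify(proto, src, dst, dport):
    """Return (verdict, remedy) for one flow.
    verdict: 'local', 'bypass-dns', 'bypass-dot' or 'not-dns'
    remedy:  what the firewall can do about it on this address family."""
    if dport not in DNS_PORTS:
        return "not-dns", None
    if dst in LOCAL_RESOLVERS:
        return "local", None
    family = ipaddress.ip_address(dst).version
    kind = DNS_PORTS[dport]
    if kind == "dns" and family == 4:
        # plain IPv4 DNS can be transparently redirected with a NAT rule,
        # which is what jpgpi250 did
        remedy = "redirect-to-resolver"
    else:
        # DoT cannot be redirected (the client validates the server's TLS
        # certificate), and the thread notes pfSense 2.4 has no IPv6 NAT,
        # so the remaining options are to block the flow or alert on it
        remedy = "block-or-alert"
    return f"bypass-{kind}", remedy


def analyze(flow_text):
    """Return one finding per flow that bypasses the local resolver."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, dport = line.split(",")
        verdict, remedy = classify(proto, src, dst, int(dport))
        if verdict.startswith("bypass"):
            findings.append({"src": src, "dst": dst, "port": int(dport),
                             "verdict": verdict, "remedy": remedy})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_FLOWS):
        print(f"{f['src']:>22} -> {f['dst']}:{f['port']}  {f['verdict']:<10} {f['remedy']}")
```

Note that `analyze` only sees flows that reach the firewall on 53 or 853; the Firefox DoH case jpgpi250 mentions rides on 443 and is handled on the resolver side with the canary domain (the `server=/use-application-dns.net/` line), not by this classifier.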

                                @Bob-Dig said in IPv6 / track interface / pass DNS server to client:

                                @JKnott As you know, I am no expert or even close. But I saw it myself (technically not, but someone explained to me via teamspeak, what he saw and I believe him) with the german consumer-router fritzbox, that with every IPv6 change the firewall rules changed automatically and I guess that almost all consumer router with a IPv6 firewall will do it like that. pfSense can't do that right now, although it could theoretically, because unbound knows the new IP-address/prefix (at least a nslookup on pfSense gives a correct result), but the alias-tables don't get updated correctly. And I think with real host agnostic there would be even more possible.

                                Today I changed my WAN IPs (v4 & v6) and pfSense was able to update the firewall aliases of my hosts by itself, bravo. 👍

                                • pfadmin @Bob.Dig

                                  @Bob-Dig said in IPv6 / track interface / pass DNS server to client:

                                  rewall-aliases of my hosts by itself, bravo.

                                  What? What? Really? No joke?
