Multiple ipv6-nets on LAN with DHCPv6
-
I would like to have 2 ipv6-nets provided to my client-pcs through my local pfsense dhcp-v6-server:
- 2003:1:2:3:: (gua, my fixed ipv6-net from my provider)
- fd73:4:5:6:: (ula)
The LAN-interface has 2 virtual ip-adresses (Firewall - virtual IPs):
- 2003:1:2:3::fe/64 (gua)
- fd73:4:5:6::fe/64 (ula)
In Services - DHCPv6 - LAN-DHCPv6-Server I can only configure ONE range ::d:1000 to ::d:2000. My clients do get IP-Adresses like 2003:1:2:3::d:1001, 2003:1:2:3::d:1002 by NO fd73:4:56:...
Do I have to create a second "virtual" LAN-card on the server?
Thanks,
Richard -
I haven't used DHCPv6 on the LAN side, only SLAAC. However, on the Router Advertisements page, I had to specify the GUA prefix, as well as the ULA. I consider this a bug, as I don't understand why it has to "forget" the GUA prefix, simply because a ULA prefix has been added.
-
@horshack
I found out that the first virtual ip configured in Firewall - virtual ips get the base for dhcpv6-given addresses.- 1st virtual address: fd73:4:5:6:: (ula)
- 2nd virtual address: 2003:1:2:3:: (gua, my fixed ipv6-net from my provider)
All my clients in the LAN geht from DHCPv6: fd73:4:5:6:something and no 2003:1:2:3::...
The next question was how can I "nat" the internal fd73:4:5:6:something to my external 2003:1:2:3:same_something? This can be done with Firewall - NAT - NPT - add
- interface: wan
- internal address: fd73:4:5:6::/64
- external address: 2003:1:2:3::/64
Save - apply changes - try it out with a NEW ping6. Stop the old ping6 and start a new ping6.
Which ipv6-address will be used for outside connections? I tried it out with an "ssh -6 myserver.internet"
me@home.local$ ifconfig |grep inet ... fd73:4:5:6::d:165a ... me@home.local$ ssh -6 root@myserver.internet root@myserver.internet:~# pinky Login Name Where root root 2003:1:2:3::d:165aThe internal fd73::4:5:6::d:165a leads to 2003:1:2:3::d:165a
In ip4 this is called NAT.
-
@horshack said in Multiple ipv6-nets on LAN with DHCPv6:
The next question was how can I "nat" the internal fd73:4:5:6:something to my external 2003:1:2:3:same_something?
Why would you want to do that? The reason for NAT was to get around the IPv4 address shortage and you would have at least 18.4 billion, billion addresses available with IPv6. As I mentioned above, I have both GUA and ULA addresses on my network and every IPv6 capable device gets both.
-
I need ULA for internal communication because when changing my internet-provider I would get net GUA-addresses.
I would love to get 2 IP-adresses at once to all my devices (GUA und ULA). But dhcpv6 gives me only one ipv6-address from an address-space configured first on my pfsense-LAN-device.
Can I convince dhcpv6 to submit two and not only one ip-address to the devices asking it? Links for a better solution welcome.
-
Have you tried adding the ULA prefix to the RA page? If you do that, you will have to also add the GUA prefix. That's what works for me.
-
@JKnott
Yes, I did.https://pfsense.local/services_router_advertisements.php?if=lan
Subnets:
- fd73:4:5:6::/64
- 2003:1:2:3::/64
I restarted pfsense but I only get ipv6-addresse from the first subnet defined in RA, in this case fd73:4:5:6::/64
-
I get both, but I'm not using DHCPv6 on the LAN. Perhaps that's the difference.
-
@JKnott
This was helpful! I switched OFF the DHCPv6 server.These are my settings for Router Advertisements:
- Router mode: Stateless DHCP - RA Flags [other stateful], Prefix Flags [onlink, auto, router]
- Router priority: normal
- Subnets:
** fd73:4:5:6::/64
** 2003:1:2:3::/64
After applying this my test-Linux machine got:
** fd73:4:5:6:somethingcrazy/64
** 2003:1:2:3:something2othercrazy/64
** fe80::something3othercrazy/64When doing this:
ssh me@mymachine.internet
I see with the command "pinky" that I am coming from my crazy 2003:1:2:3:something... ip address.
Problem solved! I don't even need the DHCPv6-server, the DHCPv6 makes my life harder.
-
@horshack said in Multiple ipv6-nets on LAN with DHCPv6:
Problem solved! I don't even need the DHCPv6-server, the DHCPv6 makes my life harder.
That's why I often wonder why people use DHCPv6 when they don't have to. There are some differences with IPv4 vs IPv6 and this is one of them. I guess it's force of habit from IPv4.
-
This is very interesting.
I use DHCPv6 on my OpenWRT router because it's the one responsible for attributing fixed suffixes to each device and also their domain names, both from their MAC.
If I'm not wrong, under RA, each device defines its own suffix, and it's not fixed. Is pfSense able to set each device's domain name?
How do you do for one device to connect to another on the LAN? By their domain names?
-
With RAs and SLAAC, a device will have 1 consistent address, often based on the MAC, and up to 7 privacy addresses, with a new one every day. I assign a host name to the consistent address, using host overrides in the DNS server. It works well.
-
tnx, could you point doc that teaches how to configure it?
Are we able to set the suffix of this consistent address, so we can call devices by their IPv6 address?
Does pfSense support attributing a host name over our LAN domain to each device based on its MAC, so we can call them by their name?
-
There's nothing to configure. It just works that way. Pfsense sends out the RA to provide the prefix and the device provides the lower 64 bits.
Here are my addresses. I used my unique local addresses, instead of GUA, but the principle is the same. Take a look at the last line and see how it compares with the others. That line is the consistent one and is based on the MAC.
inet6 fd48:1a37:2160:0:3c77:80bb:c0cf:522e/64 scope global temporary dynamic
inet6 fd48:1a37:2160:0:5b:1416:435d:a8f5/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:a4fe:df21:d0ee:c629/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:2879:7de0:b225:47ad/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:6c73:9d33:6451:150/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:ecf2:1a5c:e064:3b/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:494a:77f3:e5c0:2ca6/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa/64 scope global dynamic mngtmpaddr -
Wouldn't it be better to be able to use different prefixes with DHCPv6 on the same interface or is this against the DHCP specs?
To have to use host-overrides in the dns-server looks messy to me. How consistent is an ipv6-address not given by DHCPv6 to a machine anyway? -
I don't know about DHCPv6, but with SLAAC, you can have as many prefixes as you want. IPv6 was designed with that in mind.
-
@jknott Ok, but where to make the IP to Hostname or DNS Connection, which is important, right?
-
You pick whatever consistent address you wish and create a DNS entry for it. For most of my devices, I use the unique local address on the pfsense DNS server, but for some of them I also use the GUA address on an external DNS server.
-
@jknott Are those addresses consistent or do you manually define them on those hosts?
-
All the addresses appear automagically. One of each type is consistent, based on the MAC address. The privacy addresses are based on random numbers. The only thing I configure is the DNS entries, which I point to the consistent addresses. I do not ever use a privacy address for DNS, as it would only last for a week. It is also possible to have consistent addresses based on a random number, for those who are worried about someone tracking their MAC address.
