Multiple ipv6-nets on LAN with DHCPv6

horshack

@JKnott
This was helpful! I switched OFF the DHCPv6 server.

These are my settings for Router Advertisements:

• Router mode: Stateless DHCP - RA Flags [other stateful], Prefix Flags [onlink, auto, router]
• Router priority: normal
• Subnets:
  ** fd73:4:5:6::/64
  ** 2003:1:2:3::/64

After applying this my test-Linux machine got:

** fd73:4:5:6:somethingcrazy/64
** 2003:1:2:3:something2othercrazy/64
** fe80::something3othercrazy/64

When doing this:

ssh me@mymachine.internet

I see with the command "pinky" that I am coming from my crazy 2003:1:2:3:something... ip address.

Problem solved! I don't even need the DHCPv6-server, the DHCPv6 makes my life harder.

JKnott

@horshack said in Multiple ipv6-nets on LAN with DHCPv6:

Problem solved! I don't even need the DHCPv6-server, the DHCPv6 makes my life harder.

That's why I often wonder why people use DHCPv6 when they don't have to. There are some differences with IPv4 vs IPv6 and this is one of them. I guess it's force of habit from IPv4.

Hikari

This is very interesting.

I use DHCPv6 on my OpenWRT router because it's the one responsible for attributing fixed suffixes to each device and also their domain names, both from their MAC.

If I'm not wrong, under RA, each device defines its own suffix, and it's not fixed. Is pfSense able to set each device's domain name?

How do you do for one device to connect to another on the LAN? By their domain names?

JKnott

@Hikari

With RAs and SLAAC, a device will have 1 consistent address, often based on the MAC, and up to 7 privacy addresses, with a new one every day. I assign a host name to the consistent address, using host overrides in the DNS server. It works well.

Hikari

tnx, could you point doc that teaches how to configure it?

Are we able to set the suffix of this consistent address, so we can call devices by their IPv6 address?

Does pfSense support attributing a host name over our LAN domain to each device based on its MAC, so we can call them by their name?

JKnott

@Hikari

There's nothing to configure. It just works that way. Pfsense sends out the RA to provide the prefix and the device provides the lower 64 bits.

Here are my addresses. I used my unique local addresses, instead of GUA, but the principle is the same. Take a look at the last line and see how it compares with the others. That line is the consistent one and is based on the MAC.

inet6 fd48:1a37:2160:0:3c77:80bb:c0cf:522e/64 scope global temporary dynamic
inet6 fd48:1a37:2160:0:5b:1416:435d:a8f5/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:a4fe:df21:d0ee:c629/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:2879:7de0:b225:47ad/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:6c73:9d33:6451:150/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:ecf2:1a5c:e064:3b/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:494a:77f3:e5c0:2ca6/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa/64 scope global dynamic mngtmpaddr

Bob.Dig

Wouldn't it be better to be able to use different prefixes with DHCPv6 on the same interface or is this against the DHCP specs?
To have to use host-overrides in the dns-server looks messy to me. How consistent is an ipv6-address not given by DHCPv6 to a machine anyway?

JKnott

@bob-dig

I don't know about DHCPv6, but with SLAAC, you can have as many prefixes as you want. IPv6 was designed with that in mind.

Bob.Dig

@jknott Ok, but where to make the IP to Hostname or DNS Connection, which is important, right?

JKnott

@bob-dig

You pick whatever consistent address you wish and create a DNS entry for it. For most of my devices, I use the unique local address on the pfsense DNS server, but for some of them I also use the GUA address on an external DNS server.

Bob.Dig

@jknott Are those addresses consistent or do you manually define them on those hosts?

JKnott

@bob-dig

All the addresses appear automagically. One of each type is consistent, based on the MAC address. The privacy addresses are based on random numbers. The only thing I configure is the DNS entries, which I point to the consistent addresses. I do not ever use a privacy address for DNS, as it would only last for a week. It is also possible to have consistent addresses based on a random number, for those who are worried about someone tracking their MAC address.