Does “Static IPv6” LAN interface break the ISP GUA prefix delegation router advertisements?
-
Hello guys.
Unfortunately, I cannot test the pfSense software, so I need your help to clarify the software's behavior in the following scenarios.
Many thanks in advance to anyone who will take his/her time to test the following scenarios.
I have two scenarios: in one there's an ISP that's able to give a native IPv6 connection delegating a /64 prefix; in the other there's an ISP that's able to give a native IPv4 connection together with a 6RD tunnel.
The following are the settings for the LAN interface in both of the above scenarios:
- The LAN interface type is set to "Static IPv6" and the LAN interface address is set statically with a random ULA address.
- No additional VIP is set for the LAN interface.
- The "Router Advertisement Modes" setting is set to "Assisted".
- The DHCPv6 server is enabled on the LAN interface and the subnet of the DHCPv6 server is equal to the static ULA prefix set for the LAN interface.
My aim is to assign, through the DHCPv6 server, ULA addresses to the LAN clients that are DHCPv6 capable, but I also want the LAN clients to get the ISP public prefix from the Router Advertisements in order to assign themselves a GUA address through SLAAC.
So, my question is: will the above scenarios break the ISP GUA prefix delegation advertisements?
If it breaks the ISP GUA prefix delegation advertisements, can anyone suggest some ideas to get what I want, that is ULA through DHCPv6 and GUA through PD RA (possibly without using any VIP)?
Thanks a lot for any help.
Best regards
-
Is that first ISP providing only a single /64? That's unusual.
Why do you want to use DHCPv6 on the LAN? You normally use SLAAC.
You cannot use ULA to access the Internet.
Nothing wrong with using a tunnel; I did for 6 years, though he.net is popular with some here. They'll provide a /48, which is only 65536 /64s. BTW, if you want to use ULA as well as GUA on the LAN, you might want to read this article.
To properly use pfSense, you want to put your modem in bridge mode.
-
@jknott Thanks for the answer.
Yes, the ISP is giving a single /64.
I know I can't reach the Internet with ULA; in fact, in my post I have made it clear that I need ULA (through DHCPv6) as well as GUA through PD RA.
I want to use DHCPv6 because I want to use the pfSense DNS Resolver to resolve local IPv6 hostnames, and with SLAAC that is not possible.
The article you posted is about adding ULA through RA but, again, I need to use ULA through DHCPv6 in order to resolve local IPv6 hostnames.
Thanks anyway
-
@evolve-0 said in Does “Static IPv6” LAN interface break the ISP GUA prefix delegation router advertisements?:
I want to use Pfsense Dns Resolver to resolve local IPV6 hostnames and with SLAAC that is not possible.
It most certainly is. I do that here. With SLAAC you get a consistent address, often based on the MAC, and privacy addresses. You get a new privacy address every day, to a max of 7, with the oldest falling off the end. You point the DNS to your consistent address, not the privacy addresses. Those are used for outgoing connections and use the consistent address for incoming. Also, it makes no difference to ULA whether you use SLAAC or DHCPv6. A benefit of ULA occurs if your prefix changes. With ULA, your local addresses won't change, so you can keep the DNS working.
-
@jknott
But are you talking about manually editing the host override file? If this is the case, I don't want to do manual actions, that is, editing the host override file in order to let the DNS resolver resolve the IPv6 hostnames. This is because it implies that I need to get every stable SLAAC address from every device on the network and add it to the host override file; if you have many devices in the network this is a nightmare.
With DHCPv6 the resolving of the IPv6 hostnames would be automatic (given that the network device sends a hostname in the DHCPv6 request, clearly).
-
Here's what I'm talking about. Here's a list of my current ULA addresses, though the exact same thing applies to my GUA.
inet6 fd48:1a37:2160:0:c14e:be6f:20c0:6239/64 scope global temporary dynamic
inet6 fd48:1a37:2160:0:dd35:5608:b18a:aceb/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:649a:3a35:f820:e971/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:88bc:3344:47:9e2/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:d053:5e35:4415:af6b/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa/64 scope global dynamic mngtmpaddr
The last one, ending in f5fa, is my consistent address and is based on the MAC address. All the rest are privacy addresses and only the latest isn't deprecated. I don't yet have seven, as I updated the linux version a few days ago, and there hasn't been enough time since then to get them.
-
@jknott
Ok, but do you put the f5fa ending address in the pfSense host override file manually in order to let the pfSense DNS resolver resolve the f5fa hostname?
-
No, that address is based on the MAC address of the interface. Optionally, I could have used a random number. Either way, that particular address doesn't change. As I mentioned, the privacy addresses change daily, which make them useless for using with DNS.
Also, these addresses are on my Linux desktop system. Pfsense does not use privacy addresses. In the DNS resolver I used that consistent address with the host name for a host override. You will see those things on your system, once you have it working.
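The classification jknott describes in the two posts above (the single `mngtmpaddr` address is the stable one to use for DNS; `temporary` addresses are rotating privacy addresses, and `deprecated` ones are on their way out) can be checked mechanically. The following is an added example, not code from the thread or from pfSense: it parses `ip -6 addr` output (the sample lines are the ones quoted above, plus a constructed link-local line) and picks out the stable ULA/GUA addresses that are the only sensible candidates for a host override.

```python
import ipaddress
import re

# Constructed sample input: the `ip -6 addr` lines quoted in the post above,
# one per line, plus a link-local line added for illustration.
SAMPLE = """\
inet6 fd48:1a37:2160:0:c14e:be6f:20c0:6239/64 scope global temporary dynamic
inet6 fd48:1a37:2160:0:dd35:5608:b18a:aceb/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa/64 scope global dynamic mngtmpaddr
inet6 fe80::76d4:35ff:fe5b:f5fa/64 scope link
"""

ULA = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 unique local addresses
GUA = ipaddress.IPv6Network("2000::/3")  # globally routable unicast
LINE_RE = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+(\S+)(.*)$")

def classify(line):
    """Parse one `ip -6 addr` line into a dict describing the address."""
    m = LINE_RE.match(line)
    if not m:
        return None
    addr = ipaddress.IPv6Interface(m.group(1)).ip
    flags = set(m.group(3).split())
    if addr.is_link_local:
        kind = "link-local"
    elif addr in ULA:
        kind = "ULA"
    elif addr in GUA:
        kind = "GUA"
    else:
        kind = "other"
    return {
        "address": str(addr),
        "kind": kind,
        # 'temporary' marks an RFC 4941 privacy address, which rotates;
        # 'deprecated' ones are no longer used for new outgoing connections.
        "privacy": "temporary" in flags,
        "deprecated": "deprecated" in flags,
        # An EUI-64 (MAC-based) interface identifier has ff:fe in its middle.
        "mac_based": addr.packed[11:13] == b"\xff\xfe",
    }

def dns_candidates(text):
    """Return the stable (non-privacy, non-deprecated) ULA/GUA addresses,
    i.e. the ones worth putting in a DNS host override."""
    out = []
    for line in text.splitlines():
        info = classify(line)
        if info and info["kind"] in ("ULA", "GUA") \
                and not info["privacy"] and not info["deprecated"]:
            out.append(info["address"])
    return out
```

Run against the sample it returns only the f5fa address, matching the post's reading of the list.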
-
So, you finally confirmed that you manually put that address in the host override.
The whole point is to avoid this “manual” action.
With the DHCPv6 server, pfSense saves an association between an IPv6 address and its hostname and it is able to automatically resolve it without any manual intervention.
-
How does that host name get configured? I bet at some point it's manually configured. If you're doing that, does it really matter where you configure it?
-
I am not talking about the configuring of the host name.
I am talking about automatic resolution of IPV6 hostnames.
If you use the pfSense DHCPv6 server, pfSense has all the data to resolve the client hostname, since it gives the client the IPv6 address and also has its host name, because it (the host name) has been sent by the client in the DHCPv6 request.
I cannot explain it more clearly than that.
-
And how does the dhcp server get the host name? Unless random names are used, at some point, someone has to configure a host name somewhere. It doesn't just happen automagically.
-
@jknott It is part of the DHCPv6 specifications: when a client requests an IPv6 address from a DHCPv6 server, it sends the hostname in its request.
-
And how is that host name originally configured. If I want to call a computer "Bob", at some point I have to enter that name somewhere. Sure, with DHCP, it can pass a host name to the server, nothing new there, but it's still manually configured at some point. Well, why not do that at the server, where you're already doing more. What happens if you take that computer to another network, where a different name is expected?
-
@jknott
That's a good point. So I think that with pfSense I have only two ways to achieve what I want, but neither is without problems:
- Do what you suggested, so manually overriding the pfSense host override with the stable ULA addresses. With this approach the biggest annoyance that I see is that some devices use privacy extensions, and in case of an OS reinstall the stable ULA would be different since it's randomly generated, so I would have to update the host override file with the new ULA.
- Use a static DHCPv6 mapping, but this has the same annoyance, because I need the DUID in order to create a static DHCPv6 mapping and unfortunately the DUID is not guaranteed to be the same on OS reinstall.
-
Whether a device uses privacy extensions is irrelevant. It will still have a consistent address. You can enable or disable privacy addresses. You cannot disable the consistent address. All you can do is choose whether it will be MAC based or random number. Either way, it does not change until you change it.
-
@jknott
Yes, but if it is random-based and you have to reset the device, a new, different random-based consistent address will be generated.
-
No, when the random number is selected, it does not change. It's as though you pulled a number out of a hat and used that number to configure the interface. The random numbers used for the privacy addresses do change daily.
With SLAAC, you will have one consistent address that doesn't change and up to 7 privacy addresses that do.
Take a look at my ULA prefix. Other than the first 7 bits, that is a random number. I generated the number and pasted it into the configuration and it hasn't changed since I did that.
-
@jknott
Are you telling me that if the device was reset (OS reinstall) the stable ULA addresses would be identical to the one ending with f5fa?
-
@jknott
Wow, I didn't know that. I am reading RFC 7217 (stable private addresses); I guess it's what you refer to. I didn't know that, it's cool.
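For readers following up on RFC 7217, here is an added example (not code from the thread, pfSense, or any OS implementation) of the scheme's core function: the interface identifier is derived from the prefix, the interface name, an optional network ID, a DAD counter and a per-host secret key, so it stays the same for a given prefix as long as that key is kept, and a different prefix (ULA vs. GUA) yields a different identifier. SHA-256 as the function F and using the low 64 bits of the digest are this example's own choices; RFC 7217 specifies that the secret key is initialised at operating system installation time, which is the detail relevant to the reinstall question above.

```python
import hashlib
import ipaddress

def stable_iid(prefix, net_iface, network_id, dad_counter, secret_key):
    """Simplified RFC 7217 RID computation.
    F = SHA-256 over (Prefix | Net_Iface | Network_ID | DAD_Counter | secret_key);
    the low 64 bits of the digest are used as the interface identifier
    (choice of F and of the bit range is an assumption of this example)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("RFC 7217 addresses are formed on a /64 prefix")
    h = hashlib.sha256()
    h.update(net.network_address.packed[:8])   # the 64-bit prefix
    h.update(net_iface.encode())
    h.update(network_id.encode())
    h.update(dad_counter.to_bytes(1, "big"))   # bumped on DAD collision
    h.update(secret_key)
    return h.digest()[-8:]

def stable_address(prefix, net_iface, secret_key, network_id="", dad_counter=0):
    """Combine the /64 prefix with the stable IID into a full address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = stable_iid(prefix, net_iface, network_id, dad_counter, secret_key)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)

# Constructed demo values: a ULA prefix in the same form as the post's, a
# documentation GUA prefix, and a 128-bit per-host key as RFC 7217 requires.
ULA_PREFIX = "fd48:1a37:2160:0::/64"
GUA_PREFIX = "2001:db8:1234:5678::/64"
HOST_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
```

Calling `stable_address(ULA_PREFIX, "eth0", HOST_KEY)` twice gives the same address, while changing the prefix or the key gives a different one.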