Netgate Discussion Forum

    DHCPv6 assigns static IP to both interfaces on my Mac

    • LucaTNT

      Hello,
      I'm trying to configure my network to properly support IPv6. I have a working IPv6 tunnel through HE, and I have set the correct address on my LAN side. Clients do get an IPv6 address with the correct prefix through the DHCPv6 Server, and they are able to get online with that address (ipv6-test.com and similar sites report a passing test).

      I've always managed my V4 networks by setting up static mappings for most if not all of the clients, that way their IP doesn't change and I can easily have DNS hostnames that resolve to them. Also, it makes traffic shaping way easier, and it makes port forwarding possible.

      I tried to replicate the same setup with DHCPv6, but somehow my Mac gets the same address whether I connect through wifi or through ethernet, which as you may imagine causes issues when I am connected through both interfaces (as is often the case, see the attached screenshot).

      Is there any way to get different addresses on different interfaces as I do with IPv4?

      Thanks and sorry for my (likely) noob question  ;)

      • JKnott

        Generally, when you assign an address via DHCP, you map the desired address to the MAC address, which should be different for both interfaces.  This means you assign 1 address to the Ethernet port and a different one to the WiFi interface.  Incidentally, you don't need to use DHCP to assign an IPv6 address.  IPv6 supports something called "SLAAC" which automagically assigns IPv6 addresses by combining the network address, provided via router advertisements and either the MAC address or a random number, could also be both, to obtain 1 or more IPv6 addresses on an interface.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • LucaTNT

          Thanks for your reply, but I'd really want all my hosts to have fixed addresses on each interface, and setting them up on each device is far less convenient than managing everything through pfSense.
          I suspect that the issue is that the DUID is unique per-machine, while I'd need it to be unique per-interface.

          • doktornotor Banned

            No, DUID is not per interface. That's IAID.

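The DUID/IAID distinction discussed above, as an added example that is not part of the original posts: a small parser pulls the Client Identifier (option 1) and the IA_NA IAID (option 3) out of two DHCPv6 Solicit messages from one host. The messages, the DUID and the IAID values are constructed samples, and `reservation_keys` is a hypothetical lookup used only to show why a mapping keyed on the DUID alone cannot tell the two interfaces apart.

```python
import struct

OPT_CLIENTID, OPT_IA_NA = 1, 3  # RFC 8415 option codes

def build_solicit(duid: bytes, iaid: int, xid: int) -> bytes:
    """Build a minimal DHCPv6 Solicit (constructed sample, not a capture)."""
    header = bytes([1]) + xid.to_bytes(3, "big")        # msg-type 1 = Solicit
    client_id = struct.pack("!HH", OPT_CLIENTID, len(duid)) + duid
    ia_body = struct.pack("!III", iaid, 0, 0)            # IAID, T1, T2
    ia_na = struct.pack("!HH", OPT_IA_NA, len(ia_body)) + ia_body
    return header + client_id + ia_na

def parse_identity(msg: bytes):
    """Return (duid_hex, [iaid, ...]) from a DHCPv6 client message."""
    if len(msg) < 4:
        raise ValueError("truncated DHCPv6 header")
    duid, iaids, off = None, [], 4
    while off < len(msg):
        if off + 4 > len(msg):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", msg, off)
        data = msg[off + 4: off + 4 + length]
        if len(data) != length:
            raise ValueError("option length exceeds message")
        if code == OPT_CLIENTID:
            duid = data.hex()
        elif code == OPT_IA_NA:
            if length < 12:
                raise ValueError("IA_NA shorter than IAID/T1/T2")
            iaids.append(struct.unpack_from("!I", data)[0])
        off += 4 + length
    return duid, iaids

# Constructed DUID-LLT: type 1, hw-type 1 (Ethernet), timestamp, link-layer address.
HOST_DUID = struct.pack("!HHI", 1, 1, 0x2A000000) + bytes.fromhex("0200000000aa")
ETHERNET = build_solicit(HOST_DUID, iaid=0x00000001, xid=0x111111)
WIFI = build_solicit(HOST_DUID, iaid=0x00000002, xid=0x222222)

def reservation_keys(messages, per_interface: bool):
    """Hypothetical static-mapping lookup keys for each request."""
    keys = []
    for m in messages:
        duid, iaids = parse_identity(m)
        keys.append((duid, iaids[0]) if per_interface else (duid,))
    return keys
```

Keyed on the DUID alone, both requests resolve to the same reservation; adding the IAID to the key separates them.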
            • JKnott

              > Thanks for your reply, but I'd really want all my hosts to have fixed addresses on each interface

              SLAAC will provide fixed addresses, based on the network address and MAC address and no configuration required at all.  Further, should your prefix change, the addresses will follow.  With SLAAC, you can have MAC based, random number based or both.

              • LucaTNT

                Thanks, I'll try SLAAC as soon as I get back home on Saturday.

                With SLAAC, though, I won't be able to choose which address the device gets, correct?
                So in order to create the proper AAAA record in the DNS server I'll need to connect the device to the network and see what address it assigns itself.
                That's pretty inconvenient, though: I always did assign "ranges" to my devices (e.g. 110-119 is for Phones, 120-129 for tablets, etc), it looks like it won't be possible anymore with IPv6.

                • kpa

                  You don't get to choose anything with SLAAC. Depending on how the host is set up you get either one or two addresses out of the prefix the router advertises. The first one is directly based on the MAC address of the NIC; this is the static address because it is derived from the MAC address. The second one is a random address and you get it only if you have the IPv6 privacy extensions turned on on the host. *)

                  *) https://tools.ietf.org/html/rfc4941

                  • JKnott

                    > With SLAAC, though, I won't be able to choose which address the device gets, correct?
                    > So in order to create the proper AAAA record in the DNS server I'll need to connect the device to the network and see what address it assigns itself.

                    With SLAAC, you'd have the DNS point to the MAC based address, which will not change, unless your prefix does.  The random number based addresses are called "privacy addresses" as they cannot be tied to a specific piece of hardware, the way a MAC based address can.  They also change periodically.  Normally, a privacy address is used for outgoing connections.

                    A MAC based SLAAC address is created by taking the MAC address, inserting FFFE in the middle, inverting the 7th bit, and prepending the prefix.  However, should you desire to create an address, you can use a locally assigned MAC address of your choosing.  Incidentally, here's where we get to why that 7th bit is inverted.  When you create a MAC address, that 7th bit is normally a 1.  But by inverting it, it becomes a 0 and makes the resulting address a bit simpler, so that if you set the MAC to, for example, 5, the local host portion of the address will also be 5, without worrying about that 7th bit messing things up.

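The MAC-based address construction described in the posts above (insert FFFE, invert the 7th bit, prepend the prefix), as an added example that is not part of the original posts. It also runs the steps in reverse, which shows why a MAC-based address can be tied back to the hardware while a random interface ID cannot. The prefix `2001:db8:1:2::/64` is the documentation range and all MAC addresses are constructed samples.

```python
import ipaddress

def parse_mac(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw

def slaac_eui64(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 address: split the MAC, insert FFFE, flip the U/L bit."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface IDs need a /64 prefix")
    m = parse_mac(mac)
    # 0x02 in the first byte is the 7th bit counted from the left (U/L bit).
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return net[int.from_bytes(iid, "big")]

def mac_from_eui64(addr: str):
    """Recover the MAC from a MAC-based address, or None if the IID is not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # no FFFE marker, e.g. a random privacy interface ID
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in m)

PREFIX = "2001:db8:1:2::/64"              # documentation prefix (assumption)
BURNED_IN_MAC = "00:1b:63:84:45:e6"       # constructed, universally administered
LOCAL_MAC = "02:00:00:00:00:05"           # constructed, locally administered

def interface_id_hex(prefix: str, mac: str) -> str:
    """Lower 64 bits of the derived address, as hex, for easy comparison."""
    return slaac_eui64(prefix, mac).packed[8:].hex()

if __name__ == "__main__":
    for mac in (BURNED_IN_MAC, LOCAL_MAC):
        addr = slaac_eui64(PREFIX, mac)
        print(mac, "->", addr, "->", mac_from_eui64(str(addr)))
```

The address computed for each interface's MAC is the one to put in the AAAA record or firewall alias, and it has to be recomputed if the delegated prefix changes.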
                    • LucaTNT

                      Thanks kpa and JKnott!

                      So, to recap:

                      • With DHCPv6 address reservations:

                        • I can choose each address (one per machine, though)

                        • I have issues on machines with multiple NICs due to the DUID being unique per-machine rather than per-interface

                        • I get DNS hostnames "for free"

                        • Each machine will use that address to access the internet

                      • With SLAAC

                        • I cannot choose any addresses, they are chosen by the devices themselves, but they are fixed per interface (assuming my prefix doesn't change)

                        • No issues with multi-NIC machines: each gets its own address

                        • I can manually set up DNS hostnames

                        • Each machine will use the random, always changing "privacy" address to access the internet, if that feature is enabled

                      So as long as I disable the privacy feature I should also be able to easily set rules for each client (e.g. no access to certain hosts/ports, etc), which would be impossible if it used a randomly changing address to get online.

                      • JKnott

                        > So as long as I disable the privacy feature I should also be able to easily set rules for each client

                        If pfSense supported MAC filtering, you could even do that with privacy addresses.

                        • kpa

                          You can use both the static address and the random address at the same time. If you need to open any inbound traffic you use the static address based on the MAC address and for all outgoing traffic that is going beyond the pfSense router the random address gets used automatically. Best of both worlds.

                          • LucaTNT

                            @kpa:

                            > You can use both the static address and the random address at the same time. If you need to open any inbound traffic you use the static address based on the MAC address and for all outgoing traffic that is going beyond the pfSense router the random address gets used automatically. Best of both worlds.

                            It's the way I think I'm gonna go, the only thing is that I can't set per-host rules and, more importantly, if the Traffic Graph section ever gets updated to support IPv6, I'll have no clue who is hogging my bandwidth, which is something I often rely upon (only 20 down/2 up).
