DHCPv6 assigns static IP to both interfaces on my Mac
-
Thanks for your reply, but I'd really want all my hosts to have fixed addresses on each interface, and setting them up on each device is far less convenient than managing everything through pfSense.
I suspect that the issue is that the DUID is unique per-machine, while I'd need it to be unique per-interface.
-
No, DUID is not per interface. That's IAID.
-
Thanks for your reply, but I'd really want all my hosts to have fixed addresses on each interface
SLAAC will provide fixed addresses, based on the network address and MAC address and no configuration required at all. Further, should your prefix change, the addresses will follow. With SLAAC, you can have MAC based, random number based or both.
-
Thanks, I'll try SLAAC as soon as I get back home on Saturday.
With SLAAC, though, I won't be able to choose which address the device gets, correct?
So in order to create the proper AAAA record in the DNS server I'll need to connect the device to the network and see what address it assigns itself.
That's pretty inconvenient, though: I always did assign "ranges" to my devices (e.g. 110-119 is for Phones, 120-129 for tablets, etc), it looks like it won't be possible anymore with IPv6.
-
You don't get to choose anything with SLAAC. Depending on how the host is set up you get either one or two addresses out of the prefix the router advertises. The first one is directly based on the MAC address of the NIC; this is the static address because it is derived from the MAC address. The second one is a random address and you get it only if you have the IPv6 privacy extensions turned on on the host. *)
-
With SLAAC, though, I won't be able to choose which address the device gets, correct?
So in order to create the proper AAAA record in the DNS server I'll need to connect the device to the network and see what address it assigns itself.
With SLAAC, you'd have the DNS point to the MAC based address, which will not change, unless your prefix does. The random number based addresses are called "privacy addresses" as they cannot be tied to a specific piece of hardware, the way a MAC based address can. They also change periodically. Normally, a privacy address is used for outgoing connections.
A MAC based SLAAC address is created by taking the MAC address, inserting FFFE in the middle, inverting the 7th bit, and prepending the prefix. However, should you desire to create an address, you can use a locally assigned MAC address of your choosing. Incidentally, here's where we get to why that 7th bit is inverted. When you create a MAC address, that 7th bit is normally a 1. But by inverting it, it becomes a 0 and makes the resulting address a bit simpler, so that if you set the MAC to, for example, 5, the local host portion of the address will also be 5, without worrying about that 7th bit messing things up.
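The MAC-to-address derivation described in the post above can be computed ahead of time, so AAAA records can be prepared from a MAC inventory before a device ever joins the network. This is an added example, not part of the original thread; the prefix, MAC addresses, host names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefix and two NICs of one machine.
PREFIX = "2001:db8:0:1::/64"
INVENTORY = {"mac-en0": "00:1b:63:84:45:e6", "mac-en1": "00:1b:63:84:45:e7"}

def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC, got {mac!r}")
    # Insert FFFE in the middle, then invert the 7th bit (0x02 of octet 0).
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prepend the advertised /64 prefix to the MAC based identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("MAC based SLAAC addresses need a /64 prefix")
    return net[int.from_bytes(eui64_interface_id(mac), "big")]

def mac_from_address(addr: str):
    """Recover the MAC from a MAC based address; None for anything else
    (for example a random privacy address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)

def aaaa_records(prefix: str, inventory: dict) -> dict:
    """Map each host name to the address its NIC will assign itself."""
    return {name: str(slaac_address(prefix, mac))
            for name, mac in inventory.items()}

if __name__ == "__main__":
    for name, addr in aaaa_records(PREFIX, INVENTORY).items():
        print(f"{name} IN AAAA {addr}")
```

`mac_from_address` shows the other side of the same derivation: anyone who sees a MAC based address can read the hardware address back out of it, which is what privacy addresses avoid.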
-
Thanks kpa and JKnott!
So, to recap:
With DHCPv6 address reservations:
- I can choose each address (one per machine, though)
- I have issues on machines with multiple NICs due to the DUID being unique per-machine rather than per-interface
- I get DNS hostnames "for free"
- Each machine will use that address to access the internet

With SLAAC:
- I cannot choose any addresses, they are chosen by the devices themselves, but they are fixed per interface (assuming my prefix doesn't change)
- No issues with multi-NIC machines: each gets its own address
- I can manually set up DNS hostnames
- Each machine will use the random, always changing "privacy" address to access the internet, if that feature is enabled

So as long as I disable the privacy feature I should also be able to easily set rules for each client (e.g. no access to certain hosts/ports, etc), which would be impossible if it used a randomly changing address to get online.
-
So as long as I disable the privacy feature I should also be able to easily set rules for each client
If pfSense supported MAC filtering, you could even do that with privacy addresses.
-
You can use both the static address and the random address at the same time. If you need to open any inbound traffic you use the static address based on the MAC address and for all outgoing traffic that is going beyond the pfSense router the random address gets used automatically. Best of both worlds.
-
@kpa:
You can use both the static address and the random address at the same time. If you need to open any inbound traffic you use the static address based on the MAC address and for all outgoing traffic that is going beyond the pfSense router the random address gets used automatically. Best of both worlds.
It's the way I think I'm gonna go, the only thing is that I can't set per-host rules and, more importantly, if the Traffic Graph section ever gets updated to support IPv6, I'll have no clue who is hogging my bandwidth, which is something I often rely upon (only 20 down/2 up).