Netgate Discussion Forum

DHCPv6 assigns static IP to both interfaces on my Mac

12 Posts 4 Posters 1.8k Views
  • L
    LucaTNT
    last edited by Feb 12, 2017, 6:18 PM

    Hello,
    I'm trying to configure my network to properly support IPv6. I have a working IPv6 tunnel through HE, and I have set the correct address on my LAN side. Clients do get an IPv6 address with the correct prefix through the DHCPv6 Server, and they are able to get online with that address (ipv6-test.com and similar sites report a passing test).

    I've always managed my V4 networks by setting up static mappings for most if not all of the clients, that way their IP doesn't change and I can easily have DNS hostnames that resolve to them. Also, it makes traffic shaping way easier, and it makes port forwarding possible.

    I tried to replicate the same setup with DHCPv6, but somehow my Mac gets the same address both if I connect through wifi or through ethernet, which as you may imagine causes issues when I am connected through both interfaces (as is often the case, see the attached screenshot).

    Is there any way to get different addresses on different interfaces as I do with IPv4?

    Thanks and sorry for my (likely) noob question  ;)
    IPv6.jpg
    • J
      JKnott
      last edited by Feb 12, 2017, 8:41 PM

      Generally, when you assign an address via DHCP, you map the desired address to the MAC address, which should be different for both interfaces.  This means you assign 1 address to the Ethernet port and a different one to the WiFi interface.  Incidentally, you don't need to use DHCP to assign an IPv6 address.  IPv6 supports something called "SLAAC" which automagically assigns IPv6 addresses by combining the network address, provided via router advertisements and either the MAC address or a random number, could also be both, to obtain 1 or more IPv6 addresses on an interface.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • L
        LucaTNT
        last edited by Feb 12, 2017, 11:37 PM

        Thanks for your reply, but I'd really want all my hosts to have fixed addresses on each interface, and setting them up on each device is far less convenient than managing everything through pfSense.
        I suspect that the issue is that the DUID is unique per-machine, while I'd need it to be unique per-interface.

        • D
          doktornotor Banned
          last edited by Feb 12, 2017, 11:42 PM

          No, DUID is not per interface. That's IAID.

          • J
            JKnott
            last edited by Feb 12, 2017, 11:52 PM

            Thanks for your reply, but I'd really want all my hosts to have fixed addresses on each interface

            SLAAC will provide fixed addresses, based on the network address and MAC address and no configuration required at all.  Further, should your prefix change, the addresses will follow.  With SLAAC, you can have MAC based, random number based or both.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • L
              LucaTNT
              last edited by Feb 13, 2017, 5:30 PM

              Thanks, I'll try SLAAC as soon as I get back home on Saturday.

              With SLAAC, though, I won't be able to choose which address the device gets, correct?
              So in order to create the proper AAAA record in the DNS server I'll need to connect the device to the network and see what address it assigns itself.
              That's pretty inconvenient, though: I always did assign "ranges" to my devices (e.g. 110-119 is for Phones, 120-129 for tablets, etc), it looks like it won't be possible anymore with IPv6.

              • K
                kpa
                last edited by Feb 13, 2017, 5:58 PM

                You don't get to choose anything with SLAAC. Depending on how the host is set up you get either one or two addresses out of the prefix the router advertises. First one is directly based on the MAC address of the NIC, this is the static address because it is derived from the MAC address. The second one is a random address and you get it only if you have the IPv6 privacy extensions turned on on the host. *)

                *) https://tools.ietf.org/html/rfc4941

                • J
                  JKnott
                  last edited by Feb 14, 2017, 3:53 AM

                  With SLAAC, though, I won't be able to choose which address the device gets, correct?
                  So in order to create the proper AAAA record in the DNS server I'll need to connect the device to the network and see what address it assigns itself.

                  With SLAAC, you'd have the DNS point to the MAC based address, which will not change, unless your prefix does.  The random number based addresses are called "privacy addresses" as they cannot be tied to a specific piece of hardware, the way a MAC based address can.  They also change periodically.  Normally, a privacy address is used for outgoing connections.

                  A MAC based SLAAC address is created by taking the MAC address, inserting FFFE in the middle, inverting the 7th bit, and prepending the prefix.  However, should you desire to create an address, you can use a locally assigned MAC address of your choosing.  Incidentally, here's where we get to why that 7th bit is inverted.  When you create a MAC address, that 7th bit is normally a 1.  But by inverting it, it becomes a 0 and makes the resulting address a bit simpler, so that if you set the MAC to, for example, 5, the local host portion of the address will also be 5, without worrying about that 7th bit messing things up.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...
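
The MAC-based derivation described in the post above, as an added example that is not part of the original thread: it computes the address each NIC would form (for AAAA records or firewall aliases) and, going one step beyond the post, checks whether an address seen in logs carries the FFFE pattern and recovers the MAC. The prefix, MAC addresses and function names are constructed for illustration.

```python
import ipaddress

def eui64_address(prefix, mac):
    """MAC-based SLAAC address for a /64 prefix and a 48-bit MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert FFFE in the middle and invert the 7th bit (mask 0x02 of octet 0).
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return net[int.from_bytes(iid, "big")]

def mac_from_address(addr):
    """Recover the MAC from a MAC-based address; None if the FFFE marker
    is absent (e.g. a privacy address). Heuristic: a random identifier
    can contain FFFE by chance."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

# Constructed sample data: documentation prefix and two NICs of one machine.
PREFIX = "2001:db8:1234:5678::/64"
NICS = {"ethernet": "00:1b:63:aa:bb:01", "wifi": "00:1b:63:aa:bb:02"}

def aaaa_records(hostname, nics=NICS, prefix=PREFIX):
    """One AAAA name per interface, since each NIC forms its own address."""
    return {f"{hostname}-{name}": str(eui64_address(prefix, mac))
            for name, mac in nics.items()}

if __name__ == "__main__":
    for name, addr in aaaa_records("mac").items():
        print(f"{name}  AAAA  {addr}  (MAC {mac_from_address(addr)})")
```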

                  • L
                    LucaTNT
                    last edited by Feb 14, 2017, 6:03 PM

                    Thanks kpa and JKnott!

                    So, to recap:

                    • With DHCPv6 address reservations:

                      • I can choose each address (one per machine, though)

                      • I have issues on machines with multiple NICs due to the DUID being unique per-machine rather than per-interface

                      • I get DNS hostnames "for free"

                      • Each machine will use that address to access the internet

                    • With SLAAC

                      • I cannot choose any addresses,  they are chosen by the devices themselves, but they are fixed per interface (assuming my prefix doesn't change)

                      • No issues with multi-NIC machines: each gets its own address

                      • I can manually set up DNS hostnames

                      • Each machine will use the random, always changing "privacy" address to access the internet, if that feature is enabled

                    So as long as I disable the privacy feature I should also be able to easily set rules for each client (e.g. no access to certain hosts/ports, etc), which would be impossible if it used a randomly changing address to get online.

                    • J
                      JKnott
                      last edited by Feb 15, 2017, 3:54 AM

                      So as long as I disable the privacy feature I should also be able to easily set rules for each client

                      If pfSense supported MAC filtering, you could even do that with privacy addresses.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      • K
                        kpa
                        last edited by Feb 15, 2017, 1:22 PM

                        You can use both the static address and the random address at the same time. If you need to open any inbound traffic you use the static address based on the MAC address and for all outgoing traffic that is going beyond the pfSense router the random address gets used automatically. Best of both worlds.

                        • L
                          LucaTNT
                          last edited by Feb 15, 2017, 6:10 PM

                          @kpa:

                          You can use both the static address and the random address at the same time. If you need to open any inbound traffic you use the static address based on the MAC address and for all outgoing traffic that is going beyond the pfSense router the random address gets used automatically. Best of both worlds.

                          It's the way I think I'm gonna go, the only thing is that I can't set per-host rules and, more importantly, if the Traffic Graph section ever gets updated to support IPv6, I'll have no clue who is hogging my bandwidth, which is something I often rely upon (only 20 down/2 up).
