Unique Local Addresses?
-
Is there any way to get pfSense to provide SLAAC addresses in the ULA FC00::/7 range, in addition to the usual prefix?
-
Sure, just add it to the router advertisements subnets (prefix) list.
-
Sure, just add it to the router advertisements subnets (prefix) list.
Where is that done?
-
Services -> DHCPv6 Server & RA
Select the subnet you want to modify (LAN is selected by default)
Click on Router Advertisements.
Make sure you select one of the Router Modes that has 'auto' listed; this controls whether SLAAC assignments are turned on.
Add your ULA subnet to the list.Check that it is working using wireshark and watching for ICMPv6 Router Advertisement packets.
-
Got it. I created a prefix of fd00::/64 and saw it in the router advertisements. I also see it assigned to this computer. One thing I see though, is the assigned address has nothing to do with the computer's MAC address or any other IPv6 address. I assume it's just a privacy address within the unique local prefix. This is on openSUSE 42.2.
-
I'm not familiar with what OpenSUSE uses for IPv6 address selection, if it doesn't look like an EUI-64 address, then yes, it is probably a privacy temporary address.
As a general best practice for ULA addressing, it is recommended to generate a random 40-bit prefix, using a tool like this one:
https://www.ultratools.com/tools/rangeGenerator
or
https://www.sixxs.net/tools/grh/ula/Either way, you can then do stateless NPT between the ULA subnet(s) and your GUA prefix assigned by your ISP; useful if you change ISPs.
-
I'll have to see if that address sticks over a couple of days. I know about the 40 bit random number. I just wanted to see how this works and I can always add a random number later. BTW, the way I usually generate a random number is with the command "ps aux|md5sum" at the Linux command line. I expect it will also work at the BSD command line in pfSense.
I just generated a703bfe042481766e1dd6cbf546a39c and could pick any 10 digit string from this to get the 40 bits.
Hmmm… For some reason the spell checker doesn't like that random number. ;)
Update. Apparently that command does not work in BSD. md5sum: Command not found.
-
I don't know if it's related or not, but after adding the 40 random bits, I now get both MAC and random number ULA addresses on the computer and the random number has the same 64 bits as the global address. Also, pfSense doesn't appear to use a ULA for itself.
-
Is there anyway for pfSense to assign a ULA to it's LAN interface? I don't see any way to do that.
-
I'm sure there is a nuance here I'm missing…but just set IPv6 configuration type to Static IPv6 and key it in.
-
I'm sure there is a nuance here I'm missing…but just set IPv6 configuration type to Static IPv6 and key it in.
I don't see a static config for IPv6. Also, that interface is tracking the WAN interface for it's global address. What I'm trying to do is have both global and local addresses on the same interface, as happens with other devices on my network. For example, I can use the ULA to connect from my desktop to notebook computer. However, if I try to even ping6 6 from the computer running pfSense to another, using the ULA address, it tells me to use the GUA. It won't even route between the two. It's a "you can't get there from here" situation. ;)
BTW, I'm currently reading RFC7368 (riveting plot :D ) where it says:
When an
IPv6 node in a homenet has both a ULA and a globally unique IPv6
address, it should only use its ULA address internally and use its
additional globally unique IPv6 address as a source address for
external communications.I can't currently use a ULA between pfSense and other devices.
-
On pfSense, any addresses beyond the interface's primary address has to be added in as a virutal IP Alias address.
Once you've done that you can verify with CLI ifconfig -a and see it show up.I added a second address fd33:3e94:8260:4100::1 to my em1 interface.
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1f:5b:46
inet6 fe80::20c:29ff:fe1f:5b46%em1 prefixlen 64 scopeid 0x2
inet 100.64.31.1 netmask 0xffffff00 broadcast 100.64.31.255
inet6 fd33:3e94:8260:3100::1 prefixlen 64
inet6 fd33:3e94:8260:4100::1 prefixlen 128Once it is added in, you can then setup the prefix in the RA config to advertise each prefix defined on the interface. Note that clients on that L2 will get an address for EACH advertised prefix (if listening to RAs). Keep in mind they will also get more than 1 gateway this way.
Here is a good place for an improvement to pfSense, configurable router priority per-prefix, so you can say have the "main" prefix with the higher priority and the others with a lower priority.
Right now they will all advertise with the same priority, unless you go tweak the underlying radvd.conf file.</rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast> -
On pfSense, any addresses beyond the interface's primary address has to be added in as a virutal IP Alias address.
Once you've done that you can verify with CLI ifconfig -a and see it show up.I added a second address fd33:3e94:8260:4100::1 to my em1 interface.
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1f:5b:46
inet6 fe80::20c:29ff:fe1f:5b46%em1 prefixlen 64 scopeid 0x2
inet 100.64.31.1 netmask 0xffffff00 broadcast 100.64.31.255
inet6 fd33:3e94:8260:3100::1 prefixlen 64
inet6 fd33:3e94:8260:4100::1 prefixlen 128Once it is added in, you can then setup the prefix in the RA config to advertise each prefix defined on the interface. Note that clients on that L2 will get an address for EACH advertised prefix (if listening to RAs). Keep in mind they will also get more than 1 gateway this way.
Here is a good place for an improvement to pfSense, configurable router priority per-prefix, so you can say have the "main" prefix with the higher priority and the others with a lower priority.
Right now they will all advertise with the same priority, unless you go tweak the underlying radvd.conf file.</rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>I'll have to try adding it with the command line, as soon as I figure out how. :D I had set an alias IPv4 address in Linux, years ago. I guess this is similar.
Also, it would be nice if the DNS resolver would support multiple IP addresses, the way some web sites do. Then you could have both ULA and GUA addresses for the same host name.
-
I'll have to try adding it with the command line…
Sorry, I wasn't specific enough, no CLI necessary…
Firewall --> Virtual IPs
Click + Add
Select Type: IP Alias
Enter the IPv6 address with /128 mask.Also, it would be nice if the DNS resolver would support multiple IP addresses, the way some web sites do. Then you could have both ULA and GUA addresses for the same host name.
Yeah, the multiple IPs part per hostname in DNS resolver would be a nice touch, since that is pretty much basic functionality of DNS. A good use-case for that would be for round-robin host selection.
-
Yes, I found that way to add the alias and I can see it in ifconfig. I had the prefix set up in RA a couple of weeks ago. Still can't ping though.
-
Still can't ping though.
The thing to realize is that "Interface address" in firewall rules doesn't include any virtual IPs assigned to the interface.
So unless you explicitly allow it it isn't going to work.The minute you start using virtual IPs, it is a good idea to create an Alias, eg: LAN_IPv6 and put all the valid addresses into it, and then use only that object in your rules.
I'll admit that its a bit kludgy, it would be nicer if pfSense had a way of referencing the Virtual IP, so that if you changed it, the Alias would update automatically, so keep that in mind if you make changes after its running. -
Given that ifconfig shows that address, shouldn't I be able to ping it from another computer? It certainly works that way on IPv4 in Linux. Also, I can ping that address from pfSense. I just can't ping between pfSense and another computer.
BTW, the address I used is fd48:1a37:2160::1, which is within my ULA prefix.
I'll have to see what Wireshark shows.
-
Wireshark shows the neighbor solicitation going out, but no response.
-
Did you specifically allow access to that IP in the ruleset? It won't reply, even to the interface IP, if there is no rule.
-
There is an existing rule, with wild cards for source, destination and gateway, for IPv6 on the LAN side. I don't see anything that applies to that ULA prefix. Also, why should it be necessary to have a rule for traffic that will not pass through the firewall? I'm just trying to connect between 2 devices on the same LAN.