Unique Local Addresses?

JKnott

Is there any way to get pfSense to provide SLAAC addresses in the ULA FC00::/7 range, in addition to the usual prefix?

awebster

Sure, just add it to the router advertisements subnets (prefix) list.

JKnott

@awebster:

Sure, just add it to the router advertisements subnets (prefix) list.

Where is that done?

awebster

Services -> DHCPv6 Server & RA
Select the subnet you want to modify (LAN is selected by default)
Click on Router Advertisements.
Make sure you select one of the Router Modes that has 'auto' listed; this controls whether SLAAC assignments are turned on.
Add your ULA subnet to the list.

Check that it is working using wireshark and watching for ICMPv6 Router Advertisement packets.

JKnott

Got it.  I created a prefix of fd00::/64 and saw it in the router advertisements.  I also see it assigned to this computer.  One thing I see though, is the assigned address has nothing to do with the computer's MAC address or any other IPv6 address.  I assume it's just a privacy address within the unique local prefix.  This is on openSUSE 42.2.

awebster

I'm not familiar with what OpenSUSE uses for IPv6 address selection, if it doesn't look like an EUI-64 address, then yes, it is probably a privacy temporary address. 
As a general best practice for ULA addressing, it is recommended to generate a random 40-bit prefix, using a tool like this one:
https://www.ultratools.com/tools/rangeGenerator
or
https://www.sixxs.net/tools/grh/ula/

Either way, you can then do stateless NPT between the ULA subnet(s) and your GUA prefix assigned by your ISP; useful if you change ISPs.

JKnott

I'll have to see if that address sticks over a couple of days.  I know about the 40 bit random number.  I just wanted to see how this works and I can always add a random number later.  BTW, the way I usually generate a random number is with the command "ps aux|md5sum" at the Linux command line.  I expect it will also work at the BSD command line in pfSense.

I just generated a703bfe042481766e1dd6cbf546a39c and could pick any 10 digit string from this to get the 40 bits.

Hmmm…  For some reason the spell checker doesn't like that random number.  ;)

Update.  Apparently that command does not work in BSD.  md5sum: Command not found.

JKnott

I don't know if it's related or not, but after adding the 40 random bits, I now get both MAC and random number ULA addresses on the computer and the random number has the same 64 bits as the global address.  Also, pfSense doesn't appear to use a ULA for itself.

JKnott

Is there anyway for pfSense to assign a ULA to it's LAN interface?  I don't see any way to do that.

awebster

I'm sure there is a nuance here I'm missing…but just set IPv6 configuration type to Static IPv6 and key it in.

JKnott

@awebster:

I'm sure there is a nuance here I'm missing…but just set IPv6 configuration type to Static IPv6 and key it in.

I don't see a static config for IPv6.  Also, that interface is tracking the WAN interface for it's global address.  What I'm trying to do is have both global and local addresses on the same interface, as happens with other devices on my network.  For example, I can use the ULA to connect from my desktop to notebook computer.  However, if I try to even ping6 6 from the computer running pfSense to another, using the ULA address, it tells me to use the GUA.  It won't even route between the two.  It's a "you can't get there from here" situation.  ;)

BTW, I'm currently reading RFC7368 (riveting plot  :D ) where it says:

When an
  IPv6 node in a homenet has both a ULA and a globally unique IPv6
  address, it should only use its ULA address internally and use its
  additional globally unique IPv6 address as a source address for
  external communications.

I can't currently use a ULA between pfSense and other devices.

awebster

On pfSense, any addresses beyond the interface's primary address has to be added in as a virutal IP Alias address.
Once you've done that you can verify with CLI ifconfig -a and see it show up.

I added a second address fd33:3e94:8260:4100::1 to my em1 interface.
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1f:5b:46
inet6 fe80::20c:29ff:fe1f:5b46%em1 prefixlen 64 scopeid 0x2
inet 100.64.31.1 netmask 0xffffff00 broadcast 100.64.31.255
inet6 fd33:3e94:8260:3100::1 prefixlen 64
inet6 fd33:3e94:8260:4100::1 prefixlen 128

Once it is added in, you can then setup the prefix in the RA config to advertise each prefix defined on the interface.  Note that clients on that L2 will get an address for EACH advertised prefix (if listening to RAs).  Keep in mind they will also get more than 1 gateway this way.

Here is a good place for an improvement to pfSense, configurable router priority per-prefix, so you can say have the "main" prefix with the higher priority and the others with a lower priority.
Right now they will all advertise with the same priority, unless you go tweak the underlying radvd.conf file.</rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>

JKnott

@awebster:

On pfSense, any addresses beyond the interface's primary address has to be added in as a virutal IP Alias address.
Once you've done that you can verify with CLI ifconfig -a and see it show up.

I added a second address fd33:3e94:8260:4100::1 to my em1 interface.
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:0c:29:1f:5b:46
inet6 fe80::20c:29ff:fe1f:5b46%em1 prefixlen 64 scopeid 0x2
inet 100.64.31.1 netmask 0xffffff00 broadcast 100.64.31.255
inet6 fd33:3e94:8260:3100::1 prefixlen 64
inet6 fd33:3e94:8260:4100::1 prefixlen 128

Once it is added in, you can then setup the prefix in the RA config to advertise each prefix defined on the interface.  Note that clients on that L2 will get an address for EACH advertised prefix (if listening to RAs).  Keep in mind they will also get more than 1 gateway this way.

Here is a good place for an improvement to pfSense, configurable router priority per-prefix, so you can say have the "main" prefix with the higher priority and the others with a lower priority.
Right now they will all advertise with the same priority, unless you go tweak the underlying radvd.conf file.</rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>

I'll have to try adding it with the command line, as soon as I figure out how.  :D  I had set an alias IPv4 address in Linux, years ago.  I guess this is similar.

Also, it would be nice if the DNS resolver would support multiple IP addresses, the way some web sites do.  Then you could have both ULA and GUA addresses for the same host name.

awebster

I'll have to try adding it with the command line…

Sorry, I wasn't specific enough, no CLI necessary…
Firewall --> Virtual IPs
Click + Add
Select Type: IP Alias
Enter the IPv6 address with /128 mask.

Also, it would be nice if the DNS resolver would support multiple IP addresses, the way some web sites do.  Then you could have both ULA and GUA addresses for the same host name.

Yeah, the multiple IPs part per hostname in DNS resolver would be a nice touch, since that is pretty much basic functionality of DNS.  A good use-case for that would be for round-robin host selection.

JKnott

Yes, I found that way to add the alias and I can see it in ifconfig.  I had the prefix set up in RA a couple of weeks ago.  Still can't ping though.

awebster

Still can't ping though.

The thing to realize is that "Interface address" in firewall rules doesn't include any virtual IPs assigned to the interface.
So unless you explicitly allow it it isn't going to work.

The minute you start using virtual IPs, it is a good idea to create an Alias, eg: LAN_IPv6 and put all the valid addresses into it, and then use only that object in your rules.
I'll admit that its a bit kludgy, it would be nicer if pfSense had a way of referencing the Virtual IP, so that if you changed it, the Alias would update automatically, so keep that in mind if you make changes after its running.

JKnott

Given that ifconfig shows that address, shouldn't I be able to ping it from another computer?  It certainly works that way on IPv4 in Linux.  Also, I can ping that address from pfSense.  I just can't ping between pfSense and another computer.

BTW, the address I used is fd48:1a37:2160::1, which is within my ULA prefix.

I'll have to see what Wireshark shows.

JKnott

Wireshark shows the neighbor solicitation going out, but no response.

awebster

Did you specifically allow access to that IP in the ruleset?  It won't reply, even to the interface IP, if there is no rule.

JKnott

There is an existing rule, with wild cards for source, destination and gateway, for IPv6 on the LAN side.  I don't see anything that applies to that ULA prefix.  Also, why should it be necessary to have a rule for traffic that will not pass through the firewall?  I'm just trying to connect between 2 devices on the same LAN.

JKnott

Can you show me your LAN rules?

tnx

JKnott

One other thing I've noticed.  If I put an alias on the LAN and then reboot the firewall, I lose the global address.

awebster

Yeah, I think there are a lot of gotcha's with the Track Interface.
It makes sense because the Alias gets set on the interface before the Track Interface address, which then would make it need to provision as a 2nd address, so the logic is broken.
Additionally, my "alias" trick doesn't work well either because you don't know beforehand what prefix you'll get on the interface in addition to any additional ones you want to create.

More feature improvements required for this to work.  This is infact a known issue, see: https://redmine.pfsense.org/issues/6678 and https://redmine.pfsense.org/issues/5999

For now, you'll need to stick with static IPv6 prefix allocations to make it work as expected.

JKnott

Oh well.  I was planning on learning a few things, but not these bugs.

JKnott

That problem with an alias pretty much eliminates pfSense from routing ULA networks.

johnpoz

"I'm just trying to connect between 2 devices on the same LAN."

If your on the same L2 what does pfsense have to do with anything?

"Wireshark shows the neighbor solicitation going out, but no response."

Pfsense could be OFF if your devices are on the same L2..

Are you wanting pfsense to route between 2 different ULA/64s that are attached to pfsense - or these 2 hosts on the same network that are not using their ULA addresses?

JKnott

Routing ULAs is completely appropriate, other than onto the Internet.  They're just like RFC1918 addressesin that respect.  Suppose you have 2 corporate locations, each with ULAs.  Might you not want to route between them?  In fact that's the reason for the random number part of the /48 prefix, so that you can route between ULA networks, with little risk of address collision.  I have experienced address collision on IPv4, when I wanted to VPN home from hotels.

Other than keeping them off the Internet, pfSense, like any other router should be able to route ULA.

So, it all boils down to why pfSense doesn't create a usable ULA on the LAN interface.  Without that, it can't route ULAs.

johnpoz

"Routing ULAs is completely appropriate, other than onto the Internet.  "

Completely agree.. But your posts sounds like your issue with devices on the same layer 2..
""I'm just trying to connect between 2 devices on the same LAN.""
""Wireshark shows the neighbor solicitation going out, but no response.""

So your saying your not getting answer from pfsense for its ULA you placed on the interface as a neighbor to your device as its gateway?  So it can get to other ULA /64's on your local network.. I can try and fire up ULA addresses on pfsense interfaces and see if I can route between them.  If that is the case.. But maybe I just needed more coffee, but sounded like you were talking about devices talking to each other on the same L2 which pfsense would give 2 shits about..

JKnott

I guess I should have clarified.  ULA works fine, except for the LAN interface on the pfSense firewall.  I have no problem connecting from my desktop computer to notebook, etc.  It's just I can't access the firewall.  While it won't impact me in my situation, pfSense is also sold for use in corporate environments, where it may be an issue.

BTW, I'm doing a lot of this stuff to learn and it's frustrating to come across problems such as this, where poor design keeps things from working.

johnpoz

I just tested this..

So gave pfsense a VIP ipv6 ULA of  fd31:8d49:5cc9:5133::1

I then gave my PC a ipv6 ula address of  fd31:8d49:5cc9:5133::100

I can ping pfsense just fine

ping  fd31:8d49:5cc9:5133::1

Pinging fd31:8d49:5cc9:5133::1 with 32 bytes of data:
Reply from fd31:8d49:5cc9:5133::1: time<1ms
Reply from fd31:8d49:5cc9:5133::1: time<1ms
Reply from fd31:8d49:5cc9:5133::1: time<1ms
Reply from fd31:8d49:5cc9:5133::1: time<1ms

Ping statistics for fd31:8d49:5cc9:5133::1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Now I had to edit the lan firewall rule on pfsense to not be "lan net" for ipv6 since the ULA is not the actual lan net its a vip sitting on the lan interface..

JKnott

Did you use an alias to create that address on pfSense?  When I did that and rebooted, I lost my GUA on the LAN interface.  I had no problem setting RA to provide the ULA prefix.

I then gave my PC a ipv6 ula address of  fd31:8d49:5cc9:5133::100

I didn't have to do that.  With RA configured for the ULA, all my devices got an address automagically.

johnpoz

That is fine I did not go that route for a simple test, this is not something I would setup on my network.  I just use my global IPs I get from HE that fall under my /48

Its quite possible you have problems with creating an alias if your using tracking for your IPv6 on your lan side interfaces and your prefix changes from your ISP.  Wouldn't a simple solution to just be create an alias for your ULA only.  Then just create multiple rules 1 for your global that you get from tracking "lan net" "optX net" etc.. and your alias with your ULA network(s) in them.

The scenarios where you want want the same rules for your global and your ula would be rare that you would want them in the same alias isn't it?  Why not just use ANY on your lan side for your source if that is the case that you just want to allow IPv6..

Other than play/learning - what exactly are you looking to accomplish?

JKnott

Regardless of rules etc., it shouldn't be difficult/impossible to set up an alias, along with RA for the ULA prefix.  Also, setting up an alias shouldn't kill the GUA on the LAN interface.  As I mentioned, RA works fine for ULA, but an address is not assigned to the LAN interface and creating an alias kills the router for IPv6.  A business user may have reasons for routing ULA between sites via VPN.  PfSense won't allow that, as far as I can see.

johnpoz

"A business user may have reasons for routing ULA between sites via VPN.  PfSense won't allow that, as far as I can see."

Why is that.. I just created a gateway to my ULA box the 5133::100 address, I then created a route saying hey if you want to go to 5134::/64 talk to the gateway… I then did a sniff and pinged from pfsense to a 5134::100 address and it sent the traffic from its vip 5133::1 address to 5134:100 to the mac of my 5133:100 box..  So sure looks like that is routing to me.

If it was via a vpn connection, then would have its own vpn interface, etc. any could for sure create routes that go down that tunnel to get to a ULA range.

So I am still confused as to what is not working, or then trying to create some alias that has both your Global address that you got via a TRACK interface network?  And this is changing on you??  Are you saying you can not create a alias with your IPv6 global address and your ULA..

Sorry not seeing what your issue is.

awebster

So I am still confused as to what is not working

Have a look at https://redmine.pfsense.org/issues/5999, that is just the tip of the iceberg.
But more specifically having a virtual IP set on an interface that is also tracking the WAN.  Similarly if an interface is a DHCP client and also needs a VIP we get into the same situation.

Basically, as has been discussed before, IPv6 is fundamentally different than IPv4 in some of the basic principles, starting with the fact that an interface can and does have more than one IP address, this is defined in the RFCs.  It can have a mixture of any number of ULAs, GUAs and a link-local addresses. Consequently, the software needs to be aware of this and make intelligent choices, or allow the user to dictate, based on this fact.
Many of the functionalities in pfSense, and quite possibly the underlying FreeBSD OS, are just "enhanced" versions of their IPv4 counterpart and haven't necessarily taken this requirement to heart.  As the redmine ticket indicates, there is much work to be done to bring the code base up-to full to par so that expected IPv6 behavior works.

I'm thinking that a work-around in JKnott's case might be to assign the ULA range to a separate interface and plug it into the same L2 as the LAN interface.

JKnott

So I am still confused as to what is not working, or then trying to create some alias that has both your Global address that you got via a TRACK interface network?  And this is changing on you??  Are you saying you can not create a alias with your IPv6 global address and your ULA..

Once again.  I can set up ULA with RA, no problem, but the pfSense LAN interface doesn't get an IPv6 address.  When I create an alias on the pfSense LAN port, for the ULA, I cannot even ping it.  It simply doesn't respond.  Worse, when I reboot the firewall, I lose the GUA address on the WAN port.  Up the thread, someone else posted some links that showed problems with alias addresses on pfSense.

So, what I'm trying to do is
a) create the ULA with RA - this works
b) get a working ULA address on the LAN interface.  This doesn't work.

Can you ping from a device on a ULA only to the firewall?  And to the VPN?

I spent all yesterday afternoon, trying to just be able to ping a ULA address on the pfSense LAN interface, without success.  This is decribed further up the list.

However, I'll try again and see what happens.

JKnott

I just tried it and the same thing happens.  I cannot even ping the firewall ULA and after rebooting it, I lose IPv6 to my network.  PfSense is busted!!!

JKnott

One thing I just thought of.  It may not be necessary for pfSense to have a ULA to route from the ULA prefix.  Routing is still done via the link local address.  I'll have to see if I can figure out some way to test this.  I may have to dust off my Cisco 2600 router.

johnpoz

" just tried it and the same thing happens.  I cannot even ping the firewall ULA and after rebooting it, I lose IPv6 to my network.  PfSense is busted!!!"

Maybe your pfsense is busted.. But this is not the case with mine.. Add ULA address as VIP.. Works as it should - can ping it to that address (if firewall rules allow it) and routes just fine..

What your saying makes ZERO sense - how would adding a vip cause such an issue??  Be it a ula or another global, etc..

JKnott

I don't know why it's happening, but it happened twice.  Also, as mentioned in other posts, there apparently is a problem.  And I created the alias by clicking on Firewall > Virtual IPs.