ULA address only?



  • Is there any way to configure pfSense so that a network gets only ULA addresses?  I tried changing IPv6 Configuration Type from Tracking to SLAAC, but devices on the network still get global addresses, as well as ULA.


  • Netgate

    Services > DHCPv6 and RA, Router Advertisements in unmanaged mode with just the ULA subnet specified?

    ![Screen Shot 2017-08-25 at 1.28.21 PM.png](/public/imported_attachments/1/Screen Shot 2017-08-25 at 1.28.21 PM.png)



  • I was looking at that.  It says "LAN".  The interface I want to do this with is VLAN3.  I don't see any way to separate the behaviour of the 2 interfaces.  I don't want to lose global addresses on my main LAN.  The idea is to set up a separate network, with ULA only.  At the moment, the VLAN has both ULA and global addresses, just like the main LAN.


  • Netgate

    So do it on Services > DHCPv6 and RA, Router Advertisements and select VLAN3 there. There are separate RA settings for each broadcast domain.



  • @Derelict:

    So do it on Services > DHCPv6 and RA, Router Advertisements and select VLAN3 there. There are separate RA settings for each broadcast domain.

    I had to change IPv6 Configuration Type back to Track Interface, before VLAN3 could be selected.  Regardless, selecting unmanaged does not turn off the global addresses.  VLAN3 still has both ULA and global addresses.


  • Netgate

    You probably want to set the VLAN3 interface to be Static IPv6, give it the ::1 on the ULA /64, and go from there.

    If you want the interface to have both track subnet and a ULA subnet and only RA for the ULA subnet things are going to be more difficult.

    Track interface turns on things like DHCPv6. That is going to make it difficult to do what you want to do.

    If you can set it to track, then turn off DHCPv6, put a VIP on it on the ULA /64 then set the RA as I described above it might work.



  • What I want is to be able to use RA for the ULA and no global addresses.  However, based on what I saw, it may not be possible.  This is only an experiment, as I recently read that ULA is a good idea for IoT devices, which you might not want to be directly accessible from the Internet.


  • Netgate

    So set the interface Static IPv6, not Track, and set it to be the appropriate ::1 address in the ULA /64 and set up the RA.


  • Rebel Alliance Global Moderator

    Or just don't give them an IPv6 address at all.. Clearly you have isolated your iot devices to their own vlan, so why run any ipv6 on that vlan at all?  Only reason to give them a ULA would be to prevent them from internet on IPv6.  This is easier done by just not giving them ipv6 at all..

    If you need to talk to them via IPv6 (I would question why)…  To be honest the iot devices I have seen have really crappy ipv6 support anyway ;)  If the goal is just keep them off the internet on ipv6 wouldn't it just be a cleaner solution to not give them internet at your firewall from their global IPv6 address that you get from track or however else you're running your IPv6?  This way you could talk to them via IPv6 without any issues, and they don't have internet via ipv6..



  • First off, as I mentioned this is to learn.  I won't actually be building a network for IoT.

    However, the goal is to use IPv6 as much as possible, including ULA when appropriate.  I was hoping that pfSense would provide some control over what addresses it provides in RAs.  Apparently not.  There may be many reasons why one might want a network of devices that can't directly access the Internet, but can be accessed via some sort of gateway.  IoT would certainly fall into that category, as would those cameras I mentioned in another thread.  One nice thing about RAs & SLAAC is no configuration required.  As I mentioned, those cameras were "fun" to configure for an IPv4 address.  Incidentally, those cameras have supported IPv6, including SLAAC, for years.

    So, this has been a learning experience for me and it pointed out something that may be lacking in pfSense.  I suppose the workaround would be to use the firewall to block global addresses from that network, though that shouldn't be necessary.

    My question is why would someone not want to use IPv6, considering it's the future and superior to IPv4 in many respects.

    Funny thing, I actually knew of IPv6, before I learned about IPv4.  I recall sitting in the TCP/IP class thinking about how 32 bit addresses were so limiting.  I read about IPv6 in the April 1995 issue of Byte magazine and took my first TCP/IP course in June 1995.  Ever since then, I've been anxiously waiting for IPv6 to "take over the world".  ;)
    I started using it in May 2012, with a 6in4 tunnel, again to learn about it.


  • Netgate

    However, the goal is to use IPv6 as much as possible, including ULA when appropriate.  I was hoping that pfSense would provide some control over what addresses it provides in RAs.  Apparently not.

    Did you even try my suggestions? It's right there in the subnets section of the RA settings.



  • @Derelict:

    However, the goal is to use IPv6 as much as possible, including ULA when appropriate.  I was hoping that pfSense would provide some control over what addresses it provides in RAs.  Apparently not.

    Did you even try my suggestions? It's right there in the subnets section of the RA settings.

    Yes I did try and also mentioned it didn't work.


  • Netgate

    Looks like it works to me.



    ![Screen Shot 2017-08-26 at 12.54.05 PM.png](/public/imported_attachments/1/Screen Shot 2017-08-26 at 12.54.05 PM.png)
    ![Screen Shot 2017-08-26 at 12.52.06 PM.png](/public/imported_attachments/1/Screen Shot 2017-08-26 at 12.52.06 PM.png)



  • That seems to work now.  Not sure why it didn't before.

    tnx


  • Netgate

    It does not look like there is a way to disable RA for the interface subnet if it is defined. You can add a subnet to it on the RA page but it will advertise both that subnet and the interface subnet. I'll bring that up and see if that should be able to be disabled.



  • I don't want to disable RAs.  They're used to assign the prefix.  Also, ULAs are routable, just not over the Internet.

    Here's how it looks on a Linux system:

    ```
    vlan3    Link encap:Ethernet  HWaddr 74:D4:35:5A:F5:FB
              inet addr:172.16.3.10  Bcast:172.16.3.255  Mask:255.255.255.0
              inet6 addr: fd48:1a37:2160:1:5c0b:a1d3:1ff8:7224/64 Scope:Global
              inet6 addr: fe80::76d4:35ff:fe5b:f5fa/64 Scope:Link
              inet6 addr: fd48:1a37:2160:1:76d4:35ff:fe5a:f5fb/64 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1300  Metric:1
              RX packets:1478 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1204 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:307424 (300.2 Kb)  TX bytes:247592 (241.7 Kb)
    ```
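The check the thread keeps coming back to ("does VLAN3 still have a global address, or only ULA?") is easy to get wrong by reading ifconfig, because Linux prints ULAs as `Scope:Global` just like real global addresses. The following Python script is an added example, not code from the thread or from pfSense: it parses the ifconfig output posted above (embedded as sample input), classifies each address by the prefix it falls in (`fe80::/10` link-local, `fc00::/7` ULA, `2000::/3` global unicast), lists the /64s the host received via RA, and tells the EUI-64 (MAC-derived) SLAAC address apart from the temporary one. All function names are this example's own.

```python
import ipaddress
import re

# Sample input: the Linux ifconfig output posted above, embedded so the check
# runs offline (copied from the thread; the RX/TX counter lines are omitted).
IFCONFIG_OUTPUT = """\
vlan3    Link encap:Ethernet  HWaddr 74:D4:35:5A:F5:FB
          inet addr:172.16.3.10  Bcast:172.16.3.255  Mask:255.255.255.0
          inet6 addr: fd48:1a37:2160:1:5c0b:a1d3:1ff8:7224/64 Scope:Global
          inet6 addr: fe80::76d4:35ff:fe5b:f5fa/64 Scope:Link
          inet6 addr: fd48:1a37:2160:1:76d4:35ff:fe5a:f5fb/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1300  Metric:1
"""

# RFC 4193 unique local space, RFC 4291 link-local space, and the block from
# which global unicast addresses are currently allocated.
ULA = ipaddress.IPv6Network("fc00::/7")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

HWADDR_RE = re.compile(r"HWaddr\s+([0-9A-Fa-f:]{17})")
INET6_RE = re.compile(r"inet6 addr:\s*([0-9A-Fa-f:]+)/(\d+)\s+Scope:(\w+)")


def classify(addr) -> str:
    """Label an address by prefix, ignoring ifconfig's Scope column (which
    says 'Global' for ULAs too)."""
    addr = ipaddress.IPv6Address(addr)
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def parse_inet6(text: str):
    """Return (address, prefix length, kind) for every 'inet6 addr:' line."""
    found = []
    for m in INET6_RE.finditer(text):
        addr = ipaddress.IPv6Address(m.group(1))
        found.append((addr, int(m.group(2)), classify(addr)))
    return found


def has_global_address(text: str) -> bool:
    """True if any configured address comes from a global unicast prefix,
    i.e. the interface is still getting the tracked prefix in RAs."""
    return any(kind == "global" for _, _, kind in parse_inet6(text))


def advertised_prefixes(text: str):
    """Non-link-local prefixes the host has configured. Under SLAAC these are
    exactly the prefixes it accepted from router advertisements."""
    nets = {
        ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)
        for addr, plen, kind in parse_inet6(text)
        if kind != "link-local"
    }
    return sorted(str(n) for n in nets)


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291 App. A):
    flip the universal/local bit of the first octet and insert ff:fe."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(iid, "big")


def is_eui64_derived(addr, mac: str) -> bool:
    """True if the low 64 bits of addr are the MAC's EUI-64 identifier, i.e. the
    stable SLAAC address rather than an RFC 4941 temporary one."""
    low64 = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return low64 == eui64_interface_id(mac)


def report(text: str):
    """One summary line per IPv6 address: address/prefix, kind, and origin."""
    mac = HWADDR_RE.search(text).group(1)
    lines = []
    for addr, plen, kind in parse_inet6(text):
        origin = "eui-64" if is_eui64_derived(addr, mac) else "not eui-64"
        lines.append(f"{addr}/{plen}  {kind:<10} {origin}")
    return lines


if __name__ == "__main__":
    for line in report(IFCONFIG_OUTPUT):
        print(line)
    print("global address present:", has_global_address(IFCONFIG_OUTPUT))
    print("RA prefixes in use:", advertised_prefixes(IFCONFIG_OUTPUT))
```

Run against the output posted above, the script reports no global address and a single RA prefix, `fd48:1a37:2160:1::/64`, so the RA change did take: both `Scope:Global` entries are ULAs, one built from the MAC and one a temporary address. Pipe real `ifconfig` output into it (or replace the sample string) to confirm the same on another host before relying on a firewall rule to keep the global prefix off the VLAN.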