Netgate Discussion Forum

    ULA address only?

    16 Posts 3 Posters 2.7k Views
    • JKnott

      Is there any way to configure pfSense so that a network gets only ULA addresses?  I tried changing IPv6 Configuration Type from Tracking to SLAAC, but devices on the network still get global addresses, as well as ULA.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • Derelict (Netgate)

        Services > DHCPv6 and RA, Router Advertisements in unmanaged mode with just the ULA subnet specified?

        ![Screen Shot 2017-08-25 at 1.28.21 PM.png](/public/imported_attachments/1/Screen Shot 2017-08-25 at 1.28.21 PM.png)

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • JKnott

          I was looking at that.  It says "LAN".  The interface I want to do this with is VLAN3.  I don't see any way to separate the behaviour of the 2 interfaces.  I don't want to lose global addresses on my main LAN.  The idea is to set up a separate network, with ULA only.  At the moment, the VLAN has both ULA and global addresses, just like the main LAN.


          • Derelict (Netgate)

            So do it on Services > DHCPv6 and RA, Router Advertisements and select VLAN3 there. There are separate RA settings for each broadcast domain.


            • JKnott

              @Derelict:

              > So do it on Services > DHCPv6 and RA, Router Advertisements and select VLAN3 there. There are separate RA settings for each broadcast domain.

              I had to change IPv6 Configuration Type back to Track Interface, before VLAN3 could be selected.  Regardless, selecting unmanaged does not turn off the global addresses.  VLAN3 still has both ULA and global addresses.


              • Derelict (Netgate)

                You probably want to set the VLAN3 interface to be Static IPv6, give it the ::1 on the ULA /64, and go from there.

                If you want the interface to have both track subnet and a ULA subnet and only RA for the ULA subnet things are going to be more difficult.

                Track interface turns on things like DHCPv6. That is going to make it difficult to do what you want to do.

                If you can set it to track, then turn off DHCPv6, put a VIP on it on the ULA /64 then set the RA as I described above it might work.


                • JKnott

                  What I want is to be able to use RA for the ULA and no global addresses.  However, based on what I saw, it may not be possible.  This is only an experiment, as I recently read that ULA is a good idea for IoT devices, which you might not want to be directly accessible from the Internet.


                  • Derelict (Netgate)

                    So set the interface Static IPv6, not Track, and set it to be the appropriate ::1 address in the ULA /64 and set up the RA.


                    • johnpoz (Global Moderator)

                      Or just don't give them an IPv6 address at all.. Clearly you have isolated your iot devices to their own vlan, so why run any ipv6 on that vlan at all?  Only reason to give them a ULA would be to prevent them from internet on IPv6.  This is easier done by just not giving them ipv6 at all..

                      If you need to talk to them via IPv6 (I would question why)…  To be honest the IoT devices I have seen have really crappy IPv6 support anyway ;)  If the goal is just to keep them off the internet on IPv6, wouldn't it just be a cleaner solution to not give them internet at your firewall from their global IPv6 address that you get from track or however else you're running your IPv6?  This way you could talk to them via IPv6 without any issues, and they don't have internet via IPv6..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • JKnott

                        First off, as I mentioned this is to learn.  I won't actually be building a network for IoT.

                        However, the goal is to use IPv6 as much as possible, including ULA when appropriate.  I was hoping that pfSense would provide some control over what addresses it provides in RAs.  Apparently not.  There may be many reasons why one might want a network of devices that can't directly access the Internet, but can be accessed via some sort of gateway.  IoT would certainly fall into that category, as would those cameras I mentioned in another thread.  One nice thing about RAs & SLAAC is no configuration required.  As I mentioned, those cameras were "fun" to configure for an IPv4 address.  Incidentally, those cameras have supported IPv6, including SLAAC, for years.

                        So, this has been a learning experience for me and it pointed out something that may be lacking in pfSense.  I suppose the workaround would be to use the firewall to block global addresses from that network, though that shouldn't be necessary.

                        My question is why would someone not want to use IPv6, considering it's the future and superior to IPv4 in many respects?

                        Funny thing, I actually knew of IPv6, before I learned about IPv4.  I recall sitting in the TCP/IP class thinking about how 32 bit addresses were so limiting.  I read about IPv6 in the April 1995 issue of Byte magazine and took my first TCP/IP course in June 1995.  Ever since then, I've been anxiously waiting for IPv6 to "take over the world".  ;)
                        I started using it in May 2012, with a 6in4 tunnel, again to learn about it.


                        • Derelict (Netgate)

                          > However, the goal is to use IPv6 as much as possible, including ULA when appropriate.  I was hoping that pfSense would provide some control over what addresses it provides in RAs.  Apparently not.

                          Did you even try my suggestions? It's right there in the subnets section of the RA settings.


                          • JKnott

                            @Derelict:

                            > > However, the goal is to use IPv6 as much as possible, including ULA when appropriate.  I was hoping that pfSense would provide some control over what addresses it provides in RAs.  Apparently not.
                            >
                            > Did you even try my suggestions? It's right there in the subnets section of the RA settings.

                            Yes, I did try, and I also mentioned it didn't work.


                            • Derelict (Netgate)

                              Looks like it works to me.

                              Attached screenshots (RA settings for the ULA-only interface):
                              • screenshot-d7b23cc3-a557-4e45-b21d-c285096fcc02-2017-08-26-12-53-21.png
                              • ![Screen Shot 2017-08-26 at 12.54.05 PM.png](/public/imported_attachments/1/Screen Shot 2017-08-26 at 12.54.05 PM.png)
                              • ![Screen Shot 2017-08-26 at 12.52.06 PM.png](/public/imported_attachments/1/Screen Shot 2017-08-26 at 12.52.06 PM.png)
                              • screenshot-d7b23cc3-a557-4e45-b21d-c285096fcc02-2017-08-26-12-55-26.png


                              • JKnott

                                That seems to work now.  Not sure why it didn't before.

                                tnx


                                • Derelict (Netgate)

                                  It does not look like there is a way to disable RA for the interface subnet if it is defined. You can add a subnet to it on the RA page but it will advertise both that subnet and the interface subnet. I'll bring that up and see if that should be able to be disabled.


                                  • JKnott

                                    I don't want to disable RAs.  They're used to assign the prefix.  Also, ULAs are routeable, just not over the Internet.

                                    Here's how it looks on a Linux system:

                                    vlan3    Link encap:Ethernet  HWaddr 74:D4:35:5A:F5:FB 
                                              inet addr:172.16.3.10  Bcast:172.16.3.255  Mask:255.255.255.0
                                              inet6 addr: fd48:1a37:2160:1:5c0b:a1d3:1ff8:7224/64 Scope:Global
                                              inet6 addr: fe80::76d4:35ff:fe5b:f5fa/64 Scope:Link
                                              inet6 addr: fd48:1a37:2160:1:76d4:35ff:fe5a:f5fb/64 Scope:Global
                                              UP BROADCAST RUNNING MULTICAST  MTU:1300  Metric:1
                                              RX packets:1478 errors:0 dropped:0 overruns:0 frame:0
                                              TX packets:1204 errors:0 dropped:0 overruns:0 carrier:0
                                              collisions:0 txqueuelen:1000
                                              RX bytes:307424 (300.2 Kb)  TX bytes:247592 (241.7 Kb)


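Two things in this thread are checked by eye: which prefixes the RA on VLAN3 actually carries (Derelict's point that the interface subnet is advertised alongside the added ULA subnet) and whether a client ended up with only ULA and link-local addresses (the ifconfig output above, where Linux labels the ULA addresses "Scope:Global"). The following is an added example, not code from the thread or from pfSense: it parses the Prefix Information Options of an ICMPv6 Router Advertisement, reports any SLAAC prefix that is not ULA, and classifies host addresses. The RA bytes are constructed inline (checksum left zero) using the thread's fd48:1a37:2160:1::/64 and a documentation-range 2001:db8 prefix standing in for the tracked WAN prefix.

```python
import ipaddress
import struct

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses
GUA = ipaddress.ip_network("2000::/3")  # globally routable unicast

def address_kind(addr: str) -> str:
    """Classify one host address: ULA is routable on site but not on the Internet."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ULA:
        return "ULA"            # Linux ifconfig still prints these as Scope:Global
    return "global" if a in GUA else "other"

def parse_ra_prefixes(icmpv6: bytes):
    """Return (network, on_link, autonomous) for every Prefix Information Option
    (ND option type 3) in an ICMPv6 Router Advertisement (type 134, RFC 4861)."""
    if len(icmpv6) < 16 or icmpv6[0] != 134:
        raise ValueError("not a Router Advertisement")
    out, off = [], 16                         # RA fixed header is 16 bytes
    while off + 2 <= len(icmpv6):
        otype, olen = icmpv6[off], icmpv6[off + 1] * 8
        if olen == 0 or off + olen > len(icmpv6):
            raise ValueError("malformed ND option")
        if otype == 3 and olen == 32:
            plen, flags = icmpv6[off + 2], icmpv6[off + 3]
            pfx = ipaddress.IPv6Address(icmpv6[off + 16:off + 32])
            net = ipaddress.IPv6Network(f"{pfx}/{plen}", strict=False)
            out.append((net, bool(flags & 0x80), bool(flags & 0x40)))  # L bit, A bit
        off += olen
    return out

def leaked_global_prefixes(icmpv6: bytes):
    """SLAAC (A-bit) prefixes in the RA that are not ULA. On a network meant to be
    ULA-only, anything returned here is the interface subnet leaking through."""
    return [str(n) for n, _l, a in parse_ra_prefixes(icmpv6) if a and not n.subnet_of(ULA)]

def build_ra(prefixes, managed=False):
    """Constructed RA: M flag per argument, O clear, one PIO per prefix with L and A
    set and the RFC 4861 default valid/preferred lifetimes. Checksum is left zero."""
    pkt = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x80 if managed else 0, 1800, 0, 0)
    for net in prefixes:
        pkt += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        pkt += net.network_address.packed
    return pkt

# Constructed samples: the thread's ULA /64 alone (the goal), and the same RA with a
# documentation-range global /64 standing in for the tracked WAN prefix (the symptom).
RA_ULA_ONLY = build_ra([ipaddress.ip_network("fd48:1a37:2160:1::/64")])
RA_BOTH = build_ra([ipaddress.ip_network("fd48:1a37:2160:1::/64"),
                    ipaddress.ip_network("2001:db8:abcd:3::/64")])
```

To check a live RA, capture one with tcpdump on the client (icmp6 type 134) and feed the ICMPv6 payload bytes to `leaked_global_prefixes`; an empty list means only ULA will be used for SLAAC.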
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.