Configure fixed IP with PPPoE and /56 assignment
-
The MAC or permanent random number based addresses do not change. However, before an IPv6 node configures its address, it uses Duplicate Address Detection (DAD), to prevent using an address that's already taken.
Yes. That is what I was asking about re SLAAC. If it fails at DAD, does it fail at SLAAC or does it choose another Interface ID by some method? If the former, then all hosts have a fixed, constant address but some may not work. If the latter, then most hosts have a fixed, constant address but the ones that fail DAD will have a fixed, non-constant address.
Any comments from anyone else about the address assignment process?
-
DAD is used, no matter how the address is assigned, even with manual configuration. I seem to recall something about priority, based on how the address is assigned, that is MAC based vs temporary random, but I don't recall where I saw that or how accurate it is. BTW, the same often happens with IPv4 now, where DAD is frequently used.
-
DAD is used, no matter how the address is assigned, even with manual configuration.
Excellent point!!! The real issue is that if DAD fails, it is almost certainly a config error.
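The posts above agree that DAD runs regardless of how an address was configured, so the practical check is whether any address on an interface actually failed it. On FreeBSD (and therefore pfSense) `ifconfig` marks such addresses with the `duplicated` flag, and addresses still being probed with `tentative`. The parser below is an added example, not code from the thread or from pfSense; it reads that `ifconfig` text format and reports per-interface DAD state. The interface names, addresses and MAC-derived interface IDs in the sample output are constructed for the example.

```python
"""Added example: find IPv6 addresses that failed (or are still in) DAD by
parsing FreeBSD-style `ifconfig` output.

The sample output below is constructed for this example; run the real thing
with `parse_ifconfig(subprocess.check_output(["ifconfig"], text=True))`.
"""
import re
from dataclasses import dataclass, field

# Address flags FreeBSD's ifconfig prints after "prefixlen N" on inet6 lines.
INET6_FLAGS = {"anycast", "tentative", "duplicated", "detached",
               "deprecated", "autoconf", "temporary", "prefer_source"}

# Constructed sample: one address that failed DAD, one still tentative.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:55
\tinet6 fe80::211:22ff:fe33:4455%em0 prefixlen 64 scopeid 0x1
\tinet6 2001:db8:abcd:1ff:211:22ff:fe33:4455 prefixlen 64
\tinet6 2001:db8:abcd:1ff::2 prefixlen 64 duplicated
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 fe80::1%em1 prefixlen 64 tentative scopeid 0x2
\tinet6 2001:db8:abcd:100::1 prefixlen 64 tentative
"""

_IFACE_RE = re.compile(r"^(\S+): flags=")
_INET6_RE = re.compile(r"^\s+inet6\s+(\S+)\s+prefixlen\s+(\d+)(.*)$")


@dataclass
class Inet6Addr:
    iface: str
    address: str        # scope suffix (%em0) stripped
    prefixlen: int
    flags: set = field(default_factory=set)

    @property
    def failed_dad(self) -> bool:
        return "duplicated" in self.flags

    @property
    def pending_dad(self) -> bool:
        return "tentative" in self.flags


def parse_ifconfig(text: str) -> list:
    """Return every inet6 address found, with its interface and flags."""
    addrs, iface = [], None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _INET6_RE.match(line)
        if not m or iface is None:
            continue
        addr = m.group(1).split("%", 1)[0]
        # Keep only real per-address flags; "scopeid 0x1" etc. are dropped.
        flags = {w for w in m.group(3).split() if w in INET6_FLAGS}
        addrs.append(Inet6Addr(iface, addr, int(m.group(2)), flags))
    return addrs


def dad_failures(text: str) -> list:
    """(iface, address) pairs that lost DAD: almost always a config error."""
    return [(a.iface, a.address) for a in parse_ifconfig(text) if a.failed_dad]


def dad_pending(text: str) -> list:
    """(iface, address) pairs still being probed; re-check a second later."""
    return [(a.iface, a.address) for a in parse_ifconfig(text) if a.pending_dad]


if __name__ == "__main__":
    for iface, addr in dad_failures(SAMPLE_IFCONFIG):
        print(f"DAD FAILED  {iface} {addr}")
    for iface, addr in dad_pending(SAMPLE_IFCONFIG):
        print(f"DAD PENDING {iface} {addr}")
```

A static alias that shows up as `duplicated` means something else on that segment already claims the address, which is the "config error" case described in the thread; a `tentative` address right after boot is normal and should clear within about a second.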
Now as far as how to accomplish this, does this work (remember it is an IPv4 PPPoE with IPv6 traffic over it and I can get a static /56 but not a static WAN /127 address)?
What I would like to do (failing automatic capability of static WAN /127 assignment by ISP) is to assign (by me or my router) the WAN a link local address and WAN would get an RA from the ISP giving the WAN default gateway. As well, I would assign the WAN one of the prefix IDs from the static (known) /56 and use that to assign the WAN interface a static IP. This would be my global, static WAN address (YAY!!). Then I would assign the LAN another of the prefix IDs from the static (known) /56 and I would assign the LAN interface a static IP and that would be advertised RA for the LAN and I would use the rest of the LAN /64 for the LAN connected hosts (DHCPv6). Similarly I could use more of the /64s for other interfaces.
Note that as far as IPv6 goes, this scenario gets only one piece of info from the ISP automatically: the default gateway address (link local). Since all IPv6 traffic goes through IPv4 PPPoE link, it is inherently authenticated by the ISP.
Does this work? If so, I will check if it works on my end.
-
Now as far as how to accomplish this, does this work (remember it is an IPv4 PPPoE with IPv6 traffic over it and I can get a static /56 but not a static WAN /127 address)?
Your prefix is not dependent on how it gets to you. I used to use a 6in4 tunnel to get a /56, now it's native from my ISP. Either way, my prefix was consistent and the LAN addresses were determined by the MAC address, with random privacy addresses. Are you really worried about your WAN address? You won't be using it for anything, other than perhaps VPN or SSH, as routing is done via link local address. You certainly don't need it to be consistent, for accessing your LAN.
My WAN address is consistent, though DHCPv6, so I can point a DNS to it for my VPN. Also, while I don't know how your ISP does things, PPPoE isn't just for IPv4. Like Ethernet, it can handle just about any layer 3 protocol.
-
I do wish to have remote access to pfSense. Currently my OpenVPN server is on WAN (IPv4 only). If I want it IPv4 and IPv6, they would be on different interfaces (LAN and WAN resp). Also, in the future, I may want to support CARP, which would require a fixed WAN IP.
Also, good point about PPPoE being (effectively) layer 2. I could have said (more accurately) that I established the PPPoE connection through the configuration of the IP4 and used that established connection for the IP6 traffic.
-
You should still be able to access your firewall through its LAN access. As for a VPN, I run OpenVPN. While it runs on IPv4, it carries both IPv4 and IPv6. So, I connect the VPN using my IPv4 address. That address, while DHCP, is virtually static. It also has a host name based on firewall and modem MAC addresses, which does not change, unless I change hardware. So, I set up my VPN using the host name.
-
Yes: Firewall / Virtual IPs, add, Type: "IP Alias"
I missed this one!!! What if I allow the WAN to be configured DHCPv6 (as I think I must re ISP), giving me a dynamic WAN /127 and a static /54. I use one Prefix ID of my static assignment for LAN and use a single address of another prefix ID of same to assign a WAN address as an IPv6 alias. Would this give me exactly what I want: a fully static setup (totally ignoring the dynamic global WAN address as traffic to/from ISP uses the link local anyway). Can I make the alias the default address of the WAN? What address gets used as source if I ping from pfSense or issue DNS forward requests? What address gets used if OpenVPN is bound to WAN? Am I asking for trouble?
Ooh. I'm very hopeful... Anyone know the answers?
-
I just tried it. I created an alias out of the known static pool and specified /64 in the alias. I rebooted.
The WAN interface ONLY shows the alias as the IPv6 address (though it continues to show a LL address) in the GUI. ifconfig shows both global addresses (alias and ISP provided /128). In other words, my adding an alias to that interface seems to have made it the default WAN IPv6. I tried to ping from "WAN" and it used my static address as source. It seems this accomplished EXACTLY what I want.
I don't want to simply accept that the problem is solved as it could have been due to the timing of events during boot (somewhat random) that could be different next boot. Or it could be that it picks one by some other means (lowest numerical value, smallest prefix len, who knows?) If someone could confirm that this is designed to do exactly what I see (alias takes precedence over dynamic), I'm thrilled.
Haven't yet tried to make the OpenVPN server link to WAN IPv4+IPv6. I see that I have the choice of interface with three good choices: WAN, <alias> or "multi-homed". Since I want v4+v6 I can't use <alias> as it doesn't support v4. I would prefer not to use multihomed as it would bind to every interface address and I don't like that (can't really see harm, but I don't like managing the firewall rules for this scenario). That leaves WAN which would be great if someone can confirm that the v6 WAN address it will choose is always the alias! [edit] Just saw that if I want v4+v6 it is always multihomed, so that settles the case of OpenVPN but still leaves the general case (e.g. what source address it uses for DNS forwarding etc.). [/edit]
-
The WAN interface ONLY shows the alias as the IPv6 address (though it continues to show a LL address) in the GUI. ifconfig shows both global addresses (alias and ISP provided /128). In other words, my adding an alias to that interface seems to have made it the default WAN IPv6. I tried to ping from "WAN" and it used my static address as source. It seems this accomplished EXACTLY what I want.
It would be interesting to see what traceroute shows for traffic to that address. As far as your ISP and beyond is concerned, that address is on the LAN side of your firewall. That means the ISP will route packets to that address over the WAN link local address to the firewall and then pfSense will route it to the WAN interface. In this respect it's no different than assigning that address to a LAN interface, which in turn means it's no different than just using the LAN interface in the first place.
-
Well a followup to let others know the final outcome.
First, many thanks to all who helped me. I truly appreciate spending your time on my problems!
As it turns out, all I could get from my ISP was
1. A (pseudo) static IPv4 which I get by PPPoE (same address guaranteed but always assigned through PPPoE negotiation).
2. A dynamic /128 assigned by DHCPv6 over the PPPoE connection
3. A (pseudo) static /56 assigned by DHCPv6-PD over the PPPoE connection
Note that the IPv6 communication between the router and the ISP uses a link local address, NOT the /128. In fact, the /128 is not needed at all (as you will see)!Here is how I configured:
1. Per the requirements of my ISP, I configured the WAN IPv4 as PPPoE and the WAN IPv6 as DHCP over the IP4 link with a /56 prefix. From this I found out my /56.
2. I then chose a prefix ID of ff for WAN addresses, 00 for LAN and 01 for VoIP (another inside LAN).
3. I created a WAN virtual IP/IP alias from the WAN /64 I chose and the mac address of the WAN adapter.
4. I made the LAN and VoIP interface IPv6 assignment to be Track Interface tracking the WAN /56 using prefix IDs 00 and 01 respectively
5. I enabled DHCPv6 and RA on LAN and VoIP
6. "normal" firewall rules (especially adding ICMPv6 req on WAN)
Kinda simple.
The amazing thing is that the IPv6 "WAN address" as known by pfSense (e.g. for binding OpenVPN etc) IS THE ALIAS!!! This, it turns out, is ideal for me. The ONLY dynamic address (the DHCPv6 assigned global WAN address) is totally irrelevant as I now have a static IPv6 global address!! In fact the dynamic WAN address doesn't even show up in the GUI Status|Interfaces though it does show in command line ifconfig.
The only place I have hardcoded an address (which I don't particularly like to do) is the alias. One place. Just one.
Finally, I added other things I use such as OpenVPN servers, OpenVPN clients etc. etc.
All told, I'm very happy with what you people helped me set up and I'm testing it extensively.
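The address plan in the final post (and the one sketched earlier in the thread) is built by hand: take the delegated /56, pick a prefix ID per interface, and build the static WAN alias from the chosen /64 plus the WAN adapter's MAC. The script below is an added example, not code from the thread or from pfSense, that does the same arithmetic so the alias and the Track Interface /64s can be checked before typing them into the GUI. The delegated prefix (from the RFC 3849 documentation range), the MAC address and the interface names are constructed; the prefix IDs ff/00/01 follow the post. Note that pfSense's Track Interface takes the prefix ID as a hex value, which is why the IDs are written that way here.

```python
"""Added example: derive the /64 subnets and the MAC-based static WAN alias
from a delegated /56, mirroring the manual plan in the thread.

Assumptions (constructed for this example): the delegated prefix, the WAN MAC,
and the interface-name -> prefix-ID mapping.
"""
import ipaddress

DELEGATED_PREFIX = "2001:db8:abcd:100::/56"   # constructed; RFC 3849 doc range
WAN_MAC = "00:11:22:33:44:55"                # constructed
PLAN = {"WAN": 0xff, "LAN": 0x00, "VoIP": 0x01}   # prefix IDs from the post


def subnet_for_prefix_id(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 obtained by writing prefix_id into the bits between the
    delegated prefix length and bit 64. strict=True rejects a prefix with
    host bits set (e.g. a /56 typed with a non-zero low byte in hextet 4)."""
    net = ipaddress.ip_network(delegated, strict=True)
    if net.version != 6 or net.prefixlen > 64:
        raise ValueError("need an IPv6 delegation of /64 or shorter")
    count = 1 << (64 - net.prefixlen)          # /56 -> 256 possible /64s
    if not 0 <= prefix_id < count:
        raise ValueError(f"prefix ID {prefix_id:#x} outside 0..{count - 1:#x}")
    return ipaddress.IPv6Network((int(net.network_address) + (prefix_id << 64), 64))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): flip the U/L bit of the first octet
    and insert ff:fe in the middle of the 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def static_address(delegated: str, prefix_id: int, mac: str) -> ipaddress.IPv6Interface:
    """The address to enter as the WAN IP Alias: chosen /64 + EUI-64 from MAC."""
    net = subnet_for_prefix_id(delegated, prefix_id)
    return ipaddress.IPv6Interface((int(net.network_address) | eui64_interface_id(mac), 64))


def address_plan(delegated: str, plan: dict) -> dict:
    """Map interface name -> /64, refusing a plan that reuses a prefix ID."""
    if len(set(plan.values())) != len(plan):
        raise ValueError("two interfaces share a prefix ID")
    return {name: subnet_for_prefix_id(delegated, pid) for name, pid in plan.items()}


if __name__ == "__main__":
    for name, net in address_plan(DELEGATED_PREFIX, PLAN).items():
        print(f"{name:5} prefix ID {PLAN[name]:02x} -> {net}")
    print("WAN alias:", static_address(DELEGATED_PREFIX, PLAN["WAN"], WAN_MAC))
```

Because the alias lives inside the delegated /56, the ISP routes it toward the firewall exactly as it does LAN traffic (via the WAN link local), which is the point made earlier in the thread; the script only guarantees that the alias and the tracked /64s never overlap.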