Configure fixed IP with PPPoE and /56 assignment
-
Begin with saying my config is reasonably simple: PPPoE connection to ISP and 2 local LANs. I have had it working for a long time on (static) IPv4 completely successfully. I have an OpenVPN server running to allow me to remote in.
So now I want to add IPv6 to the equation. I've successfully got it working with a (dynamic) /127 assigned through the IPv4 connection and a (dynamic) /56 assignment received through DHCPv6. I have used the /56 on LAN as Track Interface. I now have V4 + v6 access to the Net and V4 remote VPN.
Now I asked my ISP about fixed IP for v6. I was offered two choices:
1. One static /64 and one static /56
2. One dynamic /127 and one static /56
Specifically missing from my options is one static /127 and one static /56.
Now I start to wonder about the config and don't quite have the answers.
1. Do I really care about the WAN address? If OpenVPN can listen to V4 WAN and V6 LAN addresses, I don't really care, do I? Is there any other reason I would care about WAN address? If the answer is no, I don't need a static /127
2. If I can get by with a dynamic /127, I still don't get how to assign a static LAN address. I hate the idea of hard coding it based on my knowledge of the Routing Prefix (extremely bad practice). So I prefer to use the configuration to enter the Routing prefix and Prefix ID via Track Interface on the LAN interface but the Interface ID seems to be beyond my control. Can I force it to a static value? Is it static given a static MAC? Can I assign an additional address?
3. If a static WAN is the choice, how do I assign the WAN interface given that my ISP will only give me a /64 if I want a static WAN. Don't quite understand (again without hard coding) how to use a /64 to configure my WAN interface.
Or, am I totally missing the obvious config choice?
Keith
-
1. Do I really care about the WAN address? If OpenVPN can listen to V4 WAN and V6 LAN addresses, I don't really care, do I? Is there any other reason I would care about WAN address? If the answer is no, I don't need a static /127
E.g. I do care about the static WAN IP addresses because of having IPsec and CARP on them. The static IP address is referred to on my DNS server. For me it is simpler than having dynamic WAN addresses. And in case of CARP I need a bigger range than /127 and an assurance that the CARP address will not be dynamically assigned to one of my firewalls.
2. If I can get by with a dynamic /127, I still don't get how to assign a static LAN address. I hate the idea of hard coding it based on my knowledge of the Routing Prefix (extremely bad practice). So I prefer to use the configuration to enter the Routing prefix and Prefix ID via Track Interface on the LAN interface but the Interface ID seems to be beyond my control. Can I force it to a static value? Is it static given a static MAC? Can I assign an additional address?
You can assign any static LAN address from your /56 (in fact, /64) range. It is the recommended way. Do not ask me why - I do not understand it, especially when I think about changing of the external IPv6 addresses.
You can also use IP addresses from the unique local range fc00::/7 - I use this way. Then NPt must be configured, your local prefix must be mapped to a global one, e.g. fc00::/64 -> 1234:5678::/64
As far as I understand, you cannot use Track Interface feature, because your routing prefixes for WAN and LAN are different. E.g. I cannot use it primarily because of static WAN address and secondary because of the different routing prefixes.
3. If a static WAN is the choice, how do I assign the WAN interface given that my ISP will only give me a /64 if I want a static WAN. Don't quite understand (again without hard coding) how to use a /64 to configure my WAN interface.
"Hard coding" only. Just assign any IPv6 address from the given /64 range (excluding the router address if you do not use PPPoE). The same as for IPv4 if you have a static WAN.
Regards
yarick123
-
While your ISP may offer dynamic addresses, they're likely going to be very consistent. DHCPv6-PD uses something called a DUID to assign addresses to a specific device. Once you have your prefix, it will likely be virtually static. I use a DNS to point to my addresses and it works fine.
https://en.wikipedia.org/wiki/DHCPv6#DHCP_Unique_Identifier
You can assign any static LAN address from your /56 (in fact, /64) range. It is the recommended way. Do not ask me why -
Why? ;)
On IPv6, something called SLAAC is often used to provide addresses to devices. This works only with a /64 prefix. A /56 is normally divided into 256 /64s, each of which can be assigned to a network or VLAN.
https://en.wikipedia.org/wiki/IPv6#Stateless_address_autoconfiguration_(SLAAC)
-
You can assign any static LAN address from your /56 (in fact, /64) range. It is the recommended way. Do not ask me why -
Why? ;)
On IPv6, something called SLAAC is often used to provide addresses to devices. This works only with a /64 prefix. A /56 is normally divided into 256 /64s, each of which can be assigned to a network or VLAN.
https://en.wikipedia.org/wiki/IPv6#Stateless_address_autoconfiguration_(SLAAC)
;) I thought that it was not recommended to have the server LAN interface addresses dynamically assigned. This is why I do not use SLAAC for them. Do I understand something wrong?
As far as I understand, it goes about the pfSense LAN interface address. I would not use SLAAC to assign an IP address to it.
P.S.
@GeekGoneOld:2. … Can I assign an additional address?
Yes: Firewall / Virtual IPs, add, Type: "IP Alias"
-
I thought that it was not recommended to have the server LAN interface addresses dynamically assigned. This is why I do not use SLAAC for them. Do I understand something wrong?
With SLAAC, there is one address that is based on the MAC address, though on Windows a consistent random number will be used. This provides a fixed address for the device. SLAAC will provide the first 64 bits of the address, as determined by the prefix, and the device provides the last 64 bits. That address will not change, unless you do something that causes it to change, such as replacing the NIC.
-
E.g. I do care about the static WAN IP addresses because of having IPsec and CARP on them.
Hmm. CARP and IPSec. Yes, of course. Makes it very desirable to have fixed IP on WAN.
You can assign any static LAN address from your /56 (in fact, /64) range. It is the recommended way. Do not ask me why - I do not understand it, especially when I think about changing of the external IPv6 addresses.
You can also use IP addresses from the unique local range fc00::/7 - I use this way. Then NPt must be configured, your local prefix must be mapped to a global one, e.g. fc00::/64 -> 1234:5678::/64
As far as I understand, you cannot use Track Interface feature, because your routing prefixes for WAN and LAN are different. E.g. I cannot use it primarily because of static WAN address and secondary because of the different routing prefixes.
Hmm (again). I think I don't have a clear enough understanding of the address assignment trail. I have IP4 PPPoE. I have IP6 defined as DHCP with request through IP4 and size /56 (though send prefix hint is unchecked). Somehow I get a global 2607: and a link local fe80:, but my gateway IP is an fe80:. How would each of those be assigned? Presumably global by DHCP, link local by pfSense and gateway by RA? Then I end up with an additional /56 for the other interfaces assigned by DHCP as well. Can a single DHCP transaction yield me a /127 and a /56?
Now I believe you are suggesting I hard code all. If I do that, I would not use DHCP on the WAN, instead assume the assignment of a /56 and use that for different /64s for each of the interfaces I want. If I don't use DHCP, though, is it possible that the ISP would not allow the use (i.e. DHCP triggers activation)?
"Hard coding" only. Just assign any IPv6 address from the given /64 range (excluding the router address if you do not use PPPoE). The same as for IPv4 if you have a static WAN.
Actually, my fixed IP4 is not hard coded, it is assigned each time by PPPoE
While your ISP may offer dynamic addresses, they're likely going to be very consistent. DHCPv6-PD uses something called a DUID to assign addresses to a specific device. Once you have your prefix, it will likely be virtually static. I use a DNS to point to my addresses and it works fine.
Sadly, my ISP assigns a random /56 each time! I'm on DSL (PPPoE). I've found that on IP4 cable (DHCP) the addresses were stable for years!
With SLAAC, there is one address that is based on the MAC address, though on Windows a consistent random number will be used. This provides a fixed address for the device. SLAAC will provide the first 64 bits of the address, as determined by the prefix, and the device provides the last 64 bits. That address will not change, unless you do something that causes it to change, such as replacing the NIC.
So SLAAC addresses are deterministic? What if (unlikely) a SLAAC assignment conflicts when it is tested for uniqueness during the assignment process. Does SLAAC fail to assign or does it assign something different?
OK. I definitely need to know more about the assignment process. How I currently get both a /127 and a /56 via DHCP through the PPPoE IP4. How I would use a single /56 acquired though DHCP (is that even possible) to fix my WAN address (LAN hardcoded). My guess is you guys can tell me better than my ISP as most ISP tech supports are still learning IPv6.
-
So SLAAC addresses are deterministic? What if (unlikely) a SLAAC assignment conflicts when it is tested for uniqueness during the assignment process. Does SLAAC fail to assign or does it assign something different?
The MAC or permanent random number based addresses do not change. However, before an IPv6 address configures its address, it uses Duplicate Address Detection (DAD), to prevent using an address that's already taken.
-
The MAC or permanent random number based addresses do not change. However, before an IPv6 address configures its address, it uses Duplicate Address Detection (DAD), to prevent using an address that's already taken.
Yes. That is what I was asking about re SLAAC. If it fails at DAD, does it fail at SLAAC or does it choose another Interface ID by some method? If the former, then all hosts have a fixed, constant address but some may not work. If the latter, then most hosts have a fixed, constant address but the ones that fail DAD will have a fixed, non-constant address.
Any comments from anyone else about the address assignment process?
-
^^^^
DAD is used, no matter how the address is assigned, even with manual configuration. I seem to recall something about priority, based on how the address is assigned, that is MAC based vs temporary random, but I don't recall where I saw that or how accurate it is. BTW, the same often happens with IPv4 now, where DAD is frequently used.
-
DAD is used, no matter how the address is assigned, even with manual configuration.
Excellent point!!! The real issue is that if DAD fails, it is almost certainly a config error.
Now as far as how to accomplish this, does this work (remember it is an IPv4 PPPoE with IPv6 traffic over it and I can get a static /56 but not a static WAN /127 address)?
What I would like to do (failing automatic capability of static WAN /127 assignment by ISP) is to assign (by me or my router) the WAN a link local address and WAN would get an RA from the ISP giving the WAN default gateway. As well, I would assign the WAN one of the prefix IDs from the static (known) /56 and use that to assign the WAN interface a static IP. This would be my global, static WAN address (YAY!!). Then I would assign the LAN another of the prefix IDs from the static (known) /56 and I would assign the LAN interface a static IP and that would be advertised RA for the LAN and I would use the rest of the LAN /64 for the LAN connected hosts (DHCPv6). Similarly I could use more of the /64s for other interfaces.
Note that as far as IPv6 goes, this scenario gets only one piece of info from the ISP automatically: the default gateway address (link local). Since all IPv6 traffic goes through IPv4 PPPoE link, it is inherently authenticated by the ISP.
Does this work? If so, I will check if it works on my end.
-
Now as far as how to accomplish this, does this work (remember it is an IPv4 PPPoE with IPv6 traffic over it and I can get a static /56 but not a static WAN /127 address)?
Your prefix is not dependent on how it gets to you. I used to use a 6in4 tunnel to get a /56, now it's native from my ISP. Either way, my prefix was consistent and the LAN addresses were determined by the MAC address, with random privacy addresses. Are you really worried about your WAN address? You won't be using it for anything, other than perhaps VPN or SSH, as routing is done via link local address. You certainly don't need it to be consistent, for accessing your LAN.
My WAN address is consistent, though DHCPv6, so I can point a DNS to it for my VPN. Also, while I don't know how your ISP does things, PPPoE isn't just for IPv4. Like Ethernet, it can handle just about any layer 3 protocol.
-
I do wish to have remote access to pfSense. Currently my OpenVPN server is on WAN (IP4 only). If I want it IPV4 and IPV6, they would be on different interfaces (LAN and WAN resp). Also, in the future, I may want to support CARP, which would require a fixed WAN IP.
Also, good point about PPPoE being (effectively) layer 2. I could have said (more accurately) that I established the PPPoE connection through the configuration of the IP4 and used that established connection for the IP6 traffic.
-
You should still be able to access your firewall through its LAN access. As for a VPN, I run OpenVPN. While it runs on IPv4, it carries both IPv4 and IPv6. So, I connect the VPN using my IPv4 address. That address, while DHCP, is virtually static. It also has a host name based on firewall and modem MAC addresses, which does not change, unless I change hardware. So, I set up my VPN using the host name.
-
Yes: Firewall / Virtual IPs, add, Type: "IP Alias"
I missed this one!!! What if I allow the WAN to be configured DHCPv6 (as I think I must re ISP), giving me a dynamic WAN /127 and a static /54. I use one Prefix ID of my static assignment for LAN and use a single address of another prefix ID of same to assign a WAN address as an IPv6 alias. Would this give me exactly what I want - a fully static setup (totally ignoring the dynamic global WAN address as traffic to/from ISP uses the link local anyway). Can I make the alias the default address of the WAN? What address gets used as source if I ping from pfSense or issue DNS forward requests? What address gets used if OpenVPN is bound to WAN? Am I asking for trouble?
Ooh. I'm very hopeful... Anyone know the answers?
-
I just tried it. I created an alias out of the known static pool and specified /64 in the alias. I rebooted.
The WAN interface ONLY shows the alias as the IPv6 address (though it continues to show a LL address) in the GUI. ifconfig shows both global addresses (alias and ISP provided /128). In other words, my adding an alias to that interface seems to have made it the default WAN IPv6. I tried to ping from "WAN" and it used my static address as source. It seems this accomplished EXACTLY what I want.
I don't want to simply accept that the problem is solved as it could have been due to the timing of events during boot (somewhat random) that could be different next boot. Or it could be that it picks one by some other means (lowest numerical value, smallest prefix len, who knows?) If someone could confirm that this is designed to do exactly what I see (alias takes precedence over dynamic), I'm thrilled.
Haven't yet tried to make the OpenVPN server link to WAN IPv4+IPv6. I see that I have the choice of interface with three good choices: WAN, <alias> or "multi-homed". Since I want v4+v6 I can't use <alias> as it doesn't support v4. I would prefer not to use multihomed as it would bind to every interface address and I don't like that (can't really see harm, but I don't like managing the firewall rules for this scenario). That leaves WAN which would be great if someone can confirm that the v6 WAN address it will choose is always the alias! [edit] Just saw that if I want v4+v6 it is always multihomed, so that settles the case of OpenVPN but still leaves the general case (e.g. what source address it uses for DNS forwarding etc.). [/edit]
-
The WAN interface ONLY shows the alias as the IPv6 address (though it continues to show a LL address) in the GUI. ifconfig shows both global addresses (alias and ISP provided /128). In other words, my adding an alias to that interface seems to have made it the default WAN IPv6. I tried to ping from "WAN" and it used my static address as source. It seems this accomplished EXACTLY what I want.
It would be interesting to see what traceroute shows for traffic to that address. As far as your ISP and beyond is concerned, that address is on the LAN side of your firewall. That means the ISP will route packets to that address over the WAN link local address to the firewall and then pfSense will route it to the WAN interface. In this respect it's no different than assigning that address to a LAN interface, which in turn means it's no different than just using the LAN interface in the first place.
-
Well a followup to let others know the final outcome.
First, many thanks to all who helped me. I truly appreciate spending your time on my problems!
As it turns out, all I could get from my ISP was
1. A (pseudo) static IPv4 which I get by PPPoE (same address guaranteed but always assigned through PPPoE negotiation).
2. A dynamic /128 assigned by DHCPv6 over the PPPoE connection
3. A (pseudo) static /56 assigned by DHCPv6-PD over the PPPoE connection
Note that the IPv6 communication between the router and the ISP uses a link local address, NOT the /128. In fact, the /128 is not needed at all (as you will see)!
Here is how I configured:
1. Per the requirements of my ISP, I configured the WAN IPv4 as PPPoE and the WAN IPv6 as DHCP over the IP4 link with a /56 prefix. From this I found out my /56.
2. I then chose a prefix ID of ff for WAN addresses, 00 for LAN and 01 for VoIP (another inside LAN).
3. I created a WAN virtual IP/IP alias from the WAN /64 I chose and the mac address of the WAN adapter.
4. I made the LAN and VoIP interface IPv6 assignment to be Track Interface tracking the WAN /56 using prefix IDs 00 and 01 respectively
5. I enabled DHCPv6 and RA on LAN and VoIP
6. "normal" firewall rules (especially adding ICMPv6 req on WAN)
Kinda simple.
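As an added worked example (not from any poster in this thread), here is the arithmetic behind steps 2 to 4 above: carving the Prefix-ID /64s out of the delegated /56 the way Track Interface does, and deriving the WAN alias's interface ID from the WAN MAC. The /56 and MAC are constructed sample values, and turning the MAC into an interface ID via modified EUI-64 (the SLAAC method) is an assumption; the poster only says the alias came from the chosen /64 and the adapter MAC.

```python
import ipaddress

# Constructed sample values (not from the thread): a /56 from the RFC 3849
# documentation range stands in for the ISP delegation, plus a sample WAN MAC.
ISP_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:ff00::/56")
WAN_MAC = "00:11:22:33:44:55"

# The thread's plan: Prefix ID ff for WAN, 00 for LAN, 01 for VoIP.
PREFIX_IDS = {"WAN": 0xFF, "LAN": 0x00, "VOIP": 0x01}


def subnet_for_prefix_id(delegated, prefix_id):
    """Return the /64 that a Track Interface Prefix ID selects out of a /56."""
    if delegated.prefixlen != 56:
        raise ValueError("this planner expects a /56 delegation")
    if not 0 <= prefix_id <= 0xFF:
        # /56 -> /64 leaves exactly 8 bits of subnet ID, i.e. 256 /64s (00..ff).
        raise ValueError("prefix ID must be 00..ff for a /56")
    base = int(delegated.network_address)
    # The subnet ID occupies bits 64..71 counted from the host end of the address.
    return ipaddress.IPv6Network((base + (prefix_id << 64), 64))


def eui64_interface_id(mac):
    """Modified EUI-64 as SLAAC derives it: insert ff:fe in the middle, flip the U/L bit.

    Assumption for this example; the thread does not say how the MAC was used.
    """
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    eui = bytes([octets[0] ^ 0x02, octets[1], octets[2], 0xFF, 0xFE,
                 octets[3], octets[4], octets[5]])
    return int.from_bytes(eui, "big")


def static_address(delegated, prefix_id, mac):
    """The one hard-coded value in the thread: the WAN IP Alias, entered with /64."""
    net = subnet_for_prefix_id(delegated, prefix_id)
    addr = int(net.network_address) + eui64_interface_id(mac)
    return ipaddress.IPv6Interface((addr, 64))


def plan(delegated, wan_mac):
    """Map each interface to its /64 and add the WAN alias address."""
    result = {name: str(subnet_for_prefix_id(delegated, pid))
              for name, pid in PREFIX_IDS.items()}
    result["WAN_ALIAS"] = str(static_address(delegated, PREFIX_IDS["WAN"], wan_mac))
    return result


if __name__ == "__main__":
    for name, value in plan(ISP_PREFIX, WAN_MAC).items():
        print(f"{name:10} {value}")
```

Only the WAN alias line is typed into the GUI; the LAN and VoIP /64s are what Track Interface computes from the same Prefix IDs, so if the ISP ever changes the /56, the alias is the single value that has to be re-entered.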
The amazing thing is that the IPv6 "WAN address" as known by pfSense (e.g. for binding OpenVPN etc) IS THE ALIAS!!! This, it turns out, is ideal for me. The ONLY dynamic address (the DHCPv6 assigned global WAN address) is totally irrelevant as I now have a static IPv6 global address!! In fact the dynamic WAN address doesn't even show up in the GUI Status|Interfaces though it does show in command line ifconfig.
The only place I have hardcoded an address (which I don't particularly like to do) is the alias. One place. Just one.
Finally, I added other things I use such as OpenVPN servers, OpenVPN clients etc. etc.
All told, I'm very happy with what you people helped me set up and I'm testing it extensively.