Support for adding link local as ipv6 address on wan config in static dhcp6 config



  • So background to this.

    Setting up pfSense as an experiment for possible future configuration on a hetzner virtual machine.

    Hetzner network configuration as supplied to customer is something like this.

    By default single ipv4 routed to MAC of physical machine, statically configured.
    Additional ipv4 can be requested and MAC can be changed so can be routed to virtual machines.

    This is no problem for the configuration.

    A single ipv6 subnet is supplied, the MAC can be adjusted to route either to the physical machine or an alternative MAC for a virtual machine.

    This is where the problem comes in.

    The limitations are as follows for hetzner ipv6.

    A second ipv6 subnet cannot be supplied only the first.
    The entire subnet can be routed to a MAC of the customer's choosing but is the entire subnet only, not parts of it.
    The supplied gateway is fixed to fe80::1 a link-local address.

    When I checked how things work on my home pfSense, it manages to work with having a link-local fe80 address assigned to the WAN interface, and the routable ipv6 on the LAN interface. The fe80 got assigned via the DHCP6 configuration on WAN but there is no DHCP or SLAAC on hetzner for ipv6, it has to be configured manually as a static configuration.

    I spent an hour trying to get a working config in the GUI, but the showstopper in the end appeared to be that the GUI will reject a link-local ipv6 address entered in the static ipv6 box.

    But as soon as I ran the ifconfig command manually in the shell to add the fe80 to the WAN interface with the default fe80::1 already configured and the prefix already on the LAN interface then BAM ipv6 came alive.

    Now this may not be considered a good practice, so I am posting for suggestions.

    1 - Is it reasonable to make a feature request on redmine to allow fe80 to be configured as a static ip address to configure this scenario for hosting providers like hetzner?
    2 - Is there an alternative way to get this working within the current GUI implementation on hetzner.

    A previous user a few years ago posted about the same problem, and after a short discussion ended up resorting to using hurricane electric. So was left unresolved. Whilst I have it functioning albeit having to use a command line intervention.

    So a quick recap.

    The virtual machine host simply forwards ipv6 packets and has no routable ipv6 (proxmox).
    The pfSense virtual machine has the ipv6 prefix routed to it from hetzner via proxmox as well as its own ipv4, it is connected to two proxmox bridge interfaces (the original WAN which has the physical NIC attached and a new LAN bridge which has no physical NIC attached but will have virtual machines attached), to act as NAT for ipv4 and to route ipv6 to individual VMs.

    Let me know if any questions to understand the setup some more, I will do a diagram if needed.



  • Title should just say static config, but I cannot edit with a flagged as spam error. So I am aware of that error sorry.

    The older post is here from the other user.

    https://forum.netgate.com/topic/88564/esxi-pfsense-and-hetzner-ipv6



  • You don't assign link local addresses. They exist on any IPv6 capable interface, even if IPv6 is otherwise not in use. The only thing you can do is configure a locally assigned MAC, in place of the original. Also, MAC addresses don't route anything. That's the job for IP. MAC addresses are only used on the local link.



  • Thanks

    There was no existing ipv6 link local address.

    However after I rebooted the device one was created, so yes it is not needed to manually assign one, the proper solution it seems was simply to add the ipv6 gateway and then reboot for it to be created.

    As to why there was originally no link local device, I don't know, but this was the first bootup of the device, so I will be aware in future to do a second reboot to get one generated.

    There is now a possible issue with dpinger though, after bootup (and wan reset) ipv6 stays pending until dpinger is manually restarted and then it works, the issue that I can see is if I go to the status -> gateway screen, the monitoring ip is not populated, but is populated after the service is restarted. I expect this might be because there is no wan ipv6 configured, the configuration is now like this.

    WAN ipv4 static configuration.
    LAN ipv4 static configuration.
    LAN ipv6 static configuration using the ipv6 prefix assigned by hetzner.
    Default gateways configured using gateways provided by hetzner for ipv4 and ipv6.