DHCPv6-PD + HE.net tunnel possible??



  • I'm using pfSense 2.4.4 with a residential Comcast connection. I have IPv6 set up via DHCPv6-PD on my WAN. I have several internal subnets (VLANs) that are set up as "IPv6 Configuration Type" of "Track Interface". This works well and I have global IPv6 addresses working on my different subnets.

    My main disappointment with this setup is that my IPv6 addresses are dynamic (being ultimately derived from the /60 delegated to me on my WAN interface). I would like some static IP addresses to assign to servers on my "servers" subnet. (I'm happy to have clients on my other subnets have dynamic addresses.) So, I thought I could get a static assignment via a Hurricane Electric IPv6 tunnel. I've used the HE.net tunnel broker to provide IPv6 connectivity on another pfSense system, but it was the only source of IPv6 connectivity. It worked well.

    I tried to add a HE.net tunnel routed /48 to my Comcast-connected system but I am having issues with IPv6 routing, presumably due to the multiple WANs in such a setup (the "Comcast-connected" WAN and the HE.net WAN). Is such a setup feasible? I've read the IPv6 multi-WAN document and it says in a brightly coloured warning box, "This does not work for dynamic IPv6 types where the subnet is not static, such as DHCP6-PD." That sort of shouts, "no, this setup won't work?"

    Do I basically have to bite the bullet and just choose one or the other: HE.net with my static routed /48 or Comcast IPv6 via DHCPv6-PD, but not both? If folks with more pfSense and IPv6 knowledge than I know this to be "yes", then it would be great to know that now rather than waste a lot of time and effort finding that out myself. :-)

    Cheers,

    Paul.



  • I'm sorry that I cannot answer your question per se, but I may have another approach.
    What you could do is to update your DNS records every time your IP addresses change and automate that process.
    That way your IP addresses will change but you would have static DNS records that always point to the updated IP.

    The downside of this is you would need to be able to send dynamic updates to the zone you would want to use for that. Have a look into "Services - DHCPv6 Server - Dynamic DNS".

    I personally would prefer such a solution so you would not have to mess around with multi WAN.
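    The "Track Interface" derivation described in the first post, and the dynamic-DNS approach suggested above, as an added example (not code from the thread or from pfSense): it carves per-VLAN /64s out of a delegated /60 by prefix ID, builds host addresses from a fixed interface identifier, and lists which AAAA records would need re-pushing after the delegation changes. The /60 prefixes, prefix IDs, hostnames and interface identifiers are constructed for illustration.

```python
"""Added example (not from the thread): how "Track Interface" VLAN prefixes
and host addresses follow a DHCPv6-PD delegation, and why a PD change breaks
every AAAA record that was built on the old prefix.

Assumptions (constructed): a Comcast-style /60 delegation, VLANs tracking the
WAN with pfSense "IPv6 Prefix ID" values 0x1 and 0x2, and hosts identified by
a fixed 64-bit interface identifier (a static suffix or an EUI-64)."""
import ipaddress

def tracked_subnet(pd: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 a tracking VLAN gets from the delegation: the bits
    between the PD length and /64 are filled with the prefix ID."""
    net = ipaddress.IPv6Network(pd)
    if net.prefixlen > 64:
        raise ValueError("delegation must be /64 or shorter")
    max_id = (1 << (64 - net.prefixlen)) - 1
    if not 0 <= prefix_id <= max_id:
        raise ValueError(f"prefix ID must be 0..{max_id:#x} for a /{net.prefixlen}")
    base = int(net.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def host_address(subnet: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Combine a tracked /64 with a fixed 64-bit interface identifier."""
    return ipaddress.IPv6Address(int(subnet.network_address) | (iid & ((1 << 64) - 1)))

def aaaa_changes(old_pd: str, new_pd: str, hosts: dict) -> dict:
    """hosts: {fqdn: (prefix_id, iid)}. Return {fqdn: (old, new)} for every
    record that a dynamic-DNS updater would have to re-push after the PD moved."""
    changes = {}
    for fqdn, (pid, iid) in hosts.items():
        old = host_address(tracked_subnet(old_pd, pid), iid)
        new = host_address(tracked_subnet(new_pd, pid), iid)
        if old != new:
            changes[fqdn] = (str(old), str(new))
    return changes

# Constructed sample: server VLAN on prefix ID 0x1, IoT VLAN on prefix ID 0x2.
HOSTS = {"www.example.net": (0x1, 0x10), "nas.example.net": (0x1, 0x20),
         "cam1.example.net": (0x2, 0x0211_22ff_fe33_4455)}
OLD_PD = "2001:db8:1230::/60"
NEW_PD = "2001:db8:45a0::/60"   # constructed: what a reconnect might hand out

if __name__ == "__main__":
    for fqdn, (old, new) in aaaa_changes(OLD_PD, NEW_PD, HOSTS).items():
        print(f"{fqdn}: {old} -> {new}")
```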


  • Rebel Alliance Global Moderator

    What do you want to do exactly?
    You want some of your vlans to use comcast ipv6, and others to use HE tunnel that is part of your /48... Say for example IOT device vlan gets their IPv6 from comcast and go out comcast connection.

    And then your server vlan uses part of your /48 and goes out HE tunnel?

    If that is the case that should not be a problem.. Just don't set one of those as default and just policy route those specific subnets out the specific tunnel.. If I'm understanding you... It's really no different than using a vpn connection which is a tunnel..

    Where you would have a problem is if you were wanting to use both on the same clients.. Or have one be failover for the other.

    If making a choice - would be HE all the way.. The static /48 gives you way more flexibility in deployment.. And you can take it with you no matter if you move ISPs or not..

    I was on comcast for many many years - I always used HE vs the comcast IPv6 because for starters the prefix could change out of the blue.. Which is just nonsense and makes it impossible to do anything really. Other than typical user access.



  • @johnpoz said in DHCPv6-PD + HE.net tunnel possible??:

    What do you want to do exactly?
    You want some of your vlans to use comcast ipv6, and others to use HE tunnel that is part of your /48... Say for example IOT device vlan gets their IPv6 from comcast and go out comcast connection.

    And then your server vlan uses part of your /48 and goes out HE tunnel?

    Yes, that's exactly what I want to do, except maybe with the wrinkle you point out later.

    If that is the case that should not be a problem.. Just don't set one of those as default and just policy route those specific subnets out the specific tunnel.. If I'm understanding you... It's really no different than using a vpn connection which is a tunnel..

    When you say "policy route" do you mean adding a firewall rule on the interface I want to route IPv6 traffic out of a particular IPv6 gateway and using the advanced "Gateway" option to designate that gateway? Or do you mean something else? (I've not used policy routing in pfSense before.)

    Where you would have a problem is if you were wanting to use both on the same clients.. Or have one be failover for the other.

    I think this is where I might have been having the problem. I wanted just to add an HE.net static IPv6 address to those systems on my "servers" VLAN that I wanted to reach from outside but otherwise just have the rest keep using Comcast IPv6 SLAAC-assigned addresses.

    If I'm understanding you correctly above, if I want any system on a particular VLAN to use HE.net addresses then they all have to use HE.net addresses---I can't mix and match? (I.e., a VLAN either has to be using Comcast IPv6 or HE.net IPv6 but not both.)

    If making a choice - would be HE all the way.. The static /48 gives you way more flexibility in deployment.. And you can take it with you no matter if you move ISPs or not..

    Actually, this is what I have ended up doing, at least for now. It feels sad to have to use a tunnel vs. native IPv6 but the static /48 is a big plus and the deciding factor for me at this stage.

    I was on comcast for many many years - I always used HE vs the comcast IPv6 because for starters the prefix could change out of the blue.. Which is just nonsense and makes it impossible to do anything really. Other than typical user access.

    Well, this is exactly what I've experienced, too. I may look into the policy routing solution you mention in the future as a project to learn more about advanced routing scenarios, but for now the HE.net tunnel for all my IPv6 is working well as a solution.

    Thank you for the help and suggestions.

    Cheers,

    Paul.


  • Rebel Alliance Global Moderator

    There is nothing wrong with using a tunnel when the ISP cannot do IPv6 correctly.. It would be very simple for them to say oh here you go Mr. Customer here is your /48... Set up your router this way.. DONE! Oh you just have a bunch of end devices and are a simple end user that wants to get on the net.. Nothing to do, you get a dhcpv6 or slaac, etc. etc..

    Or just as simple hey you ask for this /56 or /32 PD - fine here you go you are the only DUID that will ever get this PD and we will not hand it out to anyone else.. So pretty much static... Unless you change your duid, etc.

    I say F um -- I personally don't give 2 shits if my current ISP ever gets native ipv6 since HE is so easy and stable..



  • @pmisch said in DHCPv6-PD + HE.net tunnel possible??:

    I'm sorry that I cannot answer your question per se, but I may have another approach.
    What you could do is to update your DNS records every time your IP addresses change and automate that process.
    That way your IP addresses will change but you would have static DNS records that always point to the updated IP.

    The downside of this is you would need to be able to send dynamic updates to the zone you would want to use for that. Have a look into "Services - DHCPv6 Server - Dynamic DNS".

    I had considered this approach initially but ultimately decided against it because I'd have to install Dynamic DNS client updater software on all the systems for which I wanted to have global DNS entries. That seemed a lot of extra work and moving parts compared to being able to use static IPv6 addresses via HE.net.

    Also, alas, support for dynamic updating of AAAA records appears patchy across different registrars/DNS providers and Dynamic DNS client updater software. (Though it's a lot better than it used to be.)

    Thank you for the suggestion.

    Cheers,

    Paul.



  • @gromit said in DHCPv6-PD + HE.net tunnel possible??:

    My main disappointment with this setup is that my IPv6 addresses are dynamic (being ultimately derived from the /60 delegated to me on my WAN interface). I would like some static IP addresses to assign to servers on my "servers" subnet.

    One thing about IPv6 is something called DUID, which an ISP is supposed to use to assign a consistent prefix to your block of addresses. However, there is a setting "Do not allow PD/Address release" on the WAN page that must be selected. I believe it's not by default. With this, the prefix should not change, unless the ISP makes network changes that require it to. Prior to enabling that setting, I found just disconnecting/reconnecting the WAN side Ethernet cable was enough to cause a prefix change.



  • @jknott said in DHCPv6-PD + HE.net tunnel possible??:

    @gromit said in DHCPv6-PD + HE.net tunnel possible??:

    My main disappointment with this setup is that my IPv6 addresses are dynamic (being ultimately derived from the /60 delegated to me on my WAN interface). I would like some static IP addresses to assign to servers on my "servers" subnet.

    One thing about IPv6 is something called DUID, which an ISP is supposed to use to assign a consistent prefix to your block of addresses. However, there is a setting "Do not allow PD/Address release" on the WAN page that must be selected. I believe it's not by default. With this, the prefix should not change, unless the ISP makes network changes that require it to. Prior to enabling that setting, I found just disconnecting/reconnecting the WAN side Ethernet cable was enough to cause a prefix change.

    Oddly enough, it's been my impression that my Comcast IPv6 delegated prefix has changed more often than the dynamic IPv4 address I get via DHCP. It's good to know about the "do not release" check box option. I'm not sure whether "the prefix should not change" is a strong enough guarantee where Comcast is concerned vs. using actual static IPv6 addresses. 😃

    Thank you for the suggestion.

    Cheers,

    Paul.



  • @gromit said in DHCPv6-PD + HE.net tunnel possible??:

    I'm not sure whether "the prefix should not change" is a strong enough guarantee where Comcast is concerned

    I can't guarantee it's strong enough, but the prefix will change frequently if you don't set it. Give it a try and see what happens.



  • I'm going to add the data point that with Comcast, I've had amazing stability with my IPv6 prefix. Thanks to pfSense keeping the DUID in the config file, I was even able to change my pfSense box hardware and keep the same IPv6 prefix (though the IPv4 address changed, since that's MAC-based).

    I had the same IPv6 prefix for over a year until I changed the DUID during 2.4.4 testing since I was running into other issues with IPv6 on 2.4.4 at that time.