Netgate Discussion Forum

    On LAN no temporarily IPv6 address.

    • C
      ColinDexter
      last edited by

      Hi,

      On my LAN I get an IPv6 address but not a temporary IPv6 address. Is that something I must configure somewhere?

      On my WAN interface I have enabled IPv6 Configuration Type DHCP6. On my LAN interface I have IPv6 Configuration Type Track Interface and IPv6 Interface WAN. I also have the DHCPv6 Server enabled on my LAN with Range ::1000 ::2000

      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Why would you think pfsense should use a temp IPv6 address on its lan?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • C
          ColinDexter
          last edited by

          Normally you get an IPv6 address on your device and a temporary IPv6 address for more privacy.

          This perhaps explains better what I mean: https://en.wikipedia.org/wiki/IPv6_address#Temporary_addresses

          When I am connected to my fritz box, it works this way. But when I connect to the pfsense I only get one "fixed" IPv6 address.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            I know exactly what a temp address is ;)

            So your dhcpv6 clients are not using temp, not pfsense lan? You do understand the differences of when temp are used and not used, right.. a dhcpv6 client... Why would it use a temp? Should it get leases for all of the temps it uses, etc..

            So in your RA setting for pfsense, if you have it set to managed it will not have the auto flag, so no client would create its own "temp" addresses..

            https://docs.netgate.com/pfsense/en/latest/routing/configuring-ipv6-router-advertisements.html
            Managed: Client addresses assigned only via DHCPv6.

            • C
              ColinDexter
              last edited by

              Hi john,

              Thanks for your answer. It doesn't matter which option I choose in RA. None of them give me a temporary address. So I probably have to set that somewhere. But I don't see where.

              Regards Colin

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz

                And what are your client(s) exactly?

                Which option are you running for RA?

                • C
                  ColinDexter
                  last edited by

                  Windows 7 and Windows 10 and Debian. I have tried all options.

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by johnpoz

                    Well all options are not going to give you what you want... Do you want to run dhcpv6? Do you also want temp? Then you would need to run RA in assisted or stateless dhcp, depending on what you want your dhcpv6 to actually do or not do..

                    You will also have to learn about your different OSes and settings to use or not use temp address.. I personally turn them off.. Controlling access via a L3 firewall can be more difficult if your clients can just willy nilly use whatever address they want ;) It's fine if your controls are all vlan based.. But if you do any sort of rules where client X is either blocked or allowed to do something while client Y has different set of rules you run into problems when clients can just use any old address they want vs say an assigned IP via dhcpv6.

                    edit: Notice only had dhcp ipv6 address.. I then changed mode to assisted.. And now got both my dhcpv6 address and stateless.. But still no temp..

                    Because I had it disabled in the OS... So I then enabled and disabled and re-enabled ipv6 on the interface - and bam.. get dhcpv6 address, stateless address and also temp address.

                    ipv6temp.png

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by johnpoz

                      Now back to the way I like it.. Set back to managed. Turned off the temp stuff, disabled, enabled ipv6 on the interface and the temps are gone... But that stateless was still there.. To get rid of that delete the address.

                      managedonly.png
                      And now only the dhcpv6 address.

                      • C
                        ColinDexter
                        last edited by

                        Those are the same settings I have. But I don’t get that temporary address :-(
                        So somewhere I still have something wrong.

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by johnpoz

                          Well make sure you're set to assisted on your RA for the correct lan.. You sure radvd restarted when you changed it to assisted.. And your privacy settings are correct?

                          You should see the solicit go out - you can do a simple sniff.. What build of windows 10 are you using? I am using 1903..

                          So you don't get auto at all, or no auto and no temp? Only your dhcpv6 address?

                          I don't have windows 7 or debian to easily test with.. I have some ubuntu vms I could use to test there, etc.

                          • C
                            ColinDexter
                            last edited by

                            Yes I am in the right VLAN. And have restarted both the router and computer. I think everything is set correctly. But which privacy settings do you mean?

                            I do get an IPv6 address 2001:x:x:x:d828:1c65:ec4:30cb. I also have an IPv6 DNS address and can access everything on internet with IPv6. Only I don’t get a temp address :-(

                            "You should see the solicit go out - you can do a simple sniff" How can I do this?

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by johnpoz

                              @ColinDexter said in On LAN no temporarily IPv6 address.:

                              But which privacy settings do you mean?

                              The ones I showed you from my windows 10 box. If you do not have those enabled - then NO you're not going to use temp IPv6 address.

                              That IP you're getting.. If only 1 and it's from your dhcp, you should also be getting a stateless if you're in assisted mode..

                              As to how to sniff, under diagnostics packet capture.

                              That IP you got (only 1) is it listed in your dhcpv6 leases? Or is it just stateless?

                              dhcpv6lease.png

                              • DerelictD
                                Derelict LAYER 8 Netgate
                                last edited by

                                I don't even think another solicit needs to go out. In fact I believe there are rules against clients sending gratuitous router solicitations unless certain events occur (like link down-to-up). The client knows what prefix it is on already. All it does is slaac another address. There will be periodic RAs anyway.

                                The client has to be receiving RAs if anything is working because the "gateway" is not configured by DHCPv6. It is obtained from the RAs.

                                As long as the LAN is set to unmanaged or assisted there is nothing left to do on the firewall. It is 100% up to the client.

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by

                                  @Derelict said in On LAN no temporarily IPv6 address.:

                                  s not configured by DHCPv6. It is obtained from the RAs.

                                  Very true... My guess is he has privacy turned off on this client. As you can see it only takes a minute or two to flip between these modes, etc.

                                  • C
                                    ColinDexter
                                    last edited by

                                    Below you can see that I get an IPv6 address from the router. And that privacy is turned on.

                                    Capture1.PNG
                                    Capture2.PNG
                                    Capture3.PNG
                                    Capture4.png

                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by johnpoz

                                      Did you just enable that - or was it already like that? If you just enabled you will need to bounce the box, or disable/enable ipv6 on the interface..

                                      So look to your RA, do packet capture on pfsense for that interface, icmp6 only - you will see the RAs. Validate that the auto flag is set.. Your prefix is using /64 right??

                                      RA.png

                                      Just open your packet capture with wireshark for example

                                      download.png

                                      As long as the Auto flag is set in your RA, and your prefix is not wonky - ie something other than /64 then that is all on your client.

                                      edit: Here I just changed radvd back to managed vs assisted - and you see no Auto Flag in the prefix info of the RA
                                      noAuto.png

                                      1 Reply Last reply Reply Quote 0
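The check described in the post above (auto flag set in the RA's prefix information, prefix length /64), as an added example that is not part of the original thread. The sample RAs are constructed, `2001:db8:1::` is a documentation prefix, and the M/O flag values used for the "managed" and "assisted" samples are assumptions; only the auto flag difference comes from the thread.

```python
import ipaddress
import struct

def build_ra(managed, other, autonomous, plen, prefix="2001:db8:1::"):
    """Build a constructed ICMPv6 Router Advertisement (checksum left as 0)."""
    ra_flags = (0x80 if managed else 0) | (0x40 if other else 0)
    # type=134, code, checksum, hop limit, M/O flags, router lifetime, timers
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, ra_flags, 1800, 0, 0)
    pio_flags = 0x80 | (0x40 if autonomous else 0)  # L (on-link) always set here
    # Prefix Information option: type=3, length=4 (units of 8 bytes)
    pio = struct.pack("!BBBBIII", 3, 4, plen, pio_flags, 86400, 14400, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed

def inspect_ra(icmp6):
    """Return the RA's M/O flags and the fields of each Prefix Information option."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    info = {"managed": bool(icmp6[5] & 0x80), "other": bool(icmp6[5] & 0x40),
            "prefixes": []}
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:
            plen, flags = icmp6[off + 2], icmp6[off + 3]
            prefix = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            info["prefixes"].append({"prefix": f"{prefix}/{plen}", "plen": plen,
                                     "on_link": bool(flags & 0x80),
                                     "auto": bool(flags & 0x40)})
        off += opt_len
    return info

def slaac_possible(icmp6):
    """True if a client may self-configure (and so derive temporary addresses)."""
    return any(p["auto"] and p["plen"] == 64 for p in inspect_ra(icmp6)["prefixes"])

if __name__ == "__main__":
    samples = {"assisted (auto flag set)": build_ra(True, True, True, 64),
               "managed (no auto flag)": build_ra(True, True, False, 64),
               "auto flag but /62 prefix": build_ra(True, True, True, 62)}
    for name, ra in samples.items():
        print(name, inspect_ra(ra), "SLAAC possible:", slaac_possible(ra))
```
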
                                      • C
                                        ColinDexter
                                        last edited by

                                        This is what I get:
                                        packet.png

                                        • C
                                          ColinDexter
                                          last edited by ColinDexter

                                          Strange, it works now but I don't understand it anymore :-(

                                          I have disabled the DHCPv6 server. And on the WAN port under DHCP6 Client Configuration I have adjusted DHCPv6 Prefix Delegation size to 62. And now it works....

                                          • NogBadTheBadN
                                            NogBadTheBad @ColinDexter
                                            last edited by NogBadTheBad

                                            @ColinDexter << LOL a Morse fan perchance ?

                                            Andy

                                            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.