On LAN no temporarily IPv6 address.



  • Hi,

    On my LAN I get a IPv6 address but not a temporarily IPv6 address. Is that something I must configure somewhere?

    On my WAN interface I have enabled IPv6 Configuration Type DHCP6. On my LAN interface I have IPv6 Configuration Type Track Interface and IPv6 Interface WAN. Also have I on my LAN DHCPv6 Server enabled with Range ::1000 ::2000


  • LAYER 8 Global Moderator

    Why would you think pfsense should use a temp IPv6 address on its lan?



  • Normally you get a IPv6 address on your device and a temporarily IPv6 address for more privacy.

    Here is perhaps better explained what I mean: https://en.wikipedia.org/wiki/IPv6_address#Temporary_addresses

    When I am connected to my fritz box, this works thisway. But when I connect to the pfsense I only get one "fixed" IPv6 address.


  • LAYER 8 Global Moderator

    I know exactly what a temp address is ;)

    So you dhcpv6 clients are not using temp, not pfsense lan? You do understand the differences of when temp are used an not used right.. a dhcpv6 client... Why would it use a temp? Should it get leases for all of the temps it uses, etc..

    So in your RA setting for pfsense, if you have it set to managed it will not have the auto flag, so no client would not create its own "temp" addresses..

    https://docs.netgate.com/pfsense/en/latest/routing/configuring-ipv6-router-advertisements.html
    Managed: Client addresses assigned only via DHCPv6.



  • Hi john,

    Thanks for your answer. It doesn't matter which option I choose in RA. None of them give me a temporary address. So I probably have to set that somewhere. But I don't see it where.

    Regards Colin


  • LAYER 8 Global Moderator

    And what are your client(s) exactly?

    Which option are you running for RA?



  • Windows 7 and Windows 10 and Debian. I have tried all options.


  • LAYER 8 Global Moderator

    Well all options are not going to give you want you want... Do you want to run dhcpv6? Do you also want temp? Then you would need to run RA in assisted or stateless dhcp, depending on what you want your dhcpv6 to actually do or not do..

    You will also have to learn about your different OSes and setting to use or not use temp address.. I personally turn them off.. Controlling access via a L3 firewall can be more difficult if your clients can just willy nilly use whatever address they want ;) Its fine if your controls are all vlan based.. But if you do any sort of rules where client X is either blocked or allowed to do something while client Y has different set of rules you run into problems when clients can just use any old address they want vs say an assigned IP via dhcpv6.

    edit: Notice only had dhcp ipv6 address.. I then changed mode to assisted.. And now got both my dhcpv6 address and stateless.. But still no temp..

    Because I had it disabled in the OS... So I then enabled and disable and renabled ipv6 on the interface - and bam.. get dhcpv6 address, stateless address and also temp address.

    ipv6temp.png


  • LAYER 8 Global Moderator

    Now back to the way I like it.. Set back to managed. Turned off the temp stuff, disabled, enabled ipv6 on the interface and the temps are gone... But that stateless was still there.. To get rid of that delete the address.

    managedonly.png
    And now only the dhcpv6 address.



  • That are the same settings I have. But I don’t get that temporally address :-(
    So somewhere I still have something wrong.


  • LAYER 8 Global Moderator

    Well make sure your set to assisted on your RA for the correct lan.. You sure ravd restarted when you changed it to assisted.. And your privacy settings are correct?

    You should see the solicit go out - you can do a simple sniff.. What build of windows 10 are you using? I am using 1903..

    So you don't get auto at all, or no auto and no temp? Only your dhvp6 address?

    I don't have windows 7 or debian to easy test with.. I have some ubuntu vms I could use to test there, etc.



  • Yes I am in the right VLAN. And have restarted both the router and computer. I think everything is set correctly. But which privacy settings do you mean?

    I do get an IPv6 address 2001: x: x: x: d828: 1c65: ec4: 30cb. I have also a IPv6 DNS address and can access everything on internet with IPv6. Only I don’t get a temp address :-(

    "You should see the solicit go out - you can do a simple sniff" How can I do this?


  • LAYER 8 Global Moderator

    @ColinDexter said in On LAN no temporarily IPv6 address.:

    But which privacy settings do you mean?

    The ones I showed you from my windows 10 box. If you do not have those enabled - then NO your not going to use temp IPv6 address.

    That IP your getting.. If only 1 and its from your dhcp, you should also be getting a stateless if your in assisted mode..

    As to how to sniff, under diagnostics packet capture.

    That IP you got (only 1) its listed in your dhcpv6 leases? Or is its just stateless?

    dhcpv6lease.png


  • LAYER 8 Netgate

    I don't even think another solicit needs to go out. In fact I believe there are rules against clients sending gratuitous router solicitations unless certain events occur (like link down-to-up). The client knows what prefix it is on already. All it does is slaac another address. There will be periodic RAs anyway.

    The client has to be receiving RAs if anything is working because the "gateway" is not configured by DHCPv6. It is obtained from the RAs.

    As long as the LAN is set to unmanaged or assisted there is nothing left to do on the firewall. It is 100% up to the client.


  • LAYER 8 Global Moderator

    @Derelict said in On LAN no temporarily IPv6 address.:

    s not configured by DHCPv6. It is obtained from the RAs.

    Very true... My guess is he has privacy turned off on this client. As you can see it only takes a minute or two to flip between these modes, etc.



  • Below you can see that I get an IPv6 address from the router. And that privacy is turned on.

    Capture1.PNG
    Capture2.PNG
    Capture3.PNG
    Capture4.png


  • LAYER 8 Global Moderator

    Did you just enable that - or was it already like that? If you just enabled you will need to bounce the box, or disable/enable ipv6 on the interface..

    So look to your RA, do packet capture on pfsense for that interface, icmp6 only - you will see the RAs Validate that the auto flag is set.. Your prefix is using /64 right??

    RA.png

    Just open your packet capture with wireshark for example

    download.png

    As long as the Auto flag is set in your RA, and your prefix is not wonky - ie something other than /64 then that is all on your client.

    edit: Here I just changed radvd back to managed vs assisted - and you see no Auto Flag in the prefix info of the RA
    noAuto.png



  • This is what I get:
    packet.png



  • Strange it works now but I don't understand anymore :-(

    I have disabled the DHCPv6 server. And on the WAN port under DHCP6 Client Configuration I have adjusted DHCPv6 Prefix Delegation size to 62. And now it works....


  • Galactic Empire

    @ColinDexter << LOL a Morse fan perchance ?


  • LAYER 8 Global Moderator

    62 prefix is borked that is for sure. /64 is what your interface should have on it



  • I have been testing past time. But don't get it working the way it should be. If I put DHCPv6 Prefix Delegation size back to 64 on the WAN interface and enable DHCPv6 Server I only get a fixed IPv6 address again. Still not the temporary :-(

    And it should not be that difficult in my opinion. But probably I have a setting somewhere not right.

    RouterAdvertisements.png InterfacesWAN.png Interfaces.png DHCPv6 Server.png



  • prefix delegation size 48 ?
    shouldn't it be /64 ?
    IPv6 subnets must really be a /64 for stateless autoconfiguration to work afaik


  • LAYER 8 Global Moderator

    @kiokoman said in On LAN no temporarily IPv6 address.:

    IPv6 subnets must really be a /64 for stateless autoconfiguration to work afaik

    Exactly!!!

    IPv6 is not all that difficult - its just "different" then how stuff works in ipv4... I suggest you go get your cert over at hurricane electric.. The research required to answer the questions on the tests will walk you thru learning what you need to know. And when you finish and get sage level they will send you a FREE tshirt!



  • this one? 😀
    tshirt.jpg



  • This value was still there from testing. It makes no difference if I put /64 there. If I enter there /64 I still don't get a temporary IPv6 address.

    Could this be because I use a bridge?

    [Edit]
    I have now found the solution. Below the settings with which it now works
    settings.PNG


  • LAYER 8 Netgate

    53b3bf14-95d7-4627-8efe-76c02c296ff8-image.png

    Check that box.

    Edit/Save WAN

    Look at Status > System Logs, DHCP

    Filter on command dhcp6c

    Look at the prefix delegation you are actually getting.

    What does your ISP say you should be getting? /64, /60, /56, /48?

    Make the request match. You will probably need to change the DUID (**System > Advanced, Networking) to get a new delegation. I would save what's there then increment the last digit to make changes. Your ISP might also have some sort of rate-limiting in place on leases/delegations. You'll need to talk to them about it if it doesn't work. But the settings on the DHCP6 WAN client page need to match the delegation you actually receive.

    The Prefix Delegation size in the DHCP6 Server page does not matter unless you set the PD range there. That does not have anything to do with the DHCP6 server giving addresses in the interface's /64 prefix. That is for delegating prefixes to downstream routers (like your ISP is doing for you).


  • LAYER 8 Global Moderator

    @kiokoman said in On LAN no temporarily IPv6 address.:

    this one?

    Yup! That looks pretty fresh - mines showing its age.. But got mine back in 2011 ;)



  • Hi Derelict,
    Thanks for the answer. I get a / 64 from my ISP and that is also true when I look in the log you mention. And after I have set these check boxes mention above it is working :-)


Log in to reply