On LAN no temporarily IPv6 address.
-
Hi,
On my LAN I get a IPv6 address but not a temporarily IPv6 address. Is that something I must configure somewhere?
On my WAN interface I have enabled IPv6 Configuration Type DHCP6. On my LAN interface I have IPv6 Configuration Type Track Interface and IPv6 Interface WAN. Also have I on my LAN DHCPv6 Server enabled with Range ::1000 ::2000
-
Why would you think pfsense should use a temp IPv6 address on its lan?
-
Normally you get a IPv6 address on your device and a temporarily IPv6 address for more privacy.
Here is perhaps better explained what I mean: https://en.wikipedia.org/wiki/IPv6_address#Temporary_addresses
When I am connected to my fritz box, this works thisway. But when I connect to the pfsense I only get one "fixed" IPv6 address.
-
I know exactly what a temp address is ;)
So you dhcpv6 clients are not using temp, not pfsense lan? You do understand the differences of when temp are used an not used right.. a dhcpv6 client... Why would it use a temp? Should it get leases for all of the temps it uses, etc..
So in your RA setting for pfsense, if you have it set to managed it will not have the auto flag, so no client would not create its own "temp" addresses..
https://docs.netgate.com/pfsense/en/latest/routing/configuring-ipv6-router-advertisements.html
Managed: Client addresses assigned only via DHCPv6. -
Hi john,
Thanks for your answer. It doesn't matter which option I choose in RA. None of them give me a temporary address. So I probably have to set that somewhere. But I don't see it where.
Regards Colin
-
And what are your client(s) exactly?
Which option are you running for RA?
-
Windows 7 and Windows 10 and Debian. I have tried all options.
-
Well all options are not going to give you want you want... Do you want to run dhcpv6? Do you also want temp? Then you would need to run RA in assisted or stateless dhcp, depending on what you want your dhcpv6 to actually do or not do..
You will also have to learn about your different OSes and setting to use or not use temp address.. I personally turn them off.. Controlling access via a L3 firewall can be more difficult if your clients can just willy nilly use whatever address they want ;) Its fine if your controls are all vlan based.. But if you do any sort of rules where client X is either blocked or allowed to do something while client Y has different set of rules you run into problems when clients can just use any old address they want vs say an assigned IP via dhcpv6.
edit: Notice only had dhcp ipv6 address.. I then changed mode to assisted.. And now got both my dhcpv6 address and stateless.. But still no temp..
Because I had it disabled in the OS... So I then enabled and disable and renabled ipv6 on the interface - and bam.. get dhcpv6 address, stateless address and also temp address.
-
Now back to the way I like it.. Set back to managed. Turned off the temp stuff, disabled, enabled ipv6 on the interface and the temps are gone... But that stateless was still there.. To get rid of that delete the address.
And now only the dhcpv6 address. -
That are the same settings I have. But I don’t get that temporally address :-(
So somewhere I still have something wrong. -
Well make sure your set to assisted on your RA for the correct lan.. You sure ravd restarted when you changed it to assisted.. And your privacy settings are correct?
You should see the solicit go out - you can do a simple sniff.. What build of windows 10 are you using? I am using 1903..
So you don't get auto at all, or no auto and no temp? Only your dhvp6 address?
I don't have windows 7 or debian to easy test with.. I have some ubuntu vms I could use to test there, etc.
-
Yes I am in the right VLAN. And have restarted both the router and computer. I think everything is set correctly. But which privacy settings do you mean?
I do get an IPv6 address 2001: x: x: x: d828: 1c65: ec4: 30cb. I have also a IPv6 DNS address and can access everything on internet with IPv6. Only I don’t get a temp address :-(
"You should see the solicit go out - you can do a simple sniff" How can I do this?
-
@ColinDexter said in On LAN no temporarily IPv6 address.:
But which privacy settings do you mean?
The ones I showed you from my windows 10 box. If you do not have those enabled - then NO your not going to use temp IPv6 address.
That IP your getting.. If only 1 and its from your dhcp, you should also be getting a stateless if your in assisted mode..
As to how to sniff, under diagnostics packet capture.
That IP you got (only 1) its listed in your dhcpv6 leases? Or is its just stateless?
-
I don't even think another solicit needs to go out. In fact I believe there are rules against clients sending gratuitous router solicitations unless certain events occur (like link down-to-up). The client knows what prefix it is on already. All it does is slaac another address. There will be periodic RAs anyway.
The client has to be receiving RAs if anything is working because the "gateway" is not configured by DHCPv6. It is obtained from the RAs.
As long as the LAN is set to unmanaged or assisted there is nothing left to do on the firewall. It is 100% up to the client.
-
@Derelict said in On LAN no temporarily IPv6 address.:
s not configured by DHCPv6. It is obtained from the RAs.
Very true... My guess is he has privacy turned off on this client. As you can see it only takes a minute or two to flip between these modes, etc.
-
Below you can see that I get an IPv6 address from the router. And that privacy is turned on.
-
Did you just enable that - or was it already like that? If you just enabled you will need to bounce the box, or disable/enable ipv6 on the interface..
So look to your RA, do packet capture on pfsense for that interface, icmp6 only - you will see the RAs Validate that the auto flag is set.. Your prefix is using /64 right??
Just open your packet capture with wireshark for example
As long as the Auto flag is set in your RA, and your prefix is not wonky - ie something other than /64 then that is all on your client.
edit: Here I just changed radvd back to managed vs assisted - and you see no Auto Flag in the prefix info of the RA
-
This is what I get:
-
Strange it works now but I don't understand anymore :-(
I have disabled the DHCPv6 server. And on the WAN port under DHCP6 Client Configuration I have adjusted DHCPv6 Prefix Delegation size to 62. And now it works....
-
@ColinDexter << LOL a Morse fan perchance ?
