Netgate Discussion Forum
    IPv6 manual PD

    IPv6
    26 Posts 4 Posters 2.7k Views
    • PeekP
      Peek
      last edited by

      WAN interface is set to

      • PPPoE for IPv4 and
      • DHCP6 for IPv6.

      DHCP6 client is set to

      • Request a IPv6 prefix/information through the IPv4 connectivity link
      • Only request an IPv6 prefix, do not request an IPv6 address
      • DHCPv6 Prefix - 56

      Multiple VLANs (i.e. ADMIN & SERVERS) interfaces' IPv6 is set to

      • Track Interface with
      • IPv6 Interface pointed to WAN

      IPv6 worked great and all was well for a few months... until the WAN link went down... which has now been ongoing for 2 days already.

      IPv6 machines, as registered within the DNS resolver cannot be reached as the IPv6 Prefix isn't presented due to the link being down. Though machines within the same VLAN can be reached via link-local (fe80::) addresses, this is a problem across VLANs.

      What would be the most sane way to manually specify the IPv6 prefix in the interim, allowing at least internal access to all machines, whilst waiting for the WAN link to be restored?

      JKnottJ 1 Reply Last reply Reply Quote 0
      • JKnottJ
        JKnott @Peek
        last edited by

        @Peek said in IPv6 manual PD:

        What would be the most sane way to manually specify the IPv6 prefix in the interim, allowing at least internal access to all machines, whilst waiting for the WAN link to be restored?

        I use Unique Local Addresses (ULA), in addition to the global ones. I have the ULA address listed in DNS.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        PeekP 1 Reply Last reply Reply Quote 1
        • PeekP
          Peek @JKnott
          last edited by

          @JKnott. Wasn't aware of ULAs until you mentioned it. Brilliant. Thanks.

          It's thus as simple as defining an additional subnet under the RA per VLAN?

          i.e.

          fd00:: with prefix /64 on the 0 VLAN
          fd10:: with prefix /64 on the 10 VLAN
          fd20:: with prefix /64 on the 20 VLAN
          etc ...

          followed by a restart of pfsense.

          Then adding the specific ULAs to the DNS resolver.

          JKnottJ 1 Reply Last reply Reply Quote 0
          • JKnottJ
            JKnott @Peek
            last edited by

            @Peek

            Yes, though a restart shouldn't be needed.


            PeekP 1 Reply Last reply Reply Quote 0
            • PeekP
              Peek @JKnott
              last edited by Peek

              @JKnott ... reboot or no reboot, it's not working 😕 ...

              I only get link-local (fe80::) addresses per interface.

              Is DHCPv6 required?

              JKnottJ 1 Reply Last reply Reply Quote 0
              • PeekP
                Peek
                last edited by

                DHCPv6 not enabled.

                RA set to Assisted.

                Subnet to advertise added.

                Rebooted pfsense. Unplugged & replugged switch. Still only getting link-local addresses.

                Which memo didn't I get?

                d506052e-e0d8-4f93-8be2-b46c1d9fd874-image.png

                1 Reply Last reply Reply Quote 0
                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by

                  What do you get if you set the interface IPv6 address to a static fd50::1/64 and use unmanaged mode?

                  Setting Assisted mode and disabling the DHCPv6 server doesn't make a lot of sense to me. If you only want SLAAC, use Unmanaged.

                  I'll just drop this here for the record since seeing fd50::/64 burns my eyes: https://tools.ietf.org/html/rfc4193#page-3

                  PeekP 1 Reply Last reply Reply Quote 0
                  • JeGrJ
                    JeGr LAYER 8 Moderator
                    last edited by

                    @Derelict said in IPv6 manual PD:

                    I'll just drop this here for the record since seeing fd50::/64 burns my eyes: https://tools.ietf.org/html/rfc4193#page-3

                    Ditto. Could use something like this: https://cd34.com/rfc4193/

                    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                    1 Reply Last reply Reply Quote 1
                    • DerelictD
                      Derelict LAYER 8 Netgate
                      last edited by

                      $ randomlan
                      10.75.255.0
                      172.20.147.0
                      192.168.192.0
                      fdc5:eb06:dac6::/48
                      
                      1 Reply Last reply Reply Quote 1
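                      The `randomlan` output and the cd34.com generator both produce a /48 by the procedure in RFC 4193 section 3.2.2. The following is an added example (not the `randomlan` tool, pfSense code or anything from this thread) that walks through that procedure step by step: a 64-bit NTP timestamp and a modified EUI-64 are concatenated, SHA-1 hashed, and the low 40 bits of the digest become the Global ID behind the `fd` byte. The MAC address in it is a constructed sample; the time is passed in explicitly so the result is reproducible.

```python
"""RFC 4193 section 3.2.2 ULA prefix generation (added example, not the
forum's randomlan tool or pfSense code). Inputs are passed explicitly so
the result is reproducible; the MAC below is a constructed sample."""
import hashlib
import ipaddress
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def ntp_timestamp_64(now=None):
    """Step 1: current time as a 64-bit NTP timestamp (32 bits seconds, 32 bits fraction)."""
    if now is None:
        now = time.time()
    whole = int(now)
    secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((now - whole) * (1 << 32)) & 0xFFFFFFFF
    return secs.to_bytes(4, "big") + frac.to_bytes(4, "big")


def eui64_from_mac(mac):
    """Step 2: derive a modified EUI-64 from a 48-bit MAC (RFC 4291 Appendix A):
    insert ff:fe in the middle and flip the universal/local bit of the first byte."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def generate_ula_prefix(mac, now=None):
    """Steps 3-6: SHA-1 over time||EUI-64, keep the least significant 40 bits
    as the Global ID, prepend 0xfd (fc00::/7 with L=1) -> a /48 site prefix."""
    key = ntp_timestamp_64(now) + eui64_from_mac(mac)
    digest = hashlib.sha1(key).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # low 40 bits of the 160-bit digest
    prefix_int = (0xFD << 120) | (global_id << 80)   # fd | 40-bit global id | 80 zero bits
    return ipaddress.IPv6Network((prefix_int, 48))


def is_locally_assigned_ula(net):
    """True when the prefix is a /48 inside fd00::/8, i.e. fc00::/7 with the L bit set."""
    return net.prefixlen == 48 and (int(net.network_address) >> 120) == 0xFD


if __name__ == "__main__":
    sample_mac = bytes.fromhex("001122334455")  # constructed sample MAC
    print(generate_ula_prefix(sample_mac))
```

                      The point of hashing time and a hardware identifier is that two sites generating prefixes independently will almost never pick the same /48, which is what makes a later VPN between them painless; a hand-picked fd00::/48 gives up exactly that property.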
                      • JKnottJ
                        JKnott @Peek
                        last edited by JKnott

                        @Peek said in IPv6 manual PD:

                        @JKnott ... reboot or no reboot, it's not working 😕 ...

                        I only get link-local (fe80::) addresses per interface.

                        Is DHCPv6 required?

                        Assuming you're connected to an ISP that provides IPv6, you should get a valid prefix. You'd normally use DHCPv6-PD to connect to the ISP, and the local LAN can use SLAAC or DHCPv6 to assign addresses to the devices.


                        PeekP 1 Reply Last reply Reply Quote 0
                        • DerelictD
                          Derelict LAYER 8 Netgate
                          last edited by

                          Does not need any cooperation or service from upstream.

                          Static ULA will work just fine locally.

                          JKnottJ 1 Reply Last reply Reply Quote 0
                          • JKnottJ
                            JKnott @Derelict
                            last edited by

                            @Derelict said in IPv6 manual PD:

                            Does not need any cooperation or service from upstream.

                            Static ULA will work just fine locally.

                            I was thinking he should have both ULA and GUA. If he doesn't have either, there's some other problem.


                            PeekP 1 Reply Last reply Reply Quote 0
                            • PeekP
                              Peek @Derelict
                              last edited by

                              @Derelict said in IPv6 manual PD:

                              What do you get if you set the interface IPv6 address to a static fd50::1/64 and use unmanaged mode?

                              Setting the IPv6 address statically in unmanaged mode created a SLAAC address with the defined prefix on a machine.

                              Setting Assisted mode and disabling the DHCPv6 server doesn't make a lot of sense to me. If you only want SLAAC, use Unmanaged.

                              Our broadband is still down and I'm a bit concerned about static IPv6 addresses once we're receiving the ISP's PD again. Will it route correctly over pfSense and the VLANs when pfSense's IPv6 interface is not tracking the WAN interface anymore?

                              I'll just drop this here for the record since seeing fd50::/64 burns my eyes: https://tools.ietf.org/html/rfc4193#page-3

                              I can understand the emphasis on a globally unique prefix with LUA (Local Unicast Addresses, or is it ULA, Unique Local Addresses) IPv6 addresses for larger multi-nationals. However, as it's not supposed to ever be globally routable, what would it break in small setups?

                              As such, is

                              fd00::10: /64 for vlan 10
                              fd00::20: /64 for vlan 20
                              fd00::30: /64 for vlan 30
                              fd00::40: /64 for vlan 40
                              fd00::50: /64 for vlan 50
                              

                              therefore a more acceptable approach?

                              ** Noted that the format above is seen as invalid in pfsense, though specifying fd00:0:0:50:: is acceptable **

                              1 Reply Last reply Reply Quote 0
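                              As an added example (mine, using Python's `ipaddress` module; not pfSense code), the block below shows why `fd00::10: /64` is rejected while `fd00:0:0:50::/64` is accepted, and how to carve one /64 per VLAN out of a properly generated /48 so that the subnet field still spells the VLAN number the way the post above wants. The /48 used is the one `randomlan` printed earlier in the thread; `ula_global_id` makes visible that `fd00:0:0:50::` has a Global ID of zero, which is the non-random choice RFC 4193 argues against.

```python
"""Validate the ULA prefix notations from the post and lay out one /64 per VLAN
inside a /48 site prefix. Added example built on Python's ipaddress module;
it is not pfSense code. The /48 is the one shown by randomlan in this thread."""
import ipaddress

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")

# Strings exactly as written in the post (spaces included), plus the form pfSense accepted
# and a variant with host bits set.
CANDIDATES = ["fd00::10: /64", "fd00::50: /64", "fd00:0:0:50::/64", "fd00::50:0/64"]


def parse_prefix(text):
    """Return (network, None) on success or (None, reason) on failure.
    strict=True rejects prefixes whose host bits are not all zero, as pfSense does."""
    try:
        return ipaddress.IPv6Network(text.replace(" ", ""), strict=True), None
    except ValueError as exc:
        return None, str(exc)


def ula_global_id(net):
    """40-bit Global ID of a locally assigned ULA prefix, or None if the prefix is
    not inside fd00::/8. A Global ID of 0 is syntactically valid but not random."""
    if not net.subnet_of(ULA_RANGE) or (int(net.network_address) >> 120) != 0xFD:
        return None
    return (int(net.network_address) >> 80) & ((1 << 40) - 1)


def vlan_subnet(site_prefix, vlan_id):
    """/64 for a VLAN inside a /48. The 16-bit subnet field is chosen so its hex
    digits read like the VLAN number (VLAN 50 -> ...:50::/64), the layout asked for above."""
    if site_prefix.prefixlen != 48:
        raise ValueError("site prefix must be a /48")
    subnet_id = int(str(vlan_id), 16)  # decimal digits reused as hex digits
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("VLAN id does not fit in the 16-bit subnet field")
    return ipaddress.IPv6Network((int(site_prefix.network_address) | (subnet_id << 64), 64))


def vlan_plan(site_prefix_text, vlan_ids):
    """Map each VLAN id to its /64, as strings ready for the pfSense RA subnet field."""
    site = ipaddress.IPv6Network(site_prefix_text)
    return {vid: str(vlan_subnet(site, vid)) for vid in vlan_ids}


if __name__ == "__main__":
    for cand in CANDIDATES:
        net, reason = parse_prefix(cand)
        print(f"{cand!r:22} -> {net if net else 'invalid: ' + reason}")
    for vid, net in vlan_plan("fdc5:eb06:dac6::/48", [10, 20, 30, 40, 50]).items():
        print(f"VLAN {vid}: {net}")
```

                              The trailing colon in `fd00::10:` is the parse failure: a `:` at the end is only legal as part of `::`. Writing the VLAN number into the fourth hextet (`fd00:0:0:50::`) is the same idea expressed correctly, and the same layout works unchanged under a random /48.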
                              • PeekP
                                Peek @JKnott
                                last edited by Peek

                                @JKnott said in IPv6 manual PD:

                                Assuming you're connect to an ISP that provided IPv6, you should get a valid prefix. You'd normally use DHCPv6-PD to connect to the ISP and the local LAN can use SLAAC or DHCPv6 to assign addresses to the devices.

                                I am receiving a DHCPv6-PD from the ISP. The VLAN interfaces are then tracking the WAN interface and machines' interfaces are generally configured via SLAAC.

                                However, some machines (servers) have their IPv6 addresses statically assigned.

                                Once the broadband line went down, we cannot reach the machines unless using IPv4, due to the link-local addresses not being routable over the VLANs.

                                I therefore need a ULA and GUA per interface, for when the PD isn't available for whatever reason. At present an interface is configured as follows:

                                # SLAAC
                                iface eth0 inet6 auto

                                or

                                # DHCPv6
                                iface eth0 inet6 dhcp

                                or

                                # Static
                                iface eth0 inet6 static
                                    address 2001:db8:3:4::8888
                                    netmask 64


                                How do I thus ensure an interface acquires both a GUA (via the ISP's PD) and a LUA (via pfsense)...?

                                1 Reply Last reply Reply Quote 0
                                • DerelictD
                                  Derelict LAYER 8 Netgate
                                  last edited by

                                  No. You will want to delete everything if you are getting a DHCP6 PD and using tracking interfaces.

                                  What, exactly, is your goal?

                                  When you deal with NATting IPsec connections because both sides chose the same RFC1918 subnet and nobody wants to renumber you will see the value of doing a globally-unique local /48 at every site from the beginning.

                                  PeekP 1 Reply Last reply Reply Quote 0
                                  • PeekP
                                    Peek @Derelict
                                    last edited by

                                    @Derelict said in IPv6 manual PD:

                                    No. You will want to delete everything if you are getting a DHCP6 PD and using tracking interfaces.

                                    Delete everything ... Sorry, I totally lost you there.

                                    What, exactly, is your goal?

                                    Local IPv6 addresses registered in the DNS resolver to allow contacting machines from the internal LAN when the Global prefix isn't being delegated.

                                    When you deal with NATting IPsec connections because both sides chose the same RFC1918 subnet and nobody wants to renumber you will see the value of doing a globally-unique local /48 at every site from the beginning.

                                    The idea is to move away from anything IPv4 related. IPv4 is only used as a backup and in some scenarios where IPv6 isn't fully supported.

                                    1 Reply Last reply Reply Quote 0
                                    • PeekP
                                      Peek @JKnott
                                      last edited by Peek

                                      @JKnott said in IPv6 manual PD:

                                      I was thinking he should have both ULA and GUA. If he doesn't have either, there's some other problem.

                                      Which is what I believe as well.

                                      ff33e5c9-13fd-49db-9803-86b9018a463c-image.png

                                      1 Reply Last reply Reply Quote 0
                                        • DerelictD
                                          Derelict LAYER 8 Netgate
                                          last edited by

                                          There are problems with that.

                                          https://redmine.pfsense.org/issues/5999

                                          When I have to reboot I:

                                          1. Delete the ULA IP Alias VIPs from LAN and DMZ
                                          2. Edit/Save WAN to kick off DHCP6 and Track interface
                                          3. Put the ULA VIPs back on LAN and DMZ

                                          After that I am good until I have to reboot the firewall again. That is the current state of things. If that is unacceptable for you then pfSense, as it exists right now, might not be a good fit for your requirements.

                                          $ ifconfig vlan0
                                          vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                                          	options=3<RXCSUM,TXCSUM>
                                          	ether a8:60:b6:19:15:fe 
                                          	inet6 fe80::18f3:9042:2cd0:8d8%vlan0 prefixlen 64 secured scopeid 0xd 
                                          	inet6 2600:face:0ff:9501:ca2:7504:b2dc:4842 prefixlen 64 autoconf secured 
                                          	inet6 2600:face:0ff:9501:b567:3b2f:300f:398c prefixlen 64 deprecated autoconf temporary 
                                          	inet6 fd8c:9857:66db:1:4c9:e132:ee:396a prefixlen 64 autoconf secured 
                                          	inet6 fd8c:9857:66db:1:10d2:3eb7:aefc:d655 prefixlen 64 deprecated autoconf temporary 
                                          	inet 192.168.223.6 netmask 0xffffff00 broadcast 192.168.223.255
                                          	inet6 2600:face:0ff:9501::145a prefixlen 64 dynamic 
                                          	inet6 2600:face:0ff:9501:1123:95df:fb97:3e4c prefixlen 64 deprecated autoconf temporary 
                                          	inet6 fd8c:9857:66db:1:1123:95df:fb97:3e4c prefixlen 64 deprecated autoconf temporary 
                                          	inet6 2600:face:0ff:9501:b529:c61f:f4f5:ba3a prefixlen 64 deprecated autoconf temporary 
                                          	inet6 fd8c:9857:66db:1:b529:c61f:f4f5:ba3a prefixlen 64 deprecated autoconf temporary 
                                          	inet6 2600:face:0ff:9501:1dd:5877:4758:d9d2 prefixlen 64 deprecated autoconf temporary 
                                          	inet6 fd8c:9857:66db:1:1dd:5877:4758:d9d2 prefixlen 64 deprecated autoconf temporary 
                                          	inet6 2600:face:0ff:9501:551d:4e96:bb81:e2f7 prefixlen 64 deprecated autoconf temporary 
                                          	inet6 fd8c:9857:66db:1:551d:4e96:bb81:e2f7 prefixlen 64 deprecated autoconf temporary 
                                          	inet6 2600:face:0ff:9501:ecb6:32ad:85b6:8a8e prefixlen 64 deprecated autoconf temporary 
                                          	inet6 fd8c:9857:66db:1:ecb6:32ad:85b6:8a8e prefixlen 64 deprecated autoconf temporary 
                                          	inet6 2600:face:0ff:9501:3c69:b7aa:a84:284 prefixlen 64 autoconf temporary 
                                          	inet6 fd8c:9857:66db:1:3c69:b7aa:a84:284 prefixlen 64 autoconf temporary 
                                          	nd6 options=201<PERFORMNUD,DAD>
                                          	vlan: 223 parent interface: en0
                                          	media: autoselect (1000baseT <full-duplex>)
                                          	status: active
                                          
                                          PeekP 1 Reply Last reply Reply Quote 0
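                                          The listing above is the state Peek is after: one host holding a global (2600:...) and a ULA (fd8c:...) address on the same VLAN, so it stays reachable internally if the delegated prefix goes away. An added example follows (mine, not from this thread or pfSense) that parses that FreeBSD/macOS-style `ifconfig` output, classifies each `inet6` line as link-local, ULA or global, and filters out the `temporary` privacy addresses and `deprecated` ones, leaving the stable addresses a resolver entry should point at. The sample input is a subset of the vlan0 lines quoted above.

```python
"""Classify inet6 addresses in FreeBSD/macOS-style ifconfig output and report the
stable (non-temporary, non-deprecated) ones per scope. Added example; the sample
is a subset of the vlan0 listing quoted in this thread."""
import ipaddress
import re
from collections import defaultdict

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")
INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)\s+prefixlen\s+(\d+)(.*)$")

SAMPLE = """vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::18f3:9042:2cd0:8d8%vlan0 prefixlen 64 secured scopeid 0xd
    inet6 2600:face:0ff:9501:ca2:7504:b2dc:4842 prefixlen 64 autoconf secured
    inet6 2600:face:0ff:9501:b567:3b2f:300f:398c prefixlen 64 deprecated autoconf temporary
    inet6 fd8c:9857:66db:1:4c9:e132:ee:396a prefixlen 64 autoconf secured
    inet 192.168.223.6 netmask 0xffffff00 broadcast 192.168.223.255
    inet6 2600:face:0ff:9501::145a prefixlen 64 dynamic
    inet6 fd8c:9857:66db:1:3c69:b7aa:a84:284 prefixlen 64 autoconf temporary
"""


def scope_of(addr):
    """Link-local (fe80::/10), ULA (fc00::/7) or global, in that order of precedence."""
    if addr.is_link_local:
        return "link-local"
    if addr in ULA_RANGE:
        return "ula"
    if addr.is_global:
        return "global"
    return "other"


def parse_ifconfig(text):
    """One record per inet6 line: address, prefix length, scope and the two flags that matter."""
    records = []
    for line in text.splitlines():
        m = INET6_LINE.match(line)
        if not m:
            continue  # inet lines, flags, media etc.
        literal, plen, rest = m.groups()
        literal = literal.split("%", 1)[0]  # drop the zone index on fe80::...%vlan0
        addr = ipaddress.IPv6Address(literal)
        words = set(rest.split())
        records.append({
            "address": addr,
            "prefixlen": int(plen),
            "scope": scope_of(addr),
            "temporary": "temporary" in words,   # RFC 4941 privacy address, rotates
            "deprecated": "deprecated" in words,  # preferred lifetime expired
        })
    return records


def stable_addresses(records):
    """Addresses worth registering in DNS, grouped by scope: not temporary, not deprecated."""
    out = defaultdict(list)
    for r in records:
        if not r["temporary"] and not r["deprecated"]:
            out[r["scope"]].append(str(r["address"]))
    return dict(out)


def has_dual_reachability(records):
    """True when the host holds both a stable ULA and a stable GUA at the same time,
    so internal reachability survives the loss of the delegated global prefix."""
    stable = stable_addresses(records)
    return bool(stable.get("ula")) and bool(stable.get("global"))


if __name__ == "__main__":
    recs = parse_ifconfig(SAMPLE)
    for scope, addrs in stable_addresses(recs).items():
        print(scope, addrs)
    print("ULA and GUA both present:", has_dual_reachability(recs))
```

                                          Running it over a full interface listing is a quick check that a host actually ended up with both address families after the RA changes discussed earlier, before its ULA is put into the resolver; the temporary addresses are skipped because they rotate and would go stale in DNS.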
                                          • DerelictD
                                            Derelict LAYER 8 Netgate
                                            last edited by

                                            LAN:

                                            56c52b50-4688-4574-bb8e-551981c03df6-image.png

                                            And:

                                            61ae8da4-b39e-4b71-a602-1954dbb55692-image.png

                                            PeekP 2 Replies Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.