Multiple ipv6-nets on LAN with DHCPv6



  • I would like to have 2 ipv6-nets provided to my client-pcs through my local pfsense dhcp-v6-server:

    • 2003:1:2:3:: (gua, my fixed ipv6-net from my provider)
    • fd73:4:5:6:: (ula)

    The LAN-interface has 2 virtual ip-addresses (Firewall - virtual IPs):

    • 2003:1:2:3::fe/64 (gua)
    • fd73:4:5:6::fe/64 (ula)

    In Services - DHCPv6 - LAN-DHCPv6-Server I can only configure ONE range ::d:1000 to ::d:2000. My clients do get IP-Addresses like 2003:1:2:3::d:1001, 2003:1:2:3::d:1002 but NO fd73:4:56:...

    Do I have to create a second "virtual" LAN-card on the server?

    Thanks,
    Richard



  • @horshack

    I haven't used DHCPv6 on the LAN side, only SLAAC. However, on the Router Advertisements page, I had to specify the GUA prefix, as well as the ULA. I consider this a bug, as I don't understand why it has to "forget" the GUA prefix, simply because a ULA prefix has been added.



  • @horshack
    I found out that the first virtual ip configured in Firewall - virtual ips gets the base for dhcpv6-given addresses.

    • 1st virtual address: fd73:4:5:6:: (ula)
    • 2nd virtual address: 2003:1:2:3:: (gua, my fixed ipv6-net from my provider)

    All my clients in the LAN get from DHCPv6: fd73:4:5:6:something and no 2003:1:2:3::...

    The next question was how can I "nat" the internal fd73:4:5:6:something to my external 2003:1:2:3:same_something? This can be done with Firewall - NAT - NPT - add

    • interface: wan
    • internal address: fd73:4:5:6::/64
    • external address: 2003:1:2:3::/64

    Save - apply changes - try it out with a NEW ping6. Stop the old ping6 and start a new ping6.

    Which ipv6-address will be used for outside connections? I tried it out with an "ssh -6 myserver.internet"

    me@home.local$ ifconfig |grep inet   
    ...
    fd73:4:5:6::d:165a
    ...
    
    me@home.local$ ssh -6 root@myserver.internet
    
    root@myserver.internet:~# pinky
    Login    Name  Where
    root     root  2003:1:2:3::d:165a
    

    The internal fd73:4:5:6::d:165a leads to 2003:1:2:3::d:165a

    In ip4 this is called NAT.



  • @horshack said in Multiple ipv6-nets on LAN with DHCPv6:

    The next question was how can I "nat" the internal fd73:4:5:6:something to my external 2003:1:2:3:same_something?

    Why would you want to do that? The reason for NAT was to get around the IPv4 address shortage and you would have at least 18.4 billion, billion addresses available with IPv6. As I mentioned above, I have both GUA and ULA addresses on my network and every IPv6 capable device gets both.



  • @JKnott

    I need ULA for internal communication because when changing my internet-provider I would get new GUA-addresses.

    I would love to get 2 IP-addresses at once to all my devices (GUA and ULA). But dhcpv6 gives me only one ipv6-address from an address-space configured first on my pfsense-LAN-device.

    Can I convince dhcpv6 to submit two and not only one ip-address to the devices asking it? Links for a better solution welcome.



  • @horshack

    Have you tried adding the ULA prefix to the RA page? If you do that, you will have to also add the GUA prefix. That's what works for me.



  • @JKnott
    Yes, I did.

    https://pfsense.local/services_router_advertisements.php?if=lan

    Subnets:

    • fd73:4:5:6::/64
    • 2003:1:2:3::/64

    I restarted pfsense but I only get ipv6-addresses from the first subnet defined in RA, in this case fd73:4:5:6::/64



  • @horshack

    I get both, but I'm not using DHCPv6 on the LAN. Perhaps that's the difference.



  • @JKnott
    This was helpful! I switched OFF the DHCPv6 server.

    These are my settings for Router Advertisements:

    • Router mode: Stateless DHCP - RA Flags [other stateful], Prefix Flags [onlink, auto, router]
    • Router priority: normal
    • Subnets:
      • fd73:4:5:6::/64
      • 2003:1:2:3::/64

    After applying this my test-Linux machine got:

    • fd73:4:5:6:somethingcrazy/64
    • 2003:1:2:3:something2othercrazy/64
    • fe80::something3othercrazy/64

    When doing this:

    ssh me@mymachine.internet

    I see with the command "pinky" that I am coming from my crazy 2003:1:2:3:something... ip address.

    Problem solved! I don't even need the DHCPv6-server, the DHCPv6 makes my life harder.
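
Why a host holding both a ULA and a GUA, as in the post above, reaches an Internet server from its 2003:1:2:3:... address: a simplified sketch of RFC 6724 default source address selection (rules 1, 2, 6 and 8 only), added here as an example and not part of any post in this thread. The interface identifiers and the 2001:db8::10 destination are constructed sample values; fd73:4:5:6::fe is the LAN virtual IP from the first post.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table as (prefix, label).
# Precedence is left out: source selection only compares labels.
POLICY = [(ipaddress.ip_network(p), lab) for p, lab in [
    ("::1/128", 0), ("::/0", 1), ("::ffff:0:0/96", 4), ("2002::/16", 2),
    ("2001::/32", 5), ("fc00::/7", 13), ("::/96", 3), ("fec0::/10", 11),
    ("3ffe::/16", 12)]]

def label(addr):
    """Label of the longest policy-table prefix that contains addr."""
    return max((net.prefixlen, lab) for net, lab in POLICY if addr in net)[1]

def scope(addr):
    """Simplified unicast scope: 2 = link-local, 14 = global (ULAs count as global)."""
    return 2 if (addr.is_link_local or addr.is_loopback) else 14

def common_prefix_len(a, b):
    """Leading bits shared by a and b, capped at an assumed /64 on-link prefix."""
    return min(128 - (int(a) ^ int(b)).bit_length(), 64)

def select_source(candidates, dst):
    """Pick the source address for dst among the host's candidate addresses."""
    d = ipaddress.IPv6Address(dst)
    def rank(c):
        s = scope(c)
        # Rule 2: smallest scope that still covers the destination's scope wins.
        scope_key = (0, s) if s >= scope(d) else (1, -s)
        return (c != d,                      # Rule 1: prefer the same address
                scope_key,                   # Rule 2: prefer appropriate scope
                label(c) != label(d),        # Rule 6: prefer matching label
                -common_prefix_len(c, d))    # Rule 8: longest matching prefix
    return str(min(map(ipaddress.IPv6Address, candidates), key=rank))

# Constructed addresses for a SLAAC host on the LAN described in the thread.
HOST = ["fd73:4:5:6:aaaa:bbbb:cccc:dddd",    # ULA
        "2003:1:2:3:aaaa:bbbb:cccc:dddd",    # GUA
        "fe80::aaaa:bbbb:cccc:dddd"]         # link-local

if __name__ == "__main__":
    for dst in ("2001:db8::10", "fd73:4:5:6::fe", "fe80::1"):
        print(dst, "<-", select_source(HOST, dst))
```

Firewall rules and log searches for outbound traffic from such a host should therefore match the GUA, while LAN-internal rules match the ULA.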



  • @horshack said in Multiple ipv6-nets on LAN with DHCPv6:

    Problem solved! I don't even need the DHCPv6-server, the DHCPv6 makes my life harder.

    That's why I often wonder why people use DHCPv6 when they don't have to. There are some differences with IPv4 vs IPv6 and this is one of them. I guess it's force of habit from IPv4.