Netgate Discussion Forum
IPv6 and internal DNS registration

Category: IPv6
53 Posts 4 Posters 12.0k Views
Bob.Dig @JKnott

@jknott said in IPv6 and internal DNS registration:

Every device on your LAN will then have both ULA and GUA addresses.

But remember you will need to use VIP for that. 😉

hmf @Jim-bob-the-grand

@jim-bob-the-grand I did exactly (except for a different fd:: fixed address) the same thing. Once I convinced the Windows Server's (LAG/team) NIC to acquire a global address from DHCP, it worked fine.

I still have the other problem that I hinted at above, but didn't mention here because… Windows. The Windows Server that runs my DNS throws errors because it does not like the DNS registration being done by pfSense. It complains, but then repairs the registration.

I don't suppose you have Windows Server expertise or that there is a solution to this. Windows is famous for stuffing the logs with unavoidable errors that obscure other important error reports. :-(

hmf @Bob.Dig

@bob-dig Could you give a n00b-teachable version of this comment? How do you create a "VIP for that", plus an example?

Bob.Dig @hmf

@hmf If you want ULA and GUA on the same interface.

JKnott @Bob.Dig

@bob-dig said in IPv6 and internal DNS registration:

But remember you will need to use VIP for that.

No, you just enable it on the RA page and it will work automagically.
As soon as you create the 2nd prefix, there will be router advertisements for it and all devices will have ULA addresses, in addition to GUA.

Correction, you still have to use a VIP on pfSense, but you don't have to manually add an address elsewhere.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

JKnott @hmf

@hmf

No need, if you set up ULA the way I described.

JKnott @Bob.Dig

@bob-dig said in IPv6 and internal DNS registration:

If you want ULA and GUA on the same interface.

Is there a problem with that? IPv6 was designed to have multiple addresses and prefixes on an interface. It just works. In fact, you could add multiple ULA prefixes to a LAN, though I don't know why you'd do that.

hmf @JKnott

@jknott Don't want to put words in @Bob-Dig's mouth, but my problem was that the GUI for the DNS server allows an exclusive choice ('xor') between DHCP and ULA configuration; I had to learn about the command line to enable both.

I have a question about your POV, though. I used DHCP on the appliance so that it would publish several options on the domain (including the ULA of the DNS that caused the original problem). Are you saying that the RA/SLAAC solution accomplishes this and is preferable to or better than the DHCP/ULA solution for some reason?

JKnott @hmf

@hmf

All the stuff that's provided by DHCP is provided by the router advertisements, including RDNSS, which contains the DNS server address. One disadvantage with DHCPv6 is it doesn't work with Android devices, because some genius at Google didn't want to support it.

JKnott @hmf

@hmf said in IPv6 and internal DNS registration:

but my problem was that the GUI for the DNS server allows an exclusive choice ('xor') between DHCP and ULA configuration; I had to learn about the command line to enable both

I don't have DHCPv6 enabled on my network, but DHCPv6 server and RA are 2 separate pages in the config. Does it actually prevent you from adding an additional prefix on the RA page when a DHCPv6 server is enabled? You always have router advertisements, no matter what. Also, if you have Android devices, you do not want to run DHCPv6.

hmf @JKnott

@jknott Oh, help...

I just upgraded my 6100 appliance and things stopped working again! Now, instead of RA just publishing the DNS ULA (fd...), it is using the IPv6 alias as the source for the network prefix instead of the PD prefix. Now none of the hosts are on the internet unless I remove the alias and exclusively use DNS / IPv4.

How do I get it to publish the PD prefix for SLAAC and the ULA for DNS again?

JKnott @hmf

@hmf

First off, do you still have DHCPv6 enabled on the LAN? If so, get rid of it. The DNS server address is supposed to be the host address for pfSense, unless you've changed it. That would be done in the DNS Configuration on the Router Advertisement page. Those 3 boxes should be empty. Are they?

hmf @JKnott

@jknott Thanks for getting back. (Just fixed, still confused; see 2nd ppg.)

It does not seem to matter whether I disable DHCPv6, but it only exists to set the domain DNS search and a few Windows-specific options anyway. Remember, the whole point was to use the local DNS (and sat-converged NTP, but that is off) for the domain subnet. The unsecured subnet does, in fact, leave all those empty.

I just got things working again! I removed the fixed ULA for the Netgate's LAN, but not the RA subnet. Total accident. Immediately, clients started SLAAC'ing to the PD prefix again, and the Windows clients started registering in DHCP and getting the Domain Controller options! (I set the router's additional IPv6 by rote from your instructions on how to combine ULA with delegation.)

SO... in the latest update, if you assign multiple IPv6 addresses to the LAN, Android clients use that prefix, but if you only set up the subnet, then they get both GUAs with the PD prefix and also ULAs, and (remembering why we are in the swamp in the first place) everybody can get to the LAN's DNS.

I don't understand why the update either broke it, or why it ever worked to assign the router's ULA, depending on your point of view. Isn't it a bug that assigning another IPv6 breaks client SLAAC connection to the ISP-delegated prefix? What happens if you ever need a fixed address for the router?

hmf @hmf

@hmf Just noticed the 6100 doesn't have a GUA any more; all the default gateways show as link-local. Not a bad thing... right?

JKnott @hmf

@hmf

I'm beginning to think you've messed up the config so much you might be better off starting from scratch. And no, if you don't have a GUA and only link local addresses, then it's not good. Also, I run 2 prefixes on my LAN, global and unique local. It works fine. Doing that requires providing a 2nd prefix on the RA page and creating a virtual IP for the interface.

hmf @JKnott

@jknott

Thank you again for helping me. Hope my lack of expertise does not annoy you too much…

First, I may have misspoken: The 6100 does have a GUA on the LAN (2601…) but all the other nodes refer to it / prefer its local address (fe80…) now. If you are willing, could you explain why it's not good that way? (It is my only router; everything here is link local by VLAN.)

Anyway, I did what you suggested. After rebuilding, it works the same way: If I set up the ULA subnet in RA, things all (Android, Apple, Windows) work, meaning they can see the local DNS, NTP, etc., and get delegated IPv6 addresses. The minute I assign a full address (virtual IPv6) on the LAN, all the clients lose their delegated addresses and only show addresses with the ULA prefix.

Recap: Add subnet RA — everything works super. Add alias — clients do not get Internet-routable (delegated) addresses.

PS: The only remotely unusual thing I do is RA on the VLAN, not the LAN port (which doesn't seem that unusual).

JKnott @hmf

@hmf said in IPv6 and internal DNS registration:

but all the other nodes refer to it / prefer its local address (fe80…)

What do you mean by that? The link local address is used for stuff like router advertisements and routing. Is that what you mean? Do other devices have IPv6 addresses beyond link local?

The minute I assign a full address (virtual IPv6) on the LAN, all the clients lose their delegated addresses and only show addresses with the ULA prefix.

Where are you doing that? You should be adding the new prefix on the RA page. Also, you should only be putting the prefix there, not the full LAN address. Here's what I have in mine: fd48:1a37:2160:0::
This specifies the 64-bit network address, leaving 64 bits to be filled in by SLAAC.

Was GUA working properly before you tried adding ULA?

If you do this correctly, you should have both ULA and GUA addresses on all devices.

hmf @JKnott

First: The instructions you linked to above said to assign the prefix (not the full address) in the Services/RA section, and a VIP (full address) in the Firewall/Virtual IP section, and that is what I did. If I just do the first part, everything works great. If I do the second part, things fail (no one gets a delegated address).

Now…

@jknott said in IPv6 and internal DNS registration:

What do you mean by that? The link local address is used for stuff like router advertisements and routing. Is that what you mean? Do other devices have IPv6 addresses beyond link local?

Yes and yes. I mean the address starting fe80 used for advertisements gets used as the gateway address by all clients, and yes, they get IPv6 addresses on the ISP-delegated subnet — all good. It doesn't fail until / unless I add the virtual IPv6 for the ULA subnet (in the Firewall/VIP section).

The minute I assign a full address (virtual IPv6) on the LAN, all the clients lose their delegated addresses and only show addresses with the ULA prefix.

Where are you doing that?

In the Firewall/Virtual IP section.

You should be adding the new prefix on the RA page. Also, you should only be putting the prefix there, not the full LAN address. Here's what I have in mine: fd48:1a37:2160:0::
This specifies the 64-bit network address, leaving 64 bits to be filled in by SLAAC.

Yes, I do understand your instructions, and I only add the 64-bit prefix there. Mine is: fd4d:fef2:2486:cadf::/64

Was GUA working properly before you tried adding ULA?

Yes. Using "track interface" on the VLAN gets me GUAs on all clients. Adding the ULA subnet on the RA makes everyone see the local DNS. If I stop there, everything is wonderful!! Adding the Virtual IP kills the delegation of GUAs. This is what I think is a bug, but since I see no problem with having clients see the gateway through its link local address, I can live without assigning the Virtual IP to the VLAN interface of the Netgate. If I ever have to pre-assign an IPv6 (ULA) to the Netgate for some reason, I'll be hosed.

If you do this correctly, you should have both ULA and GUA addresses on all devices.

If you do everything except create the virtual IP, that is…

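As an added example (not code from the thread, from pfSense or from either poster), the checks below encode JKnott's rule that the RA subnet box takes only a /64 ULA prefix such as fd48:1a37:2160:0:: and never a full host address, and flag the client state hmf describes: a ULA address present but no address in the delegated prefix. It uses only Python's ipaddress module; the 2601:db8:1:2::/64 PD prefix and the client address list are constructed values.

```python
"""Checks for a LAN advertising both a delegated GUA prefix and a ULA prefix.
Added example, not from the thread or pfSense; the PD prefix and client
address lists are constructed for illustration."""
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")   # fe80... gateway addresses
ULA = ipaddress.IPv6Network("fc00::/7")           # fd... unique local
GUA = ipaddress.IPv6Network("2000::/3")           # globally routable


def _addr(text):
    """Parse one address, dropping a zone id such as %vlan10 if present."""
    return ipaddress.IPv6Address(text.split("%")[0])


def classify(addr):
    """Return 'link-local', 'ula', 'gua' or 'other' for one IPv6 address."""
    ip = _addr(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in GUA:
        return "gua"
    return "other"


def check_ra_prefix(text):
    """Validate what belongs in the RA subnet box: a /64 ULA prefix, not a host.
    A bare prefix is treated as /64; strict=True rejects set host bits."""
    try:
        net = ipaddress.IPv6Network(text if "/" in text else text + "/64", strict=True)
    except ValueError as exc:
        return f"reject: {exc}"
    if net.prefixlen != 64:
        return "reject: SLAAC needs a /64"
    if net.network_address not in ULA:
        return "reject: not a ULA (fc00::/7) prefix"
    return "ok"


def audit_host(addrs, pd_prefix, ula_prefix):
    """Names of expected prefixes the host has no address in; [] means SLAAC
    gave it both, ['gua'] is the 'lost the delegated prefix' symptom."""
    expected = {"gua": ipaddress.IPv6Network(pd_prefix),
                "ula": ipaddress.IPv6Network(ula_prefix)}
    return [name for name, net in expected.items()
            if not any(_addr(a) in net for a in addrs)]


if __name__ == "__main__":
    # Constructed client address list: ULA present, delegated GUA missing.
    client = ["fe80::1c2b:3d4e:5f60:7182%vlan10", "fd4d:fef2:2486:cadf:abcd::1"]
    print(check_ra_prefix("fd4d:fef2:2486:cadf::/64"))                          # ok
    print(audit_host(client, "2601:db8:1:2::/64", "fd4d:fef2:2486:cadf::/64"))  # ['gua']
```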
JKnott @hmf

@hmf

Can you run a packet capture on the LAN, filtering on ICMP6? Attach the capture file here.

hmf @JKnott

@jknott I can do that sometime in the next day or so… I assume you mean with the "broken" config (after adding the Virtual IP on the ULA subnet).

Are you some kind of network engineer who can actually fix problems like I think this is?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.