IPv6 and internal DNS registration
-
@hmf Just noticed the 6100 doesn't have a GUA any more, all the default gateways show as link-local. Not a bad thing... right?
-
I'm beginning to think you've messed up the config so much you might be better off starting from scratch. And no, if you don't have a GUA and only link local addresses, then it's not good. Also, I run 2 prefixes on my LAN, global and unique local. It works fine. Doing that requires providing a 2nd prefix on the RA page and creating a virtual IP for the interface.
-
Thank you again for helping me. Hope my lack of expertise does not annoy you too much…
First, I may have misspoken: The 6100 does have a GUA on the LAN (2601…) but all the other nodes refer to it / prefer its local address (fe80…) now. If you are willing, could you explain why it’s not good that way? (It is my only router; everything here is link local by VLAN).
Anyway, I did what you suggested. After rebuilding, it works the same way: If I set up the ULA subnet in RA, things all (Android, Apple, Windows) work, meaning they can see the local DNS, NTP, etc., and get delegated IPv6 addresses. The minute I assign a full address (virtual IPv6) on the LAN, all the clients lose their delegated addresses and only show addresses with the ULA prefix.
Recap: Add subnet RA — everything works super. Add alias — clients do not get Internet routable (delegated) addresses.
PS: The only remotely unusual thing I do is RA on the VLAN, not the LAN port (which doesn’t seem that unusual).
-
@hmf said in IPv6 and internal DNS registration:
but all the other nodes refer to it / prefer its local address (fe80…)
What do you mean by that? The link local address is used for stuff like router advertisements and routing. Is that what you mean? Do other devices have IPv6 addresses beyond link local?
The minute I assign a full address (virtual IPv6) on the LAN, all the clients lose their delegated addresses and only show addresses with the ULA prefix.
Where are you doing that? You should be adding the new prefix on the RA page. Also, you should only be putting the prefix there, not the full LAN address. Here's what I have in mine: fd48:1a37:2160:0::
This specifies the 64 bit network address, leaving 64 bits to be filled in by SLAAC. Was GUA working properly before you tried adding ULA?
If you do this correctly, you should have both ULA and GUA addresses on all devices.
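Worked example, added to this thread and not written by any of the posters: it takes a /64 prefix in the form entered on the RA page (with or without a trailing /64), classifies it as ULA, GUA or link-local, and shows how a host fills the remaining 64 bits to form a SLAAC address. It uses the classic modified EUI-64 interface identifier from RFC 4291; the MAC address in the usage call is constructed for the example.

```python
import ipaddress

# Address ranges used to classify an advertised prefix.
ULA = ipaddress.IPv6Network("fc00::/7")          # RFC 4193 unique local (fd.. in practice)
GUA = ipaddress.IPv6Network("2000::/3")          # globally routable unicast
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # never advertised for SLAAC


def parse_ra_prefix(text, default_len=64):
    """Parse a prefix as typed on the RA page, e.g. 'fd48:1a37:2160:0::' or 'fd4d:fef2:2486:cadf::/64'.

    Raises ValueError if host bits are set (a full address was given instead of a prefix)
    or if the prefix is not a /64, which SLAAC requires.
    """
    if "/" in text:
        net = ipaddress.IPv6Network(text)              # strict: host bits must be zero
    else:
        net = ipaddress.IPv6Network((text, default_len))
    if net.prefixlen != 64:
        raise ValueError(f"{net}: SLAAC needs a /64, got /{net.prefixlen}")
    return net


def is_valid_ra_prefix(text):
    """True if the text is usable as an RA prefix (a /64 with no host bits set)."""
    try:
        parse_ra_prefix(text)
        return True
    except ValueError:
        return False


def prefix_kind(net):
    """Classify a network as 'ULA', 'GUA', 'link-local' or 'other'."""
    for name, block in (("ULA", ULA), ("GUA", GUA), ("link-local", LINK_LOCAL)):
        if net.subnet_of(block):
            return name
    return "other"


def eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    flipped = bytes([octets[0] ^ 0x02])   # invert the universal/local bit
    iid = flipped + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix_text, mac):
    """Combine the advertised /64 with the host's interface identifier."""
    net = parse_ra_prefix(prefix_text)
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac)))


if __name__ == "__main__":
    # Constructed MAC for the example; the prefix is the one quoted in the thread.
    for text in ("fd48:1a37:2160:0::", "fd4d:fef2:2486:cadf::/64", "fd48:1a37:2160::1/64"):
        if is_valid_ra_prefix(text):
            net = parse_ra_prefix(text)
            print(text, "->", prefix_kind(net), slaac_address(text, "00:11:22:33:44:55"))
        else:
            print(text, "-> not a valid RA prefix (full address or wrong length)")
```

Most current operating systems form their interface identifier with RFC 7217 stable-opaque or RFC 8981 temporary addresses rather than EUI-64, so the low 64 bits of a real client's address will differ from the output above; the split (router supplies exactly 64 bits, host supplies the rest) is the part that matters when reading the RA page.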
-
First: The instructions you linked to above said to assign the prefix (not the full address) in the Services/RA section, and a VIP (full address) in the Firewall/Virtual IP section, and that is what I did. If I just do the first part, everything works great. If I do the second part, things fail (no one gets a delegated address).
Now…
@jknott said in IPv6 and internal DNS registration:
What do you mean by that? The link local address is used for stuff like router advertisements and routing. Is that what you mean? Do other devices have IPv6 addresses beyond link local?
Yes and yes. I mean the address starting fe80 used for advertisements gets used as the gateway address by all clients, and yes, they get IPv6 addresses on the ISP-delegated subnet — all good. It doesn’t fail until / unless I add the virtual IPv6 for the ULA subnet (in the Firewall/VIP section).
The minute I assign a full address (virtual IPv6) on the LAN, all the clients lose their delegated addresses and only show addresses with the ULA prefix.
Where are you doing that?
In the Firewall/Virtual IP section
You should be adding the new prefix on the RA page. Also, you should only be putting the prefix there, not the full LAN address. Here's what I have in mine: fd48:1a37:2160:0::
This specifies the 64 bit network address, leaving 64 bits to be filled in by SLAAC.
Yes, I do understand your instructions, and I only add the 64-bit prefix there. Mine is: fd4d:fef2:2486:cadf::/64
Was GUA working properly before you tried adding ULA?
Yes. Using “track interface” on the VLAN gets me GUAs on all clients. Adding the ULA subnet on the RA makes everyone see the local DNS. If I stop there everything is wonderful!! Adding the Virtual IP kills the delegation of GUAs. This is what I think is a bug, but since I see no problem with having clients see the gateway through its link local address, I can live without assigning the Virtual IP to the VLAN interface of the Netgate. If I ever have to pre-assign an IPv6 (ULA) to the Netgate for some reason, I’ll be hosed.
If you do this correctly, you should have both ULA and GUA addresses on all devices.
If you do everything except create the virtual IP, that is…
-
Can you run a packet capture on the LAN, filtering on ICMP6? Attach the capture file here.
-
@jknott I can do that sometime in the next day or so… I assume you mean with the “broken” config (after adding the Virtual IP on the ULA subnet).
Are you some kind of network engineer who can actually fix problems like I think this is?
-
@hmf
What is the purpose of the virtual IP with IPv6? RA should pump out the link local fe80 address for routing and pump out the ULA/GUA subnets used in the network.
Are you trying to use a GUA, ULA or link local as a VIP?
-
What the packet capture will show is the contents of the RAs so I can see what's being sent out. You appear to be misconfigured somewhere.
I am a Cisco CCNA with a fair bit of experience with IPv6, going back over 11 years. I also seem to be the IPv6 expert around here.
Let the capture run for a few minutes.
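Added example, not from any poster in this thread: a small decoder for what the requested capture contains, the ICMPv6 Router Advertisement (type 134) and its Prefix Information (type 3) and RDNSS (type 25) options, plus a checker for the symptom described above (clients end up with ULA addresses only). The sample RA is constructed in the block itself with a documentation GUA prefix and the ULA prefix quoted earlier; the IPv6 header and ICMPv6 checksum are omitted, so this works on the ICMPv6 payload of a captured packet, not on a raw frame.

```python
import struct
import ipaddress

ND_ROUTER_ADVERT = 134   # ICMPv6 type
OPT_PREFIX_INFO = 3      # RFC 4861 section 4.6.2
OPT_RDNSS = 25           # RFC 8106


def build_ra(router_lifetime, prefixes, rdnss):
    """Construct an RA payload (header + options) for testing. Checksum is left zero.

    prefixes: list of (prefix_text, onlink, autonomous); rdnss: list of address strings.
    """
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    opts = b""
    for text, onlink, autonomous in prefixes:
        net = ipaddress.IPv6Network(text)
        flags = (0x80 if onlink else 0) | (0x40 if autonomous else 0)   # L and A bits
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                            2592000, 604800, 0)            # valid, preferred, reserved
        opts += net.network_address.packed
    if rdnss:
        opts += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 3600)
        opts += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return hdr + opts


def parse_ra(payload):
    """Decode an RA payload into a dict of header fields, prefixes and DNS servers."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _t, _c, _ck, hop_limit, flags, router_lifetime, _r, _rt = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": router_lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]     # length is in 8-byte units
        if olen == 0:
            raise ValueError("zero-length ND option")
        body = payload[off + 2: off + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO:
            plen, pflags, valid, preferred, _res = struct.unpack("!BBIII", body[:14])
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "onlink": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_RDNSS:
            _res, lifetime = struct.unpack("!HI", body[:6])
            addrs = body[6:]
            ra["rdnss"].extend(str(ipaddress.IPv6Address(addrs[i:i + 16]))
                               for i in range(0, len(addrs), 16))
        off += olen * 8
    return ra


def check_ra(ra):
    """Return a list of reasons this RA would leave clients without usable GUA addresses."""
    issues = []
    if ra["router_lifetime"] == 0:
        issues.append("router lifetime 0: hosts will not use this router as default gateway")
    autonomous = [ipaddress.IPv6Network(p["prefix"]) for p in ra["prefixes"] if p["autonomous"]]
    for net in autonomous:
        if net.prefixlen != 64:
            issues.append(f"{net}: SLAAC needs a /64 prefix")
    if not any(net.subnet_of(ipaddress.IPv6Network("2000::/3")) for net in autonomous):
        issues.append("no GUA prefix with the A flag: hosts get only ULA/link-local addresses")
    return issues


# Constructed sample: one GUA (documentation range) and one ULA prefix, ULA DNS server.
SAMPLE_RA = build_ra(1800, [("2001:db8:0:1::/64", True, True),
                            ("fd48:1a37:2160::/64", True, True)],
                     ["fd48:1a37:2160::1"])

if __name__ == "__main__":
    decoded = parse_ra(SAMPLE_RA)
    print(decoded)
    print("issues:", check_ra(decoded) or "none")
```

In a real capture the RA arrives from the router's fe80 address to ff02::1, which is why every client lists the link-local address as its gateway; that part is normal. The thing to compare against the working configuration is the list of Prefix Information options and their A flags: if the ULA prefix is present but the delegated GUA prefix has disappeared or lost its A flag, clients will show exactly the symptom described above.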
-
@jim-bob-the-grand said in IPv6 and internal DNS registration:
What is the purpose of the virtual IP with IPv6?
If you're adding a ULA prefix, the VIP is used to provide an address within that prefix for the interface, though you can get by without it.
-
Hi,
Literally, the VIP is to provide a ULA in the DNS/DC/NTP subnet being RA’d. I don’t need to have a well-known address for the Netgate in my current configuration, so the more pointed answer is “just for symmetry.”
I can (probably) think of a configuration where having a well-known ULA for the Netgate would be helpful (e.g., an intermediate router), but it’s not necessary here; it’s just something that should work.
I would also put money on the chances that this is a problem having nothing to do with ULAs… I bet if you assign a second IPv6 on a delegating interface (it being common to have multiple IPv6’s on an interface), it will mess up delegation.
…and I see that @JKnott just gave you a much shorter and probably better answer.
-
-
@jknott, That is the exact post I used to set it up when we started this conversation, and exactly what was working before I installed the last update (to shut off the blinking yellow light, and for no good reason like a neat new feature, ironically).
-
Did you mention the update before? I don't recall it. However, if that's where your problem started, you should have said so. I thought you were just trying to set it up for the first time. What versions did you update from and to?
-
I did! (See below)
I have the current version now:
Version 21.05.2-RELEASE (amd64)
built on Fri Oct 22 15:24:02 UTC 2021
I don’t know how to get the previous version, but it was obviously current until a couple weeks ago (when the yellow light started annoying me).
@hmf said in IPv6 and internal DNS registration:
@jknott Oh, help...
I just upgraded my 6100 appliance and things stopped working again! Now, instead of RA just publishing the DNS ULA (fd...) it is using the IPv6 alias as the source for the network prefix instead of the PD prefix. Now none of the hosts are on the internet unless I remove the alias and exclusively use DNS / IPv4.
How do I get it to publish the PD prefix for SLAAC and the ULA for DNS again?
-
@hmf said in IPv6 and internal DNS registration:
Version 21.05.2-RELEASE (amd64)
I'm on 2.5.2 (amd64), which is the latest for non Netgate gear. I didn't know there was a version 21 for AMD.