Netgate Discussion Forum

Use of both dhcp and slaac, advanced configuration

    crc_error_79 @JKnott
    last edited by crc_error_79 May 28, 2023, 1:55 PM May 28, 2023, 1:53 PM

    @JKnott said in Use of both dhcp and slaac, advanced configuration:

    @crc_error_79

    You seem to be creating your own problems. Use SLAAC to get the prefix for each interface for global addresses. Use my instructions for ULA and forget about DHCPv6, you don't need it.

    In my post 16 my problems were solved; that was exactly my goal. Then I asked if there was a better or more secure / efficient etc. way to do it.

    I used your guide and it worked too, but in that way (with my skills) I can't easily manage the devices connected to the network, since with SLAAC all devices get only the prefix and not the entire address.
    So on the router side, if I don't know which IP a device has, how can I manage it (firewall rules etc.)?

    I think that with SLAAC I can't do a thing like this below. I have to use DNS with the hope that the address doesn't change.

    [image]

    Also, if the prefix changes (for any reason), how can I be sure that the remaining part will stay the same?

    @JKnott said in Use of both dhcp and slaac, advanced configuration:

    With DHCPv6-PD, your prefix is assigned to you.

    To configure the WAN, I followed this guide from my ISP (link). OK, it is in Italian, but you can look at the pictures. They said to use "static ipv6" and add the given /56 + the remaining part to create the network and the gateway, and that is what I initially did.

    @JKnott said in Use of both dhcp and slaac, advanced configuration:

    I believe he said he gets a /56, so that's what he would use.

    Yes, I get a /56.

    @JKnott said in Use of both dhcp and slaac, advanced configuration:

    Where are you getting this nonsense from?

    If I set "track interface" -> WAN instead of "static" but that interface has a local link, it doesn't work, at least for me.

    [edit] corrected the post link (16, not 15)

      Bob.Dig LAYER 8 @crc_error_79
      last edited by Bob.Dig May 28, 2023, 2:49 PM May 28, 2023, 2:20 PM

      @crc_error_79 It looks like you get a static prefix, that is great, so forget "track interface".

      Also you can use the DHCPv6 Server for static mappings, it is almost the same as with IPv4.

      If you really think that you will switch ISPs in the near future, use NPt. It is not regular NAT and will work just fine with ULAs, as long as you have (only) one ISP.

        crc_error_79 @Bob.Dig
        last edited by May 28, 2023, 2:59 PM

        @Bob-Dig
        Thanks, I will read something about it (because the only thing I know about it is that it is a sort of NAT)

          Bob.Dig LAYER 8 @crc_error_79
          last edited by May 28, 2023, 3:49 PM

          @crc_error_79 said in Use of both dhcp and slaac, advanced configuration:

          (because the only thing I know about it is that it is a sort of NAT)

          It doesn't have the problem of being only one address everything has to be NATed to, but maybe don't start your IPv6 journey with that. 😱

            JKnott @crc_error_79
            last edited by May 28, 2023, 5:22 PM

            @crc_error_79 said in Use of both dhcp and slaac, advanced configuration:

            I used your guide and it worked too, but in that way (with my skills) I can't easily manage the devices connected to the network, since with SLAAC all devices get only the prefix and not the entire address.

            What is it you're trying to manage? When you use the consistent address for DNS, you will always be able to reach it, no matter what the privacy addresses are.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

              crc_error_79 @JKnott
              last edited by May 28, 2023, 5:28 PM

              @JKnott
              You are right, but how can I set a host override on the DNS resolver if I don't know the IPv6 address?
              I must go around the house and check every device. If I use DHCPv6 all is "centralized", since the router knows every IP it leases.
              Or am I wrong? 🙄

                JKnott @crc_error_79
                last edited by May 28, 2023, 5:33 PM

                @crc_error_79

                You don't set a host override. You just use the address as is. I mentioned I had to determine the consistent address recently for a new tablet. The way I did that was set up Packet Capture to capture the tablet MAC address and only IPv6. Then whatever address turned up when I used a browser to access the Internet was not the persistent address. Since there were only 2 addresses displayed in the settings, I had a good idea which one was persistent. You can easily grab the MAC address when you convert an IPv4 DHCP address, found in the DHCP log, to host override.

                  JKnott @JKnott
                  last edited by May 28, 2023, 5:41 PM

                  @crc_error_79

                  Here's another way to determine the persistent address. This is on Linux, using the ip -6 address show command.

                  inet6 fd48:1a37:2160:0:90b4:60da:a900:2997/64 scope global temporary dynamic
                  inet6 fd48:1a37:2160:0:d37b:1ca2:4d85:a38d/64 scope global temporary deprecated dynamic
                  inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa/64 scope global dynamic mngtmpaddr

                  I used grep to display only my ULA addresses. You can tell by reading the text which is the persistent address. It's the last one. Similar can be done with the ifconfig command on Linux and FreeBSD or ipconfig on Windows.

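An added example (not part of JKnott's post and not pfSense code): a small Python parser for `ip -6 address show` output that picks out the persistent address by its flags, as the post does by eye, and recovers the MAC address when the interface ID is EUI-64 derived. The sample input is the three lines quoted in the post above; the function names are illustrative.

```python
import ipaddress
import re

# The three lines quoted in the post above (output of `ip -6 address show`).
SAMPLE = """\
    inet6 fd48:1a37:2160:0:90b4:60da:a900:2997/64 scope global temporary dynamic
    inet6 fd48:1a37:2160:0:d37b:1ca2:4d85:a38d/64 scope global temporary deprecated dynamic
    inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa/64 scope global dynamic mngtmpaddr
"""

INET6 = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\S+)(.*)$")

def eui64_mac(addr):
    """Return the MAC embedded in a modified-EUI-64 interface ID, else None.

    Stable addresses are not always EUI-64 based; for those this returns None.
    """
    iid = addr.packed[8:]                      # low 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":                # EUI-64 inserts ff:fe in the middle
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # flip the U/L bit back
    return ":".join(f"{b:02x}" for b in mac)

def parse(text):
    """Parse inet6 lines into dicts with address, scope, flags and derived MAC."""
    rows = []
    for line in text.splitlines():
        m = INET6.match(line)
        if not m:
            continue
        addr = ipaddress.IPv6Address(m.group(1))
        flags = set(m.group(4).split())
        rows.append({
            "address": str(addr),
            "scope": m.group(3),
            "temporary": "temporary" in flags,   # privacy address, rotates
            "deprecated": "deprecated" in flags,
            "mac": eui64_mac(addr),
        })
    return rows

def persistent(text):
    """Global-scope addresses that are neither temporary nor deprecated."""
    return [r for r in parse(text)
            if r["scope"] == "global" and not r["temporary"] and not r["deprecated"]]

if __name__ == "__main__":
    for r in persistent(SAMPLE):
        print(r["address"], "MAC:", r["mac"] or "not EUI-64 derived")
```
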
                    crc_error_79 @JKnott
                    last edited by May 28, 2023, 5:46 PM

                    @JKnott

                    It is a valid option, but to me it is more complicated than what I used,
                    since it requires packet capture (I know what it is but I don't know how to use it) or physical access.
                    As said many times, maybe it is because I am comfortable with DHCP and IPv4.

                      JKnott
                      last edited by May 28, 2023, 5:53 PM

                      @crc_error_79

                      It's no more complicated than setting up a DHCPv6 server. Also, packet capture is a very useful tool for solving problems. I frequently use either Packet Capture or Wireshark.

                        crc_error_79 @JKnott
                        last edited by May 29, 2023, 11:51 AM

                        @JKnott
                        I will take a look at it.

                        This morning I had a strange problem I never had with IPv4.
                        The state table was completely filled (198000 rows), CPU at 100% (Proxmox, i7 7700 with 4 cores assigned) and internet down.
                        What could be the cause? What do you think?

                        Firewall rules are the same for both IPv4 and IPv6: only block inter-VLAN traffic and allow anywhere (unless pfBlocker says no) on the internet.

                          JKnott @crc_error_79
                          last edited by May 29, 2023, 1:51 PM

                          @crc_error_79

                          I have no idea what would cause that.

                            crc_error_79 @JKnott
                            last edited by May 29, 2023, 1:53 PM

                            @JKnott
                            I am not in front of the pfSense (because I am at work now), but could it be the virtual IP or something related to the internal LAN that tries to access the internet?

                              JKnott @crc_error_79
                              last edited by May 29, 2023, 5:13 PM

                              @crc_error_79

                              I don't think so. I have a virtual IP as described in my ULA article and it's used all the time. However, I am not using pfBlocker.

                                crc_error_79 @JKnott
                                last edited by May 29, 2023, 6:58 PM

                                @JKnott
                                I will check tomorrow; after the reboot I did, the issue has gone. Maybe it was caused by the temporary NIC I am using (a USB 2.5 Gb) for the WAN.

                                Thanks again ;)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.