Netgate Discussion Forum

Configure IPv6 on multiple LAN interfaces

43 Posts 4 Posters 6.7k Views
    JKnott @DrPhil
    last edited by Jan 12, 2024, 12:23 AM

    @DrPhil

    No, what I need is the actual capture file, which I can then examine with Wireshark. Here's the sort of thing I'd be able to find:

    710165b7-9685-4535-bf12-591d88c0b293-image.png

    This shows I am requesting a /56 prefix and the prefix I was asking for. I'd be able to see similar for the reply from the ISP.

    PfSense running on Qotom mini PC
    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
    UniFi AC-Lite access point

    I haven't lost my mind. It's around here...somewhere...

      johnpoz LAYER 8 Global Moderator @DrPhil
      last edited by johnpoz Jan 12, 2024, 1:15 AM Jan 12, 2024, 1:13 AM

      @DrPhil yeah, vs. posting what is in the window, download the capture and post the pcap file here.

      download.jpg

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        DrPhil @johnpoz
        last edited by DrPhil Jan 12, 2024, 4:26 PM Jan 12, 2024, 4:24 PM

        @johnpoz

        I downloaded the pcap file, and ran the output through tshark. (I didn't want to post the whole pcap here for privacy reasons - fear of the unknown).

        From the tshark output, I have copied below the relevant sections of two packets - a request from my router and a reply from the ISP server. Based on my layperson reading of this, it seems like pfSense is requesting a /56 prefix (even though in my settings I said /60). And that the ISP is in fact giving a /56 prefix.

        Please take a look and let me know if you would like to see any other sections or packets.

        DHCPv6
            Message type: Request (3)
            Transaction ID: 0x996ddc
            Client Identifier
                Option: Client Identifier (1)
                Length: 14
                DUID: 000100012ceadexxxxxxxxxxxxxx
                DUID Type: link-layer address plus time (1)
                Hardware type: Ethernet (1)
                DUID Time: Nov 17, 2023 21:31:59.000000000 EST
                Link-layer address: 00:90:0b:xx:xx:xx
            Server Identifier
                Option: Server Identifier (2)
                Length: 26
                DUID: 00020000058366343a62353a32663a30353axxxxxxxxxxxxxxxx
                DUID Type: assigned by vendor based on Enterprise number (2)
                Enterprise ID: Juniper Networks/Funk Software (1411)
                Identifier: 66343a62353a32663a30353axxxxxxxxxxxxxxxx
            Identity Association for Non-temporary Address
                Option: Identity Association for Non-temporary Address (3)
                Length: 18
                IAID: 00000000
                T1: 0
                T2: 0
                Status code
                    Option: Status code (13)
                    Length: 2
                    Status Code: NoAddrAvail (2)
            Elapsed time
                Option: Elapsed time (8)
                Length: 2
                Elapsed time: 0ms
            Option Request
                Option: Option Request (6)
                Length: 4
                Requested Option code: DNS recursive name server (23)
                Requested Option code: Domain Search List (24)
            Identity Association for Prefix Delegation
                Option: Identity Association for Prefix Delegation (25)
                Length: 41
                IAID: 00000000
                T1: 0
                T2: 0
                IA Prefix
                    Option: IA Prefix (26)
                    Length: 25
                    Preferred lifetime: 7200
                    Valid lifetime: 7200
                    Prefix length: 56
                    Prefix address: 2600:4040:xxxx:xx00::
        
        ================
        
        DHCPv6
            Message type: Reply (7)
            Transaction ID: 0x996ddc
            Client Identifier
                Option: Client Identifier (1)
                Length: 14
                DUID: 000100012ceadexxxxxxxxxxxxxx
                DUID Type: link-layer address plus time (1)
                Hardware type: Ethernet (1)
                DUID Time: Nov 17, 2023 21:31:59.000000000 EST
                Link-layer address: 00:90:0b:xx:xx:xx
            Server Identifier
                Option: Server Identifier (2)
                Length: 26
                DUID: 00020000058366343a62353a32663a30353axxxxxxxxxxxxxxxx
                DUID Type: assigned by vendor based on Enterprise number (2)
                Enterprise ID: Juniper Networks/Funk Software (1411)
                Identifier: 66343a62353a32663a30353axxxxxxxxxxxxxxxx
            Identity Association for Non-temporary Address
                Option: Identity Association for Non-temporary Address (3)
                Length: 59
                IAID: 00000000
                T1: 0
                T2: 0
                Status code
                    Option: Status code (13)
                    Length: 43
                    Status Code: NoAddrAvail (2)
                    Status Message: No addresses have been assigned for IA_NA
            Identity Association for Prefix Delegation
                Option: Identity Association for Prefix Delegation (25)
                Length: 41
                IAID: 00000000
                T1: 3600
                T2: 5760
                IA Prefix
                    Option: IA Prefix (26)
                    Length: 25
                    Preferred lifetime: 7200
                    Valid lifetime: 7200
                    Prefix length: 56
                    Prefix address: 2600:4040:xxxx:xx00::
        
        
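The Request/Reply pair above can be checked without Wireshark by decoding the IA_PD (25) and IA_PREFIX (26) options straight from the wire bytes. This is an added example, not code from the thread or from pfSense: the prefix, DUID and DUID timestamp are constructed placeholders, while the transaction id, option codes and option lengths follow the dissection above.

```python
import ipaddress
import struct

# DHCPv6 option codes that appear in the dissection above (RFC 8415).
OPT_CLIENTID, OPT_IA_NA, OPT_ORO, OPT_STATUS, OPT_IA_PD, OPT_IA_PREFIX = 1, 3, 6, 13, 25, 26

def opt(code, body):
    """Encode one option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(body)) + body

def ia_prefix(prefix, plen, pref=7200, valid=7200):
    """IA_PREFIX (26): preferred/valid lifetimes, prefix-length, 16-byte prefix."""
    return opt(OPT_IA_PREFIX, struct.pack("!IIB", pref, valid, plen) + prefix.packed)

def ia_pd(iaid, t1, t2, *sub):
    """IA_PD (25): IAID, T1, T2, then nested options (here an IA_PREFIX)."""
    return opt(OPT_IA_PD, struct.pack("!III", iaid, t1, t2) + b"".join(sub))

def message(msg_type, xid, *options):
    """1-byte msg-type, 3-byte transaction id, then the options."""
    return struct.pack("!B", msg_type) + xid.to_bytes(3, "big") + b"".join(options)

def parse_options(buf):
    """Yield (code, payload) per option; refuse a length that overruns buf."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d overruns message" % code)
        yield code, buf[off:off + length]
        off += length

def delegated_prefixes(msg):
    """Return [(IPv6Network, T1, T2)] for every IA_PREFIX inside every IA_PD."""
    out = []
    for code, body in parse_options(msg[4:]):
        if code != OPT_IA_PD:
            continue
        _iaid, t1, t2 = struct.unpack_from("!III", body, 0)
        for sub, sbody in parse_options(body[12:]):
            if sub == OPT_IA_PREFIX:
                plen = sbody[8]  # prefix-length sits after the two 4-byte lifetimes
                out.append((ipaddress.IPv6Network((sbody[9:25], plen), strict=False), t1, t2))
    return out

def check_delegation(request, reply):
    """Compare the hint in the Request with what the Reply actually delegates."""
    if request[1:4] != reply[1:4]:
        raise ValueError("transaction id mismatch")
    hint, got = delegated_prefixes(request), delegated_prefixes(reply)
    if not got:
        return None  # Reply without IA_PD: nothing for Track Interface to use
    net, t1, t2 = got[0]
    return {"hint_len": hint[0][0].prefixlen if hint else None, "delegated": str(net),
            "lan_subnets": 2 ** (64 - net.prefixlen), "renew_t1": t1, "rebind_t2": t2}

# Constructed sample pair: prefix, DUID and timestamp are placeholders, not the
# poster's values; option layout and lengths mirror the tshark output above.
PREFIX = ipaddress.IPv6Address("2001:db8:abcd:ff00::")
CLIENT_DUID = opt(OPT_CLIENTID, struct.pack("!HHI", 1, 1, 0x2CEADE00) + bytes.fromhex("00900b112233"))
REQUEST = message(3, 0x996DDC, CLIENT_DUID, opt(OPT_ORO, struct.pack("!HH", 23, 24)),
                  ia_pd(0, 0, 0, ia_prefix(PREFIX, 56)))
NO_ADDR = opt(OPT_STATUS, b"\x00\x02" + b"No addresses have been assigned for IA_NA")  # NoAddrAvail
REPLY = message(7, 0x996DDC, CLIENT_DUID, opt(OPT_IA_NA, struct.pack("!III", 0, 0, 0) + NO_ADDR),
                ia_pd(0, 3600, 5760, ia_prefix(PREFIX, 56)))
```

Feed real bytes from `tshark -r file.pcap -Y dhcpv6 -T fields -e data` (or the UDP payload from any capture library) to `check_delegation` to see the hint length, the delegated length and how many /64s the delegation leaves for tracked interfaces.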
          johnpoz LAYER 8 Global Moderator @DrPhil
          last edited by johnpoz Jan 12, 2024, 5:01 PM Jan 12, 2024, 4:51 PM

          @DrPhil like I said, the ISP doesn't always pay attention to what you ask for..

          If you're getting a /56 and you're tracking and using the 0 and 1, you sure shouldn't have a /128 on the actual interface.. So when you look on pfSense it shows the /64?

          Was that IP you showed with the /128 from a client on the network?

          Under Status / Interfaces, what does the pfSense interface show? I don't use track, but it should show you a /64.

          mask.jpg

          Edit: did you maybe set something odd in your RA?

          whatdoyouhaveRA.jpg

          Edit: none of my Linux boxes are currently using IPv6, but I enabled it real quick on my Windows PC, and via netstat -rn showing the routes I can see that it's a /64.

          windows.jpg


            JKnott @DrPhil
            last edited by Jan 12, 2024, 5:06 PM

            @DrPhil

            It would appear you're requesting and receiving a /56. I agree with @johnpoz, there's something strange. When you're trying to resolve a problem, try to keep things simple. For example, use only SLAAC on the LAN.

            As for the /128, that's fine on the WAN interface, but nowhere else. Your LAN should definitely be a /64.

            BTW, why are you worried about revealing your prefix? Each /64 contains 18.4 billion, billion addresses, which means it's virtually impossible for an attacker to find anything. When disguising an actual device address, I will often just change some of the characters. In the capture I provided above, it was a capture I did years ago and has a different prefix from what I have now.


              johnpoz LAYER 8 Global Moderator @JKnott
              last edited by Jan 12, 2024, 5:40 PM

              @JKnott said in Configure IPv6 on multiple LAN interfaces:

              Each /64 contains 18.4 billion

              While I agree with you there, might as well hide part of my prefix.. I have been seeing quite a bit of IPv6 noise of late.. To an address that, yeah, is in my space but I don't use - while scanning all of IPv6 space is an exercise in futility, I agree..

              But they find a way to scope out IP space to what is being used and then trim down the address space they query for.. For example, I see a bunch of scans to this IP.

              ipv6scans.jpg

              Not sure where they came up with this IP; maybe it used to be someone else's? But while that is in the prefix for my tunnel network to HE, and I have an IP on my gif interface in that prefix, it isn't that..

              https://www.shadowserver.org/news/hello-ipv6-scanning-world/

              So while scanning all of IPv6 is pretty impossible - they find stuff to narrow down the search.. So it makes sense not to spread your IPv6 or even its prefixes about.. Just to hope to keep the scanning to your prefixes down, even if it falls on deaf ears on your side.


                DrPhil @johnpoz
                last edited by Jan 12, 2024, 6:23 PM

                @johnpoz

                I don't show an IPv6 subnet mask on my WAN interface.

                194498c6-e81f-4e53-b43c-1b6d53c9dad1-image.png

                I don't think I picked anything on Router Advertisement other than default.
                Here's the one for LAN.
                68d3c651-ebf9-464f-ad63-aaa58976b02a-image.png
                Here's my DMZ (called WWW).
                d27c55c6-ce5e-4509-b343-a495d8faecdf-image.png

                Here's my LAN config. It shows a /60 (probably because that's what I put in the settings).
                f9666663-f9ce-47c5-a8c5-e1f69c5f4c95-image.png

                My Windows (netstat -rn) shows a /60 as well.

                  johnpoz LAYER 8 Global Moderator @DrPhil
                  last edited by johnpoz Jan 12, 2024, 6:32 PM Jan 12, 2024, 6:29 PM

                  @DrPhil well that is wrong.. A /60 on an interface is wrong; the only thing that should be on an interface, unless it's something like a WAN link, should be a /64.

                  If you want a simple solution - I always got frustrated with ISP deployment of IPv6 - just run a HE tunnel.. You get a /48 and stuff is statically assigned by you ;)

                  And my current ISP doesn't even have IPv6, but I still do via HE.


                    DrPhil @johnpoz
                    last edited by DrPhil Jan 12, 2024, 7:24 PM Jan 12, 2024, 7:05 PM

                    @johnpoz

                    I think my /60 DHCPv6 Prefix Delegation size on the WAN interface was causing some issues. I changed it to 56.

                    4c2971ec-ae7e-429d-b11a-875b02a7aa96-image.png

                    And also the 0 prefix ID for LAN was throwing someone off. I changed it to 1 (and just for fun, DMZ to f).

                    0b615548-3f60-44d9-89f2-2f2b56f7e08c-image.png

                    Now my LAN and DMZ are both showing a subnet mask of 64.

                    8956f25f-a857-4107-91c8-a9b7d8744e1f-image.png

                    6c05b6ba-24f6-4fac-866d-0d5aab4b7891-image.png

                    Now all seems to be working fine (I've thought that before as well, so can't be too sure).

                    My clients on LAN show three global dynamic v6 IPs. One is /64, two are /128.

                    My Linux client on DMZ shows two global dynamic v6 IPs. One is /64, other is /128. Both show as noprefixroute.

                    I am able to ping from LAN to DMZ (by default it's v6 now), and access websites hosted on the Linux server from LAN (besides browser, also checked with curl -6).

                    I'll test some more, but I think I got where I wanted to. Thank you @johnpoz and @JKnott so much!

                      johnpoz LAYER 8 Global Moderator @DrPhil
                      last edited by johnpoz Jan 12, 2024, 7:29 PM Jan 12, 2024, 7:29 PM

                      @DrPhil yeah, temp IPv6 IPs can come up with those /128.. I always disable using temp IPv6.. Not a fan ;)

                      So you're all sorted - good to hear!


                        JKnott @DrPhil
                        last edited by Jan 12, 2024, 7:39 PM

                        @DrPhil said in Configure IPv6 on multiple LAN interfaces:

                        My clients on LAN show three global dynamic v6 IPs. One is /64, two are /128.

                        I have never seen a /128 on my LAN, only on the WAN interface.

                        Here are my ULA addresses:

                        ifconfig|grep fd48
                        inet6 fd48:1a37:2160:0:9d7c:5104:f34a:6866 prefixlen 64 scopeid 0x0<global>
                        inet6 fd48:1a37:2160:0:b9f:591:2bc7:d579 prefixlen 64 scopeid 0x0<global>
                        inet6 fd48:1a37:2160:0:ef38:748:d8d8:af1a prefixlen 64 scopeid 0x0<global>
                        inet6 fd48:1a37:2160:0:8799:673:5d34:d481 prefixlen 64 scopeid 0x0<global>
                        inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa prefixlen 64 scopeid 0x0<global>
                        inet6 fd48:1a37:2160:0:10a7:8006:82e8:8b9e prefixlen 64 scopeid 0x0<global>

                        Not a single /128 among them. Same with my GUA.

                        Do you have something else that's assigning those /128s?


                          DrPhil @JKnott
                          last edited by Jan 12, 2024, 8:11 PM

                          @JKnott said in Configure IPv6 on multiple LAN interfaces:

                          Do you have something else that's assigning those /128s?

                          What could it be?

                            johnpoz LAYER 8 Global Moderator @JKnott
                            last edited by Jan 12, 2024, 8:12 PM

                            @JKnott said in Configure IPv6 on multiple LAN interfaces:

                            have never seen a /128 on my LAN

                            See my output above - while I get my /64, there are 2 temp addresses there that are /128.

                            This is a Windows 10 machine; I normally would disable temp addresses on them.. But I was playing with something a while back with IPv6 and had reset the Windows network stack, etc.


                              JKnott @johnpoz
                              last edited by Jan 12, 2024, 8:25 PM

                              @johnpoz

                              I just checked on Windows 10 and also see /128, where I should see /64. I guess this is another example of where Microsoft does something weird (stupid?). Again, you should not see /128 on a LAN. Linux & pfSense (FreeBSD) show the correct /64.


                                johnpoz LAYER 8 Global Moderator @JKnott
                                last edited by Jan 12, 2024, 8:29 PM

                                @JKnott not going to disagree with you.. Was just pointing out that you can see that.. In MS's infinite wisdom they don't even show you the prefix just looking at the IPs.. with, say, ipconfig; to see the prefix for IPv6 you have to look at the routing table..

                                I mean - sure, the prefix should pretty much always be a /64, so I could see maybe leaving it off - but why not just show it.. So it's easy to see there is a 64 on there and not some issue like what the OP was having with a /60 etc.

                                BTW if you couldn't tell my MS comment and wisdom is being sarcastic - heheh


                                  ler762 @DrPhil
                                  last edited by Jan 24, 2024, 7:36 PM

                                  @DrPhil said in Configure IPv6 on multiple LAN interfaces:

                                  Hi,

                                  I am trying to configure IPv6 on multiple LAN interfaces (LAN and DMZ).

                                  Did you ever get this sorted? The thread seemed to peter out at the end...

                                  What works for me on Verizon FIOS

                                  Interfaces / Wan

                                  • IPv4 Configuration Type dhcp
                                  • IPv6 Configuration Type dhcp6
                                  • DHCPv6 Prefix Delegation size 56
                                  • Send IPv6 prefix hint checked
                                  • Do not wait for a RA checked

                                  It ends up looking a bit weird -- only a link-local (FE80::something) configured on the WAN interface, but it works (you can probably find the RFC about using only IPv6 link-local addresses on routers - I'm not going to bother searching).

                                  Then on the LAN interfaces

                                  • IPv6 Configuration Type Track interface
                                    and under "Track IPv6 Interface"
                                  • IPv6 Interface WAN
                                  • IPv6 Prefix ID <pick a unique number -- I like using the VLAN #>

                                  Then under "Services / DHCPv6 Server"

                                  • DHCPv6 Server gets checked
                                  • Range pick something
                                  • Prefix Delegation Size is 64
                                  • Default lease time I used the 7200 default
                                  • Max lease time I went with 28800. I started with one day but the dhcpv6 address occasionally showed up as deprecated and 'valid_lft forever preferred_lft 0sec'

                                  Hopefully that's a good enuf description :)

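Pulling together the Track Interface / Prefix ID settings described in this post and the /56 vs. /60 confusion earlier in the thread, as an added example (not pfSense's own code): it assumes pfSense fills the bits between the delegated prefix length and /64 with the hex Prefix ID, which is how a /56 with IDs 1 and f yields two distinct /64s, and it flags IDs that do not fit the delegation or collide between interfaces.

```python
import ipaddress

def track_interface_prefix(delegated, prefix_id):
    """Return the /64 a Track Interface LAN gets from the delegated prefix and its
    hex Prefix ID.  Assumption: the ID fills the bits between the delegation length
    and /64, so a /56 has room for IDs 0..ff while a /60 only has room for 0..f."""
    net = ipaddress.IPv6Network(delegated)  # strict: rejects a prefix with host bits set
    free_bits = 64 - net.prefixlen
    if free_bits < 0:
        raise ValueError(f"{delegated} is longer than /64; nothing to subdivide")
    pid = int(prefix_id, 16)
    if not 0 <= pid < (1 << free_bits):
        raise ValueError(f"Prefix ID {prefix_id} does not fit: {delegated} holds only "
                         f"{1 << free_bits} /64s (IDs 0..{(1 << free_bits) - 1:x})")
    return ipaddress.IPv6Network((int(net.network_address) | (pid << 64), 64))

def assign_lans(delegated, prefix_ids):
    """Map interface name -> /64 for every tracked interface, refusing duplicate IDs
    (two interfaces on the same /64 is a misconfiguration)."""
    result = {}
    for name, pid in prefix_ids.items():
        net = track_interface_prefix(delegated, pid)
        owner = next((n for n, v in result.items() if v == net), None)
        if owner is not None:
            raise ValueError(f"{name} and {owner} both map to {net}")
        result[name] = net
    return result

# Constructed delegation (documentation prefix) with the IDs the thread ends up using:
# 1 for LAN and f for the DMZ ("WWW").
DELEGATED = "2001:db8:abcd:ff00::/56"
LANS = assign_lans(DELEGATED, {"LAN": "1", "WWW": "f"})
```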