Configure IPv6 on multiple LAN interfaces

JKnott

@DrPhil

No, what I need is the actual capture file, which I can then examine with Wireshark. Here's the sort of thing I'd be able to find:

This shows I am requesting a /56 prefix and the prefix I was asking for. I'd be able to see similar for the reply from the ISP.

johnpoz

@DrPhil yeah vis posting what is in the window, download the capture and post the pcap file here.

DrPhil

@johnpoz

I downloaded the pcap file, and ran the output through tshark. (I didn't want to post the whole pcap here for privacy reasons - fear of the unknown).

From the tshark output, I have copied below the relevant sections of two packets - a request from my router and a reply from the ISP server. Based on my layperson reading of this, it seems like pfsense is requesting a /56 prefix (even though in my settings I said /60). And that the ISP is in fact giving a /56 prefix.

Please take a look and let me know if you would like to see any other sections or packets.

DHCPv6
    Message type: Request (3)
    Transaction ID: 0x996ddc
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        DUID: 000100012ceadexxxxxxxxxxxxxx
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Nov 17, 2023 21:31:59.000000000 EST
        Link-layer address: 00:90:0b:xx:xx:xx
    Server Identifier
        Option: Server Identifier (2)
        Length: 26
        DUID: 00020000058366343a62353a32663a30353axxxxxxxxxxxxxxxx
        DUID Type: assigned by vendor based on Enterprise number (2)
        Enterprise ID: Juniper Networks/Funk Software (1411)
        Identifier: 66343a62353a32663a30353axxxxxxxxxxxxxxxx
    Identity Association for Non-temporary Address
        Option: Identity Association for Non-temporary Address (3)
        Length: 18
        IAID: 00000000
        T1: 0
        T2: 0
        Status code
            Option: Status code (13)
            Length: 2
            Status Code: NoAddrAvail (2)
    Elapsed time
        Option: Elapsed time (8)
        Length: 2
        Elapsed time: 0ms
    Option Request
        Option: Option Request (6)
        Length: 4
        Requested Option code: DNS recursive name server (23)
        Requested Option code: Domain Search List (24)
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        IAID: 00000000
        T1: 0
        T2: 0
        IA Prefix
            Option: IA Prefix (26)
            Length: 25
            Preferred lifetime: 7200
            Valid lifetime: 7200
            Prefix length: 56
            Prefix address: 2600:4040:xxxx:xx00::

================

DHCPv6
    Message type: Reply (7)
    Transaction ID: 0x996ddc
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        DUID: 000100012ceadexxxxxxxxxxxxxx
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Nov 17, 2023 21:31:59.000000000 EST
        Link-layer address: 00:90:0b:xx:xx:xx
    Server Identifier
        Option: Server Identifier (2)
        Length: 26
        DUID: 00020000058366343a62353a32663a30353axxxxxxxxxxxxxxxx
        DUID Type: assigned by vendor based on Enterprise number (2)
        Enterprise ID: Juniper Networks/Funk Software (1411)
        Identifier: 66343a62353a32663a30353axxxxxxxxxxxxxxxx
    Identity Association for Non-temporary Address
        Option: Identity Association for Non-temporary Address (3)
        Length: 59
        IAID: 00000000
        T1: 0
        T2: 0
        Status code
            Option: Status code (13)
            Length: 43
            Status Code: NoAddrAvail (2)
            Status Message: No addresses have been assigned for IA_NA
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        IAID: 00000000
        T1: 3600
        T2: 5760
        IA Prefix
            Option: IA Prefix (26)
            Length: 25
            Preferred lifetime: 7200
            Valid lifetime: 7200
            Prefix length: 56
            Prefix address: 2600:4040:xxxx:xx00::

johnpoz

@DrPhil like I said the ISP doesn't always pay attention to what you ask for..

if your getting a /56 and your tracking and using the 0 and 1 you sure shouldn't have a /128 on the actual interface.. So when you look on pfsense it shows the /64 ?

Was that IP you showed with the /128 from a client on the network?

Under status interfaces what does the pfsense interface show - I don't use track, but it should show you a /64

edit, did you maybe set something odd in your RA?

edit: none of my linux boxes are currently using Ipv6, but I enabled it real quick on my windows pc, and via netstat -rn showing the routes I can see that its a /64

JKnott

@DrPhil

It would appear you're requesting and receiving a /56. I agree with @johnpoz there's something strange. When you're trying to resolve a problem, try to keep things simple. For example, use only SLAAC on the LAN.

As for the /128, that's fine on the WAN interface, but nowhere else. Your LAN should definitely be a /64.

BTW, why are you worried about revealing your prefix? Each /64 contains 18.4 billion, billion addresses, which means it's virtually impossible for an attacker to find anything. When disguising an actual device address, I will often just change some of the characters. In the capture I provided above, it was a capture I did years ago and has a different prefix from what I have now.

johnpoz

@JKnott said in Configure IPv6 on multiple LAN interfaces:

Each /64 contains 18.4 billion

While I agree with you there, might as well hide part of my prefix.. I have been seeing quite a bit of IPv6 noise of late.. To an address that yeah is in my space but I don't use - while scanning all of ipv6 space is an exercise in futility I agree..

But they find a way to scope out IP space to what is being used and then trim down the address space they query for.. For example I see bunch of scans to this IP.

not sure where they came up with this IP, maybe it use to be someone elses? But while that is in the prefix for my tunnel network to HE, and I have an IP on my gif interface in that prefix, it isn't that..

https://www.shadowserver.org/news/hello-ipv6-scanning-world/

So while scanning all of Ipv6 is pretty impossible - they find stuff to narrow down the search.. So makes sense not to spread your IPv6 or even its prefixes about.. Just to hope to keep the scanning to your prefixes down, even if it falls on deaf ears on yourside.

DrPhil

@johnpoz

I don't show a subnet mask IPv6 on my WAN interface.

I don't think I picked anything on Router Advertisement other than default.
Here's the one for LAN.

Here's my DMZ (called WWW).

Here's my LAN config. It shows a /60 (probably because that's what I put in the settings).

My windows (netstat -rn) shows a /60 as well.

johnpoz

@DrPhil well that is wrong.. A /60 on an interface is wrong, the only thing that should be on a interface unless like a wan link should be a /64

If you want a simple solution - I always got frustrated with isp deployment of IPv6, is just run a HE tunnel.. You get a /48 and stuff is static assigned by you ;)

And my current isp doesn't even have IPv6, but I still do via HE.

DrPhil

@johnpoz

I think my /60 DHCPv6 Prefix Delegation size on the WAN interface was causing some issues. I changed it to 56.

And also the 0 prefix ID for LAN was throwing someone off. I changed it to 1 (and just for fun, DMZ to f).

Now my LAN and DMZ are both showing a subnet mask of 64.

Now all seems to be working fine (I've thought that before as well, so can't be too sure).

My clients on LAN show three global dynamic v6 IPs. One is /64, two are /128.

My Linux client on DMZ shows two global dynamic v6 IPs. One is /64, other is /128. Both show as noprefixroute.

I am able to ping from LAN to DMZ (by default it's v6 now), and access websites hosted on the Linux server from LAN (besides browser, also checked with curl -6).

I'll test some more, but I think I got where I wanted to. Thank you @johnpoz and @JKnott so much!

johnpoz

@DrPhil yeah temp IPv6 ips can come up with those /128.. I always disable using temp Ipv6.. Not a fan ;)

So your all sorted - good to hear!

JKnott

@DrPhil said in Configure IPv6 on multiple LAN interfaces:

My clients on LAN show three global dynamic v6 IPs. One is /64, two are /128.

I have never seen a /128 on my LAN, only on the WAN interface.

Here are my ULA addresses:

ifconfig|grep fd48
inet6 fd48:1a37:2160:0:9d7c:5104:f34a:6866 prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:b9f:591:2bc7:d579 prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:ef38:748:d8d8:af1a prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:8799:673:5d34:d481 prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:10a7:8006:82e8:8b9e prefixlen 64 scopeid 0x0<global>

Not a single /128 among them. Same with my GUA.

Do you have something else that's assigning those /128s?

DrPhil

Do you have something else that's assigning those /128s?

What could it be?

johnpoz

@JKnott said in Configure IPv6 on multiple LAN interfaces:

have never seen a /128 on my LAN

See my output above - while I get my /64, there are 2 temp addresses there that are /128

This is a windows 10 machine, I normally would disable temp addresses on them.. But was playing with something a while back with Ipv6 and had reset windows network stack, etc.

JKnott

@johnpoz

I just checked on Windows 10 and also see /128, where I should see /64. I guess this is another example of where Microsoft does something weird (stupid?). Again, you should not see /128 on a LAN. Linux & pfSense (FreeBSD) show the correct /64.

johnpoz

@JKnott not going to disagree with you.. Was just pointing out that you can see that.. In MS infinite wisdom they don't even show you the prefix just looking at the IPs.. with say ipconfig, to see the prefix for IPv6 you have to look at the routing table..

I mean - sure the prefix should pretty much always be a /64, so I could see maybe leaving it off - but why not just show it.. So its easy to see there is a 64 on there and not some issue like what the OP was having with a /60 etc.

BTW if you couldn't tell my MS comment and wisdom is being sarcastic - heheh

ler762

@DrPhil said in Configure IPv6 on multiple LAN interfaces:

Hi,

I am trying to configure IPv6 on multiple LAN interfaces (LAN and DMZ).

Did you ever get this sorted? The thread seemed to peter out at the end...

What works for me on Verizon FIOS

Interfaces / Wan

• IPv4 Configuration Type dhcp
• IPv6 Configuration Type dhcp6
• DHCPv6 Prefix Delegation size 56
• Send IPv6 prefix hint checked
• Do not wait for a RA checked

it ends up looking a bit weird -- only a link local (FE80::something) configured on the Wan interface, but it works (you can probably find the RFC about using only ipv6 link local addresses on routers - I'm not going to bother searching)

Then on the LAN interfaces

• IPv6 Configuration Type Track interface
  and under "Track IPv6 Interface"
• IPv6 Interface WAN
• IPv6 Prefix ID <pick a unique number -- I like using the vlan #>

Then under "Services / DHCPv6 Server"

• DHCPv6 Server gets checked
• Range pick something
• Prefix Delegation Size is 64
• Default lease time I used the 7200 default
• Max lease time I went with 28800. I started with one day but the dhcpv6 address occasionally showed up as deprecated and 'valid_lft forever preferred_lft 0sec'

Hopefully that's a good enuf description :)