ULA address in addition to tracking interface

pixel24 · Feb 28, 2024, 1:47 PM

Hi@all,

I am running a pfSense (2.7.2) behind a Fritz!Box (6690). The connection is a DS-Light (cable) from Vodafone.

I get a PD /59 from the provider

In the FB I have configured that the prefix is passed on to the pfSense. In the pfSense, the interfaches (IPv6) are configured as follows:

WAN: DHCP6
LAN: Tracking Interface

In the LAN, all VMs have an address from the provider via SLAAC as well as an additional ULA address. I can also reach my servers in the LAN (behind the pfSense) externally using their public IPv6. For internal use, all servers should also have a fixed ULA address in addition to the SLAAC. I have set this up on all servers.

How can I setup this on the pfSense?

with best
pixel24

the other · Feb 28, 2024, 2:04 PM

@pixel24
hey there,
I don't understand this statement:
@pixel24 said in ULA address in addition to tracking interface:

all servers should also have a fixed ULA address in addition to the SLAAC

Do you mean in addition to their global unique address (GUA)?
SLAAC meaning the "build" their own host-part of the address instead of getting them via dhcpv6?

In pfsense, you can configure ULAs under
Service > Router advertisements...
Here I go with router = unmanaged
Then (same place) set you ULA prefix (RA subnets) and that should be enough...
In case you have different subnets (not just 1 LAN) you can set your subnet ID under
Interfaces > here Track IPv6 Interface > IPv6 Prefix ID

Have it running here (also behind Fritzbox) in 3 VLANs...no fixed IP but reserved and with SLAAC (no DHCPv6).
Hope that helps a little bit. :)

edit: btw...in case you are German (speaking) there is a site for homenetworks with tutorials....https://www.heimnetz.de/anleitungen/router/avm-fritzbox/fritzbox-ipv6-pfsense/
(hope it is okay to post a link here, if not -dear moderators- let me know and I delete it)...

Bob.Dig · Feb 28, 2024, 2:38 PM

@pixel24 said in ULA address in addition to tracking interface:

with best

what?

the other · Feb 28, 2024, 2:40 PM

@Bob-Dig ...intentions? Whishes for the season (a bit early)? Regards?

pixel24 · Feb 28, 2024, 2:47 PM

Perhaps I have expressed myself badly or I am making a mistake. The router advertisements work. All devices in the LAN whose head configuration for IPv6 is set to "auto" receive an IPv6 address from the Proviser.

From the provider comes:

IPv6-Präfix: 2a02:xxxx:2180:8e00::/59

I do the forwarding (FB -> pfSense):

-> 2a02:xxxx:2180:8e10::/62

The pfSense settings:

pfSense now has the addresses:

At Strato, a subdomain is set up for each host and the public IPv6 address is entered in the AAA record.

I can reach all hosts that I have enabled in the firewall from outside. Everything works so far.

Should the provider fail or even be changed, the internal LAN with IPv6 no longer works.

I have therefore configured a fixed ULA address on all servers in addition to SLAAC.

On the pfSense, I would now also like to have a static ULA address on the LAN interface in addition to the automatically set one.

Can I configure this somewhere?

pixel24 · Feb 28, 2024, 2:49 PM

This is what it looks like on an Ubuntu server VM:

2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    altname enp6s18
    inet 192.168.xx.10/24 brd 192.168.xx.255 scope global dynamic ens18
       valid_lft 42827sec preferred_lft 42827sec
    inet6 2a02:xxxx:xxxx:8e1c:5c20:3aff:fef7:e3ee/64 scope global dynamic mngtmpaddr 
       valid_lft 86303sec preferred_lft 14303sec
    inet6 fdd0:xxxx:f4c::a/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::5c20:3aff:fef7:e3ee/64 scope link 
       valid_lft forever preferred_lft forever

pst · Feb 28, 2024, 3:05 PM

@pixel24 said in ULA address in addition to tracking interface:

On the pfSense, I would now also like to have a static ULA address on the LAN interface in addition to the automatically set one.

Can I configure this somewhere?

You can add a virtual IP, go to / Firewall / Virtual IPs / Add / IP Alias for the required interface(s)

the other · Feb 28, 2024, 3:07 PM

@pixel24 hey there,
so you want to use SLAAC and in addition fixed IPv6?

In case your provider stops working (or pauses) your clients still have their link locale. Since you have just 1 LAN (no subnets) that should work as a fallback, since these are working in ONE network (but will not be routed > between networks). So ULA is nice but not really necessary.

You could use SLAAC only. This will grant you a host suffix by generating that part of the address from device's MAC. It can be used for ULA and GUA. It is not that nice, as those addresses are configured out of MAC, so something easy to remember as "fd::a" won't show, it would be something more complicated. Here: just use hostnames, set under your DNS resolver host overrides. I do not remember the ULA but the hostname (or fqdn).
Another approach would be to enter your host suffix in your dhcpv6. Here: https://docs.netgate.com/pfsense/en/latest/interfaces/configure-ipv6.html

But I might not get your point (which must be my fault since it's been a rough workday so far). :)

JKnott · Feb 28, 2024, 3:17 PM

@pixel24 said in ULA address in addition to tracking interface:

How can I setup this on the pfSense?

Using Unique Local Addresses

Bob.Dig · Feb 28, 2024, 5:10 PM

You need a patch for this to work fully. But this patch is buggy. You will not be able to turn on IPv6 via track on another interface with this patch applied.

pixel24 · Feb 28, 2024, 4:37 PM

I have now configured the ULA address as described in the instructions:

I can reach a server in the LAN at its IPv6 ULA address via the diagnostics:

Do I understand the linked article (ULA bug) correctly that the problem is that it does not appear here? :

The network (ULA) is missing here. A patch is mentioned in the article on the ULA bug.

I have never applied a patch, can anyone tell me how it works?

JKnott · Feb 28, 2024, 8:47 PM

@pixel24

Why is part of this in English and part of some other language? It makes it hard to know what I'm looking at.

BTW, there's no need to hide part of the ULA address. Like RFC 1918 IPv4 addresses, they can't be reached from elsewhere.

the other · Feb 28, 2024, 8:52 PM

@JKnott
It's pfsense GUI with German language setting.
Might be a good idea for the original poster to switch to english and post those shots again to reach mor ppl here (*winkwink)

pixel24 · Feb 29, 2024, 8:15 AM

@the-other said in ULA address in addition to tracking interface:

@JKnott
It's pfsense GUI with German language setting.
Might be a good idea for the original poster to switch to english and post those shots again to reach mor ppl here (*winkwink)

Sorry! I switch my UI to english

pixel24 · Feb 29, 2024, 8:34 AM

I have

Services -> Router Advertisement

RA subnet(s): fdd0:a044:0f4c:0000:: /64

Firewall -> Virtual IP's -A Add

Type: IP alias
Interface: LAN
Address type: Single address
Address(es): fdd0:a044:f4c::fe
Description: ULA address LAN

configured. Do I understand the problem correctly that now under: DiagnosticsTables -> LAN_NETWORK

the IPv6 ULA network (fdd0:a044:0f4c:0000::) should appear?

JKnott · Feb 29, 2024, 2:29 PM

@pixel24 said in ULA address in addition to tracking interface:

the IPv6 ULA network (fdd0:a044:0f4c:0000::) should appear?

Where do you find that? I don't see anything like that.

I see you're running 2.7.2 and I have 2.7.0, but I wouldn't expect that to cause the difference.

pixel24 · Feb 29, 2024, 4:12 PM

@pixel24 said in ULA address in addition to tracking interface:

the IPv6 ULA network (fdd0:a044:0f4c:0000::) should appear?

I asked this question because I was given the hint in the post above that I need a patch and also a link to a longer post here in the forum. In this post it was written that the ULA network is not under: DiagnosticsTables -> LAN_NETWORK.

I wanted to know if this should be the case. Maybe I didn't understand the problem in the linked post correctly :-(

the other · Feb 29, 2024, 6:22 PM

@pixel24 hey there,
nope: that patch mentioned was thought to fix a bug (vip IPs in rules stopped working after pfsense update > bug > patch > another problem occurred). Besides (!) that pfsense does not show ulas only gua and link locale (if I recall that right).

Now: you could add a new ula and it seems to be working (ping gets thru).
In tables (=tabellen) it shows your local IPv4 and your (?) gua...I assume you have rules including those two on that interface, so they show. No rule for ula yet? Won't show there then.

So: Dashboard won't show ula, tables will show in case you set a rule including it, status > interfaces only shows gua and local link but no ula...but it is working.

What did do? For example: go to diagnostics > command prompt and type "ipconfig" enter....tadaaaa....you should now see your interfaces and any assigned IP including ulas.
So you can see if and what address(es) interfaces use. I do not know of any other way under GUI to get pfsense to show its ula addresses.

BTW: IF you have a firewall rule including a GUA in LAN and your prefix changes (if your ISP is giving you dynamic ones) then your rule might become obsolet...that's one of the real messy things with IPv6, dynamic prefixes and pfsense IMHO...

pixel24 · Mar 1, 2024, 8:57 AM

Thank you for the explanation! Then I don't need this patch :-)

With ifconfig on the console I see all addresses :-)

Yes, I still have the problem with the dynamic IPv6 prefix. To "work around" this, I tried to "route" the incoming IPv6 connections with the HA proxy to the appropriate ULA address based on the URL called:

https://forum.netgate.com/topic/186422/provider-prefix-delegation-prefix-changes-ha-proxy/3

which unfortunately does not work :-(