pfSense static ipv6 address on LAN tracking delegated prefix?
-
I get a delegated /64 from Comcast, and am able to assign reserved DHCP LAN IPs within this prefix for a few hosts on my LAN that need a static IP. For example an ssh bastion host gets a reserved LAN IP of (for example) [delegated-prefix]::10.
However, the LAN address for the firewall itself is a random 64-bit string, such as [delegated-prefix]:203:21f5:fe70:3cfe.
What I'd like to do is assign to the gateway's LAN interface the address [delegated-prefix]::1. It's not clear how the firewall's IPv6 LAN address is generated.
I tried adding a DHCPv6 reservation with the firewall's DUID. This doesn't actually assign the static IP, but surprisingly DOES create a DNS entry.
Is there a way to give the firewall's LAN interface a static IPv6 address within the delegated prefix?
-
Anyone...? Bueller...? Bueller...?
-
@jhg A good question, and one that came to me a couple of days ago as I was tinkering with DHCPv6. I haven't been able to find an answer either, but from what I can see the address is based on the MAC address of the interface with a few additional bytes thrown in as fillers.
-
@jhg I believe in some (all?) places an incomplete IP will be expanded, so ::153 would use the prefix. Though ::1 is localhost so that doesn’t help you with the LAN IP but if you are looking to reference LAN devices it should help.
-
@jhg said in pfSense static ipv6 address on LAN tracking delegated prefix?:
Is there a way to give the firewall's LAN interface a static IPv6 address within the delegated prefix?
If that prefix is really static, you could create the LAN-address on your own I think. Or better create it as a VIP.
But in the end, why do you want to do all of that in the first place? And getting only one /64 is bad anyways.
-
@jhg said in pfSense static ipv6 address on LAN tracking delegated prefix?:
Is there a way to give the firewall's LAN interface a static IPv6 address within the delegated prefix?
I know of one 'official' way: you have to do this if you really get a /64 (probably way bigger) to assign to your LAN(s).
Normally, ISPs don't do this, you need to have the dhcp6c on WAN asking for at least one 'prefix', and have that assigned to your LAN using Tracking mode.
Create a free account here: https://tunnelbroker.net
From here on, it's easy:
Assign statically the xxx:5c0:2 to your WAN IPv6.
Because they give you a /48, don't even bother with the announced /64 = xxx:5c0::/64
Assign statically the first 2001:471:c8xx:0::/64 (from the /48 pool) to your first LAN.
Assign statically the first 2001:471:c8xx:1::/64 (from the /48 pool) to your second LAN.
Etc, continue like that 65533 times for 65535 LANs ^^
I've been using this 'setup' for nearly a decade, and it was just perfect.
Well, close to perfect, as an IPv6 over IPv4 tunnel is used to the closest he.net access point, Paris for me (216.66.84.42). My IPv4 WAN speed was about 25 Mbits/sec back then, and I'm not sure they will follow my current speed, > 1 Gbits right now.
But again : it worked flawlessly.
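-
Added example, not part of any post in this thread: a Python sketch of the addressing arithmetic discussed above, deriving the n-th /64 from a delegated prefix and recomputing fixed-suffix addresses (the ::1 and ::10 from the question) whenever the prefix changes. The function names and the 2001:db8 documentation prefixes are constructed for illustration; this does not configure pfSense, it only computes the addresses that firewall rules, DNS records or allow-lists would have to follow.

```python
import ipaddress

def lan_subnet(delegated: str, index: int) -> ipaddress.IPv6Network:
    """Return the index-th /64 inside a delegated prefix (/64 or shorter)."""
    net = ipaddress.IPv6Network(delegated)  # rejects prefixes with host bits set
    if net.prefixlen > 64:
        raise ValueError("delegated prefix is longer than /64")
    count = 1 << (64 - net.prefixlen)       # a /48 holds 65536, a /64 holds 1
    if not 0 <= index < count:
        raise ValueError(f"index {index} out of range: prefix holds {count} /64(s)")
    base = int(net.network_address) + (index << 64)
    return ipaddress.IPv6Network((base, 64))

def host_address(subnet: ipaddress.IPv6Network, iid: str) -> ipaddress.IPv6Address:
    """Combine a /64 with a fixed interface ID written like '::1' or '::10'."""
    suffix = int(ipaddress.IPv6Address(iid))
    if suffix >> 64:
        raise ValueError("interface ID must fit in the low 64 bits")
    if suffix == 0:
        # all-zero interface ID is the subnet-router anycast address (RFC 4291)
        raise ValueError("interface ID ::0 is reserved")
    return ipaddress.IPv6Address(int(subnet.network_address) | suffix)

def renumber(delegated: str, hosts: dict, index: int = 0) -> dict:
    """Recompute every fixed-suffix address after the delegated prefix changes."""
    subnet = lan_subnet(delegated, index)
    return {name: str(host_address(subnet, iid)) for name, iid in hosts.items()}

# Interface IDs taken from the question; the prefixes below are constructed.
HOSTS = {"gateway": "::1", "bastion": "::10"}

if __name__ == "__main__":
    # A single delegated /64: only index 0 exists.
    print(renumber("2001:db8:aaaa:1::/64", HOSTS))
    # The same hosts after the ISP hands out a different /64.
    print(renumber("2001:db8:bbbb:7::/64", HOSTS))
    # A /48: one /64 per LAN, as in the numbering plan in the last post.
    for lan in range(3):
        print(lan, lan_subnet("2001:db8:abcd::/48", lan))
```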