    SLAAC versus DHCPv6

    40 Posts 9 Posters 12.5k Views 10 Watching
    • B Offline
      bschapendonk
      last edited by bschapendonk

      I have been using SLAAC only for a few months now (Windows 24H2 now picks up the DNS server using RDNSS in dual-stack mode).

      It just works; just add the IPv4/6 addresses to the DNS Resolver by hand using host overrides (this also bypasses all the "not ready yet" issues with Kea DHCPv4, for private stuff, and in a public DNS for public stuff (SLAAC has been stable for me), so Kea also works fine for v4, except if you have VLANs and move hosts between them, which requires a manual deletion of the leases).

      I see no reason to use DHCPv6; I would rather have a pseudo-random address than a sequential one (DHCPv6 does this), just add it to DNS and be done with it.

      • R Offline
        ronv42 @eagle61
        last edited by

        @eagle61 said in SLAAC versus DHCPv6:

        So only if you run a server behind your pfSense does it make sense to use and activate the DHCPv6 server of the Sense, and make sure this way that the server will always get an IPv6 address depending on its MAC address, even if the IPv6 prefix changes every day because your ISP wants it so.

        Just remember that DHCPv6 uses the DUID for assigning the IPv6 address, not the MAC address. Other than that, you are correct: DHCPv6 is mostly for those of us that want static addresses. As for those darn ISPs that think switching out IPs every 24 hours is a great way to manage a network, all this does is bring a lot of problems with IPv6. I have been lucky that AT&T hasn't touched my IP address in 12 years.

        • JKnottJ Offline
          JKnott @eagle61
          last edited by

          @eagle61 said in SLAAC versus DHCPv6:

          You will need to use DHCPv6 if you have Servers that shall be reachable via IPv6 from Internet for example in DMZ-local Network of your sense.

          In all other cases SLAAC is sufficient.

          Nonsense. SLAAC works fine for servers. Just use the consistent address.

          Next is the IPv6 Privacy Extension. This means the IPv6 address will be changed every 2 hours or so. Privacy Extension is default on most OSes like Windows, Linux, Mac, Android, etc. So these OSes do not want a fixed IPv6 address by default settings at all, to keep you private while surfing the net.

          You get a new privacy address every day, up to 7.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • E Offline
            eagle61 @ronv42
            last edited by

            @ronv42 said in SLAAC versus DHCPv6:

            Just remember that DHCPv6 uses DUID for assigning the IPv6 address not the MAC address

            It depends on the OS. Debian (12) Server still generates the IPv6 address based on the MAC address: the first /64 based on the IPv6 prefix, the last /64 on the MAC.

            Example:
            inet6 XXXX:XXXX:XXXX:XXXX:5052:11ff:fe98:bb16
            MAC 52:52:11:98:bb:16
            The ff:fe is always added to the middle part in the same way.
            So if you know that ff:fe is always the same, you know the MAC address by recording the IPv6 address. This is the default when using network/interfaces in auto or dhcp6 mode for IPv6.

            Using Ubuntu Server instead of Debian it might be different, and it may use the DUID, since Ubuntu Server does not use network/interfaces but Netplan. Since I never use any Windows, no idea what this OS does or not. It's anyway the most worthless OS ever.

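As an added example (not code from the thread or from any of its posters), here is the EUI-64 derivation eagle61 describes, carried out in Python with the standard library only: the MAC is split in two, ff:fe is inserted, and the universal/local bit of the first octet is flipped, which is why 52:52:... shows up as 5052:... in the post. The reverse function recovers the MAC from any address carrying the ff:fe marker, which is exactly what makes a MAC-based interface identifier trackable across prefix changes and why privacy extensions exist. The prefix 2001:db8:1:2::/64 is the documentation prefix standing in for the XXXX placeholders; the sample client addresses are constructed.

```python
"""Modified EUI-64: MAC <-> IPv6 interface identifier (added example, stdlib only)."""
import ipaddress
from typing import Dict, Iterable, Optional


def _mac_bytes(mac: str) -> bytes:
    """Parse '52:52:11:98:bb:16' (or the dashed form) into 6 raw octets."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A):
    insert ff:fe between the OUI half and the device half of the MAC,
    then flip the universal/local bit (0x02) of the first octet."""
    m = _mac_bytes(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host forms by SLAAC from an advertised /64 prefix and its
    MAC (works for the global prefix and for fe80::/64 alike)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str) -> Optional[str]:
    """Reverse the derivation. Returns the MAC when the low 64 bits carry
    the ff:fe marker, else None (random / privacy-extension identifiers).
    Heuristic: a random IID has ff:fe at that position with probability 2**-16."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(addr: str) -> str:
    """'eui64' when the hardware address is recoverable, 'opaque' otherwise."""
    return "eui64" if mac_from_address(addr) is not None else "opaque"


def summarize(addrs: Iterable[str]) -> Dict[str, str]:
    """Map each address to its recovered MAC or to 'opaque': the check one
    would run over a DNS or DHCP client list to see which hosts expose
    their hardware address in every connection they make."""
    return {a: (mac_from_address(a) or "opaque") for a in addrs}


# Constructed sample inputs (not taken from the thread): the documentation
# prefix stands in for the XXXX placeholders; the MAC is the one in the post.
PREFIX = "2001:db8:1:2::/64"
MAC = "52:52:11:98:bb:16"
SAMPLE_CLIENTS = [
    "2001:db8:1:2:5052:11ff:fe98:bb16",   # EUI-64 derived from MAC above
    "fe80::5052:11ff:fe98:bb16",          # same host, link-local scope
    "2001:db8:1:2:1c2d:9e0f:7b6a:3d41",   # privacy-extension style (random IID)
]

if __name__ == "__main__":
    print(slaac_address(PREFIX, MAC))
    for addr, result in summarize(SAMPLE_CLIENTS).items():
        print(f"{addr:40} {result}")
```

Addresses formed with privacy extensions, or by systems that default to random interface identifiers (Windows does this), come back as "opaque" because nothing in their low 64 bits is derived from the MAC; only hosts in the EUI-64 group keep the same recognizable identifier after a prefix change.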
            • J Offline
              Jung-Fernmelder @eagle61
              last edited by

              @eagle61 said in SLAAC versus DHCPv6:

              Debian (12) Server

              Is there a special release of Debian for servers? I just use Debian stable for both servers and personal computers. It's the best operating system I've ever used, much better than any release of Windows.

              @eagle61 said in SLAAC versus DHCPv6:

              Debian (12) Server still generates the IPv6-Adress based on MAC-Address

              Privacy extensions can be enabled by editing /etc/network/interfaces if needed. I think that you can add "privext 2" to the corresponding interface.

              • E Offline
                eagle61 @Jung-Fernmelder
                last edited by eagle61

                @Jung-Fernmelder said in SLAAC versus DHCPv6:

                Is there a special release of Debian for servers?

                Not a special release of Debian for servers, but a different option to install Debian. If you choose in the installation routine to install Debian as a server, you will have /network/interfaces as the tool to manage your network connections.
                If you choose in the installation routine to install Debian with a full desktop (i.e. XFCE, KDE, Gnome), then it will not only install many more packages out of the box, like LibreOffice, Firefox and such, but also Network Manager to manage your network connections.

                I use Debian only as a server OS, so in server mode.
                As the OS on notebooks I use Ubuntu instead. Ubuntu also uses Network Manager to manage your network connections if installed with a full desktop (in my case XFCE).
                The behavior of Network Manager, Netplan and /etc/network/interfaces regarding IPv6 is by default different, not the same. That's why I mentioned the installation as server, to make sure it's not a desktop installation with different behavior.

                But for the network interface of my pfSense that I use to connect devices via WiFi I do not use the DHCPv6 server but SLAAC only (Router Advertisements = Unmanaged), since I also use Android devices to connect there. On the network interface of my pfSense that I use to connect my Debian servers I do use the DHCPv6 server, not SLAAC (Router Advertisements = Managed).
                The reason is that one of the Debian servers is a server with a Nextcloud I want to reach via IPv6 from all over the Internet.
                Since my ISP forces a reconnect every 24 hours, I get a new IPv6 prefix every 24 hours. So I use pfSense's Kea DHCPv6 server and a DynDNS service to manage the resulting change of IPv6 address every 24 hours.

                Privacy extensions can be enabled by editing the /etc/network/interfaces if needed.

                Yes, but in the case of a server that shall be reached from the Internet, that does not make much sense. I keep the last /64 of the IPv6 address static, and Kea manages to change the prefix only after the 24-hour reconnect. So on the side of the DynDNS service provider, to manage the AAAA record, I can use the format "Interface-ID" (ex. ::6743:12::f9aa::44a1), and the DynDNS service provider just receives from pfSense the changed prefix to create the full new IPv6 address of the Nextcloud every 24 hours. This would also work with the format "EUI-64 MAC" (ex. 3C:49:37:12:26:B3) if the MAC is used, not the DUID.

                • T Offline
                  tibere86
                  last edited by

                  I have debated SLAAC vs. DHCPv6 myself. At the end, I prefer SLAAC as it's "hands off" easy management.

                  The issue I have run into is with RA. When I enable SLAAC (fully disable DHCPv6), set the router priority to HIGH and advertise my Pi-hole instance as the IPv4 + IPv6 DNS server, the Pi-hole instance gets inundated with new IPv6 clients, to the point where there will be thousands of clients registered in Pi-hole, bogging it down, even though there are only ~30 devices on my network. Is this due to the SLAAC privacy IP rotation?

                  I have never been able to solve this. I have no issues when I leave RA DNS servers as default (router).

                  • keyserK Offline
                    keyser Rebel Alliance @Jung-Fernmelder
                    last edited by keyser

                    @Jung-Fernmelder Honestly, IPv6 client side is just not industry mature yet. It works fine if you can control everything on the clients, but there are WAY too many options/standards or OS/vendor specific issues to make IPv6 really easy to use AND manage.

                    It’s a pita that they cocked up IPv6 so much. There was a lot of potential in IPv6 before all the petty squabbles and lack of unified standards broke everything.

                    As long as an IPv4 address is required to reach all corners of the Internet, just disable IPv6, and make your life A LOT easier.

                    Love the no fuss of using the official appliances :-)

                    • R Offline
                      ronv42
                      last edited by

                      I think the real issue is that for consumers SLAAC was supposed to make provisioning of single-segment home networks "just work". But then ISPs, being the center of all control, didn't follow the outlined best practice that a /54 or /60 is the base prefix, allowing the IPv6 addresses to be "persistent". Too many ISPs will only issue a /64 for one segment and expire the address every 24 hours, forcing the network and devices to re-address each time.

                      If things were different, I would have engineered the IPv6 internet so that I pay per year for a block of IPv6 addresses (/54) that would be portable to any ISP, and the ISP just becomes a pipe. The ISP shouldn't have the power to revoke addresses based on a policy that blows in the wind.

                      On the client side there would be only two rules: SLAAC, or DHCPv6 assisted by SLAAC for router and DNS information for static addressing.

                      • JKnottJ Offline
                        JKnott @keyser
                        last edited by

                        @keyser said in SLAAC versus DHCPv6:

                        It’s a pita that they cocked up IPv6 so much.

                        No. It was Google that didn't enable DHCPv6 on Android or Chrome devices.


                        • keyserK Offline
                          keyser Rebel Alliance @JKnott
                          last edited by

                          @JKnott said in SLAAC versus DHCPv6:

                          No. It was Google that didn't enable DHCPv6 on Android or Chrome devices.

                          It’s a little more complicated than that. I have yet to successfully attach pfSense directly to an ISP and have IPv6 working (tried 4 different ISPs that all “support” IPv6 now). If you set it up behind the ISP's router, where they have made sure basic Windows/Linux clients work, then pfSense will also work. But anything directly linked to the ISP fiber/bridge-mode box is a PITA to get IPv6 working properly.

                          The problems come from the MILLIONS of options both the SLAAC and the DHCPv6 process offer, and if the client does not send the right parameters, use the correct intervals or accept persistence, something/everything IPv6 related stops working.
                          On top of that, the dhcp6c client in pfSense doesn’t support many of the DHCPv6 options that I have seen ISPs require to get IPv6 going, or it doesn’t support the specific combo of settings/intervals needed to keep it going after the initial lease is accepted.

                          Granted, this is mainly the ISPs that are cocking up things, but the fact that it CAN require so much special config with very specific settings and configurations to get basic DHCPv6 going just shows it’s not matured yet (or standardized properly).

                          Love the no fuss of using the official appliances :-)

                          • P Offline
                            Patch @ronv42
                            last edited by Patch

                            @ronv42 said in SLAAC versus DHCPv6:

                            Too many ISPs will only issue a /64 for one segment and expire the address every 24 hours, forcing the network and devices to re-address each time.

                            If things were different, I would have engineered IPv6 internet where I pay per year for a block of IPv6 addresses /54

                            You are describing the difference between a static and dynamic IP address.

                            • Static is better for a public or at least internet accessible server (dynamic Domain name not required)

                            • Dynamic is better for user privacy (IP with mask shows ISP user has used to access internet rather than which user internet account was used).

                            • JKnottJ Offline
                              JKnott @Patch
                              last edited by

                              @Patch said in SLAAC versus DHCPv6:

                              You are describing the difference between a static and dynamic IP address.

                              If the ISP honours the DUID the prefix should be essentially static. I've had the same prefix for well over 5 years. That's "static" enough for me. 😉


                              • P Offline
                                Patch @JKnott
                                last edited by

                                @JKnott
                                Not sure why that was addressed to me. I was describing the different use case for static and dynamic IP, not how to get a static IP.

                                • JKnottJ Offline
                                  JKnott @Patch
                                  last edited by

                                  @Patch

                                  Well, I did respond to your post. However, the last line about dynamic is better for privacy is wrong. With SLAAC you get up to 7 privacy addresses, based on a random number. You get a new one every day, with the oldest falling off the list. The most recent is the address used for outgoing connections. The consistent address, which can be based on either the MAC address or a random number, can be used for things like VPN access to your network. Unless the DHCPv6 address changes every day, it's actually worse for privacy.


                                  • R Offline
                                    ronv42 @JKnott
                                    last edited by

                                    @JKnott I don't know if you have Comcast or not. I am fighting them for a site I just hooked up in Northbrook, Illinois. Every 24 hours they re-allocate the darn IPv6. They are handing out a /60, but it's a PITA. I will be removing their Xfinity gateway and going with a vanilla cable modem and seeing if this gets rid of the IP address swaps they are doing. Comcast plays so many games to upsell features you will never use through their crappy gateway to get a discount.

                                    • JKnottJ Offline
                                      JKnott @ronv42
                                      last edited by

                                      @ronv42

                                      I'm on Rogers and they use the same equipment as Comcast. However, there is a setting in pfSense that may affect this. It's System / Advanced / Networking / Do not allow PD/Address release. If that's not selected, the prefix will change frequently.


                                      • P Offline
                                        Patch @JKnott
                                        last edited by Patch

                                        @JKnott said in SLAAC versus DHCPv6:

                                        line about dynamic is better for privacy is wrong. With SLAAC you get up to 7 privacy addresses, based on a random number.

                                        They are all in the same range provided by the ISP, readily revealed by masking any one of these addresses.

                                        • A dynamic ISP address range publishes which ISP the user is connected to the internet by
                                        • A static ISP address publishes your personal address range

                                        Then if one of the devices on your network has location services enabled for "Network & Wireless" or through your browser then the "privacy" addresses have your street address encoded in every internet communication.

                                        Recording addresses over time is likely to reveal what the 7 "private" addresses are for each device.

                                        So a static IP address range is not really very private at all in my opinion.

                                        • JKnottJ Offline
                                          JKnott @Patch
                                          last edited by JKnott

                                          @Patch said in SLAAC versus DHCPv6:

                                          they are all in the same range provided by the ISP, readily revealed by masking the address of any one of these addresses.

                                          A dynamic ISP address range publishes which ISP the user is connected to the internet by.
                                          A static ISP address publishes your personal address range.
                                          Recording addresses over time is likely to reveal what the 7 "private" addresses are for each device.

                                          My WAN address is provided by DHCPv6, along with my prefix. It makes no difference whether I use SLAAC or DHCPv6 on my LAN, with regard to my prefix. It will be the same either way. The only issue is whether the ISP will honour the DUID.

                                          One other thing, with the huge address block within a /64, an attacker would have a hard time finding something to attack, even if they knew the prefix. A single /64 contains 18.4 billion, billion addresses. Compare this to a bit over 4 billion for the entire IPv4 address range. Of course there's a firewall called pfSense that goes a long way to keeping attackers out! 😉


                                          • R Offline
                                            ronv42 @JKnott
                                            last edited by

                                            @JKnott said in SLAAC versus DHCPv6:

                                            One other thing, with the huge address block within a /64, an attacker would have a hard time finding something to attack, even if they knew the prefix. A single /64 contains 18.4 billion, billion addresses. Compare this to a bit over 4 billion for the entire IPv4 address range. Of course, there's a firewall called pfSense that goes a long way to keeping attackers out!

                                            Now do the math with a /60: 16 x 18.4 billion billion. There is a reason I never see IPv6 address scans, but I still see port scans: once a nefarious site logs your IPv6, they have the basic IP subnet, and it would take forever to scan through all those addresses.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.