Netgate Discussion Forum

Delegate IPv6 subnet to only specific MAC addresses

Category: IPv6
    Bob.Dig @SteveITS, Oct 15, 2024, 6:55 AM (edited Oct 15, 2024, 7:53 AM)

    @SteveITS said in Delegate IPv6 subnet to only specific MAC addresses:

    In pfSense can I assign specific subnets to specific MAC addresses?

    I am not sure what is meant by that. Also a small network diagram could help. Is your IPv6 dynamic or static? If it is dynamic, I wouldn't bother in a business environment.

      SteveITS @Bob.Dig, Oct 15, 2024, 10:07 PM

      @Bob-Dig Hi Bob, let me back up a bit...we currently have it set up so DHCPv4 allows only defined MAC addresses. Anyone else plugging in to one of our jacks can't get an IP and can't get out (there are also firewall rules).

      If I just enable IPv6 we need to do the same. DHCPv6 server has an option to deny unknown clients but I only see an option to reserve a single IPv6. What we'd need to do is assign each tenant router LAN a /64.

      If it doesn't/can't work to do that I'd like to enable IPv6 at least for our office.

      [Comcast router] -- [building router] -- [tenant office router] -- [tenant PCs]

      Assume, a couple dozen tenants.

      Thanks,

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

        johnpoz (Global Moderator) @SteveITS, Oct 15, 2024, 11:27 PM (edited Oct 15, 2024, 11:28 PM)

        @SteveITS What prefix delegation are you getting from your ISP? Do you have, say, a /56 from them? This is way less complicated if you actually have a prefix from them like a /56 or /48, vs. trying to then delegate a sub-prefix from your prefix and then having their routers use what you delegate to them for their clients or segments.

        If you had say a /56, you could sub that down and route up to 256 /64s to your different clients.

        Problem is if your delegated /56 changes from your ISP it's a whole PITA for everything to change to whatever your new delegation is.

        If it were me and your goal is to give your tenants IPv6 space, and you don't have an actual assignment from your ISP that is not going to change, and you don't want to get, say, a /32 from ARIN, which isn't free for sure, I'd get a /48 from Hurricane Electric and break that up however you want to assign to your tenants.

        Are they bugging you for IPv6? If not I wouldn't bother with it.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

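The arithmetic behind johnpoz's post (a /56 holds 256 /64s, and a change of the delegated /56 moves every tenant) as an added worked example. This is not pfSense code and was not posted in the thread; all prefixes are constructed values from the 2001:db8::/32 documentation range, and the tenant names, the index-per-tenant scheme and the function names `capacity`, `carve` and `renumber` are this example's own.

```python
"""
Carve an ISP-delegated IPv6 prefix into per-tenant /64s by fixed index, and show
what a change of the parent prefix does to every assignment.

Added example, not pfSense or forum code. All prefixes are constructed values
from the 2001:db8::/32 documentation range; tenant names are made up.
"""
import ipaddress
from typing import Dict, Tuple

IPv6Net = ipaddress.IPv6Network


def capacity(delegated: str, tenant_len: int = 64) -> int:
    """Number of tenant_len sub-prefixes inside the delegated prefix
    (256 for a /56, 65536 for a /48)."""
    parent = IPv6Net(delegated, strict=True)
    if tenant_len < parent.prefixlen:
        raise ValueError("tenant prefix must not be shorter than the delegated one")
    return 1 << (tenant_len - parent.prefixlen)


def carve(delegated: str, tenants: Dict[str, int],
          tenant_len: int = 64) -> Dict[str, IPv6Net]:
    """Map each tenant to the sub-prefix at its index inside `delegated`.

    The index (e.g. a suite number) is what must stay stable per tenant; the
    tenant keeps the same /64 only as long as the parent prefix does not move.
    Computed arithmetically so a /48 does not materialise 65536 networks.
    """
    parent = IPv6Net(delegated, strict=True)
    slots = capacity(delegated, tenant_len)
    base = int(parent.network_address)
    shift = 128 - tenant_len
    out: Dict[str, IPv6Net] = {}
    for name, index in tenants.items():
        if not 0 <= index < slots:
            raise ValueError(f"{name}: index {index} outside 0..{slots - 1}")
        out[name] = IPv6Net((base + (index << shift), tenant_len))
    return out


def renumber(old: Dict[str, IPv6Net],
             new: Dict[str, IPv6Net]) -> Dict[str, Tuple[IPv6Net, IPv6Net]]:
    """Tenants whose prefix changed between two carvings, as old -> new pairs."""
    return {t: (old[t], new[t]) for t in old if t in new and old[t] != new[t]}


if __name__ == "__main__":
    tenants = {"building-lan": 0, "our-office": 1, "suite-210": 0x10}
    before = carve("2001:db8:abcd:100::/56", tenants)
    # Constructed scenario: the ISP hands out a different /56 after a router swap.
    after = carve("2001:db8:abcd:200::/56", tenants)
    for name, net in before.items():
        print(f"{name:14} {net}")
    print("renumbered:", renumber(before, after))
```

Keeping the tenant-to-index table outside the router config is what makes a forced renumbering mechanical: re-run the carving with the new parent prefix and push the new /64s, rather than editing each tenant's static assignment by hand.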
          Gertjan @SteveITS, Oct 16, 2024, 6:03 AM (edited Oct 16, 2024, 6:04 AM)

          @SteveITS said in Delegate IPv6 subnet to only specific MAC addresses:

          In pfSense can I assign specific subnets to specific MAC addresses?

          "IPv6" attribution has little to do with the MAC.
          It's all DUID based, some magic number generated by the client based on the position of the moon, the date, maybe the MAC, and other hardware present, and some other numbers that can be static, or less static.

          For pfSense you can actually set the DUID and this might be important so it gets its own 'static' IPv6 and/or prefixes:

          [screenshot]

          My leases:

          [screenshot]

          My prefix is right now 'eb', one of the 256, out of a /56 range.
          It's been 'eb' for at least a year now, and so is the leading "2a01:cb19:xxxx:yy__", which means my allocated IPv6 for my LAN devices are rather static.
          I've heard (seen) that other ISPs change the leading part and/or the prefix very often. Like in the good old days where the WAN IPv4 changed every day or week.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            SteveITS @johnpoz, Oct 16, 2024, 2:07 PM

            Tenants aren't asking. I'm not particularly concerned about them. But it would be nice.

            I did discover a handful of things not working properly when we enabled IPv6 via Hurricane Electric so that would be nice to know that. Unfortunately at least here we found HE throttles the speed, I think it was to around 35 Mbps download. And there are sites that don't work because of video rights or whatever since they consider HE like a VPN and block access. I mean, it's free, so... We still have HE enabled but it's a better experience telling my browser to prefer IPv4.

            We do get a /56 as noted. I just need to ensure someone can't plug in a router and get free Internet.

            Is the answer to not try to do anything automatically, and just use two /64s from our /56 to set up IPv6 manually? (for the building router LAN, our office router LAN) That would work for us I suppose but the goal for the tenants was hands-off router config.

            And no I don't know how often the /56 changes, it's been 1.5 days since they replaced their router.

              Bob.Dig @SteveITS, Oct 16, 2024, 2:26 PM (edited Oct 16, 2024, 5:13 PM)

              @SteveITS I know Plus has some MAC-Filtering-Features, maybe you can achieve something with that. Going with the DHCPv6 Server doesn't make much sense because most clients (people) will expect more than one address, so SLAAC. Now if you are in control of all the routers, you can block or not allow IPv6 for subnets, so I would use that (if you have VLANs etc). But it sounds like maybe you don't?
              Technically you would use the DHCPv6 Server for Prefix Delegation though. At least I guess, never done it. Also this has to be supported by the router from comcast in the first place.

                SteveITS @Bob.Dig, Oct 16, 2024, 3:10 PM

                @Bob-Dig I keep forgetting about the Ethernet rules, despite using it this year for my son's school Chromebook...they have no controls on it in 6th grade. 🙄

                In a quick look we can allow/block IPv6 by MAC, so maybe. So that would be to allow everyone to get an IP, but only allow known MACs to pass IPv6 traffic.

                So, on building router LAN, Track Interface, configure a Prefix Delegation Pool, and let it rip?

                Or else the manual approach of configuring a static IPv6 for the "building LAN" and assigning a /64 to our LAN. Then we would have to manually config each tenant router, if they ever wanted IPv6.

                  JKnott @SteveITS, Oct 16, 2024, 8:27 PM

                  @SteveITS

                  I believe with some switches, such as from Cisco, you can assign a device to a specific LAN/VLAN according to the MAC supplier, not individual MACs. This would typically be used with VoIP phones and computers sharing a connection to the switch. I don't think pfSense can do that.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                    SteveITS @JKnott, Oct 16, 2024, 10:20 PM

                    @JKnott I did not know that, however, I don't think that helps me much...maybe we could assume we have the only Netgate router but the MAC I think is generic.

                      johnpoz (Global Moderator) @JKnott, Oct 17, 2024, 2:18 AM

                      @JKnott said in Delegate IPv6 subnet to only specific MAC addresses:

                      you can assign a device to a specific LAN/VLAN according to the MAC supplier

                      You could do this with freerad more than likely. RADIUS can be used to assign a VLAN related to auth. But not sure how that would come into play in this scenario.

                        SteveITS @johnpoz, Oct 17, 2024, 10:07 PM (edited Oct 17, 2024, 10:08 PM)

                        hmmm

                        https://business.comcast.com/support/article/internet/comcast-business-internet-learn-about-ipv6
                        "To date, Comcast has launched dynamic and static IPv6 support for all Business Internet customers. The static IPv6 addresses are included in any IPv4 lease and those addresses can all be found by logging in to My Account. Static IPv6 is also supported and available for Ethernet Dedicated Internet customers."

                        So our /56 is static per their page.

                        [edit: which I found out because I'm there because it went down 🙄 ]

                          Bob.Dig @SteveITS, Oct 18, 2024, 7:35 AM (edited Oct 18, 2024, 7:36 AM)

                          @SteveITS With static IPv6 it is way more easy and reliable with pfSense (not with the ISP though 😉 ).
                          Now their wording is interesting, it sounds they would do both for business customers (at the same time?).

                            SteveITS @Bob.Dig, Oct 18, 2024, 2:15 PM

                            @Bob-Dig Yes, it specifically says static if you view your IP ranges:
                            [screenshot]

                            I am not sure we have a client with a dynamic WAN IP for which we also have the Comcast account credentials to log in and look directly, so unclear if this is only for accounts with static IPv4. But it doesn't say so.

                              SteveITS @SteveITS, Oct 23, 2024, 10:36 PM

                              So if we let IPv6 auto assign to tenant routers, at what point could the subnet assigned to a tenant router change? Obviously if they replace it, but outside of that...?

                              I'm thinking this might work:

                              • set building router to hand out IPv6 blocks
                              • create firewall rule on LAN to only allow IPv6 from known MAC addresses (one rule per MAC)
                              • create a firewall rule on LAN to assign each subnet to the correct limiter

                              It's a bunch of extra steps though.

                              In pfSense how do I find out the subnet a given tenant router is using? Can I connect the Status/DHCPv6 Leases, Delegated Prefixes info to the known MAC?

                              Option 2 is we set it up for us and wait until someone asks for IPv6. :)

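Gertjan's point above that IPv6 assignment is DUID-based rather than MAC-based, and Steve's question about connecting the Delegated Prefixes on the DHCPv6 Leases page to a known MAC, both come down to what a DUID actually contains. The following is an added example, not pfSense code and not anything posted in this thread: it decodes the DUID types defined in RFC 8415 section 11 and flags which delegated prefixes belong to an allow-listed MAC. The lease records, prefixes and MACs are constructed, and the names `PdLease`, `correlate` and the verdict strings are this example's own.

```python
"""
Decode DHCPv6 DUIDs and correlate delegated prefixes with an allow-list of
known tenant-router MAC addresses.

Added example, not pfSense code. DUID layouts follow RFC 8415 section 11.
The lease records and MACs below are constructed; on a real router the DUID
and delegated prefix would be read from the DHCPv6 server's leases display.
A MAC recovered this way is whatever the client embedded when it generated
its DUID, so it is evidence for matching a lease to a tenant, not an
authenticated identity.
"""
from dataclasses import dataclass
import struct
from typing import Dict, Iterable, Optional

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HW_ETHERNET = 1  # IANA hardware type 1 = 48-bit Ethernet


@dataclass(frozen=True)
class Duid:
    kind: int
    mac: Optional[str]  # only DUID-LLT / DUID-LL with an Ethernet link-layer address


def parse_duid(text: str) -> Duid:
    """Parse a colon- or dash-separated hex DUID string into its type and,
    where the type carries one, the embedded Ethernet link-layer address."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) < 2:
        raise ValueError("DUID shorter than the 2-byte type field")
    (kind,) = struct.unpack("!H", raw[:2])
    mac = None
    if kind == DUID_LLT:            # type(2) hw-type(2) time(4) link-layer(n)
        if len(raw) < 8:
            raise ValueError("truncated DUID-LLT")
        (hw,) = struct.unpack("!H", raw[2:4])
        if hw == HW_ETHERNET and len(raw) == 14:
            mac = raw[8:14].hex(":")
    elif kind == DUID_LL:           # type(2) hw-type(2) link-layer(n)
        if len(raw) < 4:
            raise ValueError("truncated DUID-LL")
        (hw,) = struct.unpack("!H", raw[2:4])
        if hw == HW_ETHERNET and len(raw) == 10:
            mac = raw[4:10].hex(":")
    elif kind not in (DUID_EN, DUID_UUID):
        raise ValueError(f"unknown DUID type {kind}")
    return Duid(kind, mac)


@dataclass(frozen=True)
class PdLease:
    duid: str      # client DUID as shown by the DHCPv6 server
    prefix: str    # prefix delegated to that client


def correlate(leases: Iterable[PdLease],
              known_macs: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """For each delegated prefix, report whether its DUID maps to an
    allow-listed MAC, to a MAC that is not on the list, or to no MAC at all."""
    known = {m.lower() for m in known_macs}
    result: Dict[str, Dict[str, object]] = {}
    for lease in leases:
        duid = parse_duid(lease.duid)
        if duid.mac is None:
            verdict = "no-mac-in-duid"   # DUID-EN / DUID-UUID: match on the whole DUID instead
        elif duid.mac in known:
            verdict = "known"
        else:
            verdict = "unknown-mac"
        result[lease.prefix] = {"duid_type": duid.kind, "mac": duid.mac, "verdict": verdict}
    return result


# Constructed sample data, not real leases.
KNOWN_MACS = ["00:11:22:33:44:55"]       # e.g. our office router
SAMPLE_LEASES = [
    PdLease("00:01:00:01:2e:1a:4b:3c:00:11:22:33:44:55", "2001:db8:abcd:101::/64"),  # DUID-LLT
    PdLease("00:03:00:01:aa:bb:cc:dd:ee:ff", "2001:db8:abcd:102::/64"),              # DUID-LL
    PdLease("00:04:12:34:56:78:12:34:56:78:12:34:56:78:12:34:56:78",
            "2001:db8:abcd:103::/64"),                                               # DUID-UUID
]

if __name__ == "__main__":
    for prefix, info in correlate(SAMPLE_LEASES, KNOWN_MACS).items():
        print(prefix, info)
```

Only DUID-LLT and DUID-LL carry a link-layer address; a client using DUID-EN or DUID-UUID has to be identified by its full DUID in the DHCPv6 reservation. Either way the MAC is client-asserted, exactly as it is for an Ethernet rule, so this correlation answers "which prefix did that router get", not "is that really our router".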
                                SteveITS @SteveITS, Oct 26, 2024, 6:38 AM (edited Oct 26, 2024, 12:22 PM)

                                Just to follow up, I set it up for us, with static IPv6. It took me longer than I'd care to admit to add firewall rules to allow IPv6 ICMP since we'd never set up IPv6 rules on the building router. πŸ™„

                                  Bob.Dig @SteveITS, Oct 26, 2024, 10:08 AM

                                  @SteveITS Never done it with pfSense but with my first router (fritzbox) towards my pfSense. It says something like this: Allow Ping6, open firewall for the delegated prefix, make this host the exposed host.

                                    SteveITS @Bob.Dig, Oct 26, 2024, 12:27 PM

                                    @Bob-Dig I realized my comment might be unclear so I came back to edit it but you beat me… IPv6 was allowed on the inner router due to the HE tunnel but it had never been allowed outbound on the building/outer router LAN interface since that wasn’t necessary (due to the tunneling).

                                    #ComputersDoExactlyWhatYouTellThemNotWhatYouWant

                                      SteveITS @SteveITS, Nov 15, 2024, 6:25 AM

                                      I'm back again. After our Comcast router restarted last night we lost IPv6 to the inner subnet. I am pretty sure it lost the route back. However the Comcast router only allows me to configure an IPv4 static route. Thinking back, possibly it had set up the route while I was experimenting with the various delegation/DHCP settings, and lost it upon restart. Boo.

                                      So I started all over, and set it up using Track Interface and prefix delegation, with the building router DHCPv6 Server set with "Deny Unknown Clients" to allow only known clients. I had to allow any temporarily just to find the DUID of our router.

                                      By the time I got back to set it to allow only known clients again, the building router had allocated another IP and prefix. However, it added a route to this other prefix and would not add a route for our office router prefix. So eventually I gave up and added a static route in our building router, pointing the subnet that had been delegated to our office router, to our office router.

                                      So overall it looks like it should have worked with "deny unknown clients" except there was no route created from the outer pfSense to the inner pfSense, like there was for other routers in the building. ٩(͑๏̯͑๏)ۢ

                                      Side note: the "Start DHCP6 client in debug mode" option seen referenced on this forum several places does not seem to exist on either of these routers' WAN interface settings? I thought I'd enabled that before, was that removed? Is there a trick to displaying that?

                                        Gertjan @SteveITS, Nov 15, 2024, 6:32 AM

                                        @SteveITS said in Delegate IPv6 subnet to only specific MAC addresses:

                                        Side note: the "Start DHCP6 client in debug mode"

                                        Hidden here :

                                        [screenshot]

                                          SteveITS @Gertjan, Nov 15, 2024, 3:37 PM

                                          @Gertjan D'oh! I knew I had seen it, thanks.

                                          Unfortunately this was broken twice this morning.

                                          • my static route was no longer in the routing table
                                          • DHCPv6 started handing out IPs again despite being set to allow only known clients.

                                          In limited testing it looks like the problems were:

                                          • DHCPv6 Server does not add a route for delegated prefixes to reserved IPs
                                          • if I restart DHCPv6 Server, my static route is removed from the routing table
                                          • I had to edit and save the route, to get it to work again

                                          I kept banging on it. I set Router Advertisement to Managed so clients couldn't get an IP. However RA is still advertising prefixes to other routers, they are just failing.

                                          At some point I re-saved the office router WAN interface and now that Delegated Prefix shows on the DHCPv6 Leases page. So maybe it was in some weird limbo state from above? I didn't try deleting the static route yet since we're into the workday.

                                          However DHCPv6 Leases still shows leases and prefixes for other routers. Does it just not honor the "Deny Unknown Clients" setting?

                                          Confused about the path forward, do I need to turn off DHCPv6 Server on the building router, and use a static route?

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.