Netgate Discussion Forum

DUID and IPv6 - static IP mapping best practice

IPv6
  • C
    CatSpecial202
    last edited by Dec 18, 2024, 7:39 PM

    I recently had an experience installing Ubuntu in my home lab where I needed to reinstall it a few times. I set up both my DHCPv4 static IP mapping and the DHCPv6. This allowed me to pretty much skip the network portion of the setup after I initially set everything up. It worked for IPv4, however, this did not work for IPv6.

    As far as I understand DHCP static IP mapping with IPv6 works by using the DUID to regenerate the same IP. I believe this was caused by the DUID being regenerated with each OS installation? Isn't this prohibitive? IPv4 uses the MAC address, which always stays with the device regardless of OS installation.

    What is the best practice for using static IP mapping with DHCPv6?

    Why is the DUID regenerated with each OS installation? Isn't this prohibitive? IPv4 uses the MAC address, which always stays with the device.

    PS:

    I also couldn't find my new DUID through Ubuntu's default configuration info tab. I eventually found it by using the temporary shell available during installation:

    networkctl status <interface_name>
    

    I know I can retrieve it through the pfSense GUI, but I wanted to see where it was in Ubuntu itself.

    J S D 3 Replies Last reply Dec 18, 2024, 8:20 PM Reply Quote 0
    • J
      JKnott @CatSpecial202
      last edited by Dec 18, 2024, 8:20 PM

      @CatSpecial202

      I use SLAAC, not DHCPv6 and it just works. Nothing to configure. Also, Android devices don't support DHCPv6.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      C 1 Reply Last reply Dec 18, 2024, 8:24 PM Reply Quote 0
      • C
        CatSpecial202 @JKnott
        last edited by Dec 18, 2024, 8:24 PM

        @JKnott how does SLAAC just work?

        When configuring the network interfaces in the Ubuntu installer, for instance, there is only DHCPv6 and manual. There is no option for SLAAC.

        What is the procedure here?

        J 1 Reply Last reply Dec 18, 2024, 10:36 PM Reply Quote 0
        • S
          SteveITS Galactic Empire @CatSpecial202
          last edited by Dec 18, 2024, 9:54 PM

          @CatSpecial202 I think the goal is to not use the MAC, for privacy...?

          Quick search shows Ubuntu uses Link-layer address plus time (DUID-LLT).

          pfSense has multiple options to choose on its WAN: https://docs.netgate.com/pfsense/en/latest/config/advanced-networking.html#dhcp6-duid.

          There is a note somewhere in the pfSense docs to manually set a DUID if using a RAM disk, otherwise pfSense will not retain the DUID between restarts. The last one I was working on, when I tried to set it to Raw, upon saving it would change to DUID-LLT, which was frustrating but I was able to get it to use DUID-LL as I recall...though still had to figure out exactly what value was being used. But I digress...

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          S C 2 Replies Last reply Dec 18, 2024, 10:00 PM Reply Quote 0
          • D
            dennypage @CatSpecial202
            last edited by dennypage Dec 18, 2024, 10:00 PM Dec 18, 2024, 9:56 PM

            @CatSpecial202 said in DUID and IPv6 - static IP mapping best practice:

            As far as I understand DHCP static IP mapping with IPv6 works by using the DUID to regenerate the same IP. I believe this was caused by the DUID being regenerated with each OS installation? Isn't this prohibitive? IPv4 uses the MAC address, which always stays with the device regardless of OS installation.

            Not on Apple devices. Apple devices use a randomly generated MAC address as a privacy measure. You can turn it off, but it's on by default.

            As to IPv6 mappings, I run fully managed (RA) and assign addresses (DHCPv6) to clients using '::1', '::2', etc. This is essentially required when using track interface addresses. FWIW, I use the same last octet for IPv4 and IPv6 to make identification easier.

            YMMV

            J 1 Reply Last reply Dec 18, 2024, 10:39 PM Reply Quote 1
            • S
              SteveITS Galactic Empire @SteveITS
              last edited by Dec 18, 2024, 10:00 PM

              Also of note for anyone finding this, pfSense has a "debug mode" which among lots of other log info will show the DUID pfSense is trying to use when it connects out.

              https://docs.netgate.com/pfsense/en/latest/config/advanced-networking.html#dhcp6-debug

              AFAICT it does require a pfSense restart to toggle on/off. Or at least it doesn't seem to do so by just toggling the checkbox.

              1 Reply Last reply Reply Quote 0
              • J
                JKnott @CatSpecial202
                last edited by Dec 18, 2024, 10:36 PM

                @CatSpecial202 said in DUID and IPv6 - static IP mapping best practice:

                When configuring the network interfaces in the Ubuntu installer, for instance, there is only DHCPv6 and manual. There is no option for SLAAC.

                What is the procedure here?

                I run openSUSE and the only thing I had to do was enable IPv6. This is the beauty of SLAAC, there is no configuration required on the clients. It just works.

                1 Reply Last reply Reply Quote 0
                • J
                  JKnott @dennypage
                  last edited by Dec 18, 2024, 10:39 PM

                  @dennypage said in DUID and IPv6 - static IP mapping best practice:

                  Not on Apple devices. Apple devices use a randomly generated MAC address as a privacy measure. You can turn it off, but it's on by default.

                  It's the same with openSUSE Linux. With SLAAC, you have a consistent address, which can be based on either the MAC address or a random number. There will also be up to 7 privacy addresses, with a new one every day. The privacy addresses are used for outgoing connections and the consistent address for incoming connections.

                  1 Reply Last reply Reply Quote 0
                  • C
                    CatSpecial202 @SteveITS
                    last edited by CatSpecial202 Dec 19, 2024, 12:46 AM Dec 19, 2024, 12:46 AM

                    @SteveITS I'm talking about my LAN with DHCPv6. What is the DUID-LLT used for? My firewall WAN has a link-local address:

                    fe80::21c:73ff:fe00:99%mvneta0
                    

                    So, this is used to generate the DUID for each of my interfaces?

                    How would someone use Static IP mapping w/ DHCPv6 for IPv6 if it's relying on an impermanent DUID?

                    @JKnott where is the SLAAC managed from? This is for my internal LAN. While installing Ubuntu I do have to enable the interface but only have those two options. You're saying it should just be configured regardless of what I select?

                    D J S 3 Replies Last reply Dec 19, 2024, 2:23 AM Reply Quote 0
                    • D
                      dennypage @CatSpecial202
                      last edited by Dec 19, 2024, 2:23 AM

                      @CatSpecial202

                      IPv6-wise, SLAAC is the opposite of managed. It's what happens when a network isn't actively managed.

                      See Services / Router Advertisement / LAN Router Mode. Further documentation may be found here.

                      1 Reply Last reply Reply Quote 0
                      • J
                        JKnott @CatSpecial202
                        last edited by Dec 19, 2024, 3:00 AM

                        @CatSpecial202 said in DUID and IPv6 - static IP mapping best practice:

                        @JKnott where is the SLAAC managed from?

                        On the Router Advertisement page, select Unmanaged for Router Mode

                        C 1 Reply Last reply Dec 20, 2024, 1:48 AM Reply Quote 0
                        • S
                          SteveITS Galactic Empire @CatSpecial202
                          last edited by Dec 19, 2024, 2:45 PM

                          @CatSpecial202 I understand, I was just kind of venting/discussing in general.

                          The DUID is also supposed to be unique to the device, not to the NIC, notably when multiple NICs are in a device.

                          There are several ways to generate a DUID but it's basically just random and up to the device to generate its own. Using the MAC address and factoring in time helps make it unique, is all. Generally it's saved on the device but if you format/reinstall, that file/data is lost. (or if you have pfSense set to use a RAM disk its DUID file is lost on boot, unless saved as noted above). Or I suppose an admin on the device can delete/create a new file.

                          1 Reply Last reply Reply Quote 0
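
Added example (not part of the original thread or of pfSense): a decoder for the DUID formats defined in RFC 8415, going beyond the DUID-LLT case mentioned above, which shows why a DUID-LLT regenerated at install time no longer matches a static mapping even though the embedded MAC is unchanged. The MAC and install times are constructed sample values, and `same_nic` is a hypothetical helper.

```python
import struct
from datetime import datetime, timedelta, timezone

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # RFC 8415 time base
ETHERNET = 1  # IANA hardware type


def make_duid_llt(mac: bytes, when: datetime) -> bytes:
    """DUID-LLT (type 1): hardware type, creation time, link-layer address."""
    secs = int((when - DUID_EPOCH).total_seconds()) % 2**32
    return struct.pack("!HHI", 1, ETHERNET, secs) + mac


def make_duid_ll(mac: bytes) -> bytes:
    """DUID-LL (type 3): hardware type and link-layer address, no timestamp."""
    return struct.pack("!HH", 3, ETHERNET) + mac


def parse_duid(text: str) -> dict:
    """Decode a DUID given as colon- or dash-separated hex."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) < 3:
        raise ValueError("DUID too short")
    dtype = int.from_bytes(raw[:2], "big")
    if dtype == 1 and len(raw) > 8:
        hw, secs = struct.unpack("!HI", raw[2:8])
        return {"type": "DUID-LLT", "hw_type": hw, "mac": raw[8:].hex(":"),
                "created": DUID_EPOCH + timedelta(seconds=secs)}
    if dtype == 2 and len(raw) > 6:
        return {"type": "DUID-EN", "id": raw[6:].hex(),
                "enterprise": int.from_bytes(raw[2:6], "big")}
    if dtype == 3 and len(raw) > 4:
        return {"type": "DUID-LL", "mac": raw[4:].hex(":"),
                "hw_type": int.from_bytes(raw[2:4], "big")}
    if dtype == 4 and len(raw) == 18:
        return {"type": "DUID-UUID", "uuid": raw[2:].hex()}
    return {"type": "unknown", "raw": raw.hex()}


def same_nic(a: str, b: str) -> bool:
    """True if two DUIDs embed the same MAC, e.g. a stale and a new mapping."""
    mac_a, mac_b = parse_duid(a).get("mac"), parse_duid(b).get("mac")
    return mac_a is not None and mac_a == mac_b


# Constructed sample: the same NIC, OS installed twice one week apart.
MAC = bytes.fromhex("020000aabbcc")  # constructed, locally administered
T1 = datetime(2024, 12, 11, 19, 0, tzinfo=timezone.utc)
T2 = datetime(2024, 12, 18, 19, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for duid in (make_duid_llt(MAC, T1), make_duid_llt(MAC, T2), make_duid_ll(MAC)):
        print(duid.hex(":"), parse_duid(duid.hex(":")))
    print(same_nic(make_duid_llt(MAC, T1).hex(":"), make_duid_llt(MAC, T2).hex(":")))
```

The two DUID-LLT values differ only in the four timestamp bytes, which is enough for a DUID-keyed mapping to miss; the DUID-LL for the same MAC is identical on every run.
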
                          • C
                            CatSpecial202 @JKnott
                            last edited by CatSpecial202 Dec 20, 2024, 1:49 AM Dec 20, 2024, 1:48 AM

                            @JKnott I found this link stateless address autoconfiguration slaac that was helpful in my understanding. I keep thinking of this like a local thing and not a global thing, but I guess all IPv6 are designed to be discoverable on the global internet. SLAAC will always resolve an address that can route to the WAN port?

                            @SteveITS So, I guess this is a known issue with static IP mapping using DHCPv6 that if you reinstall the OS static IP mapping won't work. It's applying old methods to new ideas.

                            J S 2 Replies Last reply Dec 20, 2024, 2:08 PM Reply Quote 0
                            • J
                              JKnott @CatSpecial202
                              last edited by Dec 20, 2024, 2:08 PM

                              @CatSpecial202 said in DUID and IPv6 - static IP mapping best practice:

                              SLAAC will always resolve an address that can route to the WAN port?

                              Depending on what you configure pfSense to provide, it will get global addresses which can be routed to the Internet and also, if configured, Unique Local Addresses which, like RFC1918 addresses on IPv4, are routeable, but not to the Internet.

                              There is one error in that article. SLAAC can provide the DNS address, with RDNSS. You use the Enable DNS setting on the Router Advertisement page to enable it.

                              C 1 Reply Last reply Dec 20, 2024, 2:43 PM Reply Quote 0
                              • C
                                CatSpecial202 @JKnott
                                last edited by Dec 20, 2024, 2:43 PM

                                @JKnott It mentions this in the article

                                If the O-flag is set to 1, it indicates that DNS information is available via DHCPv6. The router is basically telling the nodes to auto-configure an address via SLAAC and ask the DHCP server for DNS information.

                                Isn't it the DHCPv6 that will always have to provide that? SLAAC doesn't do this; it just tells the service where to look.

                                J 1 Reply Last reply Dec 20, 2024, 6:37 PM Reply Quote 0
                                • S
                                  SteveITS Galactic Empire @CatSpecial202
                                  last edited by Dec 20, 2024, 3:15 PM

                                  @CatSpecial202 said in DUID and IPv6 - static IP mapping best practice:

                                  known issue with static IP mapping using DHCPv6 that if you reinstall the OS static IP mapping won't work

                                  I suppose it's semantics whether it's a "known issue" or "by design" but it is up to the administrator/person to keep the DUID between drive wipes.

                                  Note this can also be an issue when cloning VMs if the DUID isn't changed.

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    JKnott @CatSpecial202
                                    last edited by Dec 20, 2024, 6:37 PM

                                    @CatSpecial202 said in DUID and IPv6 - static IP mapping best practice:

                                    @JKnott It mentions this in the article

                                    If the O-flag is set to 1, it indicates that DNS information is available via DHCPv6. The router is basically telling the nodes to auto-configure an address via SLAAC and ask the DHCP server for DNS information.

                                    Isn't it the DHCPv6 that will always have to provide that? SLAAC doesn't do this; it just tells the service where to look.

                                    Here's a capture of the relevant bits:

                                    login-to-view

                                    You'll see that the O bit is not set, which means DHCPv6 is not used. SLAAC provides all you need, including the DNS address.

                                    C 1 Reply Last reply Dec 21, 2024, 3:28 PM Reply Quote 0
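
Added example (not from the thread; the capture in the post above is not available on this page): a parser for the Router Advertisement fields this exchange is about, namely the M and O flags (RFC 4861), the prefix A flag, and the RDNSS option (RFC 8106). Both RAs are constructed with the 2001:db8::/32 documentation prefix, and `build_ra` and `client_plan` are hypothetical helpers.

```python
import ipaddress
import struct

def parse_ra(msg: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement (RFC 4861) with RDNSS (RFC 8106)."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    info = {"managed": bool(msg[5] & 0x80),  # M bit: get addresses from DHCPv6
            "other": bool(msg[5] & 0x40),    # O bit: get other config from DHCPv6
            "slaac_prefixes": [], "rdnss": []}
    pos = 16
    while pos + 2 <= len(msg):
        otype, olen = msg[pos], msg[pos + 1] * 8  # option length is in 8-byte units
        if olen == 0 or pos + olen > len(msg):
            raise ValueError("malformed option")
        body = msg[pos:pos + olen]
        if otype == 3 and olen == 32 and body[3] & 0x40:  # prefix with A bit set
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            info["slaac_prefixes"].append(str(net))
        elif otype == 25 and olen >= 24:                  # RDNSS option
            for i in range(8, olen, 16):
                info["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        pos += olen
    return info

def client_plan(info: dict) -> list:
    """Summarise how a client would configure itself from this RA."""
    plan = []
    if info["slaac_prefixes"]:
        plan.append("SLAAC address")
    if info["managed"]:
        plan.append("DHCPv6 address (keyed by DUID)")
    elif info["other"]:
        plan.append("DNS via stateless DHCPv6")
    if info["rdnss"]:
        plan.append("DNS from RA (RDNSS)")
    return plan

def build_ra(m: bool, o: bool, a: bool, prefix: str, dns: list) -> bytes:
    """Build a constructed RA for the demo (checksum left as zero)."""
    net = ipaddress.IPv6Network(prefix)
    out = struct.pack("!BBHBBHII", 134, 0, 0, 64, (m << 7) | (o << 6), 1800, 0, 0)
    out += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0x80 | (a << 6),
                       86400, 14400, 0) + net.network_address.packed
    if dns:
        out += struct.pack("!BBHI", 25, 1 + 2 * len(dns), 0, 1800)
        out += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    return out

# Constructed samples using the 2001:db8::/32 documentation prefix.
SLAAC_ONLY = build_ra(False, False, True, "2001:db8:1:2::/64", ["2001:db8:1:2::1"])
MANAGED = build_ra(True, True, False, "2001:db8:1:2::/64", [])

if __name__ == "__main__":
    print(client_plan(parse_ra(SLAAC_ONLY)), client_plan(parse_ra(MANAGED)))
```
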
                                    • C
                                      CatSpecial202 @JKnott
                                      last edited by Dec 21, 2024, 3:28 PM

                                      @JKnott Thanks. That is cool. I'm going to keep experimenting.

                                      J 1 Reply Last reply Dec 22, 2024, 1:32 AM Reply Quote 0
                                      • J
                                        JKnott @CatSpecial202
                                        last edited by Dec 22, 2024, 1:32 AM

                                        @CatSpecial202 said in DUID and IPv6 - static IP mapping best practice:

                                        @JKnott Thanks. That is cool. I'm going to keep experimenting.

                                        A very useful tool for that is Wireshark.

                                        1 Reply Last reply Reply Quote 0
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.