DHCPv6 on LAN offering IPs from different interface
-
Issues
- When using ISC, DHCPv6 is responding to requests on my LAN interface with IPs from the WATER interface's pool
- When using Kea instead, DHCPv6 is failing to start with an error: "subnet with the prefix of '2607:f2c0:b1b7:de00::/60' already exists (/usr/local/etc/kea/kea-dhcp6.conf:86:13)"
Most of the following describes my experience with ISC, because Kea DHCPv6 won't start at all (Kea v4 works fine).
Hardware: Netgate 3100
Software: pfsense+ 25.07.1-RELEASE (arm)Configuration
My ISP delegates an /60 ipv6 network prefix, and I've configured my LAN and WATER networks to support ipv6. I'm running RA in "Assisted Mode" on both interfaces (I've also tried other router modes), and DHCPv6 (I've tried both ISC and Kea).
(BTW. I had previously created a bridge between LAN and WATER, but I've since removed it. Not sure if that somehow broke some configuration?)
Interfaces: WAN mvneta2, LAN mvneta0, WATER mvneta1
IPv6 Prefix ID: LAN 0, WATER f
IPv6 Address: LAN 2607:f2c0:b1b7:de00:208:a2ff:fe0d:4fd7, WATER 2607:f2c0:b1b7:de0f:208:a2ff:fe0d:4fd8Clients
LAN clients
Linux
enp9s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.11.5 netmask 255.255.255.0 broadcast 192.168.11.255 inet6 fd2b:590:27bc:35d4:4b89:e6b4:b5dd:a3c0 prefixlen 64 scopeid 0x0<global> inet6 2607:f2c0:b1b7:de0f::4000 prefixlen 128 scopeid 0x0<global> inet6 fd2b:590:27bc:35d4:22cb:b37:3c6c:215a prefixlen 64 scopeid 0x0<global> inet6 fe80::20d3:f44f:798d:722a prefixlen 64 scopeid 0x20<link>macOS
Note that both of these clients are on my LAN but are getting GUAs from the WATER interface's prefix "de0f" and dynamic IP range (from "::3000" to "::4000").
WATER clients
Linux
wlp10s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.12.5 netmask 255.255.255.0 broadcast 192.168.12.255 inet6 2607:f2c0:b1b7:de0f::36e2 prefixlen 128 scopeid 0x0<global> inet6 fe80::51:f9ce:cdca:d229 prefixlen 64 scopeid 0x20<link>macOS
Note that the WATER macOS client's GUA is 2607:f2c0:b1b7:de0f::4000, which is the same as the LAN Linux client's GUA. It's as if both networks are sharing the same pool and yet somehow not conflicting?
Logs
ISC
Oct 10 08:43:56 dhcpd 14131 Sending Reply to fe80::20d3:f44f:798d:722a port 546 Oct 10 08:43:56 dhcpd 14131 Reply NA: address 2607:f2c0:b1b7:de0f::4000 to client with duid 00:04:10:67:d6:7c:2a:6b:13:4c:e8:1f:f5:89:fa:cb:f3:3d iaid = 74879383 valid for 7200 seconds Oct 10 08:43:56 dhcpd 14131 Request message from fe80::20d3:f44f:798d:722a port 546, transaction ID 0xA811A900 Oct 10 08:43:56 dhcpd 14131 Sending Advertise to fe80::20d3:f44f:798d:722a port 546 Oct 10 08:43:56 dhcpd 14131 Advertise NA: address 2607:f2c0:b1b7:de0f::4000 to client with duid 00:04:10:67:d6:7c:2a:6b:13:4c:e8:1f:f5:89:fa:cb:f3:3d iaid = 74879383 valid for 7200 seconds Oct 10 08:43:56 dhcpd 14131 Picking pool address 2607:f2c0:b1b7:de0f::4000 Oct 10 08:43:56 dhcpd 14131 Solicit message from fe80::20d3:f44f:798d:722a port 546, transaction ID 0x345C2700 Oct 10 08:43:53 dhcpd 14131 Server starting service. Oct 10 08:43:53 dhcpd 14131 Sending on Socket/6/mvneta0/2607:f2c0:b1b7:de00::/60 Oct 10 08:43:53 dhcpd 14131 Listening on Socket/6/mvneta0/2607:f2c0:b1b7:de00::/60 Oct 10 08:43:53 dhcpd 14131 Sending on Socket/6/mvneta1/2607:f2c0:b1b7:de00::/60 Oct 10 08:43:53 dhcpd 14131 Listening on Socket/6/mvneta1/2607:f2c0:b1b7:de00::/60 Oct 10 08:43:53 dhcpd 14131 Bound to *:547 Oct 10 08:43:53 dhcpd 14131 Multiple interfaces match the same shared network: mvneta0 mvneta1 Oct 10 08:43:53 dhcpd 14131 Multiple interfaces match the same subnet: mvneta0 mvneta1Notes
- re:"Multiple interfaces match the same shared network: mvneta0 mvneta1", those are my LAN and WATER interfaces. I'm not sure why they're described as shared?
- I expected mvneta0 (LAN) to be listening on de00/64 and mvneta1 (WATER) to be listening on de0f/64, but it's listening on de00/60 for both?
- The client fe80::20d3:f44f:798d:722a is on my LAN network but it's being sent "Reply NA: address 2607:f2c0:b1b7:de0f::4000" which is from my WATER network.
Kea
Kea dhcpv6 fails to start:
Oct 10 09:43:52 kea-dhcp4 14452 WARN [kea-dhcp4.dhcp4.0x2018f000] DHCP4_MULTI_THREADING_INFO enabled: yes, number of threads: 2, queue size: 64 Oct 10 09:43:52 kea-dhcp6 14792 ERROR [kea-dhcp6.dhcp6.0x20182000] DHCP6_INIT_FAIL failed to initialize Kea server: configuration error using file '/usr/local/etc/kea/kea-dhcp6.conf': subnet with the prefix of '2607:f2c0:b1b7:de00::/60' already exists (/usr/local/etc/kea/kea-dhcp6.conf:86:13) Oct 10 09:43:52 kea-dhcp6 14792 ERROR [kea-dhcp6.dhcp6.0x20182000] DHCP6_CONFIG_LOAD_FAIL configuration error using file: /usr/local/etc/kea/kea-dhcp6.conf, reason: subnet with the prefix of '2607:f2c0:b1b7:de00::/60' already exists (/usr/local/etc/kea/kea-dhcp6.conf:86:13) Oct 10 09:43:52 kea-dhcp6 14792 ERROR [kea-dhcp6.dhcp6.0x20182000] DHCP6_PARSER_FAIL failed to create or run parser for configuration element subnet6: subnet with the prefix of '2607:f2c0:b1b7:de00::/60' already exists (/usr/local/etc/kea/kea-dhcp6.conf:86:13) Oct 10 09:43:52 kea-dhcp6 14792 WARN [kea-dhcp6.dhcp6.0x20182000] DHCP6_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first. Oct 10 09:43:52 kea-dhcp6 14792 WARN [kea-dhcp6.dhcpsrv.0x20182000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled. Oct 10 09:43:52 kea-dhcp4 14452 WARN [kea-dhcp4.dhcp4.0x2018f000] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first. Oct 10 09:43:52 kea-dhcp4 14452 WARN [kea-dhcp4.dhcpsrv.0x2018f000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.Notes
- See the error "ERROR [kea-dhcp6.dhcp6.0x20182000] DHCP6_CONFIG_LOAD_FAIL configuration error using file: /usr/local/etc/kea/kea-dhcp6.conf, reason: subnet with the prefix of '2607:f2c0:b1b7:de00::/60' already exists (/usr/local/etc/kea/kea-dhcp6.conf:86:13)"
cat /usr/local/etc/kea/kea-dhcp6.conf { "Dhcp6": { "interfaces-config": { "interfaces": [ "mvneta0", "mvneta1" ] }, "lease-database": { "type": "memfile", "persist": true, "name": "/var/lib/kea/dhcp6.leases" }, "loggers": [ { "name": "kea-dhcp6", "output_options": [ { "output": "syslog" } ], "severity": "WARN" } ], "valid-lifetime": 7200, "max-valid-lifetime": 86400, "host-reservation-identifiers": [ "hw-address", "duid" ], "hooks-libraries": [ { "library": "/usr/local/lib/kea/hooks/libdhcp_lease_cmds.so" }, { "library": "/usr/local/lib/kea/hooks/libdhcp_lease_options.so" }, { "library": "/usr/local/lib/kea/hooks/libdhcp_run_script.so", "parameters": { "name": "/usr/local/bin/kea_run6", "sync": false } } ], "control-socket": { "socket-type": "unix", "socket-name": "/var/run/kea6-ctrl-socket" }, "sanity-checks": { "lease-checks": "fix-del" }, "client-classes": [ { "name": "pool_lan_0", "test": "member('ALL')" }, { "name": "pool_opt1_0", "test": "member('ALL')" } ], "subnet6": [ { "id": 1, "interface": "mvneta0", "subnet": "2607:f2c0:b1b7:de00::/60", "option-data": [ { "name": "domain-search", "data": "host.example.com" }, { "name": "dns-servers", "data": "2607:f2c0:b1b7:de00:208:a2ff:fe0d:4fd7" } ], "pools": [ { "pool": "2607:f2c0:b1b7:de00::1000 - 2607:f2c0:b1b7:de00::2000", "client-class": "pool_lan_0" } ], "reservations-in-subnet": true }, { "id": 2, "interface": "mvneta1", "subnet": "2607:f2c0:b1b7:de00::/60", "option-data": [ { "name": "domain-search", "data": "host.example.com" }, { "name": "dns-servers", "data": "2607:f2c0:b1b7:de0f:208:a2ff:fe0d:4fd8" } ], "pools": [ { "pool": "2607:f2c0:b1b7:de0f::3000 - 2607:f2c0:b1b7:de0f::4000", "client-class": "pool_opt1_0" } ], "reservations-in-subnet": true } ] } }Notes
- Subnets with id 1 and 2 both specify the same range
"subnet": "2607:f2c0:b1b7:de00::/60",. I would expect mvneta.0 to be de00/64 and mvneta.1 to be de0f/64 - The "dns-servers" and "pools" are properly scoped to each subnet's respective pool, though de00 and de0f for LAN and WATER interfaces respectively
Screenshots of pfSense web admin
-
[Update] I requested a /56 from my ISP (previously, I had requested a /60), and now everything works as expected. LAN gets 2607:f2c0:b031:a00::/64 and WATER gets 2607:f2c0:b031:a01::/64.
ISC and Kea both work as expected - no more overlapping subnets.
Was the previous behavior a bug, or was I missing something?
$ cat /usr/local/etc/kea/kea-dhcp6.conf { "Dhcp6": { "interfaces-config": { "interfaces": [ "mvneta0", "mvneta1" ] }, "lease-database": { "type": "memfile", "persist": true, "name": "/var/lib/kea/dhcp6.leases" }, "loggers": [ { "name": "kea-dhcp6", "output_options": [ { "output": "syslog" } ], "severity": "WARN" } ], "valid-lifetime": 7200, "max-valid-lifetime": 86400, "host-reservation-identifiers": [ "hw-address", "duid" ], "hooks-libraries": [ { "library": "/usr/local/lib/kea/hooks/libdhcp_lease_cmds.so" }, { "library": "/usr/local/lib/kea/hooks/libdhcp_lease_options.so" }, { "library": "/usr/local/lib/kea/hooks/libdhcp_run_script.so", "parameters": { "name": "/usr/local/bin/kea_run6", "sync": false } } ], "control-socket": { "socket-type": "unix", "socket-name": "/var/run/kea6-ctrl-socket" }, "sanity-checks": { "lease-checks": "fix-del" }, "client-classes": [ { "name": "pool_lan_0", "test": "member('ALL')" }, { "name": "pool_opt1_0", "test": "member('ALL')" } ], "subnet6": [ { "id": 1, "interface": "mvneta0", "subnet": "2607:f2c0:b031:a00::/64", "option-data": [ { "name": "domain-search", "data": "host.example.com" }, { "name": "dns-servers", "data": "2607:f2c0:b031:a00:208:a2ff:fe0d:4fd7" } ], "pools": [ { "pool": "2607:f2c0:b031:a00::1000 - 2607:f2c0:b031:a00::2000", "client-class": "pool_lan_0" } ], "reservations-in-subnet": true }, { "id": 2, "interface": "mvneta1", "subnet": "2607:f2c0:b031:a01::/64", "option-data": [ { "name": "domain-search", "data": "host.example.com" }, { "name": "dns-servers", "data": "2607:f2c0:b031:a01:208:a2ff:fe0d:4fd8" } ], "pools": [ { "pool": "2607:f2c0:b031:a01::3000 - 2607:f2c0:b031:a01::4000", "client-class": "pool_opt1_0" } ], "reservations-in-subnet": true } ] } }Screenshots
(I changed the IPv6 Prefix ID for WATER from "f" to "1", but it also worked with "f". I just mention this to explain this change from the previous logs/screenshots)
-
-
@Gertjan Yep, good call. Done!
I do think the behavior I saw in the original post might be a bug, though.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.