RA Daemon "Assisted" Bug Fix (maybe, I'm not sure if this was by design)
-
In IPv6, clients requesting an IP need to have two conditions fulfilled. One is to have a DHCP server and the second is to receive a Router Advertisement packet with the Managed flag SET. Clients will NOT get an IP if either of these conditions is not met.
I'm not sure how that relates to my post?!
In any case, I guess I'm simply not sure why you think that the existing "assisted" setting is somehow not workable for your purposes; specifically, why do you feel that it's a problem that your clients get both a stateless and a stateful address? You can still do your port forwarding based on the SLAAC addresses if you want?! Why do you think you need to actively prevent your clients from getting a stateful address as well?
-
Al, the only change I could think of suggesting was the rewording of Managed. Maybe something like:-
Managed: For assignment through any (does not have to be THIS pfSense box) DHCPv6 server.
Sorry I could not manage better than that. :D
razzfazz, I am sorry I could not understand your question before. I do now. And I was completely stumped and taken aback by your question. Coming from the Cisco world, and thinking "everything Cisco" is awesome (not saying that Cisco came up with Stateless DHCP, but I definitely learnt about it from Cisco), I never ONCE stopped to think WHY would I EVER have the need to stop my clients from getting their IPv6 addresses from the DHCP server.
How about waste of IP addresses?? (I say that as a joke!). Certainly NOT, as we have PLENTY of IPv6 addresses.
But then how about management and/or auditing? Having to deal with 2 ip addresses is certainly more work than 1 ip address. Twice the work to go through logs, twice the work to follow Netflow streams, I'd assume, twice everything. I am just thinking out loud here, these thoughts are just my musings at the moment.
How about Policy Based Routing? Routing packets based on the source IP, would require that our packets have the same source IP, every time. Hmm…maybe not as a case could be made here that assigning clients ip addresses from a specific subset of our prefix using dhcp is a better method. Okay scratch that.
Only solid reason I can think of is to allow our packet through, at a destination network firewall. We would only have to define our firewall rule once at the destination, since our ip is not changing at intervals. So this is ONE reason. We have very fine and granular control of our packets. Having the option of an ip address that does not change over time, is unique, and is unmanaged works in this case!!! +1 to having Stateless DHCP ;)
My point being, why would you NOT have Stateless DHCP as an option? And let the people using pfSense decide the use case?
This feature certainly is offered by Cisco (that's where I learned of it first), why not pfSense?
Kind regards,
Aqueeb.
-
But then how about management and/or auditing? Having to deal with 2 ip addresses is certainly more work than 1 ip address. Twice the work to go through logs, twice the work to follow Netflow streams, I'd assume, twice everything. I am just thinking out loud here, these thoughts are just my musings at the moment.
[…]
Only solid reason I can think of is to allow our packet through, at a destination network firewall. We would only have to define our firewall rule once at the destination, since our ip is not changing at intervals. So this is ONE reason. We have very fine and granular control of our packets. Having the option of an ip address that does not change over time, is unique, and is unmanaged works in this case!!! +1 to having Stateless DHCP ;)
Virtually all modern devices support IPv6 privacy extensions and will prefer RFC4941 addresses (which are random and change over time) for outbound traffic in the interest of privacy. So even without DHCPv6, you'll generally be looking at non-deterministic and non-constant source addresses for any given client.
-
Yes, you are right, my argument for Stateless DHCP was very weak. But just because I cannot think of a good enough reason to use Stateless DHCP does not mean it has no place in the networking world.
Or is that exactly what you are saying? That pfSense users should not even have the option of Stateless DHCP?
As a side note, at least on Windows systems, from my very brief research, you can set a GPO to run once, the appropriate netsh commands to disable the randomizer and the privacy state. I haven't done this myself but according to the guy in this link
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26968185.html
it can be done.
Otherwise you can always manually run the netsh commands to disable the automatic address generation using the randomizer and privacy state. But this was just an FYI.
I really would like to know the answer to the question "Should pfSense users not even have the option of Stateless DHCP?"
Kind regards,
Aqueeb.
-
You could always submit a pull request on GitHub and see what the folks in charge think. I would imagine that having an actual use case would increase your chances of getting the change accepted, but hey, can't hurt to give it a shot?!
-
Thanks for the suggestion razzfazz!! I will definitely do that and see.
Till then I have messaged Keith Barker on YouTube, and asked him if he has any use case scenarios for Stateless DHCP. Hopefully he'll reply back!
Have a good day!
Kind regards,
Aqueeb.
-
No reply from Keith Barker so far :-\
BUT, I learnt what a Pull Request is!! Thank You for pointing me in the right direction with your wording, razzfazz! Without you actually saying "Pull Request" I would have had NO idea how to get my changes submitted to the GitHub repository.
I have just submitted a Pull Request to the pfSense GitHub repository.
Hopefully they'll think "Stateless DHCP" is worth adding my changes to the main codebase.
Kind regards,
Aqueeb.
-
Any update from the pfSense dev team on your pull request? Would it be possible for you to share the request link?
-
Just wanted to provide an update that my pull request was committed to master.
https://github.com/pfsense/pfsense/pull/1033
Kind regards,
Aqueeb.
-
I've started using RA in Stateless DHCP mode and have enabled DHCPv6 to hand out DNS addresses. This seems to work fine for Windows 8.1 machines on my network but Windows 10 doesn't get the IPv6 DNS server addresses. Is this a problem with Win10 or pfSense?
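
For reference alongside the thread, an added example that is not part of any post above and is not pfSense code: a decoder for the Router Advertisement flags the discussion turns on (M and O in the RA header, A in the Prefix Information option, per RFC 4861), reporting which address types a client may configure, which is what decides how many addresses per host show up in logs and flow records. The mapping of flag combinations to the pfSense mode names and the sample packets built by `build_ra` are assumptions constructed for this example.

```python
import ipaddress
import struct

# RA mode names as used in the pfSense GUI, keyed by (M, O, A). The mapping is
# an assumption of this example, not taken from the pfSense source.
MODES = {
    (False, False, False): "Router Only",
    (False, False, True): "Unmanaged",
    (True, True, False): "Managed",
    (True, True, True): "Assisted",
    (False, True, True): "Stateless DHCP",
}

def build_ra(m, o, a, prefix="2001:db8:1::"):
    """Constructed sample RA (ICMPv6 body only, checksum left as zero)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, (m << 7) | (o << 6), 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0x80 | (a << 6), 86400, 14400, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed

def parse_ra(icmp6):
    """Decode the M/O flags and the Prefix Information A flag (RFC 4861)."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    managed, other = bool(icmp6[5] & 0x80), bool(icmp6[5] & 0x40)
    autonomous, off = False, 16
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option length")
        if opt_type == 3 and opt_len == 32 and icmp6[off + 3] & 0x40:
            autonomous = True  # at least one prefix allows SLAAC
        off += opt_len
    addresses = (["slaac"] if autonomous else []) + (["dhcpv6"] if managed else [])
    return {
        "mode": MODES.get((managed, other, autonomous), "other"),
        "addresses": addresses,            # address types a client may configure
        "dhcpv6_info": managed or other,   # DNS etc. is available over DHCPv6
    }

if __name__ == "__main__":
    for flags in MODES:
        print(flags, parse_ra(build_ra(*flags)))
```

The input is the ICMPv6 message body as captured on the LAN; the checksum is not validated here.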