Netgate Discussion Forum

    DHCPv6 server (ULA & global)

    • fab1330

      Hello,

      I would like to use the DHCPv6 server to provide hosts with a unique local IPv6 address AND a global unicast IPv6 address.

      Is it possible that DHCPv6 provides two addresses to a host?

      Thanks

      • HG

        I have the same problem. I have successfully set up DHCPv6 in my home network in several VLANs using the delegated prefix from my ISP ("track interface") which is working fine.

        However, apart from the GUA (Global Unicast Address), I also need to assign an ULA (Unique Local Address) to each client (via DHCPv6) for several reasons, e.g. to ensure LAN connectivity when my ISP connection doesn't work for some reason and the global prefix is lost and to have stable addresses (the prefix of my ISP changes on reconnect) within my LANs which is e.g. needed to configure local servers to listen on specific interfaces which is sometimes only possible by specifying the IP address. RFC 7368 recommends this approach, too; there you find even more reasons to do this.

        I already played with virtual IPs etc., but I found no way to configure ULAs (additionally to PD/"track interface") in the DHCPv6 server so far. :( I hope someone can help here (@fab1330, have you succeeded in the end?) or tell if it's at least on the roadmap in case it's not possible at all yet, because without ULAs, it's not possible to replace IPv4 completely. (I currently use IPv4 as some kind of ULA replacement.) I already did this with other routers (i.e. their integrated DHCPv6 server), however they are lacking many of the great features of pfSense, that's why I switched to a SG-4860.

        Thanks.

        • MikeV7896

          Any reason you don't just use the link-local addresses for your unique local address? That's already a unique address being assigned to every device, and the prefix won't route.

          I've created some host overrides in Unbound that point a hostname to a link-local address and they work great.

          The S in IOT stands for Security

          • HG

            Hey virgiliomi, thanks for your suggestion. Well, the main reason is that I have several LANs and VLANs with routing and firewalls in between where link-local addresses won't work.

            Additionally, link-local addresses are hard to manage and they also are not very application-friendly e.g. with the zone index stuff, e.g. Firefox and other browsers don't support them. (E.g. in Edge, https://[fe80::1:1]/ shows the pfSense login screen, although there is no zone index. The correct format with zone index https://[fe80::1:1%257]/ works partially, too, but CSS is completely broken. In Firefox, neither of them works.) In my opinion, they are mainly good for network management, but not for running application protocols on them.

            Therefore, I need and also want to stick to ULAs which are explicitly defined for having stable addresses within one's "organization" and therefore also recommended by RFC 7368 for home networks.

            • twitched

              I use ULA Virtual IPs and SLAAC instead of DHCPv6 to configure ULAs in addition to the global prefix from my ISP.  radvd will advertise your ULA prefix if you add it as a "subnet" in the Router Advertisement configuration.  The EUI-64 addresses created by your hosts won't change.

              • HG

                Thank you twitched, that was very helpful! I configured a ULA subnet in the Router Advertisements tab which works great so far. How do you handle DNS? Do you just add the SLAAC addresses to the Host Overrides of the DNS Resolver? (So far, I usually let the DHCP server handle DNS, e.g. using the static mappings.) Do you have some experience if the SLAAC addresses are stable enough on common operating systems (Windows, Linux, FreeBSD)? FreeBSD seems to use the EUI-64 representation of the MAC which should be quite stable, but on Windows it seems very random.

                • twitched

                  I just manually enter them into the DNS as host overrides.  They shouldn't change unless you do a complete wipe and reinstall of the operating system.  According to https://tools.ietf.org/html/rfc7721#section-4.3, Windows is doing this, and according to https://discussions.apple.com/thread/7684138?start=0&tstart=0, Apple is doing the same for Macs.  According to https://unix.stackexchange.com/questions/331129/stable-ipv6-address-on-fedora, at least Fedora is doing the same.

                  On Windows (ipconfig) the stable address is labeled as just "IPv6 Address."  My stable ULA address below is the one that starts with "fbfb."

                  
                     IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxx5::444d
                     IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxx5:0:9029:7167:xxxx:72ed
                     IPv6 Address. . . . . . . . . . . : fdfb:xxxx:xxx0:0:9029:7167:xxxx:72ed
                     Temporary IPv6 Address. . . . . . : 2001:xxxx:xxx5:0:71a4:1d81:24d6:43fc
                     Temporary IPv6 Address. . . . . . : fdfb:xxxx:xxx0:0:71a4:1d81:24d6:43fc
                     Link-local IPv6 Address . . . . . : fe80::9029:xxxx:xxxx:xxed%11
                  
                  

                  On Mac (ifconfig) the stable ULA address starts with "fbfb" and is labeled "secured":

                  
                  	inet6 fe80::1c1f:xxxx:xxxx:xxc7%en0 prefixlen 64 secured scopeid 0x6 
                  	inet6 2001:xxxx:xxx5::1855:3d4c:xxxx:2c7c prefixlen 64 autoconf secured 
                  	inet6 2001:xxxx:xxx5::1c0e:eeca:b765:a715 prefixlen 64 autoconf temporary 
                  	inet6 fdfb:xxxx:xxx0::75:4bf4:xxxx:aabe prefixlen 64 autoconf secured 
                  	inet6 fdfb:xxxx:xxx0::3d1e:9aa8:2672:8d3 prefixlen 64 autoconf temporary 
                  	inet6 2001:xxxx:xxx5::4666 prefixlen 64 dynamic 
                  
                  
                  • pfadmin

                    Hi,
                    Your addresses start with fdfb, not fbfb. But why don't you use FC01::?

                    3.1.  Format

                    The Local IPv6 addresses are created using a pseudo-randomly
                    allocated global ID.  They have the following format:

                    | 7 bits |1|  40 bits   |  16 bits  |          64 bits           |
                    +--------+-+------------+-----------+----------------------------+
                    | Prefix |L| Global ID  | Subnet ID |        Interface ID        |
                    +--------+-+------------+-----------+----------------------------+

                    Where:

                    Prefix            FC00::/7 prefix to identify Local IPv6 unicast
                                      addresses.

                    L                 Set to 1 if the prefix is locally assigned.
                                      Set to 0 may be defined in the future.  See
                                      Section 3.2 for additional information.

                    Global ID         40-bit global identifier used to create a
                                      globally unique prefix.  See Section 3.2 for
                                      additional information.

                    Subnet ID         16-bit Subnet ID is an identifier of a subnet
                                      within the site.

                    Interface ID      64-bit Interface ID as defined in [ADDARCH].

                    pfadmin

                    • kpa

                      From wikipedia:

                      The address block fc00::/7 is divided into two /8 groups:

                      The block fc00::/8 has not been defined yet. It has been proposed to be managed by an allocation authority, but this has not gained acceptance in the IETF.[1][2][3] This block is also used by the cjdns mesh network.
                      The block fd00::/8 is defined for /48 prefixes, formed by setting the 40 least-significant bits of the prefix to a randomly generated bit string. This results in the format fdxx:xxxx:xxxx:: for a prefix in this range. RFC 4193 offers a suggestion for generating the random identifier to obtain a minimum-quality result if the user does not have access to a good source of random numbers.

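The RFC 4193 field layout and the fc00::/8 versus fd00::/8 split quoted in the two posts above, as an added example (not code from any poster or from pfSense): it decodes the L bit, Global ID and Subnet ID of an address and generates a random /48 prefix. The function names and sample addresses are constructed for illustration, and the OS CSPRNG stands in for the RFC's sample generation algorithm.

```python
import ipaddress
import secrets

ULA_BLOCK = ipaddress.ip_network("fc00::/7")  # RFC 4193 Local IPv6 unicast block


def generate_ula_prefix() -> ipaddress.IPv6Network:
    """Return a random fdxx:xxxx:xxxx::/48 (L=1 plus a 40-bit Global ID)."""
    # Assumption: the OS CSPRNG replaces the sample algorithm in RFC 4193
    # section 3.2.2; the RFC only requires a pseudo-random Global ID.
    global_id = secrets.randbits(40)
    high48 = (0xFD << 40) | global_id
    return ipaddress.IPv6Network((high48 << 80, 48))


def describe(addr: str) -> dict:
    """Split an address into the RFC 4193 fields quoted in the thread."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop any zone index
    value = int(ip)
    if ip not in ULA_BLOCK:
        return {"kind": "link-local" if ip.is_link_local else "not-ula"}
    iid = value & ((1 << 64) - 1)
    return {
        "kind": "ula",
        "l_bit": (value >> 120) & 1,  # 1 = fd00::/8, 0 = fc00::/8
        "global_id": f"{(value >> 80) & ((1 << 40) - 1):010x}",
        "subnet_id": f"{(value >> 64) & 0xFFFF:04x}",
        # EUI-64 interface IDs carry ff:fe in the middle of the 64-bit IID
        "eui64_iid": (iid >> 24) & 0xFFFF == 0xFFFE,
    }


# Constructed sample addresses (not taken from the thread's redacted output)
SAMPLES = [
    "fd12:3456:789a:1:211:22ff:fe33:4455",  # ULA, EUI-64 interface ID
    "fd12:3456:789a:1:9029:7167:1234:72ed",  # ULA, randomized stable IID
    "fc01::1",                               # fc00::/8 half, L bit is 0
    "fe80::1:1%7",                           # link-local with zone index
]

if __name__ == "__main__":
    print("new prefix:", generate_ula_prefix())
    for sample in SAMPLES:
        print(sample, describe(sample))
```

Host overrides pointing at ULA addresses stay valid only while the interface ID is stable, so the `eui64_iid` flag only tells you which hosts derive it from the MAC address; a non-EUI-64 ID can be either a stable or a temporary address.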
                      • pfadmin

                        Okay, fc are 8 bits and with /7 the fb fits the "L=1". It was all there but my fault to see fc00 as 8 bit…lots of numbers in IPv6

                        thank you

                        pfadmin

                        • dem

                          Perhaps the easiest way of getting your own ULA is http://unique-local-ipv6.com.

                          I want to thank HG for making me aware of RFC 7368 and twitched for pointing out a simple way to implement it in pfSense.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.