DHCPv6 server (ULA & global)
I would like to use the DHCPv6 server to provide hosts with a unique local IPv6 address AND a global unicast IPv6 address.
Is it possible that DHCPv6 provides two addresses to a host?
I have the same problem. I have successfully set up DHCPv6 in my home network in several VLANs using the delegated prefix from my ISP ("track interface") which is working fine.
However, apart from the GUA (Global Unicast Address), I also need to assign a ULA (Unique Local Address) to each client (via DHCPv6) for several reasons: e.g. to ensure LAN connectivity when my ISP connection doesn't work for some reason and the global prefix is lost, and to have stable addresses within my LANs (the prefix from my ISP changes on reconnect), which is needed e.g. to configure local servers to listen on specific interfaces, which is sometimes only possible by specifying the IP address. RFC 7368 recommends this approach, too; there you will find even more reasons to do this.
I already played with virtual IPs etc., but I found no way to configure ULAs (in addition to PD/"track interface") in the DHCPv6 server so far. :( I hope someone can help here (@fab1330, have you succeeded in the end?) or tell me if it's at least on the roadmap in case it's not possible at all yet, because without ULAs it's not possible to replace IPv4 completely. (I currently use IPv4 as some kind of ULA replacement.) I already did this with other routers (i.e. their integrated DHCPv6 server), however they are lacking many of the great features of pfSense, that's why I switched to an SG-4860.
virgiliomi
Any reason you don't just use the link-local addresses for your unique local address? That's already a unique address being assigned to every device, and the prefix won't route.
I've created some host overrides in Unbound that point a hostname to a link-local address and they work great.
Hey virgiliomi, thanks for your suggestion. Well, the main reason is that I have several LANs and VLANs with routing and firewalls in between where link-local addresses won't work.
Additionally, link-local addresses are hard to manage and they also are not very application-friendly, e.g. with the zone index stuff; Firefox and other browsers don't support them. (E.g. in Edge, https://[fe80::1:1]/ shows the pfSense login screen, although there is no zone index. The correct format with zone index, https://[fe80::1:1%257]/, works partially too, but CSS is completely broken. In Firefox, neither of them works.) In my opinion, they are mainly good for network management, but not for running application protocols on them.
Therefore, I need and also want to stick to ULAs which are explicitly defined for having stable addresses within one's "organization" and therefore also recommended by RFC 7368 for home networks.
I use ULA Virtual IPs and SLAAC instead of DHCPv6 to configure ULAs in addition to the global prefix from my ISP. radvd will advertise your ULA prefix if you add it as a "subnet" in the Router Advertisement configuration. The EUI-64 addresses created by your hosts won't change.
Thank you twitched, that was very helpful! I configured a ULA subnet in the Router Advertisements tab which works great so far. How do you handle DNS? Do you just add the SLAAC addresses to the Host Overrides of the DNS Resolver? (So far, I usually let the DHCP server handle DNS, e.g. using the static mappings.) Do you have some experience if the SLAAC addresses are stable enough on common operating systems (Windows, Linux, FreeBSD)? FreeBSD seems to use the EUI-64 representation of the MAC which should be quite stable, but on Windows it seems very random.
I just manually enter them into the DNS as host overrides. They shouldn't change unless you do a complete wipe and reinstall of the operating system. According to https://tools.ietf.org/html/rfc7721#section-4.3, Windows is doing this, and according to https://discussions.apple.com/thread/7684138?start=0&tstart=0, Apple is doing the same for Macs. According to https://unix.stackexchange.com/questions/331129/stable-ipv6-address-on-fedora, at least Fedora is doing the same.
On Windows (ipconfig) the stable address is labeled as just "IPv6 Address." My stable ULA address below is the one that starts with "fbfb."
    IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxx5::444d
    IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxx5:0:9029:7167:xxxx:72ed
    IPv6 Address. . . . . . . . . . . : fdfb:xxxx:xxx0:0:9029:7167:xxxx:72ed
    Temporary IPv6 Address. . . . . . : 2001:xxxx:xxx5:0:71a4:1d81:24d6:43fc
    Temporary IPv6 Address. . . . . . : fdfb:xxxx:xxx0:0:71a4:1d81:24d6:43fc
    Link-local IPv6 Address . . . . . : fe80::9029:xxxx:xxxx:xxed%11
On Mac (ifconfig) the stable ULA address starts with "fbfb" and is labeled "secured":
    inet6 fe80::1c1f:xxxx:xxxx:xxc7%en0 prefixlen 64 secured scopeid 0x6
    inet6 2001:xxxx:xxx5::1855:3d4c:xxxx:2c7c prefixlen 64 autoconf secured
    inet6 2001:xxxx:xxx5::1c0e:eeca:b765:a715 prefixlen 64 autoconf temporary
    inet6 fdfb:xxxx:xxx0::75:4bf4:xxxx:aabe prefixlen 64 autoconf secured
    inet6 fdfb:xxxx:xxx0::3d1e:9aa8:2672:8d3 prefixlen 64 autoconf temporary
    inet6 2001:xxxx:xxx5::4666 prefixlen 64 dynamic
Your addresses start with fdfb, not fbfb. But why don't you use FC01::?

The Local IPv6 addresses are created using a pseudo-randomly allocated global ID. They have the following format:

    | 7 bits |1|  40 bits  |  16 bits  |       64 bits        |
    | Prefix |L| Global ID | Subnet ID |     Interface ID     |

    Prefix        FC00::/7 prefix to identify Local IPv6 unicast
    L             Set to 1 if the prefix is locally assigned.
                  Set to 0 may be defined in the future. See
                  Section 3.2 for additional information.
    Global ID     40-bit global identifier used to create a
                  globally unique prefix. See Section 3.2 for
                  additional information.
    Subnet ID     16-bit Subnet ID is an identifier of a subnet
                  within the site.
    Interface ID  64-bit Interface ID as defined in [ADDARCH].
The address block fc00::/7 is divided into two /8 groups:
The block fc00::/8 has not been defined yet. It has been proposed to be managed by an allocation authority, but this has not gained acceptance in the IETF. This block is also used by the cjdns mesh network.
The block fd00::/8 is defined for /48 prefixes, formed by setting the 40 least-significant bits of the prefix to a randomly generated bit string. This results in the format fdxx:xxxx:xxxx:: for a prefix in this range. RFC 4193 offers a suggestion for generating the random identifier to obtain a minimum-quality result if the user does not have access to a good source of random numbers.
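As an added example (not code from this thread or from pfSense), the following Python script carries out the RFC 4193 section 3.2.2 algorithm that the quoted text refers to: a SHA-1 digest over a 64-bit NTP timestamp and the router's EUI-64, of which the low 40 bits become the Global ID behind the fd prefix (fc00::/7 with L=1). It also carves per-VLAN /64s out of the resulting /48 and sorts sample addresses into the blocks discussed above (link-local, fd00::/8, the undefined fc00::/8, and 2000::/3 global unicast). The MAC address and the sample addresses are constructed for the example; the timestamp defaults to the current time, exactly as the RFC intends, so the prefix differs on every run unless you pin it.

```python
import hashlib
import ipaddress
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build a modified EUI-64 from a 48-bit MAC (RFC 4291, Appendix A):
    insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32 bits of seconds since 1900, 32 bits of fraction."""
    ntp = int((unix_time + NTP_EPOCH_OFFSET) * (1 << 32)) & 0xFFFFFFFFFFFFFFFF
    return struct.pack(">Q", ntp)


def rfc4193_global_id(eui64: bytes, unix_time: float) -> int:
    """RFC 4193 section 3.2.2: SHA-1 over (NTP time || EUI-64), keep the
    least significant 40 bits of the 160-bit digest."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def rfc4193_prefix(mac: str, unix_time=None) -> ipaddress.IPv6Network:
    """fc00::/7 with L=1 (first octet 0xfd) followed by the 40-bit Global ID
    gives the site's /48."""
    if unix_time is None:
        unix_time = time.time()
    gid = rfc4193_global_id(mac_to_modified_eui64(mac), unix_time)
    prefix_int = ((0xFD << 40) | gid) << 80   # 8 + 40 bits, then 80 zero bits
    return ipaddress.IPv6Network((prefix_int, 48))


def ula_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve a /64 out of the /48 by filling in the 16-bit Subnet ID (one per VLAN)."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def classify(addr: str) -> str:
    """Name the block an address falls in. A zone index such as %11 (Windows)
    or %en0 (macOS) is stripped first."""
    a = ipaddress.IPv6Address(addr.split("%", 1)[0])
    first = a.packed[0]
    if a.is_link_local:
        return "link-local (fe80::/10)"
    if (first & 0xFE) == 0xFC:           # inside fc00::/7; low bit is L
        return "ULA, fd00::/8 (L=1)" if first & 0x01 else "fc00::/8 (L=0, undefined)"
    if (first & 0xE0) == 0x20:           # 2000::/3
        return "global unicast"
    return "other"


if __name__ == "__main__":
    # Constructed MAC address for the example; use the router's real one in practice.
    site = rfc4193_prefix("00:11:22:33:44:55")
    print("site prefix:", site)
    for vlan in (1, 5, 10):
        print(f"  VLAN {vlan:>2}:", ula_subnet(site, vlan))
    for sample in ("fe80::9029:1:2:3%11", "fdfb:1:2::1", "fc00::1", "2001:db8::1"):
        print(f"{sample:24} -> {classify(sample)}")
```

Generate the /48 once and record it; the point of the timestamp input is that two sites running the same algorithm get different Global IDs, not that you regenerate it later. The /64 you hand to the Router Advertisement "subnet" setting for a VLAN is then `ula_subnet(site, <VLAN number>)`, which is the same idea as filling in the Subnet ID column of the table above.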
Okay, fc is 8 bits and with /7 the fd fits "L=1". It was all there, but my fault to see fc00 as 8 bits… lots of numbers in IPv6.
dem
Perhaps the easiest way of getting your own ULA is http://unique-local-ipv6.com.
I want to thank HG for making me aware of RFC 7368 and twitched for pointing out a simple way to implement it in pfSense.