2.2.1: No IPv6 assigned to LAN anymore
-
My setup?
Why?
-
Unless I'm confused, your setup will break eventually.
Conclusion is the "Track Interface" is promoted to the default LAN config. Plus automated issuance of LAN IP using SLAAC.
The don't-bother, out-of-the-box solution for beginners. ;)
All other LAN config goes by using WAN "Advanced". Fine with me.
-
Couldn't agree more.
My IPv6 setup has worked like this for 3 years, the last 2 years on pfSense…
Autoconfig of LAN seems a bad idea for me and both my networks, home and work...
-
…
Autoconfig of LAN seems a bad idea for me and both my networks, home and work...
IF or WHEN my native (quasi-)static number of IPv6 prefix, by DHCP(PD), is changed (by ISP) I want to have my LAN dropped! Security. No secret unnoticed changes from the far side allowed. :)
-
IMHO it's a bastardized solution and getting a tunnel would be better for what you guys are doing, but it's cool. Sounds like you are well aware it is not ideal.
-
IMHO it's a bastardized solution…
Yes, Track Interface is wizard-like, the easy way out. But, if one does IPv6, they should know the manual workings, in analogy with (experience of) multiple IPv4-no-NAT. So for me the full (overly) automation with Track Interface is a security flaw or allowing meddling with your site by ISP.
-
The things you talked about are not the problem for the average user as I see it.
Yes, it's good to understand the inner workings and all, but the problem as I see it is that you are assigning static IPs on the LAN from a /48 or /56 or /64 or whatever that is assigned dynamically by DHCP and could break in a day or a year. Who knows?
That's the part I'd never do, but if it's working for you and you don't mind the possible breakage, then that's cool.
For me, it's a show stopper if my internet breaks because my pfSense is far far away.
-
The things you talked about are not the problem for the average user as I see it.
…There is no such thing as an average user 8)
But. ISP WAN/LAN prefix changes AND the LAN SLAAC on boxes are without question a privacy security risk issue. pfSense should promote security. This comes with understanding what one is doing. Otherwise one may just get a consumer-router-FW. (duh) :)
-
I agree - That's why I'd advise you to get a reliable /48 from HE. It's actually static.
-
…get a reliable /48 from HE....
Dependent on IPv4, that's funny.
I want local paid accountability, not SIXXS or not HE, and parallel functionality level like multiple-IPv4.
-
Well, I think we got down to the bottom of the original issue. You guys choose not to use track interfaces but assign static IP instead. You don't have to do that, but you choose to do that and it is ok if that works for you. Since you don't use functionality the way it was meant to be used, don't complain when fixes to that functionality break your setup.
-
I also would prefer a static native IPV6 on the WAN when available.
-
Guys I have a static native /56 from provider for lan…
It won't change, I don't know where you got the idea it will change :) It's more reliable than track iface IMHO...
-
Ok I thought I'd chime in here too just to add that I too ran into this same problem that others have had.
I'm with a Canadian ISP called Teksavvy and they assign you a /64 for the WAN side of the PPPoE connection and a /56 for your LAN side. I'm assuming that you have to use DHCPv6+PD in order to get the assignments but at least for the LAN side it's always the same static /56 assignment. It's as close to Hurricane Electric's /48 assignment in terms of it practically being a static. My LAN was configured with a static IPv6 address (no tracking) from that /56 (picked the first /64) and it's been working perfectly fine since December 2014 when I migrated from HE's tunnel. I even followed this youtube video for how to set things up: https://youtu.be/zdSI7Ez0Xhs?list=PL4T5Ac0HrL3PeGPoixe8RpHEeZuhf_hDD
The upgrade to 2.2.1 definitely broke it for me and I'm not 100% sure that the way I and others were doing it was completely wrong. There are many ISPs out there that will assign you a static LAN /48 or /56 but it is only made routable to you when you request the prefix delegation from a DHCPv6 setup. Personally I had my LAN interface set up with ::1 as it made it easy to point my browser to it to get into the pfSense GUI and I used it as the default gateway for some manually hard coded machines on my LAN. The track option makes sense IMHO in situations like a residential setup where you just want IPv6 to work on the LAN and you don't care one way or the other what the assignments are to the hosts and the LAN interface. If your ISP recycles your LAN assignment then you don't care so long as IPv6 still works. That's fine for that scenario but on an enterprise network that would never fly.
I've been playing with IPv6 for a number of years now and I actually deployed it network wide when I worked for an ISP a few years ago. We didn't do DHCPv6 assignments as we manually assigned them to our beta customers. But from a Cisco IPv6 course that I took, I'm almost positive that one could have configured a LAN facing interface on a router to be automagically assigned via PD as well as having a hard coded IPv6 address on it. Obviously that would only work if you knew the delegation but still.
So, right now I've got things working again by doing the Advanced configuration but I've only added this "ia-pd 0" and ticked off prefix-delegation. Should I do the rest of the stuff based on azzido's image? Alternatively, should I just switch over to Tracked and use the link-local address of the LAN interface for accessing pfsense? Would this second option break my SLAAC and DHCPv6 assignments I'm doing towards the LAN?
LoboTiger
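The addressing scheme described in the post above (a delegated /56, the first /64 on the LAN, `::1` on the firewall), as an added example that is not part of the original post: a Python check of which statically configured addresses the currently delegated prefix still covers. The prefixes and host addresses are constructed from the 2001:db8::/32 documentation range, and the function names are hypothetical.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")  # unique local addresses, not ISP-derived

def lan_subnet(delegated, index=0):
    """Return the index-th /64 inside a delegated prefix (0 = first /64)."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegation is longer than /64, no /64 to carve out")
    if not 0 <= index < (1 << (64 - net.prefixlen)):
        raise ValueError("subnet index outside the delegation")
    return ipaddress.IPv6Network((int(net.network_address) + (index << 64), 64))

def audit_static(delegated, static_addrs):
    """Sort static addresses by whether the current delegation still covers them."""
    net = ipaddress.IPv6Network(delegated)
    report = {"routed": [], "orphaned": [], "prefix_independent": []}
    for text in static_addrs:
        addr = ipaddress.IPv6Address(text)
        if addr.is_link_local or addr in ULA:
            # Link-local and ULA addresses do not depend on the ISP prefix.
            report["prefix_independent"].append(str(addr))
        elif addr in net:
            report["routed"].append(str(addr))
        else:
            # Global address outside the delegation: no longer routed to this site.
            report["orphaned"].append(str(addr))
    return report

# Constructed sample data (documentation range), not values from the thread.
OLD_PD = "2001:db8:1234:5600::/56"
NEW_PD = "2001:db8:9999:aa00::/56"   # a different delegation after an ISP change
STATIC = [
    "2001:db8:1234:5600::1",      # firewall LAN address, ::1 in the first /64
    "2001:db8:1234:5600::53",     # internal DNS server
    "fe80::1:1",                  # link-local address of the LAN interface
]

if __name__ == "__main__":
    print("LAN /64:", lan_subnet(OLD_PD))
    for pd in (OLD_PD, NEW_PD):
        print(pd, audit_static(pd, STATIC))
```

Run against the prefix the DHCPv6 client actually received, a non-empty `orphaned` list flags a delegation change that would otherwise only show up as broken LAN connectivity.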
-
…
So, right now I've got things working again by doing the Advanced configuration but I've only added this "ia-pd 0" and ticked off prefix-delegation. Should I do the rest of the stuff based on azzido's image? Alternatively, should I just switch over to Tracked and use the link-local address of the LAN interface for accessing pfsense? Would this second option break my SLAAC and DHCPv6 assignments I'm doing towards the LAN?
You're doing fine, is it not? :)
In case of doubt, write up your functional specification for your premises and just build that configuration. 8)
-
@hda:
…
So, right now I've got things working again by doing the Advanced configuration but I've only added this "ia-pd 0" and ticked off prefix-delegation. Should I do the rest of the stuff based on azzido's image? Alternatively, should I just switch over to Tracked and use the link-local address of the LAN interface for accessing pfsense? Would this second option break my SLAAC and DHCPv6 assignments I'm doing towards the LAN?
You're doing fine, is it not? :)
In case of doubt, write up your functional specification for your premises and just build that configuration. 8)
Yeah but if I'm going to go to the trouble of using the advanced configuration I figured I should populate as best as possible. :)
LoboTiger
-
lobotiger, see notes on the image I posted if you want config file configured via advanced settings to look exactly like before.
ia-pd you already configured because you obviously need that. If you did not have 'Request only an IPv6 prefix' flag checked before then add 'ia-na 0' + check 'Non-Temporary Address Allocation' flag. domain-name-servers and domain-name request options are always included when using basic settings.
As far as switching to track interface, unfortunately there is currently a limitation that prevents you from using DHCPv6 server on interfaces configured as DHCP6 or Track. See this RM ticket: https://redmine.pfsense.org/issues/3029
-
As far as switching to track interface, unfortunately there is currently a limitation that prevents you from using DHCPv6 server on interfaces configured as DHCP6 or Track. See this RM ticket: https://redmine.pfsense.org/issues/3029
Actually, track interface will automatically enable DHCP6 servers on these interfaces; the problem is that the GUI exposes no way of configuring them.
-
So I just upgraded to 2.2.1 and lost my IPv6 connectivity to the LAN as well. I'm in the same boat as many people here (with Canadian ISP Teksavvy) who hands out a /64 for the WAN and a /56 for the LAN. I was able to enable "track interface" and the internet seems to work, but now almost everything on the LAN is broken because of it. I'm probably just not figuring out how this works, but hopefully somebody here knows…
- How do I get a static IPv6 address back to the router so I can add it to a local DNS server and not have to remember the IP?
- How can I manually define internal DNS servers via IPv6 now? I need my systems to use domain controllers as DNS servers or else a lot of things will obviously break.
- For my servers with IPv6 addresses, can I continue to manually assign static IPv6 addresses to them? What gateway do I use now if the router no longer has a static address?
- How can I access servers by hostname/fqdn now? The track interface option got the internet back up, but all my static IP addresses that were assigned to my servers stopped working so I can't find them on the LAN anymore (via IPv6). What addresses should I assign?
It's certainly possible that a lot of this stuff is way over my head, but I really don't understand how using "Track interface" will function reliably in a managed environment. Doesn't this leave the network in an incredibly vulnerable situation where if the ISP changes something one day then all my servers, client devices and DNS settings will instantly break? It seems to me that if the ISP screws something up or gives you a different IP delegation one day then it's not too big of a deal if it causes your internet connection to stop working. If it simultaneously takes your whole LAN down though, that's a rather serious issue. There must be something I'm missing?
-
So in the end, with "Track Interface" selected on the LAN side, my connection was very flaky over IPv6. For some reason, clients were taking a very long time to get their IPv6 addresses (up to 5 minutes). Then some clients started randomly losing their IPv6 internet access again. With this piled on top of all the ways this breaks the LAN configuration and internal DNS resolution settings already in place, I decided that configuring it this way is probably going to be unreliable and more trouble than it's worth, at least with Teksavvy IPv6 addresses handed out via prefix delegation.
In the end, I configured Interfaces | WANv6 | DHCP6 client configuration like this and put everything else back how it was before and it works fine again:
Thanks to azzido in post #25 from this thread for the solution.