2.2.1 - Manually specify internal IPv6 DNS Servers using track interface on LAN

  • Appologies for the newb question but I just can't figure this out.

    I've recently started using pfSense and have 2.2.1 installed as a VM on ESXi.  My ISP runs a dual stack network and I am provided with a dynamic /64 for the WAN interface and a static /56 for the LAN via prefix delegation.

    I have managed to set everything up and had the LAN interface obtaining its IP address via Track Interface.  All of the LAN clients were automatically obtaining IPv6 addresses with the correct prefix.

    However, the only DNS server that is then provided to clients is the pfSense box.  I have a couple of internal DNS servers that I would like to use instead as I have some internal zones in use.  I can't find a way to achieve this.

    The only way I can do this is by specifying a static IPv6 address for the LAN interface which then lets me edit the DNS Settings in Services - DHCPv6/RA - Router Advertisements.  This option obviously doesn't take advantage of the automatic PD from the ISP.

    Editing Router Advertisement settings is not available when using Track Interface as it tells me I need to have a static IP.

    Is there a way I can simultaneously use Track Interface and manually specify internal IPv6 DNS servers that are automatically supplied to LAN clients via RA?

  • I have found that the best way to work around this is to disable the DNS forwarder or resolver service on pfSense, this makes pfSense stop handing out its own IP as a DNS server via DHCPv6, and then rely on IPv4 for DNS resolution.

    Another method is to create a domain override for the internal DNS zone and point it to the internal DNS server.

  • Thanks for the suggestion.  I think I have figured out a way to achieve what I wanted to do but not sure if what I have done is supposed to work/officially supported.

    I configured my LAN interface with a Static IPv6 IP and then went and edited the DNS settings under DHCPV6/RA - Router Advertisements.

    I then set the LAN interface back to track interface and everything seems to be working correctly even across reboots.  Clients are now getting the manually specified IPv6 DNS servers rather than the pfSense IPv6 adresses.

  • I think your method is better because that's how pfSense should be doing it in the first place. Hopefully the devs will correct this issue in the next release.

  • What you expirience is a fix: https://redmine.pfsense.org/issues/4436

  • The thing is, since 2.2.1 IPv6 got very narrow in terms of configurability and broke certain business cases.

    In my case. my ISP sends the prefix via DHCP-PD. It is static, but it is easier for them to manage this way. So to be able to get the PD, thanks to the "fix" I require a tracking interface. Fine, LAN is tracking WAN. Now I want to configure my second IPv6 ULA Space on the RD or I want to set DNS and NTP in DHCPv6, but this throws the error: "The DHCPv6 Server can only be enabled on interfaces configured with a static IPv6 address. This system has none.". So the idea of the "fix" broke legit config cases. great.

  • @Phoenix:

    In my case. my ISP sends the prefix via DHCP-PD. It is static, but it is easier for them to manage this way. So to be able to get the PD …

    ? Have you tried this WAN IPv6 config:

    [Interfaces: WAN] DHCP6 > client configuration > Advanced:
    Interface Statement > Send Options = ia-pd 0
    Identity Association Statement > Prefix Delegation = checked

    Then you could issue your own subnets by Static or DHCP6-Server.

  • Thanks hda

    Haven't tried, but I belive that works.

    Anyway, it is a bad ui design. Because what I do is telling the software raw config things that I can't do with simple ui elements, because the programmer thought it would not be usefull. Therefore I need to know, how to speak the config leanguage of a specific deamon. Which is fine, until this very deamon no longer accepts this option for some reason. pfSense is successfull, because you have to understand the thenology and not the raw config language of several daemons. pfsense stores what I want in XML and talks to the daemons their native language. This way it is very robust when it comes to changes in the way config files have to be written - usually something where BSD Systems fail big time.

    I am looking forward, that someone thinks the UI for configuring and(!) diagnostics of the aspects of ipv6 in depth through. It will probably happen the more folks use ipv6….

  • @Phoenix:

    What you expirience is a fix: https://redmine.pfsense.org/issues/4436

    Thanks for this.  I recently learned about it and I think that is definitely causing some of my issues.

    My IPv6 connection as I said above is a Static /56 and my WAN is given a dynamic /64 (entirely separate address) by the ISP.  The /64 is routed to the /56 by my ISP and unless I request a Prefix, that routing is not setup.  So I'm in between a rock and a hard place.

    If I try to use static IPv6 on the LAN I can properly edit the Router Adverstisements for DNS and Domain Names but my IPv6 will fail since the above fix prevents Prefix Delegation requests and the routing of the /56 to the /64 isn't setup.

    If I use Track Interface then I can't edit the RA details anymore although I seem to be able to trick pfSense as per my earlier post.

    I'll try the advanced settings and see if I can get it to work.

  • @gsiemon:

    If I use Track Interface then I can't edit the RA details anymore although I seem to be able to trick pfSense as per my earlier post.

    Yep… and there's a long-standing feature request asking for the ability to modify DHCP6 Server and RA settings when Track Interface is being used...


Log in to reply