A list of puns related to "DHCPv6"
Hi! I'm trying to get IPv6 from my ISP but the client packets are unable to be routed.
Some info:
Hello, we are trying to provide IPv6 connection to our customers using DHCPv6 PD but it looks like we are facing the same issue (missing routes to delegated prefixes) that has been discussed on the Internet forums by other ISPs for years but with no solutions at all.
What we would appreciate is some automatic facility to insert routes to delegated prefixes into the routing tables, exactly what others ask for, but the forum threads usually end at "not supported by underlying ISC-DHCP-SERVER". That counts at least for UBNT, OPNsense and Debian. I checked the WIDE DHCP stack; it looks like it has better support for Prefix Delegation, but it also looks like route insertion is not supported again.
This must be a huge setback for IPv6 adoption, as there's no framework to just plug in a home router and get a simply working IPv6 connection. Except maybe turning on NAT66, which I guess wasn't meant to be used widely.
So how are routes to delegated prefixes supposed to be created? Static routes created by hand (like in the Cisco example lower) is something we really don't wanna do, as it requires reconfiguration by hand every time preference x gets delegated.
Dynamic routing on CPE? That doesn't feel feasible. RAs do not provide this mechanism, as that would make it a routing protocol.
Relay reply doesn't install the routes either. At least on Debian and OPNsense, and it looks like neither on EdgeRouter, see below.
What are we missing? What is the correct course we should take?
https://forum.opnsense.org/index.php?topic=7719.0
https://community.ui.com/questions/EdgeRouter-as-DHCPv6-PD-server/dfed3fe9-92ef-4994-9e24-4382a58f1bd7
https://tools.ietf.org/id/draft-ietf-dhc-dhcpv6-pd-relay-requirements-04.html
https://networklessons.com/cisco/ccie-routing-switching-written/ipv6-dhcpv6-prefix-delegation
What behavior should I expect for active/active dual WAN with regard to DHCPv6 prefix delegation? Will my LAN use both delegations?
Anyone able to point me in the right direction to get DHCPv6-PD working with AT&T? I've enabled IP passthrough on the BGW320-500 and see a single /64 of the /60 on my FWG but it doesn't get used on downstream LAN networks.
Hi, OPNsense noob here asking for your help!
I've recently switched to OPNsense from pfSense, and everything went smoothly except for one issue.
My provider delegates me a public /56 IPv6 net, which I get via interface WAN and PPPoE on my OPNsense router. I have one interface for WAN/PPPoE and one interface for LAN (VLAN1) and some more VLANs. The VLAN interfaces (including WAN) get the right IPv6 addresses from the tracked WAN interface. (https://img.lauka.app/LVNwzMvF.png and https://img.lauka.app/voaGc1tw.png)
I'd like to use DHCPv6 for my LAN devices, as I did with my pfSense. DHCPv6 on LAN is enabled (https://img.lauka.app/lidq4f8j.png and https://img.lauka.app/68OR0tbL.png), and RA is configured for managed mode (https://img.lauka.app/f9yL7nus.png).
However, devices in LAN don't get IPv6 addresses. If I change the RA to anything that allows SLAAC, my devices correctly generate their public SLAAC addresses, but even with assisted or stateless they don't get a DHCPv6. Via tcpdump I can see DHCPv6 solicit packets reaching the LAN interface of OPNsense, but no answers.
I have a guest VLAN with identical configuration regarding RA and DHCPv6, and there everything works as intended. Devices get their DHCPv6 address and everything works there.
Am I missing something? Do you guys have any idea where I can troubleshoot any further? Any help would be greatly appreciated!
So I have a /32 block in my possession, which works fine with SLAAC, but I would like to have managed address configuration, which is to be done via DHCPv6, but I cannot find a way to configure it on RouterOS to ensure each LAN client device gets an address. For example, I want to use a /64 pool to give a /127 or /128 to each LAN client device such as my phone or something.
Anybody got any ideas?
This is on RouterOS v7.1 (Stable)
Hey guys. I've tried to setup IPv6 with my ISP. The details provided are as follows
I've tried to figure out what these mean and reading through the source of odhcp6c https://github.com/openwrt/odhcp6c/blob/master/src/odhcp6c.c#L176-L205 https://github.com/openwrt/odhcp6c/blob/master/src/odhcp6c.c#L231-L265 it seems like "Request IPv6-address" (luci > WAN6 > General Settings) or the odhcp6c -N positional argument should be set to "try" to get both IA_NA=1 and IA_PD=1 from what I understand.
For IAID it seems like I should only put "48:1" in reqprefix which is Request IPv6-prefix of length (luci > WAN6 > General Settings).
I've tried enabling both and playing around with it with various settings and I cannot get a public IP.
Should this be visible on the WAN6 interface under it with these configurations? Or should I expect a client from the network to pull it as needed?
My ISP uses PPPoE. Adding a new interface for that on OpenWrt 21.02.1 creates an additional "Virtual dynamic interface (DHCPv6 client)" (with no settings available) but nothing for IPv4. To connect to the internet I mirrored the DHCPv6 client as DHCP client and it works.
Why is that? Why is the additional interface needed? I'm no networking expert and a bit confused now.
The local network is fdac::/64. The router address is fdac::1. Proxmox host is fdac::2 and the two containers running on that Proxmox host are fdac::a and fdac::b, connected to a regular Linux bridge. I currently use stateful DHCPv6 as well since I dislike SLAAC (topic for another day, not the point of this post), but these addresses are all static. M-flag is set to 1, O flag to 0, A flag to 0.
When I set the L flag (AdvOnLink) to 1 and I reboot all containers and hosts, pinging each other will not work. When I disable the L flag (AdvOnLink = false) and reboot, all the containers and hosts are able to ping each other ***AS LONG AS THEY HAVE A /128 STATIC PREFIX (like fdac::a/128)***. I've even done iperf tests and they operate at full speed between each other. However, it seems the first ping always has to go through the router, and then subsequently gets redirected. Example:
root@test6:~# ip -6 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if146: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fdac::a/128 scope global deprecated
valid_lft forever preferred_lft 0sec
inet6 fe80::5c3b:a5ff:fe62:4d2/64 scope link
valid_lft forever preferred_lft forever
root@test6:~# ip -6 route
::1 dev lo proto kernel metric 256 pref medium
fdac::a dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::feec:daff:fed6:617f dev eth0 proto ra metric 1024 expires 1727sec hoplimit 64 pref high
root@test6:~# traceroute fdac::b
traceroute to fdac::b (fdac::b), 30 hops max, 80 byte packets
1 fdac::1 (fdac::1) 0.226 ms 0.240 ms 0.305 ms
2 fdac::b (fdac::b) 0.754 ms 0.760 ms 0.759 ms
root@test6:~# ping fdac::b -c 1
PING fdac::b(fdac::b) 56 data bytes
64 bytes from fdac::b: icmp_seq=1 ttl=63 time=0.353 ms
--- fdac::b ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.353/0.353/0.353/0.000 ms
root@test6:~# traceroute fdac::b
traceroute to fdac::b (fdac::b), 30 hops max, 80 byte packets
1 fdac::b (fdac::b) 0.304 ms 0.227 ms 0.205 ms
root@test6:~#
This all works just fine with the L flag set to off (0). But when I turn it on and reboot the container. A new IP route will be add
I've figured out a solution to the weird routing issues I was having where IPv6 traffic would get sent to WAN instead of LAN after a while (resulting in no replies to pings, as any packets would loop between my ISP and router until they expired).
Let's say my /64 prefix (can be applied to any other network prefix) is aaaa:bbbb:cccc:dddd::/64. I added two routes (in my controller) to LAN, each with a prefix length of /65, aaaa:bbbb:cccc:dddd::/65 and aaaa:bbbb:cccc:dddd:8000::/65 (0x8000 is 1 followed by 15 zeroes in binary).
That's effectively the same as routing the whole /64 to LAN BUT the key point is it's more specific than a /64 route, so it takes priority over the strange /64 route to WAN that gets added when using DHCPv6 from my ISP.
admin@ubnt:~$ ip -6 r
aaaa:bbbb:cccc:dddd::/65 dev eth1 proto zebra metric 1024
aaaa:bbbb:cccc:dddd:8000::/65 dev eth1 proto zebra metric 1024
aaaa:bbbb:cccc:dddd::/64 dev eth1 proto kernel metric 256
aaaa:bbbb:cccc:dddd::/64 dev pppoe0 proto kernel metric 256 expires 2591843sec
Despite having a higher metric of 1024, the two routes are at the top, solving my problem.
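The route selection described in the post above, as an added example that is not part of the original post: a simplified longest-prefix-match model (longest prefix first, then lowest metric) run over the routing table the poster shows. The names `Route`, `parse_routes`, `select` and `halves_cover` are hypothetical helpers, and the model only reports a tie between equal routes; it does not claim to reproduce how any particular kernel breaks that tie.

```python
import ipaddress
from dataclasses import dataclass

# Route table copied from the `ip -6 r` output in the post (placeholder prefix).
ROUTES_AFTER = """\
aaaa:bbbb:cccc:dddd::/65 dev eth1 proto zebra metric 1024
aaaa:bbbb:cccc:dddd:8000::/65 dev eth1 proto zebra metric 1024
aaaa:bbbb:cccc:dddd::/64 dev eth1 proto kernel metric 256
aaaa:bbbb:cccc:dddd::/64 dev pppoe0 proto kernel metric 256 expires 2591843sec
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    dev: str
    proto: str
    metric: int


def parse_routes(text):
    """Parse `ip -6 route` style lines: <prefix> followed by key/value pairs."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        attrs = dict(zip(tokens[1::2], tokens[2::2]))
        routes.append(Route(
            prefix=ipaddress.IPv6Network(tokens[0]),
            dev=attrs["dev"],
            proto=attrs.get("proto", ""),
            metric=int(attrs.get("metric", 0)),
        ))
    return routes


def select(routes, dst):
    """Return (best_route, ties) for a destination address.

    Simplified model (an assumption of this example): the longest matching
    prefix wins; the metric is only compared between routes of equal length.
    `ties` lists routes that are equally good but leave via another device,
    which is the ambiguous LAN/WAN situation the post describes.
    """
    addr = ipaddress.IPv6Address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None, []

    def rank(r):
        return (-r.prefix.prefixlen, r.metric)

    matches.sort(key=rank)
    best = matches[0]
    ties = [r for r in matches[1:] if rank(r) == rank(best) and r.dev != best.dev]
    return best, ties


def halves_cover(parent, routes):
    """True if both halves of `parent` (one bit longer) are present in routes."""
    halves = set(ipaddress.IPv6Network(parent).subnets(prefixlen_diff=1))
    return halves <= {r.prefix for r in routes}


if __name__ == "__main__":
    after = parse_routes(ROUTES_AFTER)
    # Table as it would look without the two added /65 routes.
    before = [r for r in after if r.prefix.prefixlen == 64]
    for label, table in (("before", before), ("after", after)):
        for dst in ("aaaa:bbbb:cccc:dddd::1234", "aaaa:bbbb:cccc:dddd:8000::1"):
            best, ties = select(table, dst)
            note = " AMBIGUOUS with " + ", ".join(t.dev for t in ties) if ties else ""
            print(f"{label}: {dst} -> {best.prefix} dev {best.dev} "
                  f"metric {best.metric}{note}")
    print("both /65 halves present:", halves_cover("aaaa:bbbb:cccc:dddd::/64", after))
```

Because prefix length is compared before the metric, the metric 1024 on the /65 routes never competes with the metric 256 on the /64 routes.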
I decided to start messing around with IPV6 and have a working configuration. ISP is Comcast, I'm getting a DHCPv6 assignment as a /64 from them using DHCPv6 and on the LAN using Track Interface and Allow manual adjustment of DHCPv6 and Router Advertisements. Client tests all pass on the various IPv6 test sites.
On the LAN interface I've set DHCPv6 to use the block from :::::1000 to ::2000 and only some clients are pulling their assignments from here. However, some clients, namely my iPhone and printer seem to ignore the DHCPv6 server and have grabbed whatever they want from the Comcast delegated prefix. It also appears that many clients simply don't talk to the DHCPv6 server - are these devices ignoring the DHCPv6 server and simply using RA and NDP to pick an address to use?
Another anomaly is that my iMac running Catalina pulls the same GUA address from the DHCPv6 block for both the wired and wifi interfaces. It also pulls plenty of temporary addresses from both the GUA and ULA ranges where the GUA addresses are outside of the DHCPv6 server. It also appears to try to match the address portion so the GUA and ULA are the same:
inet6 fd9e:xxxx:xxxx:xxxx:10b3:3e55:c2f8:e1e1 prefixlen 64 autoconf temporary
inet6 2601:xxxx:xxxx:xxxx:10b3:3e55:c2f8:e1e1 prefixlen 64 autoconf temporary
EDIT: This is pertinent to the Mac interfaces: If you are referring to the DUID then it's a DHCP Unique Identifier for a DHCP participant
I've also set up a VIP with a block for ULAs and that appears to be working as well - presumably clients are getting their assignments from the Router Advertisement. Also this appears to be the only way to have GUA and ULA assigned addresses as there doesn't seem to be a way to advertise DHCPv6 on the VIP.
Getting all of this into DNS appears to be an epic pain if clients are going to ignore the DHCPv6 server.
I apologize for being all over the map. Am I doing something wrong or going about this poorly? My goal is to have a working IPv6 network where I can simply use names to get to my hosts and have the addresses, GUA and ULA, assigned in DNS.
Hey guys,
I am testing IPv6 and it kinda works.
I configured it the same way as shown in the OPNsense docs (this).
So my WAN interface is set to DHCPv6 and my LAN interface to "Track Interface". My clients get an IPv6 and are able to connect to the internet.
To get a little bit more control I want to enable the "Allow manual adjustment of DHCPv6 and Router Advertisements" feature in my LAN interface. I enabled the DHCPv6 server under services and configured everything but the clients just won't use it. They get IPv6 addresses outside the specified range and don't use the configured DNS servers. Is this a known bug?
I already restarted the firewall to get another prefix but nothing seems to work.
I made some screenshots of the settings: https://imgur.com/a/UVhIb0O
It seems like the LAN interface uses the WAN DHCPv6 server? Am I configuring that right?
Any help would be much appreciated :)
I recently set up a dhcpv6 server in my network. The problem is: I set the range of it to
# VLAN120
subnet6 2001:470:2249:120::/64 {
    range6 2001:470:2249:120::20 2001:470:2249:120::250;
    option dhcp6.name-servers 2606:4700:4700::1111;
    range6 2001:470:2249:120:: temporary;
}
and there is only 1 client in my network that gets the ::250 address. Other clients don't get any addresses at all. What is the problem here?
In addition: I opened the /var/log/syslog file and I noticed, that 2 clients (2 different clients) have the same DUID. After setting one ubuntu client to DHCP only and restarting the adapter it gets the ::250 address. The other client (with the same DUID) gets the ::250 address for about 5 seconds and then it disappears. The client has then no ip address
I followed the guide below and it seems to be working fine. I was just wondering what you all are using on the LAN side to get your IPv6 address to your clients? Are you using DHCPv6 or just SLAAC on pfSense? What are your settings?
I've tried several guides I've found here as well as other places to get my srx650 to take an address and delegated prefix from my Xfinity residential service and it just isn't happening. Has anyone had any success with this?
I have a PA-220 at home and now host a server at a CoLo in a friend's rack. Unfortunately, he doesn't have many spare IPv4 addresses and buying another block would cost $300/month - so that's a no go. However, IPv6 addresses are plentiful. I therefore need v6 at home. To my utter shock, PA does not support obtaining a v6 PD from an upstream ISP. This is my kludgy workaround to use v6 and still use my PA-220 for v4.
I happened to have a MikroTik hap ac^2 and a switch that can do port mirroring. On the MikroTik device, I installed the IPv6 package. I also spoofed the PA-220's WAN interface MAC address. Having 2 identical MAC addresses on a switch will not work as it will get confused as to which port to send traffic to. Port mirroring to the rescue. I also have a Netgear GS908E which go on sale on Amazon every now and then for about $25. It can do port mirroring. On it, I set the source as the PA (port 1) and the target as the MikroTik (port 2).
So the topology looks like this:
cable modem -> GS908E, port 3
HAP ac^2 (port 1) -> GS908E, port 2
PA-220 WAN -> GS908E, port 1
HAP ac^2 (any L2 switch port) -> PA-220, any L2 switch port
This works. Spectrum delegates a /64 prefix. Each device on my network gets an IPv4 from the PA-220 and an IPv6 from the HAP ac^2. I have verified with several IPv6 test sites, a few IPv6 only sites, and running ping -6 www.google.com from Windows or ping6 www.google.com from MacOS. The HAP ac^2 IPv6 firewall has sane defaults but does allow v6 addresses to be pinged (as expected).
I know this is nothing earth shattering and a hack, but thought I'd share just in case it helps someone else. I was lucky to have all of the extra gear already on hand thus not having to make any new purchases. It looks like the MikroTik can do the port mirroring by itself without having to rely on an additional switch. I am still investigating how to do this.
Bottom line: You can spoof the PA WAN MAC address and use IPv6 / port mirroring (on separate gear) in order to achieve IPv6 PD and also retain using IPv4 on a PA device.
I'm trying to use dhcpcd(8) from packages to get an IPv6 address and default gateway from Comcast Xfinity for my router (APU2).
Update 1: Problem solved, per the portal and contrary to what the rep said: Your Xfinity services are currently disconnected. I'll leave this up because someone else might benefit from the config and troubleshooting steps.
Update 2: Since this is a new address I had to "link" my old and new Comcast accounts. Then I had to use the app to activate the service by supplying the app with my modem's MAC address. Service is up and the configuration below gets me online, albeit there's no LAN setup yet.
Update 3: The modem reported "Modem's IP Mode: IPv6 Only" but turns out I can connect just fine over IPv4. Oh well, it was a learning experience. :)
$ cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
$ cat /etc/hostname.em0
dhcp # this is for ipv4 only
up
$ cat /etc/pf.conf
pass log
$ cat /etc/dhcpcd.conf
ipv6only
noipv6rs
waitip 6
allowinterfaces em0 em1
interface em0
ipv6rs
ia_na 1
ia_pd 2 em1/0
When I start dhcpcd, I always see this message logged:
dhcpcd[68750]: em0: no global addresses for default route
dhcpcd[68750]: timed out
The IPv6 address assigned to em0 by dhcpcd(8) is a link-local address:
$ ifconfig em0
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:xx:xx:xx
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet6 fe80::20d:xxxx:xxxx:xxxx%em0 prefixlen 64 scopeid 0x1
inet 24.xxx.xxx.xxx netmask 0xfffffc00 broadcast 24.xxx.xxx.255
Indeed I have a default route for IPv4, but not IPv6:
$ route -n show | grep default
default 24.xxx.xxx.xxx UGS 0 79 - 8 em0
I see IPv6 announcements from an external device when capturing em0:
fe80::1a8b:xxxx:xxxx:xxxx > ff02::1: icmp6: router advertisement [class 0xe0]
fe80::1a8b:xxxx:xxxx:xxxx > ff02::16: HBH multicast listener report v2, 6 group record(s) [class 0xe0] [hlim 1]
dhcpcd(8) running in the foreground:
# dhcpcd -t 5 -6 em0
dhcpcd-9.4.0 starting
DUID 00:01:00:01:28:xx:xx:xx:xx:xx:xx:xx:xx:xx
em0: IAID 00:00:00:01
em0: soliciting a DHCPv6 lease
em0: solic
Moving to a new apartment where the existing roommates have Spectrum with the ISP provided wifi 6 router. I want to set up my own homelab behind a pfSense router, but I don't want to touch the existing router (since my roommates are not tech savvy and don't want them to blame me if something happens with the network).
I know putting a router behind the Spectrum router will put me behind double NAT for v4 but I don't mind. What I want is DHCP PD working so my pfSense can get at least a /60 which it can distribute downstream.
The Spectrum router is pretty locked down and can be managed only via the Spectrum app. Can anyone with a similar setup lmk if this works?
Hi everyone,
I have an issue that I'm hoping someone can help with. I have a headless Ubuntu 20.04 server running and it pulls a DHCPv4 from my pfSense box without an issue but it refuses to pull an address from the DHCPv6 server. It is getting the RA from the router and generating its own address that is accessible but I want to issue a reserved DHCP address so that I always know what it is. I have done multiple Google searches but I am unable to figure out how to get Ubuntu to request a DHCPv6 address from the server.
Any suggestions?
Hey everyone
I'll write in German here, since it's a Swiss ISP anyway. :)
Unfortunately we have a bit of confusion here regarding Copper7.
A colleague and I have nearly identical setups:
ZYXEL (bridge mode) -> OPNsense -> LAN/DMZ etc.
We both have Copper7; according to init7.net, Copper7 is handled via DHCPv6.
>"You get a static IPv6 /48 network for free. Addressing is done via DHCPv6-PD prefix delegation."
My OPNsense doesn't get any IPv6 there, just a lot of crashes; his gets an IPv6 without any trouble. I, on the other hand, have no problem when I enable SLAAC on the PPPoE interface.
So I contacted support and it was made clear to me that Copper7 is NOT done with DHCPv6-PD, but with RADIUS.
OK, we checked everything; for my colleague, Copper7 -> DHCPv6 = SUCCESS
For me, DHCPv6 = fail ... SLAAC = OK
Why does DHCPv6 work at all for my colleague if it isn't supposed to?!?
We struggled with this for 2 weeks, if not more, and after talking to support we are only more confused.
Please don't get me wrong, I love init7 and am very satisfied, but support also said the Fritz!Box wouldn't work in bridge mode... I then told support how to do it....
I don't know what's going on there; I just want to know, are there technical documents anywhere that tell me more than support or the homepage? :)
Greetings to you all
Hi,
I'm new to proxmox (7.0-10, no subscription) and made a very basic test installation (during installation I set basically everything to the defaults).
After the installation completed, I noticed, that the proxmox host only had an IPv4 but didn't acquire an IPv6 (neither SLAAC nor DHCPv6).
I found nothing obvious in the Web-GUI and also googling didn't give me the desired results.
Am I missing something obvious or is this no "standard" feature which can easily be configured?
Thanks
Hehey Folks
For a few days I have been trying to set up my IPv6 network but I've got some really big problems, so let me describe my struggle.
First, my ISP gave me the following IPv6 data:
WAN IPv6 Range : xxxx:xxxx:xxxx:xxxx::/64
Routed IPv6 Range : xxxx:xxxx:xxxx::/48
I've a zyxel modem and behind my OPNsense My-OPNsense-Device .
After a fresh installation, all just works as it should.
Interfaces:
igb0 -> DMZ
igb3 -> LAN
igb4 -> WAN -> ipv4(pppoe0)
IPv4 works as it should and so the whole rest is running smooth.
OK, now let's do the IPv6 settings.
LAN and DMZ are ipv6(None)
WAN -> IPv6(DHCPv6)
Request only an IPv6 prefix : (Yes)
Prefix delegation size : 48
Send IPv6 prefix hint : (Yes)
Use IPv4 connectivity : (Yes)
If I do this after hours of IPv6 None, I get an IPv6 address, but from the WAN range, and after 1 minute the WAN iface crashes and is in a permanent Up/Down mode and I have to set IPv6 to None on WAN.
I tried it with:
Request only an IPv6 prefix : (No)
Send IPv6 prefix hint : (No)
or just one of these two options, but every time it is the same result.
So I ran tcpdump during my tries and here is some output of the tcpdump:
15:59:59.899425 IP6 (hlim 1, next-header UDP (17) payload length: 82) fe80::225:90ff:fe30:fe0.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=8300e8 (client-ID type 0) (IA_NA IAID:0 T1:0 T2:0) (elapsed-time 0) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0))
16:00:00.965591 IP6 (hlim 1, next-header UDP (17) payload length: 82) fe80::225:90ff:fe30:fe0.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=8300e8 (client-ID type 0) (IA_NA IAID:0 T1:0 T2:0) (elapsed-time 106) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0))
16:00:03.292523 IP6 (hlim 1, next-header UDP (17) payload length: 82) fe80::225:90ff:fe30:fe0.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=8300e8 (client-ID type 0) (IA_NA IAID:0 T1:0 T2:0) (elapsed-time 339) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0))
16:00:03.309665 IP6 (class 0xe0, hlim 255, next-header UDP (17) payload length: 86) fe80::2a2:eeff:fe2d:900.dhcpv6-server > fe80::225:90ff:fe30:fe0.dhcpv6-client: [udp sum ok] dhcp6 advertise (xid=8300e8 (server-ID hwaddr type 1 00a2ee2d0900) (client-ID type 0) (IA_PD I
Hey!
So I'm trying to migrate some IPv6 and am stuck with a weird problem and am wondering how others have approached this. Open to any suggestions for redesigns etc.
For reasons, we would like to use DHCPv6 statefully - give DNS servers and IP addresses from the DHCP and use the routers RA to announce the gw address (and possibly DNS as well as a backup) to the clients.
Currently using M & O flag on the router.
The problem is that with this configuration a Windows 10 client will assign an IPv6 address to itself with SLAAC and will prefer using that IP address for connections, instead of the one assigned by the DHCPv6. This somewhat defeats the purpose of using the DHCP server in the first place.
We would like to have clients use only the IPv6 addresses we are assigning by the DHCP. Is that an unreasonable expectation? How have you guys solved this?
EDIT1:
Due to the fact that when I started experimenting with this, I was not using M & O flags, Windows would have kept using the IPv6 address it got first with SLAAC, till it would have timed out: https://i.ibb.co/pxqmdSz/image.png
Had to run: "netsh int ipv6 reset" to remove that IP - re-enable the interface and now I'm left with the DHCP IP only, which is good enough. In this environment I am not worried about people/devices assigning IPs for themselves in general.
EDIT2:
The SLAAC IP came back and is once again the preferred IP.
EDIT3:
The "A" flag was what we were looking for initially, but "preferred lifetime 0" for the prefix with SLAAC could theoretically be a better solution, since we would have a backup solution for when DHCPv6 was not working/not supported (pointing at android). We're gonna go with the A flag first, since it's a much more standard solution and we do not have android clients initially anyway.
We can later on use the "preferred lifetime 0" hack for other networks if we see the need.
How can I make DHCPv6 leases be registered in DNS?
My goal is to set up inbound firewall rules for IPv6 hosts in my LAN. As the IPv6 prefix on WAN is dynamic (DHCPv6 with prefix delegation) I cannot simply hard-code IPv6 addresses in these firewall rules. I have been given the advice to use host names in aliases to setup firewalling, this way the rules would follow the IPv6 prefix when it changes.
So I've switched the LAN interface configuration from SLAAC to DHCPv6 and the clients are getting leases. But these leases seem not to be registered in DNS. When queried for the AAAA record of a LAN host my OPNsense does not hand out anything (neither with FQDN nor host-only).
I'm currently using Unbound DNS ('DHCP Registration' option checked, but I think this is DHCPv4 only), but switching to dnsmasq would not be an issue if that would make it work.
I need predictable IPv6 addressing for a MacOS system, and this seems challenging. I have radvd and ISC dhcpd6 set up on my network, but neither works for this use case. SLAAC addressing is completely ignored by the OS, and instead you get temporary privacy addresses or 'autoconf secured' (RFC 3972 Cryptographically Generated Addresses) addresses.
Given that I can't get SLAAC to work at all, I'm looking into the DHCPv6 side of things, and strangely this works just fine with the WiFi interface. I've got this set up in my ISC dhcpd6 config:
host ifruitbook.wifi {
# This host entry is hopefully matched if the client supplies a DUID-LL
# or DUID-LLT containing this MAC address.
hardware ethernet <macaddr>;
host-identifier option dhcp6.client-id <client-id>;
fixed-address6 <v6addr>;
}
On the WiFi interface I only get the static DHCPv6 address, and that works just fine, but with the wired interface I absolutely cannot disable the 'autoconf secured' address. I set up the following sysctl parameters to no avail:
net.inet6.send.opmode=0
net.inet6.ip6.use_tempaddr=0
net.inet6.ip6.prefer_tempaddr=0
net.inet6.ip6.use_deprecated=0
What's even more strange is that my dhcpd6 logs indicate that the DHCPv6 host-identifier is the *same* for both the WiFi and wired network interfaces.
Anyways, what do? Please advise, etc...
I have
iface eth0 inet6 dhcp
pre-up /sbin/ip token set ::xxxx:xxxx:xxxx:xxxx dev eth0
netmask 64
in my /etc/network/interfaces in my Raspberry Pi. The problem is that IPv6 stops working after like 30 minutes. If I use iface eth0 inet6 dhcp and disable DHCP IPv6 works for like 3 days which I think is the lease time from the OpenWrt router. My question is, is there no permanent solution to get the IPv6 working forever either with DHCP or SLAAC? Privacy extensions stop working in 30 minutes with DHCPv6 and after 3 days with SLAAC. Does anyone have any idea why this is happening?
Hi,
I recently noticed that one device in my network causes a lot of entries in the DHCP logs because of failed requests towards the DHCPv6 server.
My environment:
What I noticed:
https://preview.redd.it/i89bbbzy85d71.png?width=1137&format=png&auto=webp&s=3030025dc782b91cfe7088e499d49ca923d2c8a4
After sending the advertise nothing else happens. All other clients follow up with a request message. Those log entries repeat every about 2 minutes.
--> seems like the device is DHCPv6-enabled but for some reason fails to acquire an address.
Anything on the pfSense-side I could try to fix this? The affected device has no ssh, web server or anything else running afaik that could be useful to get more insights. Only accessible via their App and HomeKit.
Thanks
Hi all,
I'm hoping someone here with IPv6 knowledge can assist me with better understanding how the heck this is all meant to work.
So, my brain: I have been trying to learn how IPv6 works, but I cannot seem to wrap my head around some parts of it, and I am struggling with Prefix Delegation currently.
Network Map: Clicky Here for Image
I have been given a /48 by my ISP, and I wish to use Prefix Delegation from the DMZ firewall to offer /64 subnets to the other LAN segments behind the LAN, Servers, Client and WiFi firewalls.
Let's say for arguments sake, my IPv6 /48 is:
aaaa:bbbb:cccc::/48
One assumes that my "subnet" is exactly the 3 octets of 4 hex codes above, and I can use the 4th octet to create more /64 networks, such as:
aaaa:bbbb:cccc:0001::/64
So I am getting the correct prefix delegation from my ISP when looking at my dhcp6c logs which is great, and I am assigning a static IPv6 address within my first /64 block to my LAN interface of my DMZ firewall as so:
aaaa:bbbb:cccc:0001::1/64
Now when I go to setup DHCP6 and RA (in Managed mode), I am attempting to set the configuration to the best of my abilities, but PFSense moans at me that the PD To Address is not a valid IPv6 Network for a /48.
Range: ::0002:0000:0000:0000:0000 -> ::ffff:ffff:ffff:ffff:ffff
PD Range: aaaa:bbbb:cccc:0000:0000:0000:0000:0000 -> aaaa:bbbb:cccc:FFFF:FFFF:FFFF:FFFF:FFFF
PD Size: 48
This is where I am struggling, I am rather new to the concepts of IPv6, so my questions are:
*edit*
I forgot to say, I am on version 2.5.1 of PFSense :)
*edit 2*
To save you all reading the text below, I may have found a PFSense bug?
Currently, when dhcp attempts to respond to my other devices, it is unable due to "no route to host".
This is caused by a fe80::/64 route being present, forcing all traffic to the loopback adapter.
I can fix this by running:
route delete -inet6 fe80::%vmx0 -prefixlen 64
route add -inet6 fe80::%vmx1 -prefixlen 64 -iface vmx1
I just need to find out a way to run this automatically now...
We have a few hundred devices on the local network here, and looking to the future, I thought it would be a good idea to enable DHCPv6. The SRX1500 is functioning as a DHCP server for both v4 and v6.
DHCP has been configured as follows:
set system services dhcp-local-server dhcpv6 reconfigure
set system services dhcp-local-server dhcpv6 overrides interface-client-limit 200
set system services dhcp-local-server dhcpv6 group v6-group interface irb.790
set system services dhcp-local-server dhcpv6 group v6-group interface irb.791
set system services dhcp-local-server dhcpv6 server-duid-type duid_ll
set system services dhcp-local-server pool-match-order ip-address-first
set system services dhcp-local-server overrides delete-binding-on-renegotiation
set system services dhcp-local-server group estate-qppe-dhcp interface irb.790
set system services dhcp-local-server group estate-qppe-dhcp interface irb.791
Those irb interfaces are set up as follows:
set interfaces irb unit 790 family inet address 10.79.0.1/24 primary
set interfaces irb unit 790 family inet address 10.79.0.1/24 preferred
set interfaces irb unit 790 family inet6 address 2001:db8:790::1/64 primary
set interfaces irb unit 790 family inet6 address 2001:db8:790::1/64 preferred
set interfaces irb unit 791 family inet address 10.79.1.1/24
set interfaces irb unit 791 family inet6 address 2001:db8:791::1/64
The address pools look like this:
set access address-assignment pool pool-791-v4 family inet network 10.79.1.0/24
set access address-assignment pool pool-791-v4 family inet range range-791-v4 low 10.79.1.32
set access address-assignment pool pool-791-v4 family inet range range-791-v4 high 10.79.1.254
set access address-assignment pool pool-791-v4 family inet dhcp-attributes server-identifier 10.79.1.1
set access address-assignment pool pool-791-v4 family inet dhcp-attributes domain-name example.net
set access address-assignment pool pool-791-v4 family inet dhcp-attributes name-server 10.79.1.64
set access address-assignment pool pool-791-v6 family inet6 prefix 2001:db8:791::/64
set access address-assignment pool pool-791-v6 family inet6 range range-791-v6 low 2001:db8:791::1:0/64
set access address-assignment pool pool-791-v6 family inet6 range range-791-v6 high 2001:db8:791::ffff:ffff/64
set access address-assignment pool pool-791-v6 family inet6 dhcp-attributes domain-name example.
DHCPv6-PD support is new for VyOS 1.3. A lot of people have been waiting on this. I did a deep dive on getting it set up (and am currently behind a router running VyOS 1.3 with IPv6 via DHCPv6-PD).
http://soucy.org/vyos/DHCPv6-PD_on_VyOS.pdf
http://soucy.org/vyos/DHCPv6-PD_on_VyOS-Appendix.txt
Hope someone finds this useful. So far it's working great but it's only been a day.
I'm using Kea as a DHCP relay, and a Cisco router on the back end to provide GPON through OLT/ONUs.
On IPv4, I can do a fancy dancy flex_id expression to get the Circuit ID:
"identifier-expression": "relay4[1].hex",
That gives me the Circuit ID in return
"OLTMAC/OLTPORT/ONUMAC/ONUPORT/VLAN"
But with DHCPv6 I have not been able to get that kind of information. Just the interface on the Cisco via option 18, and the client router's MAC address. I really would like to be able to grab that ONU MAC for logging.
Any suggestions?
Thanks!
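As an added illustration that is not part of the original post: a small parser for DHCPv6 Relay-forward messages that walks the relay chain and pulls out Interface-ID (option 18) and Remote-ID (option 37) at each hop, which are the fields a logging pipeline would key on. The sample packet, the `pon0/3` and `onu-0011223344` values and enterprise number 32473 (reserved for documentation) are constructed, and whether a given OLT or relay inserts Remote-ID at all is an assumption.

```python
import ipaddress
import struct

# Codes: RFC 8415 (Relay-forward, Relay Message, Interface-ID), RFC 4649 (Remote-ID).
RELAY_FORW, OPT_RELAY_MSG, OPT_INTERFACE_ID, OPT_REMOTE_ID = 12, 9, 18, 37

def parse_options(buf):
    """Yield (code, data) per option; refuse anything that overruns the buffer."""
    pos = 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, pos)
        if pos + 4 + length > len(buf):
            raise ValueError("option %d overruns packet" % code)
        yield code, buf[pos + 4:pos + 4 + length]
        pos += 4 + length

def relay_chain(packet, max_hops=8):
    """Return one dict per Relay-forward layer, outermost relay first."""
    layers = []
    while packet and packet[0] == RELAY_FORW:
        if len(layers) >= max_hops or len(packet) < 34:
            raise ValueError("relay nesting too deep or header truncated")
        layer = {"hop": packet[1], "link": str(ipaddress.IPv6Address(packet[2:18]))}
        options, packet = packet[34:], b""  # stays empty if no Relay Message option
        for code, data in parse_options(options):
            if code == OPT_RELAY_MSG:
                packet = data  # descend into the encapsulated message
            elif code == OPT_INTERFACE_ID:
                layer["interface_id"] = data
            elif code == OPT_REMOTE_ID and len(data) >= 4:  # enterprise number + opaque id
                layer["enterprise"], layer["remote_id"] = struct.unpack_from("!I", data)[0], data[4:]
        layers.append(layer)
    return layers

def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

def relay_forw(hop, link, peer, *options):
    addrs = ipaddress.IPv6Address(link).packed + ipaddress.IPv6Address(peer).packed
    return bytes([RELAY_FORW, hop]) + addrs + b"".join(options)

# Constructed sample: a Solicit stub relayed by an access node, then by a router.
INNER = relay_forw(0, "2001:db8:791::1", "fe80::1", opt(OPT_INTERFACE_ID, b"pon0/3"),
                   opt(OPT_REMOTE_ID, struct.pack("!I", 32473) + b"onu-0011223344"),
                   opt(OPT_RELAY_MSG, bytes([1, 0xAA, 0xBB, 0xCC])))
OUTER = relay_forw(1, "2001:db8:790::1", "fe80::2",
                   opt(OPT_INTERFACE_ID, b"Gi0/1"), opt(OPT_RELAY_MSG, INNER))
```

`relay_chain(OUTER)` returns the router's layer first and the access node's layer second; only the inner layer carries a `remote_id` in this sample.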
I have set up Active Directory DNS and DHCP with forward and reverse zones and DNS updates from DHCP server.
Everything works as expected with no extra configuration from VMs - A, AAAA and PTR records in both reverse zones are added. However, containers on the same bridge/VLAN only register A and IPv4 PTR records.
I saw some suggestions to specify send fqdn.fqdn = gethostname(); in /etc/dhcp/dhclient.conf, because, according to the relevant RFC, if it doesn't end with a '.', the domain should be automatically added. But this didn't work either - under DHCPv6 leases, only the hostname showed up, where the VMs had FQDNs, and the PTR record was simply 'hostname.'.
My only guess is that it could be related to how Proxmox configures the LXCs. Any advice or suggestions on how I could resolve this issue are greatly appreciated.
So I have an ISP where they only give a single /64 through DHCPv6 Client and refused my requests for a larger prefix size. The underlying WAN interface uses PPPoE, so it's DHCPv6 Client running on top of PPPoE.
Edit: I forgot to mention, the /64 is a dynamic prefix that the ISP changes every few hours.
Now I have multiple subnets/LAN interfaces and would like to break the /64 along with SLAAC to give a /80 to each LAN interface/subnet via DHCPv6 or something.
How would we go about doing just that in RouterOS v6 stable?
Hi,
I've tried several methods and guides to enable IPv6 on my WAN interface and add delegation to my internal interface.
My problem is the WAN interface doesn't get an IPv6 address and not a single IP is delegated.
The layout is as follows:
<ISP> - <FritzBox> - <[wan1] Fortigate 60F [Internal]> - <LAN>
The FritzBox is configured as PPPoE Router and has enabled DHCPv6 with IA_PD and IA_NA on Forti side.
My WAN config:
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping
        set type physical
        set alias "T-Com"
        set monitor-bandwidth enable
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess ping
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/57
        end
        set dns-server-override disable
    next
end
My internal config:
config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.178.1 255.255.255.0
        set allowaccess ping https ssh http fgfm fabric
        set type hard-switch
        set stp enable
        set device-identification enable
        set monitor-bandwidth enable
        set role lan
        set snmp-index 6
        set auto-auth-extension-device enable
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping https ssh
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set subnet ::/64
                    set rdnss-service default
                next
            end
        end
    next
end
I've tried a smaller dhcp6-prefix-hint and several other options, every time with a similar result.
The Debug Log:
https://preview.redd.it/cpxxnzz090m61.png?width=971&format=png&auto=webp&s=811939b8a1a7f63598149b676ee17b677b8110d1
Does anyone have an idea what the problem is here?
Does anyone know how to get DHCPv6 with Spectrum Internet working? With my EdgeRouter X, I just use the wizard to enable DHCPv6 with Prefix Delegation /60 and I get IPv6 and it just works, but with OpenWrt I can get IPv6 but it's not working. Help please, thanks.