Geekzone: technology news, blogs, forums


25 posts

Geek
+1 received by user: 1


Topic # 239673 29-Jul-2018 13:20

Hi, all.

I finally managed to get IPv6 to work on my new PFSense firewall, but I don't entirely understand precisely how this works from a higher level ISP perspective.

For understanding, I am on VDSL so I'm using PPPoE.

My WAN interface has a link-local IPv6 address and my LAN interface has been assigned a public IPv6. I can ping this LAN interface (after opening a firewall rule to allow it) and everything seems dandy. But that seems strange.

Why do I not have an IP on my WAN interface?

And furthermore, it seems my DHCP6 server isn't doing anything, because it shows no leases when I look it up, but my devices on my LAN have IPv6 addresses too. Are these being assigned directly from the ISP or am I reading something wrong?

I have a good knowledge of IPv4, I work in an IT related role, but I want to delve into IPv6 to learn more about it.

Thanks.

3122 posts

Uber Geek
+1 received by user: 1210

Subscriber

  Reply # 2064612 29-Jul-2018 15:52

Your devices might instead be getting their IP via SLAAC, which is where your router announces what the range of valid addresses is, and the devices choose for themselves what address to use.

Do your devices get valid public addresses?







25 posts

Geek
+1 received by user: 1


  Reply # 2064613 29-Jul-2018 15:54

Yup it seems that must have been the missing part of the DHCP confusion. They have public IPv6 addresses, yes, and they work fine on IPv6.

Do you know if there's a way to monitor those "assignments"? I realise they're self-selecting, but can my firewall keep track of them?

366 posts

Ultimate Geek
+1 received by user: 75


  Reply # 2064713 29-Jul-2018 22:42


My WAN interface has a link-local IPv6 address and my LAN interface has been assigned a public IPv6. I can ping this LAN interface (after opening a firewall rule to allow it) and everything seems dandy. But that seems strange.

Why do I not have an IP on my WAN interface?

And furthermore, it seems my DHCP6 server isn't doing anything, because it shows no leases when I look it up, but my devices on my LAN have IPv6 addresses too. Are these being assigned directly from the ISP or am I reading something wrong?

 

An IPv6 router can route packets to the ISP next hop router using link-local IPv6 addresses, so it will not normally have a global unicast IPv6 address unless you assign it one.  You would normally only do that if you want the router itself to be able to connect to the Internet using IPv6, for example if you want it to be able to update itself from an IPv6 server, or you want to be able to use it as an IPv6 SSH or VPN server from the Internet (and have opened the ports to do that).

 

Your WAN side DHCPv6 server will only be used if you tell your IPv6 router to send the right things in its IPv6 Router Advertisement (RA) packets.  The RA packets have two flag bits that control this: M (Managed Address Configuration Flag) and O (Other Stateful Configuration Flag).  See here for the RA packet format:

 

http://www.tcpipguide.com/free/t_ICMPv6RouterAdvertisementandRouterSolicitationMess-2.htm

 

If the M bit is set, then your devices that receive that RA packet will get their global unicast IPv6 addresses using DHCPv6.  If it is clear, they will get their global unicast IPv6 addresses by using SLAAC - essentially, they will calculate their own address from the IPv6 prefix in the RA packet (doing it in a way that normally will not cause conflicts), then check to see if there is a conflict.  If there is, they will recalculate their address and try again.  If the O bit is set, then devices will ask your DHCPv6 server for non-address information, such as the DNS server addresses.  If it is clear, they will not ask for any other information via DHCPv6 and will have to get that sort of thing some other way.  Just setting up a DHCPv6 server does not normally affect the RA settings - so you will need to set the M and O bits using the RA configuration settings somewhere.

 

There is a nasty problem with using DHCPv6 and Android devices - for some strange reason, Google has decided that Android will not do DHCPv6 (which pretty much every other IPv6 capable device in existence does support).  Search the net for the reason they give - I remain convinced that they are completely wrong about this.  I and many others believe that by doing this they are breaking the IPv6 standard, but they persist in refusing to support DHCPv6, and have refused to add it as an option controlled by a setting.  The result is that the only way to get DHCPv6 to work on an Android device is to root it and install a third party DHCPv6 app on it.  I have done this with my tablet and it does work.  So if you have any unrooted Android devices that you want to have IPv6 working on, then you will need to have a way of them using SLAAC to get their addresses.  The simple way to do that is to have your WiFi access point set up with one subnet on one SSID where the RA packets have M on (for all devices except unrooted Android), and a second subnet on a different SSID where the RA packets have M off for the unrooted Android devices.  The downside of such a setup is that the unrooted Android devices are on a different subnet from the rest and can not see the same broadcast packets, so they can not do proper SMB networking, for example, with devices on the other subnet.




25 posts

Geek
+1 received by user: 1


  Reply # 2064737 30-Jul-2018 06:08

Very interesting, thanks. Looks like I've got a lot of reading to do XD.

In PFSense there is an "assisted" RA mode where it says it does both DHCP6 and SLAAC. I've turned that on so that must be how my Android devices are working but there's no IPv6 leases.

I might go have a look at that IPv6 reasoning from Google.

366 posts

Ultimate Geek
+1 received by user: 75


  Reply # 2065304 30-Jul-2018 21:33

2fst4u: Very interesting, thanks. Looks like I've got a lot of reading to do XD.

In PFSense there is an "assisted" RA mode where it says it does both DHCP6 and SLAAC. I've turned that on so that must be how my Android devices are working but there's no IPv6 leases.

I might go have a look at that IPv6 reasoning from Google.

 

As best I can tell from a quick web search, "Assisted" RA mode does SLAAC addressing - it likely only sets the O flag, not the M flag.  If you want devices to get their global unicast IPv6 addresses via DHCPv6, then there is no other way to do it except setting the M flag.  And with the M flag set, no device will use SLAAC to get IPv6 addresses - not even Android devices that do not do DHCPv6.

 

You should run Wireshark (or tshark or tcpdump on the command line) and see what is actually in your RA packets.  Use a capture filter of "icmp6" to get just the ICMPv6 packets, which includes the RA packets.  RA packets are not sent very often unless the router has just been restarted, or a device has sent a Router Solicitation packet (which it will do when it connects initially).  So just set up the capture and leave it for 20 minutes or so and you should see an RA packet.
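
Decoding the M and O flags discussed in the replies above from a captured RA, as an added example that is not part of the original thread. It goes slightly beyond the posts by also reading the A (autonomous) flag in the Prefix Information option, which RFC 4861 defines as marking a prefix usable for SLAAC. The sample packets, the prefix 2001:db8:1::/64 and all function names are constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE = 134        # ICMPv6 Router Advertisement
OPT_PREFIX_INFO = 3  # Prefix Information option

def parse_ra(icmp6: bytes) -> dict:
    """Parse an RA, starting at the ICMPv6 type byte (no IPv6 header)."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]
    ra = {"managed": bool(flags & 0x80),  # M: addresses via DHCPv6
          "other": bool(flags & 0x40),    # O: other config via DHCPv6
          "prefixes": []}
    pos = 16  # options follow the fixed 16-byte RA header
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8  # length in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            prefix = ipaddress.IPv6Address(icmp6[pos + 16:pos + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{icmp6[pos + 2]}",
                "autonomous": bool(icmp6[pos + 3] & 0x40)})  # A: usable for SLAAC
        pos += opt_len
    return ra

def address_methods(ra: dict) -> str:
    """Summarise which address mechanisms the RA advertises to hosts."""
    methods = []
    if ra["managed"]:
        methods.append("DHCPv6")
    if any(p["autonomous"] for p in ra["prefixes"]):
        methods.append("SLAAC")
    return "+".join(methods) or "none"

def build_sample_ra(ra_flags: int, prefix_flags: int) -> bytes:
    """Constructed RA for testing; checksum left at 0, prefix is documentation space."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, ra_flags, 1800, 0, 0)
    lladdr = struct.pack("!BB6s", 1, 1, bytes.fromhex("020000000001"))
    pio = struct.pack("!BBBBIII", 3, 4, 64, prefix_flags, 86400, 14400, 0)
    return header + lladdr + pio + ipaddress.IPv6Address("2001:db8:1::").packed

if __name__ == "__main__":
    for name, raw in [("M+O, A set", build_sample_ra(0xC0, 0xC0)),
                      ("O only, A set", build_sample_ra(0x40, 0xC0)),
                      ("M+O, A clear", build_sample_ra(0xC0, 0x80))]:
        ra = parse_ra(raw)
        print(f"{name}: M={ra['managed']} O={ra['other']} -> {address_methods(ra)}")
```

To check a real router, pass `parse_ra` the ICMPv6 payload bytes of an RA exported from the capture.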

