
andicniko

10 posts

Wannabe Geek
+1 received by user: 1


#289758 27-Sep-2021 21:07

Hi all,

 

I have a fitlet2 running pfsense 2.5.2. It is successfully connected to the internet using the attached settings (thanks 2degrees and everyone kind enough to explain things on geekzone!).

 

IPV6 is working since I last set things up, and all my clients obtain an address without any issues.

 

If it's relevant:

 

  • I am in Wellington and connected to the Chorus fibre network here
  • I do not have a static IP address (but will gladly pay for one if it helps solve my issues)
  • I have attached my WAN interface settings, my LAN interface settings, and the default DHCPv6 settings

Question: Can someone explain how to create a DHCPv6 static mapping for a client on my LAN?

Why?

 

I have a RPI4 running pihole on my LAN, and want to point to it as a DNS server for all my clients.

 

This was straightforward for IPV4. I created a static mapping for the RPI4 and listed that as a DNS server in the DHCP server settings. But now that I have clients with IPV6 addresses, they don't seem to be using the pihole as their DNS server. I have assumed whatever is giving them an IPV6 address isn't yet pointing to the RPI4 as a DNS server.

 

Note my pihole did work when I only had IPV4. But I would like to keep IPV6 (i.e. prefer not to disable it). It's something new, and I am keen to learn how to make it work.

What happens when I try to create a DHCPv6 static mapping?

 

I have tried to add a DHCPv6 static mapping for the RPI4. I can find it in my list of DHCPv6 leases, and give it a static IP of ::2 (which is outside of the specified range, in my case, ::1000 to ::2000) in my DHCPv6 settings.

 

But the RPI4 just keeps its IP of 2406:e003:e01:9000::1f7c.

 

I have tried to force the RPI4 to get its static IPV6 address and request a new one with the following commands, but none of them helped:

 

  • dhclient -6 -r eth0; dhclient -6 eth0
  • /etc/init.d/networking restart
  • ifdown eth0; ifup eth0

Just a few things I don't understand that could be the problem

 

If I understand things correctly (unlikely...):

 

  • 2degrees has a DHCPv6 server that gives me a prefix delegation
  • I'm thinking of the prefix delegation as the first part of an IPV6 address (2406:e003:e01:9000::), with my various clients *somehow* getting assigned various addresses within that
  • But I don't think I understand how those client addresses are assigned

Does the DHCPv6 server on my system even assign IPV6 addresses to my clients, or is this done by the 2degrees' DHCPv6 server? If it's the latter, does that mean I have no ability to specify who gets what addresses within the prefix delegation?

 

I think it's pretty clear I don't know what I'm doing, but I'm keen to learn! Thanks in advance, any help is appreciated.

Attachments

 

WAN interface settings: https://cdn.geekzone.co.nz/imagessubs/1b6d85c2e5b57bf8d7a6d9dd08e26ff9.jpg and https://cdn.geekzone.co.nz/imagessubs/d068a99f260a08ee1b20d6c17c27a472.jpg 

 

LAN interface settings: https://cdn.geekzone.co.nz/imagessubs/6f17f422e5284d14df4ff752370def82.jpg 

 

DHCPv6 settings (blank defaults): https://cdn.geekzone.co.nz/imagessubs/74424519acef4255b8b7c5eaed635f2d.jpg 

 

DHCPv6 leases: https://cdn.geekzone.co.nz/imagessubs/50e29bdd0922c103fd29d673ba753e29.jpg

 

DHCPv6 static mapping attempt: https://cdn.geekzone.co.nz/imagessubs/b8151db90531491a785f332f493f142b.jpg 


This is a filtered page: currently showing replies marked as answers.

fe31nz
1294 posts

Uber Geek
+1 received by user: 423


  #2785365 28-Sep-2021 01:51

I do not know anything about pfsense, but I do have DHCPv6 working on my Edgerouter ER4.  I found that with DHCPv6 there is a problem where both the device and DHCPv6 server remember the old IPv6 they had and will keep using that even after you set up a manual DHCPv6 address assignment.  So what I often had to do was to disconnect the device, and sometimes even reboot it, and when it was disconnected, restart the DHCPv6 server (or reboot the router).

 

As well, for DHCPv6 to work, you have to set up the router to be sending the correct "autoconfig" flags (the M and O bits) in its ICMPv6 RA (Router Advertisement) packets.  Devices will automatically configure link-local IPv6 addresses (fe80::/10) when they boot, but they will only create a global unicast IPv6 address (one that can send and receive from IPv6 addresses that are not on the local subnet) when they receive an RA packet.  If they do not immediately receive an RA packet, they will send an RS (Router Solicitation) broadcast packet to request that an RA be sent.  If the M bit is on in the RA packet they receive, they will do a DHCPv6 request to get an IPv6 address, otherwise they will self generate a "stateless" IPv6 address and then test to make sure it is unique on the local subnet.  If the O bit is on in the RA packet, they will do a DHCPv6 request to get other necessary or useful information that can be provided over DHCPv6, such as the addresses of DNS servers, NTP servers, and heaps of other things.  Unlike DHCP, with DHCPv6 a device can request the optional information without requesting an address, so the RA M and O bits are independent of each other.  And there is also an option for the RA packets to carry the DNS server addresses also.  I have my ER4 set up to send the DNS server addresses in both the RA packets and DHCPv6 packets, so that devices that do not do DHCPv6 (such as Android devices) will get the DNS server addresses.

 

Before you can assign DHCPv6 addresses, you first have to delegate an IPv6 prefix to each of the subnets that your router provides.  I have static IPv4 and IPv6 addresses, so I have just done static assignments of the IPv6 prefixes, but if you are getting your IPv6 prefix from 2Degrees dynamically, it can change, and you will need to set up prefix delegation.  How that works is that 2Degrees will send you a prefix delegation from their assigned IPv6 address.  It will usually be a /56 address - that means that the top 56 bits of the IPv6 address are the prefix delegated to you by 2Degrees, and your router assigns the remaining 72 bits of the IPv6 addresses.  By convention, the addresses used on each subnet are supposed to be /64 addresses, where the upper 64 bits designate the subnet and the lower 64 bits designate the device on that subnet.  In theory you can use other than a /64 on a subnet, but do not do that!  Almost all devices will assume a /64 for the subnet and many will be broken if it is anything other than a /64.  So the top 56 bits of your IPv6 addresses will be delegated by 2Degrees, and the bottom 64 bits will be used to address the devices on the subnet, leaving the middle 8 bits to be used to select the subnets in your network, allowing for up to 256 different subnets.  I reserved subnet 0 for special uses and numbered my subnets from 1 upwards.  My subnet 1 is my "Outer" subnet where my guest connections occur, and my subnet 2 is my "Inner" subnet where trusted devices connect.  My subnets 3 and 4 are currently unused and subnet 5 is my IoT subnet where untrusted devices like IoT devices are connected.  Each subnet has its own RA settings and DHCPv6 server settings.  You will need to set up pfsense to assign your subnet numbers for each of your subnets, and to use the delegated prefix for the upper 56 bits.

 

An additional complication is DUIDs.  DHCP on IPv4 uses the MAC address to distinguish between devices and select the IPv4 address to be used.  IPv6 uses a DUID value sent in the DHCPv6 packets.  The DUID is generated by the device and there are lots of options for how it is generated.  But finding what it is so that you can put it into the DHCPv6 address tables is very difficult.  And if you have a PC that dual boots, the DUID for each operating system will be different - they will each generate their own DUID.  And if you ever do a full reinstall of an OS (or factory reset a device), it will generate a new DUID.  It can be possible on real operating systems on PCs to manually control or assign the DUID, but in Windows Microsoft has a history of breaking that mechanism and when they do, the DUID will be generated again using whatever options they have selected and will change on you.  And with most other devices, you will have no control at all over the DUID generation.  So it is best to just leave the devices to generate their own DUIDs and then discover what the value is and put that value into your DHCPv6 configuration.  For dual boot PCs, there will be two entries with different DUIDs and the same IPv6 address assignment.  What I do to find the DUIDs is to run tshark (or wireshark or tcpdump) on the router, set it to capture only ICMPv6 packets, and then connect the device.  The DHCPv6 packets will be captured and you can then extract the DUID from them and put it into your DHCPv6 configuration.  And because of the problem where devices keep on getting their old IPv6 address despite you setting a new manual DHCPv6 assigned address, each time you add a new device, you will probably need to restart the DHCPv6 server while the device is disconnected, and then capture the DHCPv6 packets when it connects to check that it is actually getting your newly assigned IPv6 address.  Having to do this is a great pain.
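Added example (not part of the post above, and not pfsense or Edgerouter code): a small Python parser that pulls the client DUID out of the UDP payload of a captured DHCPv6 client message (DHCPv6 runs over UDP ports 546 and 547) and decodes its type per RFC 8415. The sample Solicit bytes, the MAC address and the function names are constructed for illustration.

```python
import struct

DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}
OPTION_CLIENTID = 1  # Client Identifier option code (RFC 8415)

# Constructed sample: Solicit, transaction id 0x123456, carrying Elapsed Time,
# Client Identifier (DUID-LLT, MAC 52:54:00:aa:bb:cc) and Option Request.
SAMPLE_SOLICIT = bytes.fromhex(
    "01123456"
    "000800020000"
    "0001000e" "00010001" "28e3a1b2" "525400aabbcc"
    "0006000400170018"
)


def client_duid(payload: bytes) -> bytes:
    """Return the raw client DUID from a DHCPv6 client message (UDP payload)."""
    if len(payload) < 4:
        raise ValueError("too short for a DHCPv6 header")
    offset = 4  # skip msg-type (1 byte) and transaction-id (3 bytes)
    while offset + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, offset)
        value = payload[offset + 4:offset + 4 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == OPTION_CLIENTID:
            return value
        offset += 4 + length
    raise ValueError("no Client Identifier option found")


def describe_duid(duid: bytes) -> dict:
    """Decode the DUID type and any Ethernet MAC embedded in it."""
    if len(duid) < 4:
        raise ValueError("DUID too short")
    dtype, hwtype = struct.unpack_from("!HH", duid)
    # DUID-LLT: type, hwtype, 4-byte time, link-layer address
    # DUID-LL:  type, hwtype, link-layer address
    lladdr = duid[8:] if dtype == 1 else duid[4:] if dtype == 3 else b""
    mac = lladdr.hex(":") if hwtype == 1 and len(lladdr) == 6 else None
    return {"hex": duid.hex(":"),
            "type": DUID_TYPES.get(dtype, f"unknown({dtype})"),
            "mac": mac}


if __name__ == "__main__":
    print(describe_duid(client_duid(SAMPLE_SOLICIT)))
```

The `hex` field is the whole DUID in colon-separated form; a DUID-LLT also embeds a timestamp, which is why it changes after a reinstall even though the MAC stays the same.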




michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2785506 28-Sep-2021 10:07

As per the above - you'll need a Static IP (Static IPv4 + /56 IPv6 Subnet) so you can assign a /64 prefix to your private networks. If you use SLAAC then the rest is rather seamless as all your devices should already be static enough (via device mac) for use straight away (this is what I personally do on my network).

 

It is also important to pass through ICMPv6 on your router.

 

If you don't have a Static from 2degrees then IPv6 is not static for you.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Opinions are my own and not the views of my employer.
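Added example (not from either reply): the address arithmetic both replies describe, carving a numbered /64 out of a delegated /56, placing a fixed suffix such as ::2 inside it, and deriving the address a device would form under SLAAC from its MAC. It assumes the device uses modified EUI-64 interface identifiers (many current systems use privacy or stable-privacy identifiers instead); the prefix, MAC and function names are constructed.

```python
import ipaddress


def lan_subnet(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Select the /64 numbered subnet_id from a delegated prefix such as a /56."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix is longer than /64")
    id_bits = 64 - pd.prefixlen  # 8 bits for a /56, i.e. 256 subnets
    if not 0 <= subnet_id < (1 << id_bits):
        raise ValueError(f"subnet id must fit in {id_bits} bits")
    base = int(pd.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def static_address(subnet: ipaddress.IPv6Network, suffix: str) -> ipaddress.IPv6Address:
    """Combine a /64 with a host suffix such as '::2' (lower 64 bits only)."""
    host = int(ipaddress.IPv6Address(suffix))
    if host >> 64:
        raise ValueError("suffix must fit in the lower 64 bits")
    return ipaddress.IPv6Address(int(subnet.network_address) | host)


def eui64_address(subnet: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address built from a MAC with modified EUI-64 (RFC 4291, Appendix A)."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(int(subnet.network_address) | int.from_bytes(iid, "big"))


if __name__ == "__main__":
    # Constructed values: documentation prefix, subnet 5, locally administered MAC.
    net = lan_subnet("2001:db8:ab:9000::/56", 5)
    print(net, static_address(net, "::2"), eui64_address(net, "52:54:00:aa:bb:cc"))
```

When the delegated prefix changes, every address computed here changes with it; only the subnet number and the lower 64 bits stay the same.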

