If you configure slaac unmanaged how does the search list option work exactly?
For example, if you set the domain field to "workgroup.internal" and a SLAAC client has the hostname "client1", how does name resolution work (or how is it supposed to work)?
If I ping -6 "client1.workgroup.internal" it does not work. Is there a missing piece here, do I need to configure something on unbound? How would a slaac client register its hostname?
It doesn't. The search domain defines what the client appends when requesting a domain name from the name server. Registration of names is not something SLAAC covers.
Right. SLAAC is meant to give IP addresses to clients. They can even take up random IPs (e.g. with privacy extensions). Those are for outbound access, mostly.
If you want to make your clients addressable by name, you can use these mechanisms:
1. IPv4 only (this is the simplest and my recommendation): Do not bother to make your clients addressable by IPv6 at all.
2. Via DHCPv6. While this works, the DNS entries hold only as long as your DHCP lease time and thus may be wrong with dynamic prefixes.
3. With static prefixes: Use SLAAC and hope that the client uses EUI-64 (potentially among others). Then you can statically name your clients via PREFIX:EUI-64. In this case, you can also use DHCPv6.
4. With dynamic prefixes: ULAs may be your friend, but note that they are prioritized LOWER than even IPv4 (contrary to popular belief).
Because most people have dynamic prefixes, I prefer to use 1., but with SLAAC for outbound access only. This is all covered here: https://forum.opnsense.org/index.php?topic=45822.0
I am using dnsmasq with SLAAC and RA-NAMES. This allows dnsmasq to register IPv6 addresses for clients that use EUI-64 addresses. I find this to be very convenient. It doesn't help with privacy addresses, but I generally don't need to reference those clients by name anyway.
I have high hopes for the new hostwatch db/service to help with this, even if some non-standards based solution is needed in OPNsense.
The problem with 1. above is that the client's SLAAC GUA is the one that shows in logs (e.g. Unbound & F/W live view), and this might even be a temporary address from privacy extensions. It's not resolvable to a hostname so tracking clients is more work. I usually have to work backwards from NDP to find the MAC and then cross-reference manually in Leases.
A future OPNsense update could leverage the hostwatch data to auto-register SLAAC clients in DNS, maybe? It could discover and track the temporary addresses this way.
🤞
Quote from: klinebau on February 24, 2026, 08:18:58 PM
> I am using dnsmasq with SLAAC and RA-NAMES. This allows dnsmasq to register IPv6 addresses for clients that use EUI-64 addresses.
I will have to re-check my Dnsmasq settings, but this doesn't always work for me. It works for clients in the DHCP pool but not for hosts entries.
Maybe I did something wrong.
RA-NAMES uses the MAC address to register the IPv6 address, so you have to have an IPv4 address along with MAC in order for it to match using the EUI-64 address.
Quote from: klinebau on February 24, 2026, 08:18:58 PM
> I am using dnsmasq with SLAAC and RA-NAMES. This allows dnsmasq to register IPv6 addresses for clients that use EUI-64 addresses. I find this to be very convenient. It doesn't help with privacy addresses, but I generally don't need to reference those clients by name anyway.
How do I configure this option?
Many thanks
P
Since SLAAC unmanaged addresses never change on the clients (the client always chooses the same IPv6 address), can I also use a strategy where I just create AAAA records on Unbound for the computers I need to resolve via DNS? Is this correct?
I should note I have a /56 static from my provider.
If your prefix is static, you can create overrides in Unbound for any client, using its EUI-64. So you get <prefix(56 bits)>+<interface prefix (8 bits)>+<client-EUI-64> as IPv6 for usual clients.
Note that some clients (e.g. Windows) choose to use arbitrary suffixes instead of a MAC-derived EUI-64 for privacy reasons. I am not talking privacy extensions here with changing suffixes, but hiding the MAC, which could normally be derived from the suffix.
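As an added worked example (not code from this thread, from OPNsense or from Unbound), here is the arithmetic meyergru describes in Python: derive the modified EUI-64 interface identifier from a MAC (insert ff:fe, flip the universal/local bit), prepend the /56 prefix plus the 8-bit interface/subnet id, and print the equivalent Unbound `local-data` line, which is the plain-config form of a host override. The prefix is the 2001:db8::/32 documentation range, the MAC is made up, and all function names are the example's own.

```python
"""Compose a SLAAC EUI-64 address from <prefix /56> + <8-bit subnet id> + <EUI-64> and emit an Unbound override."""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291, Appendix A): split the 48-bit MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # invert the universal/local bit, as the client does
    return bytes(iid)


def slaac_address(prefix56: str, subnet_id: int, mac: str) -> ipaddress.IPv6Address:
    """<delegated prefix (56 bits)> + <interface prefix (8 bits)> + <EUI-64 (64 bits)>."""
    net = ipaddress.IPv6Network(prefix56, strict=False)
    if net.prefixlen != 56:
        raise ValueError("expected a /56 delegation")
    if not 0 <= subnet_id <= 0xFF:
        raise ValueError("subnet id must fit in 8 bits")
    # The subnet id sits in bits 64..71 (counted from the low end), directly above the 64-bit IID.
    addr_int = (
        int(net.network_address)
        | (subnet_id << 64)
        | int.from_bytes(eui64_interface_id(mac), "big")
    )
    return ipaddress.IPv6Address(addr_int)


def unbound_local_data(fqdn: str, addr: ipaddress.IPv6Address) -> str:
    """Text form of a host override: an Unbound local-data AAAA record (the GUI override stores the same thing)."""
    return f'local-data: "{fqdn.rstrip(".")}. IN AAAA {addr}"'


if __name__ == "__main__":
    # Constructed values: documentation prefix, subnet id 0x12, invented MAC.
    addr = slaac_address("2001:db8:1234:5600::/56", 0x12, "00:11:22:33:44:55")
    print(addr)  # 2001:db8:1234:5612:211:22ff:fe33:4455
    print(unbound_local_data("client1.workgroup.internal", addr))
```

The `ff:fe` in the middle of the interface identifier is what betrays a MAC-derived address; a client in a privacy-preserving generation mode will produce an identifier without it, and this construction then predicts nothing about it.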
Quote from: meyergru on February 25, 2026, 12:45:25 AMIf your prefix is static, you can create overrides in Unbound for any client, using its EUI-64. So you get <prefix(56 bits)>+<interface prefix (8 bits)>+<client-EUI-64> as IPv6 for usual clients.
Note that some clients (e.g. Windows) choose to use arbitrary suffixess instead of a MAC-derived EUI-64 for privacy reasons. I am not talking privacy extensions here with changing suffixes, but hiding the MAC, which could normally be derived from the suffix.
Seems like neither my Ubuntu boxes nor my Windows boxes have FFFE in their addresses, so I guess they all use private IPs.
However, they also never seem to change. I have had many opportunities for them to change, with things down for various changes, and they seem to always get the exact same address.
Is an override in Unbound the same as setting an AAAA record? Am I right to assume the IPv6 address won't change on clients?
That depends. Clients are free to use many IPv6 addresses at the same time: LL, ULA and GUA, and also multiple ones of the latter.
For outbound access, they have means to determine what is best (like if they use privacy extensions, they will use a random GUA preferably). For inbound access, they will react to any of them. So, if you want to have a permanent DNS handle, you would use the EUI-64 GUA (or ULA for dynamic prefixes).
As said, many clients derive that from the MAC, Windows does not, but AFAIK, the EUI-64 part still is static.
For Ubuntu and other Linuxes, I normally see MAC-derived EUI-64 parts with SLAAC, so IDK what the reason is that you see otherwise - maybe some DHCPv6 service is in play?
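An added example, not from the thread: a small Python inventory of the addresses a Linux client lists in `ip -6 addr`, sorting them into link-local, ULA and GUA as described above, flagging privacy-extension temporaries, and recovering the MAC wherever the interface identifier carries the ff:fe marker (the FFFE mentioned earlier in the thread). The sample output is constructed (documentation prefix, invented MAC); eth0 stands in for a host whose identifier is MAC-derived and wlan0 for one in a stable-privacy style mode. The function names are the example's own.

```python
"""Sort a client's IPv6 addresses by scope and spot which ones are MAC-derived (EUI-64) or temporary."""
import ipaddress
import re
from typing import Optional

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")
GUA = ipaddress.IPv6Network("2000::/3")

# Constructed sample in the shape of `ip -6 addr` output (2001:db8::/32 documentation prefix, made-up MACs).
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5612:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 86123sec preferred_lft 86123sec
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5612:f0e1:d2c3:b4a5:9687/64 scope global temporary dynamic
       valid_lft 86123sec preferred_lft 14123sec
    inet6 2001:db8:1234:5612:8a1f:3c77:9b02:d5e4/64 scope global dynamic mngtmpaddr
       valid_lft 86123sec preferred_lft 86123sec
    inet6 fd00:abcd::8a1f:3c77:9b02:d5e4/64 scope global dynamic mngtmpaddr
       valid_lft 86123sec preferred_lft 86123sec
    inet6 fe80::8a1f:3c77:9b02:d5e4/64 scope link
       valid_lft forever preferred_lft forever
"""


def scope_of(addr: ipaddress.IPv6Address) -> str:
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "ULA"
    if addr in GUA:
        return "GUA"
    return "other"


def mac_from_eui64(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Undo the modified EUI-64 mapping. Heuristic: a random IID contains ff:fe by chance once in 65536."""
    packed = addr.packed
    if packed[11:13] != b"\xff\xfe":  # IID bytes 3..4 of the 64-bit identifier
        return None
    octets = bytes([packed[8] ^ 0x02]) + packed[9:11] + packed[13:16]
    return ":".join(f"{b:02x}" for b in octets)


def inventory(ip_addr_output: str) -> list:
    """One dict per inet6 line: interface, address, scope, temporary flag and recovered MAC (or None)."""
    entries, iface = [], None
    for line in ip_addr_output.splitlines():
        header = re.match(r"^\d+:\s+(\S+):", line)
        if header:
            iface = header.group(1)
            continue
        fields = line.split()
        if not fields or fields[0] != "inet6":
            continue
        addr = ipaddress.IPv6Address(fields[1].split("/")[0])
        entries.append({
            "iface": iface,
            "address": str(addr),
            "scope": scope_of(addr),
            "temporary": "temporary" in fields,  # privacy-extension address: changes over time
            "mac": mac_from_eui64(addr),
        })
    return entries


def dns_candidates(entries: list) -> list:
    """Addresses worth pinning in an AAAA record: routable (GUA or ULA) and not a temporary."""
    return [e["address"] for e in entries if e["scope"] in ("GUA", "ULA") and not e["temporary"]]


if __name__ == "__main__":
    inv = inventory(SAMPLE_IP_ADDR)
    for e in inv:
        print(f'{e["iface"]:6} {e["scope"]:10} temp={e["temporary"]!s:5} mac={e["mac"]} {e["address"]}')
    print("stable, routable:", dns_candidates(inv))
```

Run against a real client the same way (`ip -6 addr | python3 inventory.py` after swapping the constant for `sys.stdin.read()`); the `mngtmpaddr` flag marks the stable address that temporaries are derived from, and a `mac` of `None` on that address is exactly the stable-privacy case discussed in this thread, where no EUI-64 override can be precomputed from the MAC.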
Quote from: meyergru on February 25, 2026, 12:16:06 PM
> For Ubuntu and other Linuxes, I normally see MAC-derived EUI-64 parts with SLAAC, so IDK what the reason is that you see otherwise
My - educated - guess is that server variants of e.g. Ubuntu use EUI-64 based SLAAC while desktop variants enable privacy extensions.
I don't run desktop Linux but that's what I would expect.
In NetworkManager there is an option "IPv6 address generation mode," which can be set to either "stable privacy" or "EUI64." This is separate from the privacy extensions mode.
On my linux desktop "stable privacy" is the default, which does not derive from the MAC address but rather generates a unique address that remains stable on a per-network basis. If you change networks (or NICs, I guess) you get a different one.
Quote from: klinebau on February 24, 2026, 08:36:56 PM
> RA-NAMES uses the MAC address to register the IPv6 address, so you have to have an IPv4 address along with MAC in order for it to match using the EUI-64 address.
I'm not near my OPNsense now but can verify later this week. The host which is failing to register does have an IPv4 reservation by MAC. However, the same client has reservations on multiple ranges/domains so that it always gets a .100 address no matter which VLAN I move it to. Maybe that causes some problem.
Quote from: allebone on February 24, 2026, 11:01:02 PM
> How do I configure this option?
I used the configuration example right out of the dnsmasq documentation (https://docs.opnsense.org/manual/dnsmasq.html#configuration-examples). The only difference is that I used RA-STATELESS and RA-NAMES for the RA Mode.
Quote from: Patrick M. Hausen on February 25, 2026, 12:34:38 PM
> My - educated - guess is that server variants of e.g. Ubuntu use EUI-64 based SLAAC while desktop variants enable privacy extensions.
It's whatever you make of it, or whatever networking software is used by your distro:
- Ubuntu, and from what I heard also the latest Raspberry Pi OS, like Netplan, which then influences NetworkManager.
- Most Desktop installs use NetworkManager as the Default too.
- Debian also has /etc/network/interfaces and others based on it usually do too...
However for some years now it seems NetworkManager is the way to go in the future!
- Then there is also dhcpcd.conf which mainly Raspberry Pi RaspBian has used in the past...
- And then there is also the option to avoid all of those and just use SystemD for all your networking stuff ;)
Quote from: OPNenthu on February 25, 2026, 04:09:01 PM
> In NetworkManager there is an option "IPv6 address generation mode," which can be set to either "stable privacy" or "EUI64." This is separate from the privacy extensions mode.
> On my linux desktop "stable privacy" is the default, which does not derive from the MAC address but rather generates a unique address that remains stable on a per-network basis. If you change networks (or NICs, I guess) you get a different one.
This document explains all the options and seems to match your experience: https://www.networkmanager.dev/docs/api/latest/settings-ipv6.html
Quote from: nero355 on February 25, 2026, 07:01:03 PM
> This document explains all the options and seems to match your experience: https://www.networkmanager.dev/docs/api/latest/settings-ipv6.html
Ah, actually it looks like I was wrong about the NIC with "stable privacy" mode. Per this document:
"Also, the address is stable when the network interface hardware is replaced."
Interesting, thanks everyone. Based on the above I'm going to simply create AAAA records for servers I want to access by name and see if after 1 year any IPv6 addresses changed. If they did, I will just statically assign them an IPv6 address. This is very easy to do anyway. I would probably just statically assign them going forward, but want to see if they ever change out of interest.
One more question, if I follow this guide: https://docs.opnsense.org/manual/dnsmasq.html#configuration-examples
And enable slaac in Services ‣ Dnsmasq DNS & DHCP ‣ General - must I then disable Router advertisements on that interface under Services ‣ Router Advertisements? Are these 2 services in conflict?
-P
Quote from: allebone on February 25, 2026, 10:04:57 PM
> If I follow this guide: https://docs.opnsense.org/manual/dnsmasq.html#configuration-examples
> And enable slaac in Services ‣ Dnsmasq DNS & DHCP ‣ General
> Must I then disable Router advertisements on that interface under Services ‣ Router Advertisements? Are these 2 services in conflict?
Please read: https://docs.opnsense.org/manual/radvd.html :)
Quote from: OPNenthu on February 25, 2026, 07:46:02 PM
> Quote from: nero355 on February 25, 2026, 07:01:03 PM
> > This document explains all the options and seems to match your experience: https://www.networkmanager.dev/docs/api/latest/settings-ipv6.html
> Ah, actually it looks like I was wrong about the NIC with "stable privacy" mode. Per this document:
> "Also, the address is stable when the network interface hardware is replaced."
Was a quick reply so did not check everything, but you were on the right track for sure and that's what matters ;)
So the answer is yes, they conflict.
Quote from: klinebau on February 24, 2026, 08:36:56 PM
> RA-NAMES uses the MAC address to register the IPv6 address, so you have to have an IPv4 address along with MAC in order for it to match using the EUI-64 address.
Hello, I have tried to configure this but have an issue. The router advertisements seem to be working to a degree because clients get the DHCP6 options I set (such as 23 - dns servers) correctly via RA. If I change the DNS servers they then receive the new values, however the DHCP range seems to not be 100%.
Under the leases tab I see (as an example):
<see image>
But the client does not get the ipv6 address 2607:f2c0:f00e:3512::18e5 as I would expect.
I have, as you mentioned, slaac and ra-names in the DHCP range. If the client does not accept the IPv6 address, I'm not clear how this service helps resolve names?
Kind regards,
P
I have resolved my own issue with the "DHCP register firewall rules" option, and I agree this method works perfectly and is very good. The clients keep their old SLAAC address, so that still works, but they gain another DHCP address in addition.
You are all excellent. Every one of you should be proud of yourselves.
Unless you have a specific need, you might consider ditching DHCPv6 by using RA-STATELESS (instead of SLAAC). There really isn't a need to assign addresses if the clients you need to reference are using EUI-64. While identity association makes firewall rules easier to manage now, having fewer IP addresses is still easier to manage. YMMV
Quote from: klinebau on February 24, 2026, 08:36:56 PM
> RA-NAMES uses the MAC address to register the IPv6 address, so you have to have an IPv4 address along with MAC in order for it to match using the EUI-64 address.
My issue with the Linux hosts might be that some of them are using the "stable privacy" mode rather than "EUI64," so I guess Dnsmasq has no way to know that and guess the stable GUA address. Therefore it can't ping it for confirmation.
My Android clients are a bit different. They have a privacy mode which uses a randomized MAC for each network, but they do generate an EUI64 address based on that randomized MAC. So those get registered.
I guess the only way to simulate that on a desktop is to spoof the interface MAC and change the mode back to "EUI64," maybe.