[HOWTO] Configure IPv6 in order to "just work" (tm)

Started by meyergru, February 13, 2025, 02:54:29 PM

Thank you everyone for the amazing amount of information in the above posts on this topic. Need to read each post carefully and then get to playing around with my setup.

Thank you all...

@SerErris Ticking "Do not send any DNS configuration to clients" in the RA settings is generally not recommended. It will prevent devices without DHCPv6 support (Android etc.) from acquiring IPv6 DNS servers.

The DHCPv6 server does not require an address range. But stateless DHCPv6 requires clients to send information request messages for acquiring DNS settings. I'm not sure whether Windows does that, especially when DHCPv4 is available. Windows preferring IPv4 DNS servers over IPv6 DNS servers learned through RAs is a well-known issue.
Of course, you don't have these issues in an IPv6-only network. ;-)

@meyergru VLANs are something I would consider essential. But you're right that you can live without them in a bare minimum home network, where dual-stack might indeed be the better "just works" option.
ISPs not providing NAT64 gateways is unfortunate, yes. But there are some very reliable public ones.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

The proof is in the configuration.

If I do not enter a range it simply does not work. If you tell me Linux commands for any dhcp-client to verify that, it should not even work on Linux. But I do not know how to just ask a dhcp server and print the information to console vs. using it to actually set an interface.

RA is just disabled to check the DHCPv6 setting ... it does not make any difference if I do enable it or not. As long as DHCPv6 is not sending out DNS server, Windows will ignore everything from RA for name resolution and use DNS server from DHCPv4. That is a Windows problem and I agree that RA should be configured as well (actually both).

But again you can test DHCPv6 on your own. Whatever you enter into DNS server - without anything in Range - DHCPv6 will just not work and I mean at all.

I disabled IPv4 on the Windows Server completely and RA, and I got exactly nothing from the DHCP Server, which I should get.

All in all I think we do have a bug in DHCPv6, that it actually does need a range if you do manual configuration and it just does not check it. The consistent behaviour however should be to apply the default if you do not enter anything, which would be the full available range. That is exactly what DHCPv6 does if you do not manually configure the whole IPv6 part.

However the problem is, you cannot instruct the DHCP Server then to use the link local address, and every time the IPv6 prefix changes the Windows machines will not be able to resolve any name any longer.

Quote from: meyergru on February 19, 2025, 04:16:31 PM
@SerErris: If you specify "Stateless", the only reason to specify DHCPv6 ranges is a syntactic one - DHCPv6 does not work without it, albeit the addresses are in fact assigned via SLAAC.

I understand that Windows prefers DHCPv4-provided DNS servers over RA-provided ones, yet: both usually point to the same DNS server and - either way - can provide DNS answers for both IPv4 and IPv6. And if you are on IPv6-only, you do not have a conflicting IPv4 DNS server, either.

So why use DHCPv6 in this scenario? I can follow that if your clients cannot handle DNS via RA (RDNSS option), then you would have to use DHCPv6 (again, with IPv6 only). That is not the case for Windows, though and personally, I have never met such clients (more often, old clients do not speak IPv6 at all).

I still think that "Unmanaged" mode is the easiest way to go.

As long as you use unmanaged the IPv6 DHCP will never be used at all for anything in Windows. That is just the fact. It might not be important for the reasons you outlined.

However I do want to get IPv6 DNS propagated as link local, so that it does NOT change. And nothing I do will ever change that correctly. And yes as soon as you do configure DHCPv6, you need to enter a valid range. No range will just still disable the DHCPv6 - or maybe it just does not answer any requests, because of whatever reason.

So my setup will get both worlds the exact same thing. To manage everything correctly you actually need DHCPv6 to deliver a DNS server entry for IPv6 and this is actually where I got stuck, because I was not aware of the range issue.

Now with range in place it does exactly what I want.


February 20, 2025, 12:48:52 PM #19 Last Edit: February 20, 2025, 12:52:46 PM by meyergru
Quote from: SerErris on February 20, 2025, 12:26:21 PM
However I do want to get IPv6 DNS propagated as link local, so that it does NOT change. And nothing I do will ever change that correctly.

According to this posting: https://www.reddit.com/r/ipv6/comments/1h40fad/windows_11_is_supporting_rdnss_now/ , Windows 11 now supports RDNSS via RA correctly, even with DHCPv4 still enabled.

But anyway, as I pointed out:

- If you have dual-stack, then it does not matter if you contact your DNS server via IPv4 or IPv6, so the priority of DHCPv4 vs. RDNSS does not matter, even without the mentioned fix, as long as both IPs point to the same DNS server instance.

- If you have IPv6-only, then even before the fix mentioned, Windows will accept RDNSS in absence of DHCPv4. And you can specify any DNS server addresses you like in the router advertisement section - which includes link-local IPs.

So again, you miss nothing with SLAAC in "Unmanaged" mode either way - at least for Windows and probably most other clients.

Only with clients that do not handle RDNSS, will you have to use "Stateless" mode and make DHCPv6 work (apparently by formally including an IP range that is not really used with "Stateless" mode).
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Yes Windows does support RDNSS as shown in the screenshot of the reddit post.

However it will never use it as long as it has a DNS server entry from DHCP. That is what I wrote. And again - yes I am aware that this is not a real issue on Windows as I anyhow have dual stack and even in single stack this would now work flawlessly (tested and works).

However to make a fully universal solution you actually should set up both and that includes a stateful DHCPv6 (assisted) with range AND DNS server.

This is what I have set up now and it works as expected.

Thanks for all the work you put into it and the answers provided. Was really helpful to get myself sorted on this (still new) topic.

Quote from: SerErris on February 20, 2025, 12:21:38 PM
But again you can test DHCPv6 on your own. Whatever you enter into DNS server - without anything in Range - DHCPv6 will just not work and I mean at all.

I disabled IPv4 on the Windows Server completely and RA, and I got exactly nothing from the DHCP Server, which I should get.

I just tested it (again) and it works just fine.

In OPNsense 25.1.1:
- disable the DHCPv4 server
- set Router Advertisements to "Stateless" and check "Do not send any DNS configuration to clients"
- enable the DHCPv6 server, don't enter an address range, but enter DNS servers

Hosts will now configure IPv6 addresses using SLAAC and request DNS servers via stateless DHCPv6. I've tested this with Windows (11 Pro 24H2 build 26100.3194) as well as OPNsense (25.1.1, WAN set to SLAAC).

Quote from: SerErris on February 20, 2025, 12:21:38 PM
The consistent behaviour however should be to apply the default if you do not enter anything, which would be the full available range.

Not at all, this would make it impossible to use stateless DHCPv6.

Tested again - does not work here. I do not get any DNS name as soon as I do not enter any range, regardless what RA mode I have - RA stateless or any other mode. Never getting a DNS entry from DHCPv6.

But anyhow - does not matter, my problem is solved.

Regarding the things that would make different modes impossible to use. I do understand that point. However the documentation should really talk about this. By now too much information is just things you actually need to know. This is not good for any product. A little bit broader description in the manual to describe all the different modes and which setting is meant to do what would be great. Esp. as a lot of technologies work quite different in IPv6 than in IPv4 and transferring knowledge from IPv4 to IPv6 does not work very well, as I figured out by myself :-(
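
The stateless DHCPv6 exchange debated in this thread (client asks only for DNS servers, no address lease), as an added example that is not part of any post above and not OPNsense code: it builds an RFC 8415 Information-request and checks a Reply for the DNS option without touching any interface. The transaction ID, MAC addresses and the reply bytes are constructed sample values; `fe80::1` stands in for a link-local DNS server.

```python
import ipaddress
import struct

INFORMATION_REQUEST, REPLY = 11, 7            # RFC 8415 message types
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA = 1, 2, 3
OPT_ORO, OPT_ELAPSED, OPT_DNS = 6, 8, 23      # 23 = DNS servers (RFC 3646)

def option(code, data):
    return struct.pack("!HH", code, len(data)) + data

def duid_ll(mac):
    return struct.pack("!HH", 3, 1) + mac     # DUID-LL, hardware type Ethernet

def build_information_request(xid, mac):
    """Stateless query: requests DNS servers only, never an address."""
    return (bytes([INFORMATION_REQUEST]) + xid
            + option(OPT_CLIENTID, duid_ll(mac))
            + option(OPT_ELAPSED, struct.pack("!H", 0))
            + option(OPT_ORO, struct.pack("!H", OPT_DNS)))

def parse_options(payload):
    opts, pos = {}, 0
    while pos + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, pos)
        data = payload[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        opts.setdefault(code, []).append(data)
        pos += 4 + length
    if pos != len(payload):
        raise ValueError("trailing bytes after last option")
    return opts

def check_reply(reply, xid):
    """Return (dns_servers, has_address_lease) for a Reply to our xid."""
    if len(reply) < 4 or reply[0] != REPLY or reply[1:4] != xid:
        raise ValueError("not a Reply to our transaction")
    opts = parse_options(reply[4:])
    dns = []
    for blob in opts.get(OPT_DNS, []):
        if len(blob) % 16:
            raise ValueError("DNS option is not a list of IPv6 addresses")
        dns += [str(ipaddress.IPv6Address(blob[i:i + 16]))
                for i in range(0, len(blob), 16)]
    return dns, OPT_IA_NA in opts

# Constructed sample data (not captured from a real network).
XID = b"\x12\x34\x56"
MAC = bytes.fromhex("020000000001")
SAMPLE_REPLY = (bytes([REPLY]) + XID
                + option(OPT_CLIENTID, duid_ll(MAC))
                + option(OPT_SERVERID, duid_ll(bytes.fromhex("020000000002")))
                + option(OPT_DNS, ipaddress.IPv6Address("fe80::1").packed))
```

On a live network a DHCPv6 client sends this message from UDP port 546 to `ff02::1:2` port 547; a server running in stateless mode answers with a Reply carrying option 23 and no IA_NA.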