[HOWTO] Configure IPv6 in order to "just work" (tm)

Started by meyergru, February 13, 2025, 02:54:29 PM

Thank you everyone for the amazing amount of information in the above posts on this topic. Need to read each post carefully and then get to playing around with my setup.

Thank you all...

@SerErris Ticking "Do not send any DNS configuration to clients" in the RA settings is generally not recommended. It will prevent devices without DHCPv6 support (Android etc.) from acquiring IPv6 DNS servers.

The DHCPv6 server does not require an address range. But stateless DHCPv6 requires clients to send information request messages for acquiring DNS settings. I'm not sure whether Windows does that, especially when DHCPv4 is available. Windows preferring IPv4 DNS servers over IPv6 DNS servers learned through RAs is a well-known issue.
Of course, you don't have these issues in an IPv6-only network. ;-)

@meyergru VLANs are something I would consider essential. But you're right that you can live without them in a bare minimum home network, where dual-stack might indeed be the better "just works" option.
ISPs not providing NAT64 gateways is unfortunate, yes. But there are some very reliable public ones.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

The proof is in the configuration.

If I do not enter a range it simply does not work. If you tell me Linux commands for any dhcp-client to verify that, it should not even work on Linux. But I do not know how to just ask a dhcp server and print the information to console vs. using it to actually set an interface.

RA is just disabled to check the DHCPv6 setting ... it does not make any difference if I do enable it or not. As long as DHCPv6 is not sending out DNS server, Windows will ignore everything from RA for name resolution and use DNS server from DHCPv4. That is a Windows problem and I agree that RA should be configured as well (actually both).

But again you can test DHCPv6 on your own. Whatever you enter into DNS server - without anything in Range - DHCPv6 will just not work and I mean at all.

I disabled IPv4 on the Windows Server completely and RA, and I got exactly nothing from the DHCP Server, which I should get.

All in all I think we do have a bug in DHCPv6, that it actually does need a range if you do manual configuration and it just does not check it. The consistent behaviour however should be to apply the default if you do not enter anything, which would be the full available range. That is exactly what DHCPv6 does if you do not manually configure the whole IPv6 part.

However the problem is, you cannot instruct the DHCP Server then to use the link local address, and every time the IPv6 prefix changes the Windows machines will not be able to resolve any name any longer.

Quote from: meyergru on February 19, 2025, 04:16:31 PM
@SerErris: If you specify "Stateless", the only reason to specify DHCPv6 ranges is a syntactic one - DHCPv6 does not work without it, albeit the addresses are in fact assigned via SLAAC.

I understand that Windows prefers DHCPv4-provided DNS servers over RA-provided ones, yet: both usually point to the same DNS server and - either way - can provide DNS answers for both IPv4 and IPv6. And if you are on IPv6-only, you do not have a conflicting IPv4 DNS server, either.

So why use DHCPv6 in this scenario? I can follow that if your clients cannot handle DNS via RA (RDNSS option), then you would have to use DHCPv6 (again, with IPv6 only). That is not the case for Windows, though and personally, I have never met such clients (more often, old clients do not speak IPv6 at all).

I still think that "Unmanaged" mode is the easiest way to go.

As long as you use unmanaged the IPv6 DHCP will never be used at all for anything in Windows. That is just the fact. It might not be important for the reasons you outlined.

However I do want to get IPv6 DNS propagated as link local, so that it does NOT change. And nothing I do will ever change that correctly. And yes, as soon as you do configure DHCPv6, you need to enter a valid range. No range will just still disable the DHCPv6 - or maybe it just does not answer any requests, because of whatever reason.

So my setup will get both worlds the exact same thing. To manage everything correctly you actually need DHCPv6 to deliver a DNS server entry for IPv6 and this is actually where I got stuck, because I was not aware of the range issue.

Now with range in place it does exactly what I want.


February 20, 2025, 12:48:52 PM #19 Last Edit: February 20, 2025, 12:52:46 PM by meyergru
Quote from: SerErris on February 20, 2025, 12:26:21 PM
However I do want to get IPv6 DNS propagated as link local, so that it does NOT change. And nothing I do will ever change that correctly.

According to this posting: https://www.reddit.com/r/ipv6/comments/1h40fad/windows_11_is_supporting_rdnss_now/ , Windows 11 now supports RDNSS via RA correctly, even with DHCPv4 still enabled.

But anyway, as I pointed out:

- If you have dual-stack, then it does not matter if you contact your DNS server via IPv4 or IPv6, so the priority of DHCPv4 vs. RDNSS does not matter, even without the mentioned fix, as long as both IPs point to the same DNS server instance.

- If you have IPv6-only, then even before the fix mentioned, Windows will accept RDNSS in absence of DHCPv4. And you can specify any DNS server addresses you like in the router advertisement section - which includes link-local IPs.

So again, you miss nothing with SLAAC in "Unmanaged" mode either way - at least for Windows and probably most other clients.

Only with clients that do not handle RDNSS, will you have to use "Stateless" mode and make DHCPv6 work (apparently by formally including an IP range that is not really used with "Stateless" mode).
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Yes Windows does support RDNSS as shown in the screenshot of the reddit post.

However it will never use it as long as it has a DNS server entry from DHCP. That is what I wrote. And again - yes I am aware that this is not a real issue on Windows as I anyhow have dual stack and even in single stack this would now work flawless (tested and works).

However to make a fully universal solution you actually should set up both and that includes a stateful DHCPv6 (assisted) with range AND DNS server.

This is what I have setup now and it works as expected.

Thanks for all the work you put into it and the answers provided. Was really helpful to get myself sorted on this (still new) topic.

Quote from: SerErris on February 20, 2025, 12:21:38 PM
But again you can test DHCPv6 on your own. Whatever you enter into DNS server - without anything in Range - DHCPv6 will just not work and I mean at all.

I disabled IPv4 on the Windows Server completely and RA, and I got exactly nothing from the DHCP Server, which I should get.

I just tested it (again) and it works just fine.

In OPNsense 25.1.1:
- disable the DHCPv4 server
- set Router Advertisements to "Stateless" and check "Do not send any DNS configuration to clients"
- enable the DHCPv6 server, don't enter an address range, but enter DNS servers

Hosts will now configure IPv6 addresses using SLAAC and request DNS servers via stateless DHCPv6. I've tested this with Windows (11 Pro 24H2 build 26100.3194) as well as OPNsense (25.1.1, WAN set to SLAAC).

Quote from: SerErris on February 20, 2025, 12:21:38 PM
The consistent behaviour however should be to apply the default if you do not enter anything, which would be the full available range.

Not at all, this would make it impossible to use stateless DHCPv6.
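SerErris asked earlier in the thread for a way to ask a DHCPv6 server for its DNS settings from the console without letting a client configure an interface; the stateless recipe above relies on exactly that Information-Request / Reply exchange. The following script is an added example, not code from the thread or from OPNsense: it builds a DHCPv6 Information-Request (no IA_NA option, so no address is requested), multicasts it to ff02::1:2, and prints the DNS servers and search list carried in the Reply. Message and option codes are taken from RFC 8415; the sample Reply, the MAC used for the DUID and the interface name are constructed for the offline demonstration, not captured from a real server.

```python
"""Stateless DHCPv6 probe: send an Information-Request, print the DNS options.
Added example (not from the thread). The sample reply is constructed, not captured.
Sending needs root (client port 546) and an interface with a link-local address."""
import os
import socket
import struct
import sys

MSG_REPLY, MSG_INFORMATION_REQUEST = 7, 11
OPT_CLIENTID, OPT_SERVERID, OPT_ORO, OPT_ELAPSED_TIME = 1, 2, 6, 8
OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 23, 24
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"  # link-scoped multicast, UDP 547


def _opt(code: int, payload: bytes) -> bytes:
    """DHCPv6 option TLV: 16-bit code, 16-bit length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload


def build_information_request(txid: bytes, mac: bytes) -> bytes:
    """Information-Request asking only for DNS servers and search list (no address)."""
    if len(txid) != 3 or len(mac) != 6:
        raise ValueError("txid must be 3 bytes, mac 6 bytes")
    duid_ll = struct.pack("!HH", 3, 1) + mac  # DUID-LL, hardware type 1 = Ethernet
    oro = struct.pack("!HH", OPT_DNS_SERVERS, OPT_DOMAIN_LIST)  # Option Request Option
    return (bytes([MSG_INFORMATION_REQUEST]) + txid
            + _opt(OPT_CLIENTID, duid_ll) + _opt(OPT_ORO, oro)
            + _opt(OPT_ELAPSED_TIME, struct.pack("!H", 0)))


def parse_options(data: bytes) -> dict:
    """Walk the TLV list; reject an option whose length runs past the packet end."""
    opts, i = {}, 0
    while i + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, i)
        i += 4
        if i + length > len(data):
            raise ValueError("truncated option %d" % code)
        opts.setdefault(code, []).append(data[i:i + length])
        i += length
    return opts


def decode_domain_list(payload: bytes) -> list:
    """Option 24 carries DNS wire-format names: length-prefixed labels, 0 terminator."""
    names, i = [], 0
    while i < len(payload):
        labels = []
        while True:
            if i >= len(payload):
                raise ValueError("truncated domain name")
            n, i = payload[i], i + 1
            if n == 0:
                break
            labels.append(payload[i:i + n].decode("ascii"))
            i += n
        names.append(".".join(labels))
    return names


def parse_reply(packet: bytes, txid: bytes) -> dict:
    """Accept only a REPLY for our transaction id, then extract the DNS options."""
    if len(packet) < 4 or packet[0] != MSG_REPLY:
        raise ValueError("not a DHCPv6 REPLY")
    if packet[1:4] != txid:
        raise ValueError("transaction id mismatch (reply to someone else, or forged)")
    opts = parse_options(packet[4:])
    dns = []
    for blob in opts.get(OPT_DNS_SERVERS, []):
        if len(blob) % 16:
            raise ValueError("DNS server option is not a multiple of 16 bytes")
        dns += [socket.inet_ntop(socket.AF_INET6, blob[j:j + 16])
                for j in range(0, len(blob), 16)]
    domains = [d for blob in opts.get(OPT_DOMAIN_LIST, []) for d in decode_domain_list(blob)]
    return {"dns_servers": dns, "search_domains": domains,
            "has_server_id": OPT_SERVERID in opts}


def build_sample_reply(txid: bytes) -> bytes:
    """Constructed REPLY for offline use: link-local and ULA resolvers, two search domains."""
    server_duid = struct.pack("!HH", 3, 1) + bytes.fromhex("020000000002")
    client_duid = struct.pack("!HH", 3, 1) + bytes.fromhex("020000000001")
    dns = (socket.inet_pton(socket.AF_INET6, "fe80::1")
           + socket.inet_pton(socket.AF_INET6, "fd00::53"))
    domains = b"\x03lan\x00" + b"\x04home\x04arpa\x00"
    return (bytes([MSG_REPLY]) + txid + _opt(OPT_SERVERID, server_duid)
            + _opt(OPT_CLIENTID, client_duid) + _opt(OPT_DNS_SERVERS, dns)
            + _opt(OPT_DOMAIN_LIST, domains))


def query(ifname: str, mac: bytes, timeout: float = 3.0) -> dict:
    """Send one Information-Request on ifname and wait for a matching REPLY."""
    ifindex = socket.if_nametoindex(ifname)
    txid = os.urandom(3)
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_IF, ifindex)
    sock.bind(("::", 546, 0, ifindex))  # client port; fails if a DHCPv6 client holds it
    sock.settimeout(timeout)
    sock.sendto(build_information_request(txid, mac),
                (ALL_DHCP_RELAY_AGENTS_AND_SERVERS, 547, 0, ifindex))
    while True:  # socket.timeout propagates if nothing on the link answers
        data, _peer = sock.recvfrom(4096)
        try:
            return parse_reply(data, txid)
        except ValueError:
            continue  # wrong message type or txid: ignore it and keep listening


if __name__ == "__main__":
    if len(sys.argv) < 2:  # offline demo on the constructed reply
        print(parse_reply(build_sample_reply(b"\x00\x00\x01"), b"\x00\x00\x01"))
    else:  # e.g. sudo python3 dhcp6probe.py eth0 52:54:00:12:34:56
        mac_hex = sys.argv[2] if len(sys.argv) > 2 else "02:00:00:00:00:01"
        print(query(sys.argv[1], bytes.fromhex(mac_hex.replace(":", ""))))
```

Run it with no arguments to parse the constructed reply; with an interface name (and optionally a MAC to put into the DUID) it sends a real request, which needs root for port 546 and fails if a system DHCPv6 client already owns that port. Two checks are worth keeping even in a throwaway probe: the reply must carry the same transaction id, and every option length must fit inside the packet, because any host on the link can answer a multicast Information-Request and DHCPv6 itself carries no authentication. Comparing the result with the RDNSS option from the router advertisement is a quick way to notice a rogue answerer.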

Tested again - does not work here. I do not get any DNS name as soon as I do not enter any range, regardless what RA mode I have - RA stateless or any other mode. Never getting a DNS entry from DHCPv6.

But anyhow - does not matter, my problem is solved.

Regarding the things that would make different modes impossible to use. I do understand that point. However the documentation should really talk about this. By now too much information is just things you actually need to know. This is not good for any product. A little bit broader description in the manual to describe all the different modes and which setting is meant to do what would be great. Esp. as a lot of technologies work quite differently in IPv6 than in IPv4 and transferring knowledge from IPv4 to IPv6 does not work very well, as I figured out by myself :-(

Hi,

I currently have a few local virtual IPv6 addresses created under 'interfaces', namely: fd07::1/128 and fd08::1/128 that I use to serve NTP time to WAN users.
This is instead of forwarding the WAN NTP requests to my physical LAN NTP servers.

However, even though I have put NAT and FW rules in place to route this traffic to these addresses as well as updated the chrony config, I still need to include ::/0 as client address range in the chrony config to get them to work. What am I missing here?

Just guessing here, because you do not tell what IPs your WAN clients use or what you configured in Chrony instead of '::/0':

1. You must supply Chrony with a range of IPs it listens to. If you don't, then it won't listen at all. So, you either have to provide '::/0' or 'fc00::/7' and the clients either are within the same subnets or use inbound NAT.

2. fc00::/7 is a ULA IPv6 address range, which serves the same purpose as RFC1918 for IPv4, i.e. it is not routed on the internet. If your WAN clients do not use a sender IP from the same range, they will only get through with a routable IP. In that case, you will have to have Chrony accept those.

Hello,

Thank you for that how to.

With that setup :
- How to see devices connected to the network (with DHCPv4 I use "leases")?
- How to set static IPv6 from the router?

You can look at the IPv6 neighbour discovery tables, "ndp -a" or "Interfaces: Diagnostics: NDP Table" in the web UI.

What do you mean by "static IPv6"? Maybe you do not understand IPv6 completely:

There is no "one IPv6" per device, there can be many GUAs, ULAs and LL addresses. The GUA(s), as an example, will be comprised of a network-specific 64 bit prefix and one or more 64-bit interface address suffixes. With SLAAC, that is usually the EUI-64, which is derived statically from the MAC (there are exceptions to this rule on several OSes now). There can be alternatives to that when privacy extensions are in use, such that outbound connections are made via a varying IP. That is not for you to decide, it is up to the client what it wants to use. It registers as many IPv6 addresses to its MAC address via NDP as it likes and uses them as it likes.

@meyergru
Thank you very much for the howto. It helps a lot!

Quote from: meyergru
Despite there being enough IPv6 address prefixes with the abundance of 2^128 possible IPs, many ISPs do not provide you with a static IPv6 prefix like the RFCs propose. Some of them will give you just one /64 range, which is awkward, because you usually need one /64 for each of your subnets/VLANs. Even if they provide a /56 or /48 prefix, which you can then subdivide, some ISPs change the ranges regularly or at least when the connection drops. I think this is to make it harder to host services like a business customer would and thus to differentiate business and consumer uplinks. You can try "prevent release" and setting the DUID under "Interfaces : Settings", but usually, it does not help.
Actually I have a FTTH/B connection and my ISP is Telekom. I only have a modem and opnsense uses it to establish the connection. I get an IPv4 and an IPv6 address, but since 3 days both addresses are the same. Also when I restart opnsense. I thought about assigning a fixed IP address to the connection but is it really a good idea? You wrote that a static prefix is proposed in the RFC, but I also read that there is an IPv6 Working Group (I forgot how it is named) that recommends to use dynamic IPv6 due to privacy reasons. I understand that a static IP address is better, but for my private use and homelab, I think a dynamic IPv6 will be better, or? I will only expose a nextcloud and a webserver.
Also when I see that my IP didn't change in the last 3 days, a static IP maybe does not have disadvantages in privacy.

Long story short: What advantages would I have from a static IP address (business contract) in my private environment with two exposed services, and would it make sense regarding privacy reasons?

Quote from: meyergru
So, mostly, you want to have inside-out IPv6 access first, potentially using IPv6 privacy extensions for this in order to hide your identity.
How, and has it the same privacy like a dynamic IP? Or do you mean additional privacy extensions for dynamic IPs?


Quote from: meyergru
If you also want to expose services, I recommend to use reverse proxies like HAproxy, Caddy or Nginx
Only if I have a dynamic IP address and no static? With a static IP I do not need a reverse proxy, or? If needed, should I use it with a plugin in opnsense, or as a stand alone service (I'm using proxmox)?

IPv6 privacy can be had by using IPv6 privacy extensions. Your IPv6 prefix will stay the same, but one cannot see what client actually uses the connection because the lower 64 bits are random. However, there is a tradeoff:

1. For business needs, you will likely use a static prefix, because you have to register IPv6 addresses in DNS (e.g. for web servers).
2. For private use, you may want to completely hide your identity (one might argue that this can only be achieved by using a VPN).

Of course, privacy extensions only change the lower 64 bits, so your "company" connections can always be identified via the upper 64 bits.

I always use reverse proxies with IPv4 on the internal networks. For example, it is damn near impossible to expose Docker services otherwise. The reverse proxy should be on OPNsense, because it will also fetch the certificates (assuming you use ACME certificates). Why would I delegate the network access layer to something behind the firewall?


Quote from: meyergru on August 29, 2025, 09:05:22 PM
IPv6 privacy can be had by using IPv6 privacy extensions. Your IPv6 prefix will stay the same, but one cannot see what client actually uses the connection because the lower 64 bits are random. However, there is a tradeoff:

1. For business needs, you will likely use a static prefix, because you have to register IPv6 addresses in DNS (e.g. for web servers).
2. For private use, you may want to completely hide your identity (one might argue that this can only be achieved by using a VPN).

Of course, privacy extensions only change the lower 64 bits, so your "company" connections can always be identified via the upper 64 bits.

I always use reverse proxies with IPv4 on the internal networks. For example, it is damn near impossible to expose Docker services otherwise. The reverse proxy should be on OPNsense, because it will also fetch the certificates (assuming you use ACME certificates). Why would I delegate the network access layer to something behind the firewall?
For safety's sake, the IPv6 has two parts. The prefix and the interface identifier. Afaik the interface identifier is static and the address of my ISP. The prefix is dynamic. If I get a static IPv6, the prefix will also be static and we get privacy problems. Right?

I thought that the interface identifier is changed and therefore I get more privacy. Is there any example that shows the IPv6 with and without privacy extensions?
But I have the feeling that for me I do not get any privacy with a static IPv6, because I only have a few users and services in my network. Right? Therefore a dynamic IPv6 with DynDNS and a reverse proxy.
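As an added example (not from the thread) for two questions raised above, how to read what an entry in "Interfaces: Diagnostics: NDP Table" / `ndp -a` represents, and what an address looks like with and without privacy extensions: the Python below forms the modified EUI-64 interface identifier from a MAC the way SLAAC does, forms a temporary-style address with a random identifier, and classifies rows of a constructed `ndp -a`-style table by whether their interface identifier embeds the MAC that answered NDP. The prefix is from the 2001:db8::/32 documentation range; the MACs, the table text and the column layout are constructed, not captured from a router.

```python
"""EUI-64 vs. opaque interface identifiers. Added example, not from the thread.
Prefix from the documentation range; MACs and the NDP table are constructed."""
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): MAC split in two, ff:fe inserted, U/L bit flipped."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(raw) != 6:
        raise ValueError("need a 48-bit MAC address")
    raw[0] ^= 0x02  # flip the universal/local bit of the first octet
    return int.from_bytes(bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:]), "big")


def _prefix64(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return net


def slaac_address(prefix: str, mac: str) -> str:
    """The stable address a host without privacy extensions forms from prefix + MAC."""
    base = int(_prefix64(prefix).network_address)
    return str(ipaddress.IPv6Address(base | eui64_interface_id(mac)))


def temporary_address(prefix: str, rng=secrets.token_bytes) -> str:
    """Privacy-extension style address: same prefix, random 64-bit identifier (RFC 8981)."""
    iid = int.from_bytes(rng(8), "big") & ~(1 << 57)  # clear the U/L bit, as RFC 4941 did
    return str(ipaddress.IPv6Address(int(_prefix64(prefix).network_address) | iid))


def classify_iid(addr: str, mac: str) -> str:
    """Does this address embed the given MAC (stable, trackable) or an opaque identifier?"""
    iid = int(ipaddress.IPv6Address(addr.split("%")[0])) & IID_MASK
    if iid == eui64_interface_id(mac):
        return "eui64"            # derived from this entry's MAC: identifies the NIC anywhere
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64-other-mac"  # EUI-64 shaped, but not from the MAC that answered NDP
    return "opaque"               # privacy extension, RFC 7217 stable-private, or manual


def classify_ndp_table(text: str) -> list:
    """Parse `ndp -a`-style rows (address, link-layer address, netif, ...) and classify each."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Neighbor":
            continue  # header or blank line
        addr, mac = fields[0].split("%")[0], fields[1]
        try:
            rows.append((addr, mac, classify_iid(addr, mac)))
        except ValueError:
            rows.append((addr, mac, "no-mac"))  # e.g. "(incomplete)" entries
    return rows


# Constructed table, not real ndp output: one host with a stable and a temporary
# address, the router's manually set ::53, and one EUI-64 address answered by a
# different MAC than the one it embeds.
SAMPLE_NDP = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::5054:ff:fe12:3456%igc1         52:54:00:12:34:56  igc1  23h59m59s S R
2001:db8:1234:1:5054:ff:fe12:3456    52:54:00:12:34:56  igc1  23h59m59s S R
2001:db8:1234:1:a1b2:c3d4:e5f6:789   52:54:00:12:34:56  igc1  23h59m59s S R
2001:db8:1234:1::53                  00:0d:b9:aa:bb:cc  igc1  permanent R
2001:db8:1234:1:20d:b9ff:feaa:bbcc   52:54:00:12:34:56  igc1  23h59m59s S R
"""

if __name__ == "__main__":
    mac, prefix = "52:54:00:12:34:56", "2001:db8:1234:1::/64"
    print("stable   :", slaac_address(prefix, mac))   # 2001:db8:1234:1:5054:ff:fe12:3456
    print("temporary:", temporary_address(prefix))    # random lower 64 bits each run
    for entry in classify_ndp_table(SAMPLE_NDP):
        print("%-36s %s  %s" % entry)
```

The upper 64 bits (the prefix) are what the ISP assigns, and every address in the subnet shares them, so privacy extensions only hide which host inside the prefix made a connection; they do nothing about the prefix identifying the site, which is the tradeoff described above. The "eui64-other-mac" class is a cheap consistency check when reading the NDP table: an EUI-64-shaped identifier whose embedded MAC differs from the link-layer address in the entry is either a VM whose MAC was changed after the address was formed or an address that some other node is answering for.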