IPv6 Router Advertisements

Automatic address assignment for IPv6 works quite a bit differently than IPv4. Even so, most of the DHCP options are similar, but there are notable differences in behavior in how things are assigned and also how items like the gateway are handed off to clients. Unless otherwise noted, options of the same name work the same for DHCP and DHCPv6. DHCPv6 is configured under Services > DHCPv6 Server and Router Advertisements (RA) are configured under Services > Router Advertisement.

DHCPv6 vs Stateless Address Autoconfiguration

There are a few clients that do not have support for DHCPv6. Some clients only support Stateless Address Autoconfiguration, or SLAAC for short. There is no way for the firewall to have direct knowledge of a list of hosts on the segment using SLAAC addresses, so for some environments it is much less desirable because of the lack of control and reporting of addresses. Consider address tracking and operating system support requirements when deciding how to allocate IPv6 addresses to clients on the network.

Many operating systems such as Windows, macOS, FreeBSD, Linux, and their cousins contain DHCPv6 clients that are capable of obtaining addresses as expected via DHCPv6. Some lightweight or mobile operating systems such as Android do not contain a DHCPv6 client and will only function on a local segment with IPv6 using SLAAC.

Router Advertisements (Or: “Where is the DHCPv6 gateway option?”)

In IPv6, hosts locate a router through Router Advertisement (RA) messages sent from routers instead of by DHCP; IPv6-enabled routers that support dynamic address assignment are expected to announce themselves on the network to all clients. As such, DHCPv6 does not include any gateway information. So clients can obtain their addresses from DHCPv6 or SLAAC, but unless they are statically configured, they always locate their next hop by using RA packets sent from available gateways.

To enable the RA service:

  • Navigate to Services > Router Advertisement

  • Click the interface tab for the interface being configured

  • Select a mode other than Disabled from the Router Mode drop-down list

  • Click Save

The other options to control RA behavior may be set as needed for the network:

Router Advertisement Modes:

The modes for the RA daemon control the services offered by pfSense® software, announce the firewall as an IPv6 router on the network, and direct clients on how to obtain addresses.

Disabled:

The RA daemon is disabled and will not run. IPv6 gateways must be entered manually on any client hosts.

Router Only:

This firewall will send out RA packets that advertise itself as an IPv6 router. DHCPv6 is disabled in this mode.

Unmanaged:

The firewall will send out RA packets and clients are directed to assign themselves IP addresses within the interface subnet using SLAAC. DHCPv6 is disabled in this mode.

Managed:

The firewall will send out RA packets and addresses will only be assigned to clients using DHCPv6.

Assisted:

The firewall will send out RA packets and addresses can be assigned to clients by DHCPv6 or SLAAC.

Stateless DHCP:

The firewall will send out RA packets and addresses can be assigned to clients by SLAAC while providing additional information such as DNS and NTP from DHCPv6.

Router Priority:

If multiple IPv6 routers exist on the same network segment, they can indicate to clients in which order they should be used. If a high priority router becomes unavailable, clients will try a normal priority router, and finally a low priority router. Select either Low, Normal, or High from the list. If there is only one router on the network, use Normal.

Default Valid Lifetime:

Length of time, specified in seconds, that the advertised prefix will be valid. The default value is 86400 seconds (one day)

Default Preferred Lifetime:

Length of time, specified in seconds, that the client addresses generated in this prefix using SLAAC are valid. The default value is 86400 seconds (one day)

Minimum & Maximum RA interval:

The router sends advertisements on each interface configured to transmit messages. Advertisements include route information and indicate to network hosts that the router is operational. The router sends these unsolicited multicast router advertisements periodically, with a time range defined by minimum and maximum values in seconds.

The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA messages.

Router lifetime:

The lifetime associated with the default router in seconds. A value of 0 indicates that the router is not a default router and that associated default routes should be discarded.

The default is three times the maximum RA interval seconds.

RA Subnets:

This section allows defining a list of subnets for which this firewall will send RA packets. Enter as many subnets as needed, each with an appropriate prefix (typically 64.). To create an additional row for another subnet, click fa-plus Add.

DNS Settings:

Obtaining DNS information from RA messages is not universally supported, but for clients that do support it, using SLAAC to give an IP address and DNS from RA can do away with the need for using DHCPv6 entirely.

DNS Servers:

Enter up to three IP addresses for DNS Servers, or leave the fields blank to use the system default DNS servers or DNS Resolver/DNS forwarder if enabled.

Domain Search List:

Operates identically to the DHCP option of the same name.

Use same settings as DHCPv6 server:

When checked, these values will be pulled from the DHCPv6 options automatically.