Netgate is offering COVID-19 aid for pfSense software users, learn more.
The DHCPv6 server in pfSense® software will hand out addresses to DHCPv6 clients and automatically configure them for network access. By default, the DHCPv6 server is enabled on the LAN interface and set to use a prefix obtained by tracking WAN’s DHCPv6 delegation.
The DHCPv6 server page, found under Services > DHCPv6 Server, has a tab for each available interface. The DHCPv6 daemon can only run and be configured on interfaces with a Static IP address, so if a tab for an interface is not present, check that it is enabled and set with a Static IP. It is not currently possible to adjust settings for tracked interface DHCP service.
The DHCPv6 server cannot be active on any interface if the DHCPv6 Relay service is in use.
DHCP Instance Options¶
For each Interface, there are many options to choose from. At a minimum, the Enable box must be checked on the interface tab and an address range (starting and ending IPv6 addresses) to use for DHCPv6 clients must be defined. For the DHCPv6 server to be active on the network, Router Advertisements must also be set to either Managed or Assisted mode on the Router Advertisements tab.
The other settings may be configured, but are optional.
DHCPv6 does not provide gateway information. Router Advertisements tell hosts on the network how to reach a router. DHCPv6 is for other host configuration such as DNS, delegation, and so on.
See the DNS Forwarder article for information on the default DNS server behavior.
Some other options which may be set for clients include Network booting options, LDAP URI, and the ability to add in any custom DHCP option number and value.
The Range parameter works similarly to the same setting on IPv4 but it is worth mentioning again here due to the differences in IPv6 addressing.
Given the vast amount of space available inside even a /64, a good trick is to
craft a range that restricts hosts to use an easy to remember or recognize
range. For example, Inside a /64 such as
2001:db8:1:1::, set the DHCPv6
2001:db8:1:1::d:FFFF, using the
in the second to last section of the address as a sort of shorthand for “DHCP”.
That example range contains 2^16 (65,536) IPs, which is extremely large by
today’s IPv4 standards, but only a small portion of the whole /64.
DHCPv6 Prefix Delegation¶
Prefix delegation, covered earlier in DHCP6 Prefix Delegation and Track Interface, allows automatically dividing and allocating a block of IPv6 addresses to networks that will live behind other routers and firewall that reside downstream from pfSense (e.g. in the LAN, DMZ, etc). Most users acting in a client capacity will not need this and will likely leave it blank.
Prefix delegation can be used to hand out /64 chunks of a /48 to routers automatically, or any other combination, so long as the range is set on the boundaries of the desired delegation size. The downstream router obtains an IPv6 address and requests a delegation, and the server allocates one and dynamically adds a route so that it is reachable via the assigned DHCPv6 address given to the client.
The Prefix Delegation Range Sets the start and end of the delegation pool.
The range of IPv6 addresses specified here must be routed to this firewall by
upstream routers. For example, to allocate /60 networks to downstream firewalls
out of a given range, then one could specify
2001:db8:1111:FFF0:: with a Prefix Delegation Size of 60. This allocates a
/60 (16 subnets of size /64) to each downstream firewall that requests a
delegation so that they can in turn use those for their LAN, VPNs, DMZ, etc.
Downstream firewalls can even further delegate their own allocation to routers
behind them. Note that in this example, 16 delegations would be possible. Adjust
the range and size as needed.
When crafting the values for the range and delegation size, keep in mind that
the range must start and end on boundaries that align with the desired prefix
size. In this /60 example, the range could not start or end on anything that has
a value in the places to the right of the second value in the fourth section of
the address, so it can start on
2001:db8:1111:F500:: but not
DHCPv6 Static Mappings¶
Static mappings on DHCPv6 work differently than IPv4. On IPv4, the mappings were performed using the MAC address of the PC. For IPv6, the designers decided that wasn’t good enough, since the MAC address of a PC could change, but still be the same PC.
Enter, the DHCP Unique Identifier, or DUID. The DUID of the host is generated by the operating system of the client and, in theory, will remain unique to that specific host until such time as the user forces a new DUID or the operating system is reinstalled. The DUID can range from 12 to 20 bytes, and varies depending on its type.
The DUID field on the static mapping page expects a DUID for a client PC in
a special format, represented by pairs of hexadecimal digits, separated by
colons, such as
How to obtain this DUID depends on the operating system. The easiest way is to
allow the PC to obtain a lease via DHCPv6, and then add an entry from the DHCPv6
Leases View (Status DHCPv6 Leases). In Windows, it can be found as DHCPv6 Client
DUID in the output of
On Windows, the DUID is generated at install time, so if a base image is used and workstations are cloned from there, they can all end up with the same DUID, and thus all end up pulling the same IPv6 address over DHCPv6.
Clear the DUID from the registry before making an image to clone, by issuing the following command:
reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /f /v Dhcpv6DUID
That command may also be run on a working system to reset its DUID if needed.
The DUID format is listed on the page, but it roughly follows the format:
DUID-LLT - ETH -- TIME --- ---- address ----
DUID-LLT is link-layer plus time, which means it uses the link type of a network interface on the system (Generally 00:01 to indicate the format, plus 00:01, or 00:06 for Ethernet), plus the timestamp at which the DUID was generated in hex, plus the MAC address of the first NIC. It may be difficult or impossible to predict a system’s DUID. Unless the operating system has a way to look it up, it may be best to allow the client to obtain a dynamic lease and then copy the DUID from the leases view.
Numbered Options Notes¶
When using numbered custom options, be careful of the type. Some will be OK on text/string but others are not. Also beware that numbered options do NOT correspond exactly to the DHCP numbered options for IPv4
For more information on DHCP option numbers and types, see https://tools.ietf.org/html/draft-ietf-dhc-v6opts-00