DHCPv6 Server¶
The DHCPv6 server in pfSense® software will hand out addresses to DHCPv6 clients and automatically configure them for network access. By default, the DHCPv6 server is enabled on the LAN interface and set to use a prefix obtained by tracking WAN’s DHCPv6 delegation.
The DHCPv6 server page, found under Services > DHCPv6 Server, has a tab for each available interface. The DHCPv6 daemon can only run and be configured on interfaces with a Static IP address, so if a tab for an interface is not present, check that the interface is enabled and set to a Static IP. It is not currently possible to adjust settings for the DHCPv6 service on a tracked interface.
Warning
The DHCPv6 server cannot be active on any interface if the DHCPv6 Relay service is in use.
DHCP Instance Options¶
For each Interface, there are many options to choose from. At a minimum, the Enable box must be checked on the interface tab and an address range (starting and ending IPv6 addresses) to use for DHCPv6 clients must be defined. For the DHCPv6 server to be active on the network, Router Advertisements must also be set to either Managed or Assisted mode under Services > Router Advertisements.
The other settings may be configured, but are optional.
Note
DHCPv6 does not provide gateway information. Router Advertisements inform hosts on the network about available routers. DHCPv6 is for other host configuration such as DNS, delegation, and so on.
See also
See the DNS Forwarder article for information on the default DNS server behavior.
Some other options which may be set for clients include Network booting options, LDAP URI, and the ability to add in any custom DHCP option number and value.
DHCPv6 Range¶
The Range parameter works similarly to the same setting on IPv4 but it is worth mentioning again here due to the differences in IPv6 addressing.
Given the vast amount of space available inside even a /64, a good trick is to craft a range that restricts hosts to an easy to remember or recognize range. For example, inside a /64 such as 2001:db8:1:1::, set the DHCPv6 range to 2001:db8:1:1::d:0000 to 2001:db8:1:1::d:FFFF, using the d in the second to last section of the address as a sort of shorthand for “DHCP”. That example range contains 2^16 (65,536) IPs, which is extremely large by today’s IPv4 standards, but only a small portion of the whole /64.
DHCPv6 Prefix Delegation¶
Prefix delegation, covered earlier in DHCP6 Prefix Delegation and Track Interface, allows automatically dividing and allocating a block of IPv6 addresses to networks that will live behind other routers and firewalls that reside downstream from the firewall (e.g. in the LAN, DMZ, etc). Most users acting in a client capacity will not need this and will likely leave it blank.
Prefix delegation can be used to hand out /64 chunks of a /48 to routers automatically, or any other combination, so long as the range is set on the boundaries of the desired delegation size. The downstream router obtains an IPv6 address and requests a delegation, and the server allocates one and dynamically adds a route so that it is reachable via the assigned DHCPv6 address given to the client.
The Prefix Delegation Range sets the start and end of the delegation pool. The range of IPv6 addresses specified here must be routed to this firewall by upstream routers. For example, to allocate /60 networks to downstream firewalls out of a given range, one could specify 2001:db8:1111:F000:: to 2001:db8:1111:FFF0:: with a Prefix Delegation Size of 60. This allocates a /60 (16 subnets of size /64) to each downstream firewall that requests a delegation so that they can in turn use those for their LAN, VPNs, DMZ, etc. Downstream firewalls can even further delegate their own allocation to routers behind them. Note that in this example, 16 delegations would be possible. Adjust the range and size as needed.
When crafting the values for the range and delegation size, keep in mind that the range must start and end on boundaries that align with the desired prefix size. In this /60 example, the range could not start or end on anything that has a value in the places to the right of the second value in the fourth section of the address, so it can start on 2001:db8:1111:F500:: but not 2001:db8:1111:F550::.
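The pool arithmetic from the DHCPv6 Range and Prefix Delegation sections above, as an added example that is not part of the pfSense documentation or code: it counts the addresses in a range, refuses delegation pool boundaries whose bits beyond the prefix length are not zero, and enumerates the prefixes the pool would hand out. The function names and the use of Python’s ipaddress module are this example’s own choices.

```python
import ipaddress


def pool_size(start: str, end: str) -> int:
    """Number of addresses in an inclusive DHCPv6 range such as ::d:0 to ::d:ffff."""
    first = int(ipaddress.IPv6Address(start))
    last = int(ipaddress.IPv6Address(end))
    if first > last:
        raise ValueError("range start must not be above range end")
    return last - first + 1


def delegation_prefixes(start: str, end: str, size: int) -> list:
    """Enumerate the prefixes a Prefix Delegation pool would allocate.

    start and end are the pool boundaries as typed into the GUI, size is the
    Prefix Delegation Size (for example 60). A boundary is aligned when every
    bit past the prefix length is zero, so for /60 the last hex digit of the
    fourth group must be 0; anything else raises ValueError.
    """
    if not 1 <= size <= 128:
        raise ValueError("prefix size must be between 1 and 128")
    first = int(ipaddress.IPv6Address(start))
    last = int(ipaddress.IPv6Address(end))
    host_bits = 128 - size
    for name, value in (("start", first), ("end", last)):
        if value & ((1 << host_bits) - 1):
            raise ValueError(
                f"{name} {ipaddress.IPv6Address(value)} is not on a /{size} boundary")
    if first > last:
        raise ValueError("pool start must not be above pool end")
    step = 1 << host_bits  # distance between consecutive /size prefixes
    return [ipaddress.IPv6Network((value, size))
            for value in range(first, last + 1, step)]


def lan_subnets(prefix: ipaddress.IPv6Network) -> list:
    """The /64 networks a downstream firewall can carve out of one delegation."""
    return list(prefix.subnets(new_prefix=64))


if __name__ == "__main__":
    print(pool_size("2001:db8:1:1::d:0", "2001:db8:1:1::d:ffff"))
    pool = delegation_prefixes("2001:db8:1111:F000::", "2001:db8:1111:FFF0::", 60)
    print(len(pool), pool[0], pool[-1], len(lan_subnets(pool[0])))
```

Run on the F000 to FFF0 range with size 60, the enumeration yields 256 prefixes rather than 16, because a /60 boundary only requires the last hex digit of the fourth group to be zero; each of them still contains 16 /64 networks.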
DHCPv6 Static Mappings¶
Static mappings on DHCPv6 work differently than IPv4. On IPv4, the mappings were performed using the MAC address of the PC. For IPv6, the designers decided that wasn’t good enough, since the MAC address of a PC could change, but still be the same PC.
Enter the DHCP Unique Identifier, or DUID. The DUID of the host is generated by the operating system of the client and, in theory, will remain unique to that specific host until such time as the user forces a new DUID or the operating system is reinstalled. The DUID can range from 12 to 20 bytes, and varies depending on its type.
The DUID field on the static mapping page expects a DUID for a client PC in a special format, represented by pairs of hexadecimal digits, separated by colons, such as 00:01:00:01:1b:a6:e7:ab:00:26:18:1a:86:21.
How to obtain this DUID depends on the operating system. The easiest way is to allow the PC to obtain a lease via DHCPv6, and then add an entry from the DHCPv6 Leases View (Status > DHCPv6 Leases). In Windows, it can be found as DHCPv6 Client DUID in the output of ipconfig /all.
Note
On Windows, the DUID is generated at install time, so if a base image is used and workstations are cloned from there, they can all end up with the same DUID, and thus all end up pulling the same IPv6 address over DHCPv6.
Clear the DUID from the registry before making an image to clone, by issuing the following command:
reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /f /v Dhcpv6DUID
That command may also be run on a working system to reset its DUID if needed.
DUID Format¶
The DUID format is listed on the page, but it roughly follows this layout, shown here against the example DUID from above:
DUID-LLT - ETH -- TIME --- ---- address ----
00:01      00:01  1b:a6:e7:ab  00:26:18:1a:86:21
DUID-LLT is link-layer plus time: it starts with 00:01 to indicate the DUID-LLT format, followed by the link type of a network interface on the system (generally 00:01, or 00:06, for Ethernet), then the timestamp at which the DUID was generated in hex, then the MAC address of the first NIC. It may be difficult or impossible to predict a system’s DUID. Unless the operating system has a way to look it up, it may be best to allow the client to obtain a dynamic lease and then copy the DUID from the leases view.
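A parser for the DUID layout just described, added here as an example and not part of the pfSense documentation or code, covering the DHCPv6 Static Mappings and DUID Format sections: it normalizes a DUID copied from a leases view or from ipconfig into the colon-separated form the static mapping field expects, and decodes the DUID-LLT fields (type, hardware type, generation time, link-layer address) so an administrator can check that a mapping really refers to the intended host. It assumes the RFC 8415 layout in which the DUID-LLT time is seconds since 2000-01-01 UTC, and also decodes the simpler DUID-LL type; all function names are this example’s own.

```python
import re
from datetime import datetime, timedelta, timezone

# DUID type codes; the page describes DUID-LLT (type 1) in detail.
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}
# Hardware types mentioned on the page: 1 = Ethernet, 6 = IEEE 802 networks.
HW_TYPES = {1: "Ethernet", 6: "IEEE 802"}
# DUID-LLT time counts seconds since 2000-01-01 00:00 UTC (RFC 8415).
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def normalize_duid(text: str) -> str:
    """Convert 'AA-BB-..' (ipconfig style) or 'aa:bb:..' into the colon form
    the static mapping page expects: lowercase hex pairs separated by colons."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) < 4 or len(digits) % 2:
        raise ValueError("a DUID is an even number of hex digits, at least 2 bytes")
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2)).lower()


def parse_duid(text: str) -> dict:
    """Decode the fields of a DUID; only LLT and LL carry a link-layer address."""
    raw = bytes.fromhex(normalize_duid(text).replace(":", ""))
    duid_type = int.from_bytes(raw[0:2], "big")
    info = {"type": DUID_TYPES.get(duid_type, f"unknown ({duid_type})")}
    if duid_type in (1, 3):
        if len(raw) < 4:
            raise ValueError("DUID too short to carry a hardware type")
        hw = int.from_bytes(raw[2:4], "big")
        info["hardware"] = HW_TYPES.get(hw, f"unknown ({hw})")
        body = raw[4:]
        if duid_type == 1:
            if len(body) < 5:
                raise ValueError("DUID-LLT needs a 4-byte time plus an address")
            seconds = int.from_bytes(body[:4], "big")
            info["generated"] = DUID_EPOCH + timedelta(seconds=seconds)
            body = body[4:]
        info["link_layer"] = ":".join(f"{b:02x}" for b in body)
    return info


if __name__ == "__main__":
    # Constructed input: the page's example DUID as ipconfig /all would print it.
    print(parse_duid("00-01-00-01-1B-A6-E7-AB-00-26-18-1A-86-21"))
```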
Numbered Options Notes¶
When using numbered custom options, be careful of the type. Some will be OK as text/string but others are not. Also beware that numbered options do NOT correspond exactly to the DHCP numbered options for IPv4.
For more information on DHCP option numbers and types, see https://tools.ietf.org/html/draft-ietf-dhc-v6opts-00