SLAAC and stateful DHCP6 IPs are configured on interface when using DHCP6 config type
If I set my WAN IPv6 configuration type to DHCP6 and leave 'Request only a IPv6 prefix' unchecked I end up with two public v6 IPs on WAN interface:
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=60009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 00:aa:bb:cc:dd:ee
	inet6 fe80::2aa:bbff:fecc:ddee%vmx0 prefixlen 64 scopeid 0x1
	inet 22.214.171.124 netmask 0xfffffc00 broadcast 126.96.36.199
	inet6 xxxx:yyy:zzzz:4fa0:2aa:bbff:fecc:ddee prefixlen 64 autoconf
	inet6 xxxx:yyy:zzzz:4fa0::48 prefixlen 128
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
	media: Ethernet autoselect
	status: active
xxxx:yyy:zzzz:4fa0::48 is assigned by DHCP server
xxxx:yyy:zzzz:4fa0:2aa:bbff:fecc:ddee is auto-configured. pfSense WAN is connected to modem that sends out RA messages.
This happens because function interface_dhcpv6_configure is called for slaac and dhcp6 configurations and enables RA acceptance regardless of the config type.
If I check the 'Request only a IPv6 prefix' flag so that pfSense doesn't request a stateful address from the DHCP server, I end up with a SLAAC IP only. However, the Interfaces widget on the dashboard shows the link-local address instead of the SLAAC address, and firewall rules that use 'WAN net' or 'WAN address' use the link-local address as well. Looking at the code, I see that the get_interface_ipv6 function assumes that there is no public IP if the 'dhcp6prefixonly' flag is set.
Return link-local address when we are only requesting IPv6 prefix only if there is no global IPv6 address. In some cases global SLAAC IPv6 address might be present when using DHCPv6. Fixes #4483
#1 Updated by Paul K about 4 years ago
Did a little bit more research on this issue.
First, in order for the SLAAC address to be auto-configured, RA message must advertise /64 (not sure why, but I was unable to reproduce it when advertising any other size prefix) prefix and autonomous address-configuration flag must be set to on (AdvAutonomous in radvd configuration).
Second, the fact that two addresses get assigned to the interface is in theory correct. RA message advertises that prefix can be used for auto-configuration and we request stateful address via DHCPv6. In practice though, you could argue that this is not the correct way to set things up. If DHCPv6 server is present AdvAutonomous flag should not be enabled. In my case I have no control over AT&T modem that does this and I expect other ISPs to follow this setup since it works if customer plugs in client computers directly to the modem and if other downstream router is present that needs prefix delegation. Also RFCs 6204 and 4862 do not specify this as invalid setup.
pfSense does not seem to be set up to handle multiple IPv6 addresses on the interface, so we have to get rid of one of those addresses.
Disabling accept_rtadv on interface when DHCPv6 is used would require quite a lot of changes to the code since rtsold process is launched for SLAAC and DHCPv6 configurations and dhcp6c process is launched by rtsold. If accept_rtadv is not enabled on the interface rtsold refuses to work and so it does not start dhcp6c. The only option would be to launch dhcp6c directly for DHCPv6 configurations and via rtsold for SLAAC configurations.
It would be a lot easier to modify function get_interface_ipv6 to check if global IPv6 is not present when DHCPv6 'Request only an IPv6 prefix' flag is enabled.
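The address selection discussed in this thread, as an added Python example that is not pfSense code and not part of the original report: it parses FreeBSD ifconfig output, flags an interface that carries both a SLAAC and a non-autoconf global address, and falls back to link-local only when no global address exists. The function names and the sample output (using the 2001:db8::/32 documentation prefix) are constructed for illustration.

```python
import ipaddress

# Constructed sample in FreeBSD ifconfig format; addresses use the documentation prefix.
SAMPLE_BOTH = """\
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 fe80::2aa:bbff:fecc:ddee%vmx0 prefixlen 64 scopeid 0x1
\tinet6 2001:db8:1:4fa0:2aa:bbff:fecc:ddee prefixlen 64 autoconf
\tinet6 2001:db8:1:4fa0::48 prefixlen 128
\tnd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
"""

def parse_inet6(ifconfig_text):
    """Return one dict per inet6 line: addr, prefixlen, origin."""
    found = []
    for line in ifconfig_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "inet6" or fields[2] != "prefixlen":
            continue
        # Link-local addresses are printed with a %scope suffix; drop it before parsing.
        addr = ipaddress.IPv6Address(fields[1].split("%")[0])
        if addr.is_link_local:
            origin = "link-local"
        elif "autoconf" in fields[4:]:
            origin = "slaac"             # formed from an RA prefix
        else:
            origin = "non-autoconf"      # e.g. the /128 handed out by DHCPv6
        found.append({"addr": str(addr), "prefixlen": int(fields[3]), "origin": origin})
    return found

def has_mixed_assignment(ifconfig_text):
    """True when both a SLAAC and a non-autoconf global address are present."""
    origins = {a["origin"] for a in parse_inet6(ifconfig_text)}
    return {"slaac", "non-autoconf"} <= origins

def pick_interface_ipv6(ifconfig_text):
    """Prefer a global address; return link-local only if no global one exists."""
    addrs = parse_inet6(ifconfig_text)
    # is_link_local is used instead of is_global because documentation and
    # ULA prefixes are not "global" to the ipaddress module but are still
    # the address that rules and widgets should show.
    for a in addrs:
        if a["origin"] != "link-local":
            return a["addr"]
    return addrs[0]["addr"] if addrs else None

if __name__ == "__main__":
    print(has_mixed_assignment(SAMPLE_BOTH), pick_interface_ipv6(SAMPLE_BOTH))
```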