IPv6 private network address

baos

Occasional Visitor
Here is my problem, I run a couple local ipv6 services on my lan, and I have a prefix that is dynamic via dhcp. Every time the prefix changes, I need to update several config files and I don't always notice right away which impacts other things.

As I understand it fd00:: or fc00:: were at some point designated local and not global routable, similar to 192.168.*, though may be stuck in some form of red tape ( https://en.wikipedia.org/wiki/Unique_local_address ). I have previously used them in the past (pre asus router) and would like to continue using them. The problem is that the asus router doesn't route them over the lan.

The Router firmware: 386.5_2
The router: RT-AX58U
 

ColinTaylor

Part of the Furniture
The problem is that the asus router doesn't route them over the lan.
If your LAN consists of a single subnet (which is usually the case) there is no routing taking place. Can you give a specific example of the problem?
 

baos

Occasional Visitor
If your LAN consists of a single subnet (which is usually the case) there is no routing taking place. Can you give a specific example of the problem?
I allocate address fc00::2 to a lan computer, I then attempt to ping that address from another lan computer. All computers have global ipv6 addresses, but technically if fc00::2 was local routable like the 192.168.1.2 address it also has, that wouldn't be required.

To look at this another way, imagine 192.168 was isp assigned and kept changing every 2 months, requiring several config files to be updated. This is currently what I am dealing with for my ipv6 lan.
 

drinkingbird

Senior Member
I allocate address fc00::2 to a lan computer, I then attempt to ping that address from another lan computer. All computers have global ipv6 addresses, but technically if fc00::2 was local routable like the 192.168.1.2 address it also has, that wouldn't be required.

To look at this another way, imagine 192.168 was isp assigned and kept changing every 2 months, requiring several config files to be updated. This is currently what I am dealing with for my ipv6 lan.

Unfortunately the idea of IPv6 was that everyone could have a static /64 that never changes, but many ISPs are not on board with that. You could ask your ISP for one but they'll probably want to charge you.

In order to communicate between a machine with a public IPv6 and a private FC/FD ULA address, you would have to have a ULA address on the Asus alongside the public subnet. I'm not sure how complex that would be, I haven't used IPv6 on the Asus, but on professional gear it is straightforward. But then this traffic would be going through the router which isn't ideal, it may limit your throughput. This is no different than v4, communicating between subnets requires an L3 device. It's not that the Asus can't route these ranges, it just needs to be configured to be able to do it.

Every host will have a link-local IPv6 IP and in some cases hostname resolution will work for those, you could potentially just use hostname lookups, but if your app/OS looks to DNS first then it will get the public IP and that won't work. Probably not a reliable way to go.

Can your config files not reference hostnames instead of IPs (hostnames for your public subnet, skipping using the private subnet entirely)? That's really your only solution for this, other than using IPv4 for this local communication (which will work fine as well, not losing anything by doing that). You can have dynamic v6 and static v4 alongside each other on the LAN with DNS and DHCP all functioning properly.

IPv6 requires a shift in thinking. Hostnames are now critical and the primary method of getting to a host, even if just on your LAN. Even if you had a static subnet, are you only going to use the IPs that are short and easy to remember? Even then, 17+ digits is not exactly easy to remember.
 

SomeWhereOverTheRainBow

Part of the Furniture
Here is my problem, I run a couple local ipv6 services on my lan, and I have a prefix that is dynamic via dhcp. Every time the prefix changes, I need to update several config files and I don't always notice right away which impacts other things.

As I understand it fd00:: or fc00:: were at some point designated local and not global routable, similar to 192.168.*, though may be stuck in some form of red tape ( https://en.wikipedia.org/wiki/Unique_local_address ). I have previously used them in the past (pre asus router) and would like to continue using them. The problem is that the asus router doesn't route them over the lan.

The Router firmware: 386.5_2
The router: RT-AX58U
You can assign yourself a local ipv6 address on the same interface you have your other address on. The one thing about ipv6 is that it can have multiple address assignments on an interface. The problem comes in whenever your ISP updates your ipv6 address: you need a script in place to keep your locally added address in place. It involves making a ULA address.

Here is a thread that may help:
 

drinkingbird

Senior Member
You can assign yourself a local ipv6 address on the same interface you have your other address on. The one thing about ipv6 is that it can have multiple address assignments on an interface. The problem comes in whenever your ISP updates your ipv6 address: you need a script in place to keep your locally added address in place. It involves making a ULA address.

Here is a thread that may help:

IPv4 can have multiple IPs on an interface as well. The challenge (with either protocol) is having one be dynamic and one be static which often isn't supported on a client, at least not easily.

So even if you use a script to create a secondary v6 subnet on your LAN, your clients still need to be configured with dual IPs, one dynamic, one static. Unless you use much more complex scripts to set up DHCP for the private range also.

Sort of brings me back to the "why" question - why is the private subnet (now called ULA) even needed? The idea of the private FC00::/7 is totally different in IPv6 - it is for truly private networks, not connected to the internet at all.
 

SomeWhereOverTheRainBow

Part of the Furniture
IPv4 can have multiple IPs on an interface as well. The challenge (with either protocol) is having one be dynamic and one be static which often isn't supported on a client, at least not easily.

So even if you use a script to create a secondary v6 subnet on your LAN, your clients still need to be configured with dual IPs, one dynamic, one static. Unless you use much more complex scripts to set up DHCP for the private range also.

Sort of brings me back to the "why" question - why is the private subnet (now called ULA) even needed? The idea of the private FC00::/7 is totally different in IPv6 - it is for truly private networks, not connected to the internet at all.
DHCP servers like dnsmasq hand out all addresses with :: , so even when your ISP changes your "ipv6 prefix" your script will still keep the same local ULA you made. The point is to have a stable address you have control over if your ISP constantly changes your ipv6 prefix. While this would not have an applicable use outside your home network, it can be very applicable inside the network.
 

drinkingbird

Senior Member
DHCP servers like dnsmasq hand out all addresses with :: , so even when your ISP changes your "ipv6 prefix" your script will still keep the same local ULA you made. The point is to have a stable address you have control over if your ISP constantly changes your ipv6 prefix. While this would not have an applicable use outside your home network, it can be very applicable inside the network.
That goes to my comment earlier in the thread where IPv6 is not the same as IPv4. Having private and public ranges is not the intent, you should be using hostnames to resolve your hosts, it does not matter if your IP changes from time to time as your hostnames will not change and will dynamically update your router's DNS.

Not saying I don't see the reasoning, just saying it is something people need to get their heads around if they want to move to IPv6. The concepts have changed and trying to force things to work "how they used to" defeats the purpose. ULA is not intended to be used on devices with internet access (though yes, plenty are doing so today, again, trying to force things to work like they did with v4).
 

SomeWhereOverTheRainBow

Part of the Furniture
That goes to my comment earlier in the thread where IPv6 is not the same as IPv4. Having private and public ranges is not the intent, you should be using hostnames to resolve your hosts, it does not matter if your IP changes from time to time as your hostnames will not change and will dynamically update your router's DNS.

Not saying I don't see the reasoning, just saying it is something people need to get their heads around if they want to move to IPv6. The concepts have changed and trying to force things to work "how they used to" defeats the purpose. ULA is not intended to be used on devices with internet access (though yes, plenty are doing so today, again, trying to force things to work like they did with v4).
I see your personal opinion, and thank you for sharing. My response was just to answer the OP's question and not to provide a personal opinion. While I have no need for such a script, some people aspire more for personal knowledge. While I understand your opinion on the matter, with ipv6 it is important to have some control in one's local network. For example, if your local addresses change as a response to your ISP changing the dynamic GUA assignment, having a hostname will be irrelevant in a local network because the address assigned to it will no longer be good, especially when the changed GUA assignment causes addresses to change locally (I am referring to controlling hostnames server side and not client side). Either a stateful configuration or a ULA address can solve this partially, however it would be pointless with devices that only take SLAAC assignments, but hostnames would be pointless in this situation as well.
 

baos

Occasional Visitor
Unfortunately the idea of IPv6 was that everyone could have a static /64 that never changes, but many ISPs are not on board with that. You could ask your ISP for one but they'll probably want to charge you.

In order to communicate between a machine with a public IPv6 and a private FC/FD address, you would have to have an FC/FD address on the Asus alongside the public subnet. I'm not sure how complex that would be, I haven't used IPv6 on the Asus, but on professional gear it is straightforward. But then this traffic would be going through the router which isn't ideal, it may limit your throughput.

Every host will have a link-local IPv6 IP and in many cases hostname resolution will work for those, you could potentially just use hostname lookups, but if your app/OS looks to DNS first then it will get the public IP and that won't work.

Can your config files not reference hostnames instead of IPs? That's really your only solution for this, other than using IPv4 for this local communication (which will work fine as well, not losing anything by doing that).
I have never had a link local ipv6 ip work over a lan with any system. For example,
Code:
 ping fe80::1234
returns "ping: sendmsg: Invalid argument" (with -6, and it is able to ping the other ipv6 addresses). I think it is intended to work similar to 127.0.0.1.
Hostnames will not work for ip address configs, at least for my context. This is a FreeBSD server, and it is running the DNS. It is also the only one I need to have a static ip that I can somehow reference from the lan. At current config it nabs a dynamic ipv4 and ipv6 address, then appends fc00::2 to its interface. I had been previously assigning it manually with [dynamic subnet]::2.

I found a solution though, but am having trouble making it persistent.
If I do,
Code:
ifconfig br0 add fc00::1/7
, then for a while I can ping fc00::2 from anything on the lan.

I tried several variations of this, but eventually within about an hour (dhcp renew?), I can no longer ping fc00::2.
Code:
echo '#!/bin/sh' >> /jffs/scripts/services-start
echo 'ifconfig br0 add fc00::1/7' >> /jffs/scripts/services-start
chmod +x /jffs/scripts/services-start
 

SomeWhereOverTheRainBow

Part of the Furniture
I have never had a link local ipv6 ip work over a lan with any system (fe80::). ping returns "ping: sendmsg: Invalid argument" (with -6, and it is able to ping the other ipv6 addresses). I think it is intended to work similar to 127.0.0.1.
Hostnames will not work for ip address configs, at least for my context. This is a FreeBSD server, and it is running the DNS. It is also the only one I need to have a static ip that I can somehow reference from the lan. At current config it nabs a dynamic ipv4 and ipv6 address, then appends fc00::2 to its interface. I had been previously assigning it manually with [dynamic subnet]::2.

I found a solution though, but am having trouble making it persistent.
If I do,
Code:
ifconfig br0 add fc00::1/7
, then for a while I can ping fc00::2 from anything on the lan.

I tried several variations of this, but eventually within about an hour (dhcp renew?), I can no longer ping fc00::2.
Code:
echo '#!/bin/sh' >> /jffs/scripts/services-start
echo 'ifconfig br0 add fc00::1/7' >> /jffs/scripts/services-start
chmod +x /jffs/scripts/services-start
Try addresses like

fdbe:beef:cafe::1/64

Just an example

The start of the address is simply fd instead of fc.

Or simply generate your own ula
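Two things in this exchange lend themselves to a small script: the OP's services-start one-liner that adds fc00::1/7 to br0 and then loses it (apparently around a DHCP renew), and the advice just above to use an fd-prefixed /64 or to generate your own ULA. The following is an added example, not a script from this thread, from Asus or from Asuswrt-Merlin. It assumes the LAN bridge is br0 (as named in the thread), that the router's busybox provides the `ip` command, and that the address fdbe:beef:cafe::1/64 is a constructed placeholder you would replace with a prefix you generated. Rather than blindly appending the address at boot, it checks whether the address is already present and only adds it when missing, so it can be re-run after every prefix change without error, and it refuses an address that is not a /64 inside fd00::/8 (RFC 4193 leaves fc00::/8 undefined for local use, and a /7 on an interface claims the entire ULA space as on-link).

```shell
#!/bin/sh
# Added example (not from the thread): keep a locally assigned ULA address on
# the router's LAN bridge across ISP prefix changes, and sanity-check that the
# address has the RFC 4193 shape (fd00::/8, one /64 per LAN segment).
# Hypothetical values: br0 is the Asus LAN bridge named in the thread; the
# address fdbe:beef:cafe::1/64 is a constructed placeholder, not an allocation.

IFACE="br0"
ULA_ADDR="fdbe:beef:cafe::1/64"

# gen_ula_prefix: print a fresh RFC 4193 locally assigned prefix, i.e. fd
# followed by 40 random bits from /dev/urandom, as a /48 from which one /64
# per LAN segment is taken.
gen_ula_prefix() {
    gid=$(od -An -N5 -tx1 /dev/urandom | tr -d ' \n')
    printf 'fd%s:%s:%s::/48\n' \
        "$(printf '%s' "$gid" | cut -c1-2)" \
        "$(printf '%s' "$gid" | cut -c3-6)" \
        "$(printf '%s' "$gid" | cut -c7-10)"
}

# check_ula ADDR: return 0 if ADDR lies in fd00::/8 and carries a /64 prefix
# length, 1 otherwise. fc00::1/7 from the original script fails both tests.
check_ula() {
    case "$1" in
        [fF][dD][0-9a-fA-F][0-9a-fA-F]:*/64) return 0 ;;
        *) return 1 ;;
    esac
}

# has_addr ADDRLIST ADDR: return 0 if ADDR (with prefix length) already appears
# in ADDRLIST, which is the text of `ip -6 addr show dev IFACE`. Matching on
# "inet6 ADDR " keeps fe80::1/64 from matching a longer address by prefix.
has_addr() {
    printf '%s\n' "$1" | grep -qiF -- "inet6 $2 "
}

# ensure_addr IFACE ADDR: add ADDR to IFACE only if it is missing. Idempotent,
# so it is safe to call from services-start and again from a periodic job or
# a WAN event hook that runs after the ISP hands out a new prefix.
ensure_addr() {
    current=$(ip -6 addr show dev "$1" 2>/dev/null) || return 1
    if has_addr "$current" "$2"; then
        return 0
    fi
    ip -6 addr add "$2" dev "$1"
}

# Only touch the system when explicitly asked, so the file can be sourced for
# its functions (or run with no arguments) without changing any interface.
case "${1:-}" in
    apply)
        check_ula "$ULA_ADDR" || {
            echo "refusing: $ULA_ADDR is not a /64 inside fd00::/8" >&2
            exit 1
        }
        ensure_addr "$IFACE" "$ULA_ADDR"
        ;;
    new-prefix)
        gen_ula_prefix
        ;;
esac
```

Run `sh ula-keep.sh new-prefix` once to obtain a prefix, put one /64 from it into `ULA_ADDR`, and call `sh ula-keep.sh apply` from /jffs/scripts/services-start; because the add is idempotent, the same call can also be scheduled every few minutes (Asuswrt-Merlin's `cru` helper, if your firmware has it) so the address comes back after the ISP prefix change that removes it. Give the server its own address in the same /64 (fdbe:beef:cafe::2/64 in this example) and no extra route is needed, since both ends are on-link. Separately, the `ping: sendmsg: Invalid argument` seen earlier for fe80::1234 is what Linux reports when a link-local destination is given without a zone index; link-local addresses are written with the interface attached, as in fe80::1234%br0.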

 

drinkingbird

Senior Member
I see your personal opinion, and thank you for sharing. My response was just to answer the OP's question and not to provide a personal opinion. While I have no need for such a script, some people aspire more for personal knowledge. While I understand your opinion on the matter, with ipv6 it is important to have some control in one's local network. For example, if your local addresses change as a response to your ISP changing the dynamic GUA assignment, having a hostname will be irrelevant in a local network because the address assigned to it will no longer be good, especially when the changed GUA assignment causes addresses to change locally (I am referring to controlling hostnames server side and not client side). Either a stateful configuration or a ULA address can solve this partially, however it would be pointless with devices that only take SLAAC assignments, but hostnames would be pointless in this situation as well.

This is not my personal opinion (not sure why you repeated it 3 times), this is the design of IPv6. Hostnames are now the norm, accessing IP addresses is no longer reasonable or manageable. People who are trying to create "easy to remember" v6 IPs are just trying to replicate v4, again defeating the purpose. There is a total change of mindset that needs to be understood before deciding to implement v6.

If your ISP changes your subnet, your DHCP needs to be aware of that, hand out new IPs and update DNS. I'm not talking about SLAAC or ULA, I'm talking about just using your main internet routable v6 IP which will be mapped to DNS, and if implemented properly, will dynamically update your DNS when the IP changes. Again v6 really never assumed that ISPs would still be refusing to give out static assignments as default, but even those that change, it will usually only change if you reboot or do some other major change, which will cause all clients to renew their IPs anyway, get new ones, and update DNS. At least that is the way it is supposed to work. Whether Asus handles it well, I don't know.
 

baos

Occasional Visitor
This is not my personal opinion (not sure why you repeated it 3 times), this is the design of IPv6. Hostnames are now the norm, accessing IP addresses is no longer reasonable or manageable. People who are trying to create "easy to remember" v6 IPs are just trying to replicate v4, again defeating the purpose. There is a total change of mindset that needs to be understood before deciding to implement v6.

If your ISP changes your subnet, your DHCP needs to be aware of that, hand out new IPs and update DNS. I'm not talking about SLAAC or ULA, I'm talking about just using your main internet routable v6 IP which will be mapped to DNS, and if implemented properly, will dynamically update your DNS when the IP changes. Again v6 really never assumed that ISPs would still be refusing to give out static assignments as default, but even those that change, it will usually only change if you reboot or do some other major change, which will cause all clients to renew their IPs anyway, get new ones, and update DNS. At least that is the way it is supposed to work. Whether Asus handles it well, I don't know.
The ip that is being changed, is the DNS. How do you suggest I handle that with a hostname? I am not aware of anyone who enters a hostname in the dns field of their connection.
The ipv6 ip changes frequently. The isp hardware needs to be restarted frequently to function. I bought a vps because I don't trust the isp hardware. Not to mention power outages that can last for hours.
 

drinkingbird

Senior Member
I have never had a link local ipv6 ip work over a lan with any system (fe80::). ping returns "ping: sendmsg: Invalid argument" (with -6, and it is able to ping the other ipv6 addresses). I think it is intended to work similar to 127.0.0.1.
Hostnames will not work for ip address configs, at least for my context. This is a FreeBSD server, and it is running the DNS. It is also the only one I need to have a static ip that I can somehow reference from the lan. At current config it nabs a dynamic ipv4 and ipv6 address, then appends fc00::2 to its interface. I had been previously assigning it manually with [dynamic subnet]::2.

I found a solution though, but am having trouble making it persistent.
If I do,
Code:
ifconfig br0 add fc00::1/7
, then for a while I can ping fc00::2 from anything on the lan.

I tried several variations of this, but eventually within about an hour (dhcp renew?), I can no longer ping fc00::2.
Code:
echo '#!/bin/sh' >> /jffs/scripts/services-start
echo 'ifconfig br0 add fc00::1/7' >> /jffs/scripts/services-start
chmod +x /jffs/scripts/services-start

No, loopback (127.0.0.1) is ::1 in IPv6, different from stateless IP

FE80 (SLAAC) is similar to 169.254 in IPv4 except it is much more robust and is used for lots of local communication (whereas in IPv4 it was mostly used for "no response from DHCP"). Your ping is probably defaulting to source from your public IP which is why it can't ping other link local IPs. You'd need to force it to source from the LL. If you fired up a sniffer you'd be surprised how much stuff is communicating over the LL IP without you even telling it to.

Yes, running your own DNS (not on the Asus) will be an issue without static IPv6 assignment. That's not a normal use case. DNS servers pretty much always have to have a static IP (I've seen some funky workarounds though but at some point, some DNS server involved needs to be referenced by an IP). If you have the Asus though not sure why you need a separate DNS - you can customize (via scripts) the Asus DNS quite a bit. Some ISPs will even let you dynamically update their DNS, however you would need to append their domain suffix when doing lookups (unless you have that same suffix being handed out via DHCP in which case it is automatically appended).

If you want to run this setup reliably then you probably need to follow @SomeWhereOverTheRainBow's post and the script that was referenced. Still not sure how you're going to get every client to let you assign a secondary IP though, unless this network is strictly computers and no cell phones, IOT, etc.

It might be easier to just use v4 for local communication and v6 for internet. Pretty much solves all your problems and is very flexible.
 

baos

Occasional Visitor
No, loopback (127.0.0.1) is ::1 in IPv6, different from stateless IP

FE80 (SLAAC) is similar to 169.254 in IPv4 except it is much more robust and is used for lots of local communication (whereas in IPv4 it was mostly used for "no response from DHCP"). Your ping is probably defaulting to source from your public IP which is why it can't ping other link local IPs. You'd need to force it to source from the LL. If you fired up a sniffer you'd be surprised how much stuff is communicating over the LL IP without you even telling it to.

Yes, running your own DNS (not on the Asus) will be an issue without static IPv6 assignment. That's not a normal use case. DNS servers pretty much always have to have a static IP (I've seen some funky workarounds though but at some point, some DNS server involved needs to be referenced by an IP). If you have the Asus though not sure why you need a separate DNS - you can customize (via scripts) the Asus DNS quite a bit. Some ISPs will even let you dynamically update their DNS, however you would need to append their domain suffix when doing lookups (unless you have that same suffix being handed out via DHCP in which case it is automatically appended).

If you want to run this setup reliably then you probably need to follow @SomeWhereOverTheRainBow's post and the script that was referenced. Still not sure how you're going to get every client to let you assign a secondary IP though, unless this network is strictly computers and no cell phones, IOT, etc.

It might be easier to just use v4 for local communication and v6 for internet. Pretty much solves all your problems and is very flexible.
I don't need every client to have a secondary ip. I only need one client to have a static ip. I don't care what that ip is, it just needs to route to the lan. My problems are also solved by retiring the asus router, but I would prefer it to function. I don't run services on it because I use specific things that were not designed for it.
 

drinkingbird

Senior Member
The ip that is being changed, is the DNS. How do you suggest I handle that with a hostname? I am not aware of anyone who enters a hostname in the dns field of their connection.
The ipv6 ip changes frequently. The isp hardware needs to be restarted frequently to function. I bought a vps because I don't trust the isp hardware. Not to mention power outages that can last for hours.

1. Not suggesting you handle that with a hostname. You can't even put in a hostname for the DNS on a client in most cases and if you do, you have to have a hosts file that translates it to IP. As mentioned in my previous post, didn't realize you were running a DNS not on the Asus. What is it about the Asus DNS that isn't enough?
2. Sounds like you need to invest in a static IP from your ISP if you want to stay pure v6 and run your own DNS server.
3. Invest in a cheap UPS
4. By ISP hardware do you mean their DNS server? Use Level 3 or Google or whomever instead then, if you just need internet lookups. Local lookups can be handled by Asus.

You say you're using a VPS which is a server hosted offsite. Now I'm totally confused as FC00::/7 would not apply. Of course it won't route out to the WAN. If you have a VPN to the VPS you could route it but still not sure what that is buying you.
 

drinkingbird

Senior Member
I don't need every client to have a secondary ip. I only need one client to have a static ip. I don't care what that ip is, it just needs to route to the lan.

So you want all clients except the DNS to have public IP only, then the DNS to have private, reachable from those clients?

You will need to configure a secondary IP on the LAN interface of the Asus, say FD00::1/8
DNS will use FD00::2/8 with a default gateway of FD00::1
Router should not need any static routes, since it knows directly connected routes for both subnets at this point.
As mentioned by @SomeWhereOverTheRainBow you will need a script to make sure this gets re-applied anytime the main IP changes as it will get erased each time that happens
On the router you will need to check the iptables rules and make sure nothing is blocking this. IPv6 firewall may be interfering?

If none of that works and you are still getting unreachable, check the routing table on the router, maybe it is already using FC or FD for something? Or has some black hole static route for it.

Honestly, since it is for LAN comms only, you could choose some other non-private v6 subnet. The 6to4 range 2002::1 and 2002::2 might work.
 

SomeWhereOverTheRainBow

Part of the Furniture
It might be easier to just use v4 for local communication and v6 for internet. Pretty much solves all your problems and is very flexible.

I think with this comment, locally the OP might be able to get away with mapping a static ipv4 address to ipv6 in place of the actual ipv6 dns. Obviously this would need to be tested, but it is completely controllable under dns settings unlike trying to maintain an address with the previous script posted.

While I don't usually condone this method, if it works it may be viable in this use case.
 

drinkingbird

Senior Member
I think with this comment, locally the OP might be able to get away with mapping a static ipv4 address to ipv6 in place of the actual ipv6 dns. Obviously this would need to be tested, but it is completely controllable under dns settings unlike trying to maintain an address with the previous script posted.

While I don't usually condone this method, if it works it may be viable in this use case.

Don't even really need to take it that far. Every machine can have a v4 static (or reserved) and v6 dynamic address, and his DNS can respond with authoritative v4 for local hosts and recursive v6 for internet (assuming the domain has a v6 address). As long as the local hosts don't also have a v6 entry in his DNS they will coexist fine. Since there is still stuff out there without v6, you pretty much need to leave v4 with overload NAT enabled anyway, which will be a failback for internet too. Actually even if the local DNS responds with v6 for local hosts, it will be fine, as long as those hosts are all dynamically updating DNS when their v6 IP changes which they should be. The only static IP he really needs is the DNS server, so the lookup will be v4 and the actual traffic will use v6.

With an enterprise class router you can do a hide or static nat from v4 to v6 but I don't think the Asus can do that, nor is it really necessary (and would cause issues for non-v6 destinations).
 
