- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
Configuring the SonicWall IPv6 DHCPv6 Server
03/26/2020 
39 People found this article helpful
100,101 Views
Description
Configuring the SonicWall IPv6 DHCPv6 Server
Resolution
Feature/Application:
The Dynamic Host Control Protocol for IPv6 (DHCPv6) can provide a device with IPv6 addresses assigned by a DHCP server and other configuration information.
- IPv6 Clients listen for DHCP messages on UDP port 546.
- IPv6 DHCP Servers and relay agents listen for DHCP messages on UDP port 547.
A DHCPv6 client obtains an IPv6 address or other network parameters for the first time, from a DHCPv6 server in the following manner:
| SOLICIT (1) | A client sends a Solicit message to locate servers. |
| ADVERTISE (2) | A server sends an Advertise message to indicate that it is available for DHCP service, in response to a Solicit message received from a client. |
| REQUEST (3) | A client sends a Request message to request configuration parameters, including IP addresses, from a specific server. |
| REPLY (7) | A server sends a Reply message containing assigned addresses and configuration parameters in response to a Solicit, Request, Renew, Rebind message received from a client. A server sends a Reply message containing configuration parameters in response to an Information-request message. A server sends a Reply message in response to a Confirm message confirming or denying that the addresses assigned to the client are appropriate to the link to which the client is connected. A server sends a Reply message to acknowledge receipt of a Release or Decline message. |
The following additional message types are available and defined in RFC 3315.
| RENEW (5) |
| REBIND (6) |
| RELEASE (8) |
| INFORMATION-REQUEST (11) |
| DECLINE (9) |
| CONFIRM (4) |
| RECONFIGURE (10) |
| RELAY-FORW (12) |
DHCPv6 makes use of the following multicast addresses:
- FF02::1:2 - All_DHCP_Relay_Agents_and_Servers: A link-scoped multicast address used by a client to communicate with neighboring (i.e., on-link) relay agents and servers. All servers and relay agents are members of thismulticast group.
- FF05::1:3 - All_DHCP_Servers: A site-scoped multicast address used by a relay agent to communicate with servers, either because the relay agent wants to send messages to all servers or because it does not know the unicast addresses of the servers. Note that in order fora relay agent to use this address, it must have an address of sufficient scope to be reachable by the servers. All servers within the site are members of wthis multicast group.
A DHCPv6 Client will know when to use DHCPv6 based on Router Advertisements (RA) from a router.
DHCPv6 defines two different configuration modes:
- DHCPv6 stateful mode: DHCPv6 clients require IPv6 address together with other network parameters (e.g. DNS Server, Domain Name, etc.).
- DHCPv6 stateless mode: DHCPv6 client only obtains network parameters other than IPv6 address.
Choosing which kind of those modes depends on Managed (M) Address Configuration and Other (O) Configuration flag in the advertised Router Advertisement message:
- M = 0, O = 0: No DHCPv6 infrastructure. Hosts configure IPv6 addresses based on Router Advertisements (RA). If the RA has the prefix information, hosts combine the prefix and a unique Interface Identifier address to derive an IPv6 address.
- M = 1, O = 1: IPv6 hosts use DHCPv6 for both IPv6 address and other network parameter settings.
- M = 0, O = 1: IPv6 hosts use DHCPv6 only for other network parameter settings and not for address configuration. Hosts derive stateless addresses using address prefixes in Router Advertisements. If the RA has the prefix information, hosts combine the prefix and a unique Interface Identifier address to derive an IPv6 address. This is known as DHCPv6 stateless because the server is not assigning stateful addresses.
- M = 1, O = 0: IPv6 hosts use DHCPv6 only for address configuration. However, as per RFC 2462, "It is not a valid configuration for a host to use stateful address autoconfiguration to request addresses only, without also accepting other configuration information."
The SonicWall DHCPv6 server can be configured similar to IPv4, using Dynamic or Static IPv6 addresses. This KB article describes how to configure the SonicWall DHCP Server for IPv6 (DHCPv6) to lease IPv6 addresses to hosts.
Procedure:
Preparing the IPv6 Interface
- Login to the SonicWall Management GUI
- Navigate to the Network > Interfaces page.
- Select the radio button IPv6 under View IP Version.
- Click on the Configure icon for the interface you want to configure the DHCPv6 Server address for and the Edit Interface window will be displayed.
General Tab
- In the IP Assignment pulldown menu, select Static.
- IPv6 Address: A unique IPv6 unicast address. Example: 2002:c0a8:a8a8:1::1
- Prefix Length: The network bit. Example: a prefix of 64 for the above IPv6 address would mean a network with addresses from 2002:c0a8:a8a8:0001:0000:0000:0000:0000 to 2002:c0a8:a8a8:0001:ffff:ffff:ffff:ffff
- Enable Router Advertisement: Enable this option to make this an advertising interface that distributes network. Routers Advertisements are sent in ICMPv6 Type 134 packet to the multicast group ff02::1.
- Advertise Subnet Prefix of IPv6 Primary Static Address: Leave this option unchecked.
Advanced Tab
- Enable Listening to Router Advertisement: Leave this option unchecked.
- Enable Stateless Address Autoconfiguration: Leave this option unchecked.
Router Advertisement Tab
- Enable Router Advertisement: This would be automatically checked if Enable Router Advertisement in the General tab is checked.
- Optionally, you can modify the following Router Advertisement settings
- Router Adv Interval Range - The time interval allowed between sending unsolicited multicast Router Advertisements from the interface, in seconds.
- Link MTU - The recommended MTU for the interface link. A value of 0 means firewall will not advertise link MTU for the link.
- Reachable Time - The time that a node assumes a neighbor is reachable after having received a reachability confirmation. A value of 0 means this parameter is unspecified by this firewall.
- Retrans Time - The time between retransmitted Neighbor Solicitation messages. A value of 0 means this parameter is unspecified by this firewall.
- Current Hop Limit - The default value that should be placed in the Hop Count field of the IP header for outgoing IP packets. A value of 0 means this parameter is unspecified by this firewall.
- Router Lifetime - The lifetime when firewall is accepted as a default router. A value of 0 means that the router is not a default router.
- Managed checkbox: Enabling this option will make the SonicWall send Managed Address Configuration Flag, also known as the M flag, set to 1 in their Router Advertisements. When an IPv6 host receives a Router Advertisement with this flag set, and if SonicWall DHCPv6 server is enabled with an IPv6 address range, IPv6 hosts can obtain IPv6 addresses from within the range. This need not be checked if the SonicWall DHCPv6 Server is not enabled. If this option is checked and the SonicWall DHCPv6 server is not enabled, IPv6 hosts configure their own IPv6 addresses based on the subnet prefix in Router Advertisements.
- Other Configuration checkbox: Enabling this option will make the SonicWall send the Other Stateful Configuration Flag, also known as the O flag, set to 1 in its Router Advertisements. When an IPv6 host receives a Router Advertisement with this flag set, and if a DHCPv6 server is available, IPv6 hosts can obtain configuration settings other than their IPv6 address, such as the DNS server address. This need not be checked if the SonicWall DHCPv6 Server is not enabled.
- Prefix List Settings: Leave this option unchecked.
- Click on OK to save the changes.
Configuring the DHCPv6 Server
- Navigate to the Network > DHCP Server page
- Select the radio button under IPv6 on the far right side of the page under View IP Version, to change to the DHCPv6 interface.
- Enable check box Enable DHCPv6 Server.
- Click on the Accept button to save the changes.
- Click on the Add button to bring up the Add DHCPv6 Dynamic Scope window.
- Enable the check box Enable this DHCPv6 Scope and enter the following:
- Name: Enter a name for this scope.
- Prefix: Enter a 64 bit prefix for the IPv6 address range. Example: 2002:c0a8:a8a8:1::
- Range Start: Enter the IPv6 address range start excluding any static IPv6 addresses. Example: 2002:c0a8:a8a8:1::2
- Range End: Enter the IPv6 address range start excluding any static IPv6 addresses. Example 2002:c0a8:a8a8:1::c8
Note: The above defined scope contains 199 IPv6 addresses. - Valid Lifetime (minutes): Default 2160 minutes.
- Preferred Lifetime (minutes):
Note: Minimum is 0 and Maximum is 71582789. Setting a value of “71582789” means the lifetime is infinite.
- Click on the DNS Tab
- Select the radio button Specify Manually
- Enter the IPv6 address of the DNS server.
- Click on OK to save.
Testing
DHCPv6 Clients "solicit" a DHCPv6 server for an IPv6 address based on Router Advertisments (RA). When a SonicWall interface has been configured to send RA with Managed (M) and/or Other Configuration (O) options, the SonicWall sends RA periodically with this information. An IPv6 client will send a DHCPv6 Solicit message after receiving an RA or it can be made to do so without waiting for an RA by sending a Router Solicitation message.
In IPv6 enabld Windows OS a DHCPv6 IP address can be obtained by the command: ipconfig /release6 and ipconfig/renew6. The following screen capture shows an IPv6 enabled Windows PC with an IPv6 address from the SonicWall DHCPv6 server.
Related Articles
- L2TP user to access the network across site to site vpn.
- Global VPN Client slowing down the internet speed
- App Control fails by schema error when editing VPN category
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO