Finally! With PAN-OS 11.0 a long missing IPv6 feature was introduced: DHCPv6-PD aka prefix delegation. For the first time, we can now operate a PAN-OS firewall directly on the Internet (the IPv6-Internet that is) on many kinds of ISP connections. Remember: To get a routed IPv6 prefix requires DHCPv6-PD (if you’re not a BGP-homed enterprise). Hence, without that feature, we could not connect to the Internet with a Palo directly.
With DHCPv6-PD, the firewall can receive a prefix from the ISP (commonly a /48 or a /56), while handing out /64s to downstream layer 3 interfaces. Here we go:
Please refer to my previous blog post about DHCPv6 prefix delegation in detail.
My Setup
I’m sitting behind a fibre ISP connection from Deutsche Glasfaser. The ethernet1/1 interface is directly attached to the fibre modem. I’m referring to it as my “WAN interface”. (More details about the connection establishment are available in German.) I’m using a PA-440 with PAN-OS 11.1.1. The client-facing interfaces ethernet1/3.24 and ethernet1/7 shall hand out /64 prefixes via RAs.
Configuration of the WAN Interface
At first, the WAN interface (ethernet1/1 in my case) is enabled for IPv6 with the type “DHCPv6 Client”. In my scenario, I set the request type to “Non-Temporary Address” only. In the second step, the prefix delegation is enabled (with a prefix length hint of 48 – just because I can) and a name for the pool:
I enabled DAD (Duplicate Address Detection) on the WAN interface (the best practice for firewall interfaces is to NOT activate it, but to be IPv6-compliant facing the ISP I would recommend it), enabled NDP monitoring, and enabled the DNS recursive name server and domain search list via DHCPv6 as well to get that information via DHCPv6:
Configuration of Host-Facing Interfaces
To let the Palo assign a /64 per host-facing interface, you have to enable IPv6 with the type “Inherited” and add a “GUA from Pool”. This is the pool you’ve created in step 2 above.
Since I wanted to test static subnet-IDs, I chose “dynamic with identifier”. Note that the identifier is a number from 0-4095 (decimal) converted to hexadecimal for the last three characters in the fourth hextet. (That is: This process on the NGFW is meant to deal with /52 prefixes turned into /64. Can’t we use /48 prefixes?!? This would require a range from 0-65535. Or even better: Why can’t we just type in hexadecimal values? That doesn’t seem to me to be fully developed here.)
Example: If your ISP-assigned prefix via DHCPv6-PD is 2001:db8:2311:a300::/56, choosing an identifier of 15 (decimal) will convert to an f (hex) and will end in the following host-facing prefix: 2001:db8:2311:a30f::/64. Since I wanted to see a 24 as the subnet-ID to follow my VLAN, I chose an identifier of 36. The name of this “Assign Addr” portion is not relevant at all.
Address resolution and router advertisement as always (no M nor O flag in my lab):
On my first host-facing interface, ethernet1/3.24, I set the DNS support to manual to use statically configured recursive DNS servers and my own search list. (I’m using Google’s public DNS64 servers here since this subnet is IPv6-only with NAT64. More on this in upcoming blog posts.) On another subnet, ethernet1/7, I chose the DHCPv6 type as the recursive DNS server to use the ISP-provided recursive DNS server which came in via DHCPv6, while I did not want to use the provided DNS search list in my lab, hence I left it unchecked:
Further Less reading from PANW: DHCPv6 Client with Prefix Delegation.
Show It To Me Baby! (uh huh, uh huh)
Within the well-known Network -> Interfaces -> Ethernet view you can click on “Dynamic-DHCPv6 Client” for information about the WAN interface and on “IPv6-Inherited” for the host-facing interfaces:
Let’s start with the WAN interface. This “DHCPv6 Client Runtime Info” lists the client (1) and server (2) DHCPv6 information aka DUID, the IPv6 address of the interface itself (3) with its default gateway (4), along with the recursive DNS servers (5). Finally, the IPv6 prefix (6) which is why we are all here:
A further click on “Show Prefix Pool Assignment” lists all the dynamically assigned /64 prefixes to downstream interfaces, in my case those two configured layer 3 interfaces. Note the last two hex values aka subnet-IDs of 24 (configured as decimal 36) and 43 (configured as decimal 67):
The “IPv6-Inherited” on a host-facing interface, in my case ethernet1/3.24, shows the parent interface (eth1/1), the inherited prefix, and so on:
Command Line Interface
On the CLI you can use several commands for further troubleshooting. (Remember that you can find commands with something like this: find command keyword dhcpv6)
For example:
1 2 3 |
show dhcp client ipv6 pool-details all show dhcp client ipv6 state interface ethernet1/1 debug dhcpd show objects |
That is:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 |
weberjoh@pa> show dhcp client ipv6 pool-details all Pool Name: DeuGlasfaser-Internet Prefix: 2a00:6020:5004:2600::/56 Requesting Interface: ethernet1/1 Remaining Lease Time: 0 days 0:45:32 Preferred Lifetime (sec): 3600 Valid Lifetime (sec): 3600 IAID: 19010010 DUID: 00010001262c4077005056b18ad7 State: active Delegated Interface(s): ethernet1/3.24 ethernet1/7 Address Assignment(s): ethernet1/3.24 2a00:6020:5004:2624:667c:e8ff:fe8a:7912 ethernet1/7 2a00:6020:5004:2643:667c:e8ff:fe8a:7916 weberjoh@pa> weberjoh@pa> show dhcp client ipv6 state interface ethernet1/1 DHCPv6 Details: Interface: ethernet1/1 Rapid Commit: Enabled State: BOUND Client: Address: fe80::667c:e8ff:fe8a:7910 DUID: 000100012d86be01647ce88a7910 (Type: LLT) Server: Address: fe80::ff:fe01:101 DUID: 00010001262c4077005056b18ad7 Preference: 0 Gateway: fe80::ff:fe01:101 Remaining lease time: 0 days 0:42:41 IPv6 Address (IA_NA): Address: 2a00:6020:1000:40::436 Preferred Lifetime (sec): 3600 Valid Lifetime (sec): 3600 IPv6 Address (IA_TA): Delegated Prefix: IAID: 19010010 IPv6 Prefix (IA_PD): Prefix: 2a00:6020:5004:2600::/56 Preferred Lifetime (sec): 3600 Valid Lifetime (sec): 3600 DNS Server: 2a00:6020:100::1 2a00:6020:200::1 DNS Suffix: Counters: DHCPv6 control packets received: 10 DHCPv6 control packets sent: 11 RA control packets received: 20 RS control packets sent: 1 weberjoh@pa> weberjoh@pa> debug dhcpd show objects --------------DHCP CFG OBJS--------------- CFG obj itf name: ethernet1/1 (0x7f9858088440) --------------DHCP RT OBJS--------------- RT obj name: ethernet1/1 (0x7f9860007160) obj addr:0x7f9860007160 enabled:1 create def route:1 def route metric:10 server mac: 02:00:00:01:01:01 Retry number:0 Elapsed seconds:1583 State:Bound --------------DHCPV6 CFG OBJS--------------- CFG obj itf name: ethernet1/1 (0x7f9858089c00) --------------DHCPV6 RT OBJS--------------- DHCPv6 client: ethernet1/1, if_index: 16, rt: 0x7f9864007160 General: vr_id: 1, b_enabled: 1 pointer address : 0x7f9864007160 IP Address : 2a00:6020:1000:40:0:0:0:436 Server ID : 0:0:0:0:0:0:0:0 Link local Addr : fe80:0:0:0:667c:e8ff:fe8a:7910 Gateway : fe80:0:0:0:0:ff:fe01:101 Trans ID : 0xf6f3bd Client DUID : 000100012d86be01647ce88a7910 (length: 14, duid_type: LLT) SLAAC Data: opaque_data: 0x7f9864007160, ifindex: 16, name: ethernet1/1, mac: 64:7c:e8:8a:79:10 autoconfig: disable, dhcpv6: enable managed flag: true, address: 0:0:0:0:0:0:0:0 Config parameters: Accept-RA : Enabled Rappid Commit : Enabled default_route_metric : 10 Preference : high Server Info: Client mac | Server mac : 64:7c:e8:8a:79:10 | 02:00:00:01:01:01 Hostname : Server DUID : 00010001262c4077005056b18ad7 (length: 14) DHCP6 Server IP : fe80:0:0:0:0:ff:fe01:101 Lease value | Lease used : 3600 | 1089 Lease until | Current epoch : 65f440cc | 65f436fd DHCP6 state : BOUND Retransmission parameters: Retry timer not running Timer values of IAs (minimum) calculated: T1 | T2 | PT | VT : 1800 | 2880 | 3600 | 3600 Lease timer (valid lt) : value: 3600, elapsed: 1089, remaining: 2511 T1 timer (renew) : value: 1800, elapsed: 1089, remaining: 711 T2 timer (rebind) : value: 2880, elapsed: 1089, remaining: 1791 IA_NA: IA Addr : 2a00:6020:1000:40:0:0:0:436 IAID | T1 | T2 | PT | VT : 03010010 | 1800 | 2880 | 3600 | 3600 IA_PD: IA Prefix : 2a00:6020:5004:2600:0:0:0:0/56 IAID | T1 | T2 | PT | VT : 19010010 | 1800 | 2880 | 3600 | 3600 Other Info: DNS List : Enabled (Server) DNS List, count : 2 (list ptr: 0x0x7f986008a8d0) 0 : 2a00:6020:100:0:0:0:0:1 (lifetime: 0) 1 : 2a00:6020:200:0:0:0:0:1 (lifetime: 0) Suffix List : Enabled (Server) Suffix List, count : 0 (list ptr: 0x(nil)) ------------------------------------------ weberjoh@pa> |
A Client’s Perspective
Following is a Wireshark screenshot from a router advertisement (RA, ICMPv6 message type 134) as seen by a client behind interface ethernet1/7. You can see the prefix with the correct subnet-ID of 43 within the “ICMPv6 Option: Prefix information”, as well as 2x the “Recursive DNS Server” which are the ones from my ISP gathered via DHCPv6:
However, note that the “Prefix” shows the full IPv6 address of the PANW interface rather than the first 64 bits only (with all other bits set to zero) which violates the standards (RFC 4861 “Neighbor Discovery for IP version 6 (IPv6)”, section 4.6.2):
What’s still missing?
With PAN-OS 11.1, Palo Alto Networks has added another IPv6 feature: IPv6 support for PPPoE. This was still missing in PAN-OS 11.0. With this feature, you can now operate a PAN-OS firewall directly on the WAN connection of residential ISPs. (I reported those missing features back then in 2015. π)
So, are we feature complete now? Unfortunately not. We are still missing a DHCPv6 server on PAN-OS. And, please, not only for IA_NA (Identity Association for Non-temporary Addresses) but also for IA_PD (Identity Association for delegated prefixes) as well! That is: DHCPv6-PD server-side. Yay.
And, we are missing DNS64 as well. This could easily be done within the DNS proxy. It would round up the IPv6 completeness of PAN-OS firewalls since all the other features such as RA with RDNSS/DNSSL and NAT64 are already there.
(A little fun fact at the end: The late Juniper ScreenOS firewalls had a working DHCPv6-PD implementation a decade ago! I blogged about it here in 2015, for example.)
Soli Deo Gloria!
Photo by Jamie Templeton on Unsplash.
Have you tested it if the ISP not running DHCPv6 for IA_NA so you don’t get any address on the “WAN”-interface? Some products get crazy when they get IA_PD but not IA_NA. π
And often things like FW license and other checks don’t work either then.
//Tobbe
Uh, interesting point. I have not yet encountered such a scenario up to now. Configuration-wise, this is possible with the Palo. Within the “DHCPv6 Client” pane you can disable the “Enable IPv6 Address” while still enabling the “Enable Prefix Delegation” one.
What are your experiences with products that get crazy within this scenario? :)
Hi Johannes,
found your great article while searching for the reason why IPv6 Type>Inherited ist not available on a VLAN interface although the documentation is describing it in the absolute same way as for an Layer3 interface.
Have you experienced the same issue or do I have huge tomatoes on my eyes (sorry for the german phrase)?
Thanks and BR
Andreas
Uh, that’s interesting. Indeed, you can’t select this Type -> Inherited on *VLAN* interfaces.
I suspect that PANW has simply forgotten to implement it there. I already had some other IPv6-related bugs that were only present in VLAN interfaces while not in hardware-/subinterface. E.g., here: https://weberblog.net/minor-palo-bug-icmpv6-errors-sourced-from-unspecified-address/
Perhaps we should withdraw our trust in this type of VLAN interface in general?