Firewalla Gold returns IPv6 Link-Local addresses for devices in other segments
Scenario: I have multiple network segments, dual-stacked IPv4/IPv6.
Problem: Firewalla Gold is returning IPv6 link-local addresses for devices in other network segments when queried.
C:\Users>ipconfig
Windows IP Configuration
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : lan
IPv6 Address. . . . . . . . . . . : 2601:xxx:xxxx:5262:xxxx:xxxx:xxxx:3fa4
Temporary IPv6 Address. . . . . . : 2601:xxx:xxxx:5262:xxxx:xxxx:xxxx:ab71
Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:3fa4%15
IPv4 Address. . . . . . . . . . . : 192.168.26.169
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::xxxx:xxxx:xxxx:4241%15
C:\Users>ping dc01.home.lan
Ping request could not find host dc01.home.lan. Please check the name and try again.
C:\Users>ping dc01
Pinging dc01.lan [fe80::xxxx:xxxx:xxxx:feff%15] with 32 bytes of data:
Control-C
^C
C:\Users>nslookup dc01
Server: firewalla.inc.lan
Address: 192.168.26.1
*** firewalla.inc.lan can't find dc01: Non-existent domain
C:\Users>nslookup dc01.lan
Server: firewalla.inc.lan
Address: 192.168.26.1
Name: dc01.lan
Addresses: fe80::xxxx:xxxx:xxxx:feff
2601:xxx:xxxx:5263:xxxx:xxxx:xxxx:feff
192.168.25.32
It doesn't appear that Windows has a preference for the fe80 address that is returned; I think it's just picking one of the IPv6 addresses at random.
C:\Users>ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users>ping dc01.lan
Pinging dc01.lan [2601:xxx:xxxx:5263:xxxx:xxxx:xxxx:feff] with 32 bytes of data:
Reply from 2601:xxx:xxxx:5263:xxxx:xxxx:xxxx:feff: time=2ms
Reply from 2601:xxx:xxxx:5263:xxxx:xxxx:xxxx:feff: time=5ms
Reply from 2601:xxx:xxxx:5263:xxxx:xxxx:xxxx:feff: time=1ms
It does not appear that IPv6 link-local addresses are supposed to be registered in DNS.
Although, if I could peel off my home.lan domain and forward it to my own DNS servers, I could get around this issue. There is an article which references how to do this, although I have not been able to make it work; perhaps my domain name 'home.lan' is conflicting with the default domain 'lan' configured on the Firewalla Gold, which we also cannot change.
...ct
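An added example, not part of the original post: a small Python check that takes the answer set a resolver returned for one name and flags link-local records that a client in a different segment cannot use. The IPv6 addresses are constructed (documentation prefix 2001:db8::/32) because the post masks the real ones; the function names are hypothetical.

```python
import ipaddress

def classify(addr_text, client_prefixes):
    """Classify one DNS answer from the point of view of the querying client."""
    # A DNS record carries no zone ID; drop one if it was pasted in (e.g. "%15").
    addr = ipaddress.ip_address(addr_text.split("%")[0])
    if addr.is_link_local:                 # fe80::/10 or 169.254.0.0/16
        return addr, "link-local"
    nets = [ipaddress.ip_network(p) for p in client_prefixes]
    if any(addr.version == n.version and addr in n for n in nets):
        return addr, "on-link"             # same segment as the client
    return addr, "routed"                  # reachable only through the gateway

def audit_answers(answers, client_prefixes):
    """Report which answers are link-local and whether they can work at all."""
    results = [classify(a, client_prefixes) for a in answers]
    link_local = [str(a) for a, v in results if v == "link-local"]
    usable = [str(a) for a, v in results if v != "link-local"]
    scoped = [v for _, v in results if v != "link-local"]
    # If every non-link-local answer is routed, the host sits in another
    # segment, so its link-local address is unreachable from this client.
    host_off_link = bool(scoped) and all(v == "routed" for v in scoped)
    return {
        "link_local": link_local,
        "usable": usable,
        "host_off_link": host_off_link,
        "broken": host_off_link and bool(link_local),
    }

if __name__ == "__main__":
    # Constructed answer set shaped like the nslookup output for dc01.lan.
    answers = ["fe80::211:22ff:fe33:feff", "2001:db8:0:5263::feff", "192.168.25.32"]
    # Prefixes of the client's own segment (IPv4 prefix taken from the ipconfig output).
    client = ["2001:db8:0:5262::/64", "192.168.26.0/24"]
    print(audit_answers(answers, client))
```

A result with `broken` set to true means the resolver handed out a link-local record for a host that is only reachable through the router, which matches the failed ping in the post.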