@JKnott said in Multiple /64 ULA subnets sharing same WAN /64 prefix via NPTv6?:

It's amazing how CHEAP some ISPs are, considering the IPv6 address space is so vast. While my ISP initially provided a single /64, that was only temporary and they soon moved to /56. Then there's he.net, which will provide a /48 for free! Before my ISP offered IPv6, I used a tunnel and got a /56 again for free.

BTW, the address space is so vast that every single person on earth could have over 4000 /48s and that's with only 1/8th of the entire address space assigned to anything.

My ISPs don't even offer more expensive plans, not that I'd accept paying. A tech even told me that only government companies are forced to follow IPv6 standards. As it's a private ISP company, they can use proprietary protocols, and it's my problem if Internet doesn't work fully. Another one told me that I'm "welcome" to cancel the contract if I want to.

Indeed, according to IPv6 standard, every ISP receives at least a /32 prefix. With it, these 2 ISPs have more /56 prefixes than IPv4 addresses.

@nva said in Multiple /64 ULA subnets sharing same WAN /64 prefix via NPTv6?:

My ISP only route single /64 subnet to resident connection. I'm planning to deploy ULA for each of my VLANs and then NPT to that public /64 prefix assigned by ISP. Do I need to worry about suffix conflict?

Is there any drawbacks (e.g. latency...) in deploying ULA + NPt compared to just GUA via Track interface? The only problem i can think of is that I would need to manually adjust NPt entries every time my ISP routed prefix change and will try to get it working.

Were you able to get it to work? That's what I was considering doing on my OpenWRT a couple years ago but got tired after 2 long fights with both ISPs. Now I'm considering moving to pfSense because of some BusyBox limitations.

Are you able to update your VLANs prefixes when your ISP changes it?

One ugly thing I consider doing is choosing a random /60 prefix from one of my ISPs /32 and setting it as base for my VLANs. ALAIK, some OSs will use IPv4 if only ULA is provided for them, because it implies that no Internet is available on IPv6, even if router manages ULA to GUA correctly.

Using a global prefix that's not delegated to me breaks me from reaching out any device that's on that prefix, but I don't access any residential IP other than mine anyway.

@JKnott You can delegate prefixes. An address is assigned and the delegated prefix is routed to it.

e25444ec-ae09-48a2-883d-650b75f7ff52-image.png

https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6.html#dhcpv6-prefix-delegation

Don't lose hope... it's been just less than a month since it started working for me, so they may have re-started testing.

Fixed in upstream, see https://redmine.pfsense.org/issues/10757

@carloabelli

Unlike IPv4, ICMP is essential with IPv6. I have a rule on my WAN that allows all ICMP on both 4 & 6.

Well... in the packet capture, the MAC address of the Ethernet frame matches the MAC address of the default gateway from my ISP (which is not unusual when dealing with packets being routed to you). But the IPv6 address is definitely not the same, and it doesn't appear to be an EUI64 address, so I can't match it to a MAC address. I do realize that I masked part of the address that would have identified that fact.

It's likely a misconfiguration on my ISP's part... they only just got IPv6 up and running about a week ago, and it may not even be completed yet (But I've figured out how to make it work with pfSense, not knowing whether their own routers even work with it).

It's kind-of annoying that this is logged in the general system log though...it'd be nice if it were in the routing log... but I assume since it's the kernel generating these messages, that's why it's in the system log.

That was exactly what I needed. Thank you so much!

I have been working on a similar setup. Dual WAN IPv4+IPv6. I get native IPv4 from my ISP. For IPv6 I have been using Hurricane Electric for at least a decade. Recently, I stumbled upon a tunnel service that does both IPv4 and IPv6. This makes it possible to rather easily move services, yet keeping IPs the same, both IPv4 and IPv6.

But that's more of a backstory. I have been researching quite the same problem you describe. Packets that are generated on the router (e.g. ICMP TTL Exceeded when doing a traceroute) should be sent back through the same interface they entered, but for IPv6, this doesn't work.

It seems that in FreeBSD, the backing operating system for pfSense, this is simply not implemented for IPv6. There is code in review for this, but it may take some more time before that reaches FreeBSD itself, and consequently pfSense.

Hope this helps.

With thanks to Netgate tech support, the solution was to turn off my interface's Block private networks and loopback addresses. Upon reflection, this does make sense and with it disabled, my DHCPv6 server with RA set to either managed or assisted is now responding to DHCPv6 client requests and issuing assignments.

And yet, I will submit a feature request such that when the DHCPv6 Server is enabled, an alert should be posted saying "but you need to disable Block private networks and loopback addresses on the interface, otherwise the DHCPv6 server will never receive the incoming IPv6 client's request for a local RA server..."

@rajeshh
That's called "dual stack" and will be needed for a while yet. If the games support IPv6, then it will work that way for you. The operating systems prefer IPv6, but will use IPv4 when necessary.

Of course as soon as I post this I redid it with a new vhid and a FULLY expanded ipv6 address. No :: no :0: and no :3: was done, that fixed it and my routes came up with the upstream router.

I still would like to find that redmine issue so I can track the fix. If anyone knows the # I would appreciate it.

Thanks

me too, what this is?

Aug 24 05:38:00 kernel sa6_recoverscope: embedded scope mismatch: fe80:c::f298:38ff:fe93:d380%13. sin6_scope_id was overridden

@HG

You also have to look at how often DHCPv6-PD executes and whether it does after PPPoE comes up. I have a capture of DHCPv6 at boot up and the first renewal and it's over 22 hours between them.

Hey, I'm not sure if this is still relevant but restarting the service at status>gateways fixed it for me. However, I was already able to ping my IPv6 gateway from the diagnostics>ping tool.

Untitled (2).png

@johnpoz

Config is done and working as expected.

Got a /48 from HE and /50 subnets to LAN.

9fc6b336-5d05-4538-b512-87464720b176-image.png

DHCPv6 Server & RA (/56 to downstream CPEs)

8466e9df-c67d-489c-a7cf-09743b7f7b14-image.png

RA

3bffbe77-935e-49ce-b134-6c532079aa6b-image.png

Tested with Android 8/9, Android TV 7.1.2, iOS 9.3.6, Windows 10, Arch Linux, OpenWRT, and some others Home Gateways.

@qsystems If you are using Unifi APs (Multicast Enhancement, rings bell for those) make sure you have the latest firmware loaded, they have had some issues with multicast recently and supposedly corrected with newer firmware.

@kesawi said in Planning for IPv6 /48 allocation:

My question for anyone who may know, is it possible to have two separate concurrent DHCPv6 scopes with pfSense and Windows? If so what do I need to do to get it to work?

I doubt it, as there would be no way to determine which DHCPv6 server was desired.

I assume if I give up on DHCPv6 and just go to SLAAC for both then ULA and GUA will still co exist?

That's what I have. Also, if you have Android devices, you don't want to use DHCPv6. For some idiotic reason, Android doesn't support it.

I have two internal DNS severs. Do I need to specify both their respective ULA and GUA addresses in the RA settings, or can I just specify the ULA addresses?

You can use either GUA or ULA address. However, you don't have to specify an address as pfSense does that by default. It uses it's own address, unless you specify otherwise.