IPv6

• G

  sub-delegation of WAN PD for DHCPv6 server
  • greywolfe

  15
  0
  Votes
  15
  Posts
  929
  Views

  

  @jknott said in sub-delegation of WAN PD for DHCPv6 server: @jimp said in sub-delegation of WAN PD for DHCPv6 server: “Prefix” doesn’t mean /64, it means “IPv6 subnet” "PD" means prefix delegation, part of the process that creates addresses for devices. The prefix, with PD, is 64 bits and the other 64 bits are determined by some other means such as SLAAC or DHCPv6. PD does mean prefix delegation, but I think you might be confusing a couple terms. Normal DHCPv6 doesn't involve PD. If a client just wants an address it requests one from the interface which is inside the /64 subnet. If that client also happens to be a router, then it kicks in PD to request a delegation. This is an additional block of addresses that get routed to the client. PD is not locked to /64. You can delegate whatever size blocks you want depending on what you have available. PD is frequently larger than /64, that's how an ISP will assign multiple /64's to a single customer, by delegating them a /60, /56, or whatever they choose. The firewall will take individual /64 networks out of that block and assign them locally. When you set an interface in pfSense to "Track Interface" for IPv6, you can then set an IPv6 Prefix ID which controls how it chooses a network to put on the interface. If your ISP uses PD to delegate you a /60, then you can choose from 16 different IDs for /64 networks inside that block (id 0 through f), so you can delegate ID 0 to your LAN, 1 to a guest network, 2 to a DMZ, and so on. In OPs scenario, they want to take some of that, say IDs 8-F, and use that to delegate to some other router. For example, ID 0 would be on LAN, a client gets an address in the 0 network, and then the firewall would route prefix ID 8 to that address.
• T

  Using IPv6 tunneling to sidestep gaming NAT issues
  • TauCeti

  1
  0
  Votes
  1
  Posts
  203
  Views

  No one has replied

• 

  IPv6 flow label support
  ipv6 • • imcdona

  2
  0
  Votes
  2
  Posts
  281
  Views

  

  It's also been in Linux for a while.
• I

  DHCPv6 DNS Listing With Prefix from ISP that is not Static
  • iamperson347

  6
  0
  Votes
  6
  Posts
  471
  Views

  

  @virgiliomi I've had the same prefix since that setting was added, about 2 years ago IIRC. That's stable enough for me. On IPv4, my host name is based on firewall & cable modem MAC addresses and so never changes unless I change hardware. This means that no matter what my IPv4 address is, I can still find my network. However, my IPv4 address is also stable, so long as I leave my firewall running, other than the rare occasion when my ISP makes network changes.
• L

  6to4 WAN config not returning default gateway
  • lohphat

  1
  0
  Votes
  1
  Posts
  179
  Views

  No one has replied

• M

  Working around AT&T's terrible native IPv6 implementation
  • mwp821

  12
  0
  Votes
  12
  Posts
  712
  Views

  

  @johnpoz said in Working around AT&T's terrible native IPv6 implementation: Because they are special assignment prefixes… 2001:db8::/32 is designed for documentation purpose use… Just like 192.0.2/24 in ipv4… There are others in ipv4 as well that do not route other than rfc1918… 2001:2::/48 is for benchmarking, and again not designed to route globally. There are others that might not route, they have caveats… Here… https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml Oh, that sort of thing. I wonder why they didn't use a ULA for that, instead of messing things up.
• D

  /60 on WAN, /63 on LAN
  • deet

  26
  0
  Votes
  26
  Posts
  825
  Views

  M

  @deet Exactly what I've been through. :( In case I can't clear, my PD on LAN is now a /64. Before with WAN set to /59 and hinting I was getting the /63 on WAN. I also turned off the firewall on the cable modem. Under firewall for IPv4 and 6 select Custom then at the bottom the last check box is were you can disable it. It's kind of hidden.
• B

  IPv6 HE tunnel coexisting with Prefix Delegation
  • bigtfromaz

  2
  0
  Votes
  2
  Posts
  224
  Views

  No one has replied

• S

  Netflix & HE.net tunnel fix using unbound python module revisited.
  • satadru

  7
  0
  Votes
  7
  Posts
  682
  Views

  A

  @satadru said in Netflix & HE.net tunnel fix using unbound python module revisited.: Note that the last line restarts unbound, since I’ve discovered that with timing of the script running, it is best to force unbound to restart to make sure that the symlinking for python is done before unbound starts. (Otherwise it might not start.) thanks for that, will check later on
• M

  Dual WAN IPv6
  • mrsunfire

  5
  0
  Votes
  5
  Posts
  530
  Views

  D

  @zer0t3ch said in Dual WAN IPv6: @mrsunfire: Yes the LAN gets an IPv6 too. I think the problem is the Track Interface option. That is set wo WAN, so it can‘t use the WAN_VDSL. In my point of view Multi WAN is impossible with IPv6. Or can I set LAN to assign it‘s IPv6 by DHCP? Multi-WAN is possible within the confines of what IPv6 is capable of, just not easily done with pfSense right now. ULA + NPt seems to be about the only (mostly) reliable way to get Multi-WAN IPv6 working, with appropriate caveats.
• A

  avoid using IPv6 for host/domain
  • AndrewZ

  7
  0
  Votes
  7
  Posts
  326
  Views

  A

  @johnpoz said in avoid using IPv6 for host/domain: Could you give an example site that does this? That was one of my SIP providers, here is the message I see after login: Sorry, your IP address is marked as high risk or you're accessing our web site through IP proxy or VPN. We can't provide a service to you. I'll try the script suggested, thanks!
• D

  Firewall rules bug?
  • dlasher

  11
  0
  Votes
  11
  Posts
  412
  Views

  D

  @jimp said in Firewall rules bug?: Yeah it was a validation problem. GIGO. I added some frontend and backend validation. Put those changes in by hand, and it does parse the above case correctly, throws a red The following input errors were detected: The specified source address is not a valid IPv6 prefix perfect!
• A

  Static addresses for servers
  • alankeny

  9
  0
  Votes
  9
  Posts
  438
  Views

  

  @alankeny said in Static addresses for servers: Thanks for confirming this. I started with how-to guides that kept referring to EUI-64 addresses based on the MAC with “ff:fe” in the middle. I couldn’t find any of these, since it doesn’t seem like they’re really used very much any more. I k They are. They're default on Linux, but Windows defaults to a random number. However, it can be configured to use the MAC address instead.
• T

  [Solved] IPv6 Track Interface doesn't work - static IP works
  • Terabit

  15
  0
  Votes
  15
  Posts
  1155
  Views

  

  Nice digging. Thanks for getting back.
• S

  Route IPv6 address request from server zone to WAN
  • SGAwqjJb

  4
  0
  Votes
  4
  Posts
  245
  Views

  S

  @johnpoz @Derelict Is there another way? Can I do something with Virtual IP maybe? (If I don't want a tunnel broker)
• C

  TWC IPV6 gateway issues
  • chaunbot

  13
  0
  Votes
  13
  Posts
  8533
  Views

  

  Do not revive old posts. Start a new one and state your issue.
• D

  How to retrieve my IPv6 default gateway?
  • DonZalmrol

  20
  0
  Votes
  20
  Posts
  817
  Views

  N

  @donzalmrol said in How to retrieve my IPv6 default gateway?: I was in the understanding that I would have a IPv6 gateway in the same range (2a02:.../56) like I have with my public IP (81.83.0.1/19). No.
• F

  LAN clients cannot use IPv6 after some time
  • feltel

  6
  1
  Votes
  6
  Posts
  721
  Views

  M

  Nothing new here? Am I the only one with these strange things happening?
• 

  Recommendations on cable modems for Cox that can handle IPv6
  • obitori

  8
  0
  Votes
  8
  Posts
  663
  Views

  

  @mrsunfire Thanks for the recommendation. I went with a Netgear CM700 and it works!
• 

  [RESOLVED] Problem with Cox cable-modem and pfSense with IPv6 routing on pfSense LAN side
  • obitori

  20
  0
  Votes
  20
  Posts
  1182
  Views

  

  @stan-qaz @Derelict I believe the problem was my rental ASSUS cable-modem/router-wifi. It was not passing the prefix subnet information, only individual ipv6 ip addresses for the one /64 subnet that it was using for direct connections to its LAN side. It was not sharing the rest of the /60 block that was showing up on the WAN side. When I swapped it out for a NETGEAR CM700 and plugged the pfsense firewall into the NETGEAR CM700 ethernet out, the pfsense fw picked up the proper IPv6 information to distribute IPv6 addresses on the LAN side. That's what I wanted. I am going to mark this as resolved.
• 

  Setup NAT64 in pfSense
  ipv6 nat64 dns64 • • imcdona

  9
  1
  Votes
  9
  Posts
  1223
  Views

  

  @imcdona I read the article and saw that - and what I am saying is BS.. Sure you can use up anything with bad management.. Sorry but they are not big enough to use it up if they would of planned correctly. They do not have enough employees to justify all 17 plus million IPs being gone with proper planning.
• C

  IPv6 doubts
  • cmpsalvestrini

  47
  0
  Votes
  47
  Posts
  1545
  Views

  

  OK, now you have to determine if traffic for 2001:818:d9d9:ba00::/56 is arriving on your interface. Set up a packet capture like this and start it. The try to do stuff with it like ping6 2001:818:d9d9:ba01::1/56 from the outside, telnet to it from the outside, etc. Then stop the capture and see what is there. If you need someone to ping6 it from the outside holler. Hmm. This is interesting:
• 

  Can't get WAN tracking to work for LAN side IPv6...Other options?
  • obitori

  2
  0
  Votes
  2
  Posts
  191
  Views

  

  Get a tunnel to hurricane and a /48 and use static addressing. https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker
• B

  Is anyone using "Do not wait for RA"?
  • bimmerdriver

  1
  0
  Votes
  1
  Posts
  229
  Views

  No one has replied

• F

  [Resolved] IPv6 /48 routed trough /64 interconnection
  • fabienfs

  34
  0
  Votes
  34
  Posts
  906
  Views

  

  "Please go back and look at the times when you said a link local address could not be used." Where did Derelict ever say that link-local can never be used? He did clearly point out the RFC that clearly states 2 scenario's where they do not work. "However, there are two cases where using a link-local address as the   next-hop clearly does not work.  One is when the static route is an   indirect (or multi-hop) static route.  The second is when the static   route is redistributed into another routing protocol.  In these   cases, the above text from RFC 4861 notwithstanding, either a GUA or   ULA must be used." I think this horse has been beaten enough ;)
• B

  Ipv6 multicast allowed
  • behemyth

  3
  0
  Votes
  3
  Posts
  314
  Views

  B

  I fixed it. I had to create an any/any rule on the LAN for icmpv6 traffic. There's actually an ICMPv6 protocol choice when your making a new rule for this specific thing. Once I did that those logs stopped showing up. Very little is using the rule, it's all been Link-Local addresses so far.
• T

  Same subnet in radvd.conf with two different prefix lengths
  • tbclark3

  1
  0
  Votes
  1
  Posts
  218
  Views

  No one has replied

• 

  IPv6 Bingo - Thought our resident IPv6 Promoter (jknott) would get a kick
  • johnpoz

  1
  1
  Votes
  1
  Posts
  250
  Views

  No one has replied

• J

  IPv6 DNS servers
  • jpgsense251

  5
  1
  Votes
  5
  Posts
  494
  Views

  

  ULA has nothing to do with DHCPv6.  ULA is the IPv6 equivalent of IPv4 RFC 1918 addresses.  You can use it with SLAAC, DHCPv6 or manual configuration. just like global addresses.  I'd also recommend reading a good tutorial on IPv6.
• M

  Prevent radvd from setting RDNSS and DNSSL
  • mwp821

  1
  0
  Votes
  1
  Posts
  251
  Views

  No one has replied

• R

  Update 2.4.3 Radvd Interface Missing
  • rrolfe

  4
  0
  Votes
  4
  Posts
  262
  Views

  

  huh? What version where you using before?  The interfaces you have IPv6 setup on would be listed under RA where you can enable it or not, etc.  And set its mode of operation, etc.
• T

  Blocking Comcast router advertisements
  • tbclark3

  4
  0
  Votes
  4
  Posts
  412
  Views

  T

  Thanks for your insightful comment.  It turns our you were right.  I had set up a bridge to get my 5 static IP addresses from Comcast onto a private VLAN.  Somewhere–and I'm still not sure where, the RA packets were leaking onto my LAN.  RA packets are IP6 packets, and I would think they could be filtered by PFSense even on a bridge, but apparently that is not the case. My work-around is to plug all of the interfaces that need a public IP directly into the Comcast router, and leave all of the others on my switch.  It's a little disappointing because I can't watch the traffic with PFSense, but it is working, and I'm not able to set my own nameservers.
• M

  Dual Stack Failover force IPv4 only?
  • mrsunfire

  4
  0
  Votes
  4
  Posts
  267
  Views

  

  ^^^^ And in the process you've lost IPv6 entirely, which is dumb as that's where the world is moving to.  Perhaps it would have been better to set up a 6in4 tunnel as backup for IPv6.  Many people use he.net for that.
• J

  Not getting ipv6 address on WAN unless prefix delegation size is set to none
  • jpgsense251

  10
  0
  Votes
  10
  Posts
  807
  Views

  

  Great to hear. Glad it worked.
• 

  Default IPv6 DENY Rule in system logs even tho default is PASS
  • obitori

  4
  0
  Votes
  4
  Posts
  637
  Views

  

  Thanks to both of you for your input.  I am trying to fix this as per the last post.
• L

  Testbenching pfsense in VMware trying to enable IPv6
  • lohphat

  8
  0
  Votes
  8
  Posts
  383
  Views

  

  I have used an Asus Merlin with ipv6 and as far as I know it cannot delegate a prefix. It just hands out individual addresses. You should probably ask on the Merlin forum though. https://www.snbforums.com/forums/asuswrt-merlin.42/
• T

  IPv6 DNS registration best practices?
  • tux1337

  3
  0
  Votes
  3
  Posts
  506
  Views

  T

  @Gertjan: I'm using he.net myself for IPv6, which means the prefix is always the same. So, the good old 'static MAC/DUID' reservation works great - DNS registration included. Thanks for the hint. I found this redmine entry: https://redmine.pfsense.org/issues/2017 and can confirm, that DNS registration for static DHCPv6 leases works fine. But this is not an option for my setup. The clients are dynamic and the network is to big to maintain static dhcp leases. I've done some further research to the topic. In the redmine request the developer mentioned that the hostname is not send from the dhclient. I found out that this was an issue in the isc dhclient which is solved in version 4.3. See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670865 I checked the Debian dhclient.conf and can confirm that there is an entry with: send host-name = gethostname(); So I guess the hostname should be send now. I checked then the dhcp6.leases file and found out that isc-dhcpd has no field for the hostname for ipv6. I found nothing in the ISC DHCPd tracker if they are working on this to add the hostname on the dhcp6.leases file. I found out that if dnsmasq is used as DHCP and DNS Server it should be possible to have DNS client registration with ipv6 out of the box. Unfortunately pfsense uses isc-dhcpd and I think there is no option to change this from a user perspective.
• M

  IPv6 - static IP for pfSense
  • mphilippi

  3
  0
  Votes
  3
  Posts
  463
  Views

  

  You could for sure give it a static inside whatever prefix you get.  But if they happen to hand you a different prefix all your scopes can change on you. Why they don't just assign customer prefix XYZ, /48 should be what they give you and be done with it.. If you want static and your ISP will not give you one - just head over to hurricane electric and grab the free /48 they will give you.  Now you have all the statics you want ever.. And what is nice is even if you change ISP you can just keep that /48.. Even if your isp doesn't support ipv6 you still have that /48, etc.. I have had the same prefix since 2013.. And even can setup PTR on any of the IPs I want in that /48 and recently moved to isp that doesn't have any IPv6 and means nothing to me.. Since it took all of 2 seconds to setup my tunnel again with all my boxes able to have the same exact ipv6 address they had with the previous isp. Really the only draw back to tunnel is a few extra ms latency vs native connectivity - depending on where the nearest pop and where HE peers with your isp, etc.  But they have pops all over the world. https://www.tunnelbroker.net/status.php
• M

  IPv6 Not able to ping WAN to LAN
  • manishchawla2017

  14
  0
  Votes
  14
  Posts
  607
  Views

  M

  It is reaching upto my WAN port of Pfsense I am not authorized to share IP details
• K

  Google Wifi IPV6
  • koreyb

  3
  0
  Votes
  3
  Posts
  457
  Views

  K

  Sadly, gwf can't do bridge and mesh which is why I got gwf really. As it stands I have pfsense with a dhcpv6 server handing gwf a ipv6 address and prefix, but it doesn't seem to have internet access on wifi connected devices.  There has to be something I'm missing.  Hopefully someone has had some luck and can share what they have done.