Netgate Discussion Forum

Multiple IPv6 Prefix Delegation over AT&T Residential Gateway for pfSense 2.4.5

IPv6
147 Posts 30 Posters 64.6k Views
JKnott @ttmcmurry

@ttmcmurry said in Multiple IPv6 Prefix Delegation over AT&T Residential Gateway for pfSense 2.4.5:

    Perhaps a more realistic approach is to track MAC/IPv6 addresses over a period of time and then port scan those IPs

MAC addresses where? If they're not on the local LAN, you'll never see them.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
lilchancep

Just to give an n=1 sample size: I have never set "State Table" settings and this stuff has been working great for me. I have been using this on OPNsense for the past year or so (pfSense prior). I should probably add notes that this works on OPNsense as well on the GitHub repo.
bplein @lilchancep

@lilchancep I tried out your GitHub repo and it worked flawlessly. Thank you for the efforts.

pfSense 2.6.0-RELEASE
NVG599
Software version 11.6.0h0d48

Now the bigger question is why can't we have this "just work" from the pfSense GUI (and not have to have end users work around it as you have?)

In any event, this is awesome, thank you!
lolipoplo @bplein

@bplein I did tcpdump on WAN and saw as many PD packets as I configured in v6. I remember when it was Comcast, I only had 1 PD request and 1 response with many prefixes. Likely the RG is configured to only hand out /64 prefixes with a range of /62.

You'll see similar config options in pf's DHCPv6 server, the PD range, and PD prefix.

pfSense probably just didn't expect such an ugly config by AT&T, thus not having this option built into the web UI.
bplein @ttmcmurry

@ttmcmurry Here are some data points:

NVG599
IP Passthrough: Disabled
Cascaded Router Option: Enabled (I have 5 static IPs from AT&T, plus my single dynamic)

pfSense operates on a private IP from the RG's LAN DHCP range.

The 5 private IPs are set up as IP Alias Virtual IPs.

The NAT table from the RG shows it is tracking outbound state for anything coming from the pfSense box (192.168.1.65), plus anything coming from any of my 5 private IPs, plus all IPv6 traffic.

So (reading your last post), if I reconfigured to use one of my 5 static IPs as the pfSense WAN IP, then I'd bypass NAT and the state table? Is this known to work?
ziggo0 @bplein

@bplein said in Multiple IPv6 Prefix Delegation over AT&T Residential Gateway for pfSense 2.4.5:

    So (reading your last post), if I reconfigured to use one of my 5 static IPs as the pfSense WAN IP, then I'd bypass NAT and the state table? Is this known to work?

Curious about this also. I recently got AT&T 1Gbps with a BGW320-505 and would like to avoid its state table limit restriction with my pfSense box.
ttmcmurry @bplein

@bplein

Your last sentence is accurate. For reasons that may only make sense to AT&T, once the static public IP in the RG is associated to pfSense's WAN MAC, it enters the closest thing to IP Passthrough that it's capable of.

The only downside is pfSense gets 1 public IP.

The RG's state table drops off to a few hundred states, which I assume is the RG itself talking to AT&T. Meanwhile pfSense is tracking everything it has open independently of the RG. Assuming enough traffic is being generated behind pfSense, you can compare both state tables and see that both are entirely different.
SirSilentBob

Hello everyone!

Is something like this script adaptable for Verizon FIOS, by chance?

I'm in a similar situation, where I get a /56 from them, and set my interfaces to Track Interface, give each interface its own IPv6 Prefix ID, etc. But it only seems to work on a single LAN interface.

FIOS is a little different it seems from AT&T, in that the WAN IPv6 settings must have "Use IPv4 connectivity as parent interface" checked, "Request only an IPv6 prefix" checked and "Send IPv6 prefix hint" checked.

I attempted to basically adapt the file here and use it, but I think the lack of those options is maybe the holdup.

The custom file I created looks like this:

interface igb0 {
	send ia-na 0;
	send ia-pd 0;
	send ia-pd 1;
	send ia-pd 2;
	script "/var/etc/dhcp6c_wan_script.sh";
};
id-assoc na 0 { };
id-assoc pd 0 {
	prefix-interface igb1 {
		sla-id 0;
		sla-len 0;
	};
};
id-assoc pd 1 {
	prefix-interface igb2 {
		sla-id 0;
		sla-len 0;
	};
};
id-assoc pd 2 {
	prefix-interface igb3 {
		sla-id 0;
		sla-len 0;
	};
};

With IPv6 working on just a single interface, my pfSense dhcp6c_wan.conf looks like this:

interface igb0 {
	send ia-pd 0;	# request prefix delegation
	request domain-name-servers;
	request domain-name;
	script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};
id-assoc pd 0 {
	prefix ::/56 infinity;
	prefix-interface igb1 {
		sla-id 0;
		sla-len 8;
	};
};

Contents of radvd.conf with the single LAN interface working looks like:

# Automatically Generated, do not edit
# Generated for DHCPv6 Server lan
interface igb1 {
	AdvSendAdvert on;
	MinRtrAdvInterval 200;
	MaxRtrAdvInterval 600;
	AdvDefaultLifetime 1800;
	AdvLinkMTU 1500;
	AdvDefaultPreference high;
	AdvManagedFlag on;
	AdvOtherConfigFlag on;
	prefix 2600:4040:XXXX:XXXX::/64 {
		DeprecatePrefix on;
		AdvOnLink on;
		AdvAutonomous on;
		AdvValidLifetime 86400;
		AdvPreferredLifetime 14400;
	};
	route ::/0 {
		AdvRoutePreference high;
		RemoveRoute on;
	};
	RDNSS 2600:4040:XXXX:XXXX:XXX:XXXX:XXXX:XXXX {
		AdvRDNSSLifetime 1800;
	};
	DNSSL Removed.US  {
		AdvDNSSLLifetime 1800;
	};
};

Any suggestions/possibility of implementing the same thing so I can put IPv6 on all my LANs, which are igb1, igb2 and igb3, instead of it only working on igb1?

I see there are a lot of posts (on a lot of other sites, a lot on reddit, etc.) where it seems others who are also trying to take an ISP-supplied /56 and put individual /64s on multiple LANs are seemingly having the same issue, where it just doesn't work.

I know in the advanced DHCP6 client configuration, the "Prefix Interface" drop-down is set for the first LAN, and there's no way to select multiple LANs there.

It just seems like there's gotta be a way to break these large IPv6 blocks into individual /64s that could help out everyone!

Thanks for any thoughts/suggestions!
styxl @SirSilentBob

@sirsilentbob

This is how I did it (on an SG-5100):

interface igb0 {
	send ia-na 0;
	send ia-pd 0;
	send ia-pd 1;
	send ia-pd 2;
	send ia-pd 3;
	send ia-pd 4;
	send ia-pd 5;
	send ia-pd 6;
	request domain-name-servers;
	request domain-name;
	script "/var/etc/dhcp6c_wan_script.sh";
};
id-assoc na 0 { };
id-assoc pd 0 {
	prefix-interface ix0 {
		sla-id 0;
		sla-len 0;
	};
};
id-assoc pd 1 {
	prefix-interface ix1.101 {
		sla-id 0;
		sla-len 0;
	};
};
id-assoc pd 2 { };
id-assoc pd 3 { };
id-assoc pd 4 { };
id-assoc pd 5 { };
id-assoc pd 6 { };
id-assoc pd 7 { };

Then my LAN interfaces are set up as such:

For LAN: (screenshots Capture1.PNG, Capture4.PNG)

For LAN2: (screenshot Capture3.PNG)
SirSilentBob @styxl

@styxl Thanks! It turns out there was another configuration oddity that was the culprit. I've been able to get it going fine on FIOS without this script. I'll keep it in mind if anything ends up changing though.
AiC0315

I am able to get an IPv6 address on WAN and LAN, but when I go to a site to test IPv6 it fails. When I plug directly into the RG it passes the test. Am I missing something?

TIA
JKnott @AiC0315

@aic0315

What failure do you see at the test site?
Which test site are you using?
AiC0315 @JKnott

@jknott
Test-ipv6 gives no results for IPv6
and ipv6-test says not supported
JKnott @AiC0315

@aic0315

Are you sure you have an IPv6 address, other than link local?
AiC0315 @JKnott

@jknott
On the interface status page it is showing the link local and an IPv6 address. So, I am assuming so.
JKnott @AiC0315

@aic0315

What do you get when you run netstat -r?
You should see something like this:

Internet6:
Destination Gateway Flags Netif Expire
default fe80::217:10ff:fe9 UG igb0

Try a packet capture when you try to access test-ipv6.
paul_s

I am getting prefix delegation to my two LAN interfaces. It is working great. However, sometimes the prefixes swap interfaces. Is there a way to configure dhcp6c to prevent that?

I have an AT&T BGW320 and am using a UniFi USG router. Sorry, I don't have a pfSense router. I think I just don't know what the dhcp6c configuration should be to prevent the swapping.
JKnott @paul_s

@paul_s

What do you mean swap prefixes? Normally, you assign a prefix ID to each interface.
paul_s @JKnott

@jknott
For instance, the prefixes and addresses might be assigned this way:
2600:1700:2b60:df9e::1 assigned to eth0
2600:1700:2b60:df9f::1 assigned to eth1

Then a few days later, or after a reboot, they might be reversed:
2600:1700:2b60:df9f::1 assigned to eth0
2600:1700:2b60:df9e::1 assigned to eth1

Is there a way to keep the assignments consistent? What part of the configuration assigns a particular prefix to an interface?
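Two questions in this thread hinge on the same dhcp6c mechanism: SirSilentBob's (how to split one ISP-supplied /56 into per-LAN /64s) and paul_s's (which part of the config ties a prefix to an interface). The following added example, written for this thread and not taken from the posts or from lilchancep's repo, renders a single-ia-pd dhcp6c.conf with one prefix-interface per LAN and computes the /64 each sla-id selects; it assumes interface names igb0..igb3 and a constructed documentation prefix.

```python
import ipaddress
from typing import Dict, List

# Constructed sample input: a /56 delegation like the one described above, taken
# from the IPv6 documentation range rather than a real ISP allocation.
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:ef00::/56")


def sla_prefix(delegated: ipaddress.IPv6Network, sla_id: int, sla_len: int) -> ipaddress.IPv6Network:
    """Prefix dhcp6c hands to a prefix-interface stanza: the delegated prefix
    extended by sla_len bits carrying sla_id.  sla-len 0 passes the delegation
    through unchanged, which is only a /64 if the ISP delegated a /64."""
    if sla_len < 0 or sla_id < 0 or sla_id >= (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in sla-len {sla_len}")
    plen = delegated.prefixlen + sla_len
    if plen > 64:
        raise ValueError(f"/{plen} is longer than /64; SLAAC on the LAN needs a /64")
    # The subnet ID occupies the bits immediately below the delegated prefix.
    subnet_bits = sla_id << (128 - plen)
    return ipaddress.IPv6Network((int(delegated.network_address) | subnet_bits, plen))


def lan_prefixes(delegated: ipaddress.IPv6Network, lans: List[str]) -> Dict[str, ipaddress.IPv6Network]:
    """Give each LAN a fixed /64 from one delegation; its sla-id is its list index."""
    sla_len = 64 - delegated.prefixlen
    if sla_len < 0:
        raise ValueError("delegation is longer than /64; nothing to split")
    if len(lans) > (1 << sla_len):
        raise ValueError(f"a /{delegated.prefixlen} holds only {1 << sla_len} /64s")
    return {lan: sla_prefix(delegated, sla_id, sla_len) for sla_id, lan in enumerate(lans)}


def dhcp6c_conf(wan: str, lans: List[str], pd_len: int = 56) -> str:
    """Render a single-ia-pd dhcp6c.conf: one /pd_len request and one
    prefix-interface block per LAN with a distinct sla-id, so the /64 each LAN
    gets is fixed by the config rather than by the order the ISP answers."""
    sla_len = 64 - pd_len
    lines = [f"interface {wan} {{", "\tsend ia-pd 0;", "\trequest domain-name-servers;",
             "\trequest domain-name;", '\tscript "/var/etc/dhcp6c_wan_script.sh";', "};",
             "id-assoc pd 0 {", f"\tprefix ::/{pd_len} infinity;"]
    for sla_id, lan in enumerate(lans):
        lines += [f"\tprefix-interface {lan} {{", f"\t\tsla-id {sla_id};",
                  f"\t\tsla-len {sla_len};", "\t};"]
    lines.append("};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    lans = ["igb1", "igb2", "igb3"]
    print(dhcp6c_conf("igb0", lans))
    for lan, prefix in lan_prefixes(DELEGATED_PREFIX, lans).items():
        print(f"{lan}: {prefix}")
```

With separate ia-pd requests and sla-len 0 (the AT&T-style configs above), each LAN simply receives whichever /64 the gateway answers for that IA, so the pairing is whatever the server chooses; with one larger delegation, the sla-id in each prefix-interface block pins the pairing.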
Bob.Dig @paul_s

@paul_s Something in the pfSense WebGUI. You can set it up for free...