Issue configuring IPv6 with ULA, but works fine with Track Interface.

lamboalpha

I am having an issue setting up IPv6 with ULA. I have looked a several posts, including Routing IPv6 ULA Across Interfaces text, but still can’t resolve the issue. IPv6 is working properly with LAN with "Track Interface", DHCPv6, and RA: Managed mode. Additionally, "Do not allow PD/Address release" set. But, the changing of the last octet in the IPv6 allocation is messing with static IPv6 settings in servers. I am trying to implement a workaround, regardless of the ability to get a static allocation from the ISP.

Therefore, I would like to implement ULA, using fd00/64. I changed the LAN interface from Track Interface to Static IP (with a fd00::/64 address) and added the fd00::/64 subnet to the RA settings. However, IPv6 connectivity is lost. I also tried to ping external IPv6 addresses from the pfSense, but it also fails. I did try selecting both the WAN and WAN (link local) interfaces for the pings. The WAN does have a IPv6 address (e.g. a fe80 gateway IP address, in addition to its link local address). If it a minor settings that I am missing, that would make me happy, but, I can't understand why changing settings on the LAN side would affect the WAN IPv6 connectivity. I have also thought to use NPt, but the lack of a static LAN IPv6 address also prevents that.

Bob.Dig

@lamboalpha said in Issue configuring IPv6 with ULA, but works fine with Track Interface.:

However, IPv6 connectivity is lost.

Sure, you would need to do NAT. But there is a better way, you can do static mappings even if you use track interface for GUA. And you can have an alias for your server with the hostname used in the static mapping. So no need for ULA this time.

JKnott

@lamboalpha said in Issue configuring IPv6 with ULA, but works fine with Track Interface.:

I changed the LAN interface from Track Interface to Static IP

That's your problem. You don't set a static address. You use a virtual IP for the ULA.

JKnott

@bob-dig said in Issue configuring IPv6 with ULA, but works fine with Track Interface.:

Sure, you would need to do NAT. But there is a better way, you can do static mappings even if you use track interface for GUA. And you can have an alias for your server with the hostname used in the static mapping. So no need for ULA this time.

Why not just do things the proper way?

Some people need ULA because they have a stupid ISP that won't provide a constant prefix. Others may want to use a private network for IoT, etc., but still be able to route to/from their main LAN.

lamboalpha

@jknott, I did initially use PD. However, I need to specify static IPs for some equipment within the IPv6 with in range. As I have no control over the allocation from the ISP, occasionally the last octet changes and breaks the configuration of the downstream servers. I know it's not the way I would prefer to do it either. However, I need to come up with a workaround for it.

lamboalpha

@bob-dig I do have host names configured for the servers. However, the application requires the servers have a static IP address. The applications are not on the pfSense box.

Bob.Dig

@lamboalpha Static IPv6 and no DNS?

JKnott

@lamboalpha

Set up ULA the way I described in the link and it will work. Does that equipment have to be reachable from the outside? If so, you need a consistent prefix from your ISP. Otherwise, ULA should work fine. With SLAAC, addresses can be based on MAC addresses.

lamboalpha

I set the following for v6: WAN: SLAAC, LAN: Track Interface . Firewall: Virtual IP fd00... I disabled DHCP IPv6 and left RA enabled with fd00... the subnet. I also added the virtual IP address.
The devices on the LAN are obtaining a IP address. However, there is no IPv6 connectivity for the router nor LAN devices (as tested by ping each interface for connectivity). I have to enable DHCP6 on the WAN for just the router to have IPv6 connectivity. I am missing something...

@JKnott and other, thanks for the assistance.

JKnott

@lamboalpha said in Issue configuring IPv6 with ULA, but works fine with Track Interface.:

I set the following for v6: WAN: SLAAC, LAN: Track Interface . Firewall: Virtual IP fd00... I disabled DHCP IPv6 and left RA enabled with fd00... the subnet. I also added the virtual IP address.

Normally, the WAN is set to DHCP6 and the LAN SLAAC.

Get things working properly without ULA first. Then add ULA as per my instructions. I suspect you're getting things mixed up.

lamboalpha

@jknott Corrected, but still no IPv6 connectivity for the base configuration (no ULA). I have to have track interface and RA enabled to get IPv6 to work. RA is not possible with SLACC.

JKnott

@lamboalpha said in Issue configuring IPv6 with ULA, but works fine with Track Interface.:

RA is not possible with SLACC.

It most certainly is. That's how it works. A router advertisement tells the network what the prefix is and the client provides the suffix. Maybe you can show your Router Advertisement page.

BTW, why are you blocking out your IPv4 addresses? They're RFC1918 private addresses, which means they're meaningless outside of your LAN.

lamboalpha

@jknott pfSense will not let me enable RA with SLAAC enabled on the LAN. The RA was included with the previous post. There is nothing else below the error (for the Services/DHCPv6 Server & RA page).

If I try to enable RA prior to selecting SLAAC, I get the following error.

You are right on the LAN IPv4 address, but I don't need to share it.

Bob.Dig

@lamboalpha said in Issue configuring IPv6 with ULA, but works fine with Track Interface.:

pfSense will not let me enable RA with SLAAC enabled on the LAN.

No. You should do what it says if you already stuck... change RA first or disable it or disable IPv6 first.

Bob.Dig

@lamboalpha said in Issue configuring IPv6 with ULA, but works fine with Track Interface.:

the application requires the servers have a static IP address. The applications are not on the pfSense box.

So what is this application... and where are they?

JKnott

@lamboalpha

Change the IPv6 Configuration Type to track interface.

lamboalpha

@jknott Ok, the LAN interface has a IPv6 address. But, there is no IPv6 on the LAN. I only enabled RA, but no DHCPv6. What step do I need to next? I have not used IPv6 before and apparently need to study up on it. I thinking I would need some type of NAT or NPt, but I don't know how to setup this up on pfSense when the WAN has a dynamic IPv6 assignment. It seems like a simple ask but hard to do.

@Bob-Dig I said static, I should have said reserved and assigned by DHCP. There is DNS on the network, but some servers need/should have a static IP address, e.g. like the local DNS or network equipment or servers. For example: the DNS server was changing IPv6 address due to the ISP was causing issues, the system would have to fallback to IPv4 when doing DNS lookups. IPv6 had preference.

JKnott

@lamboalpha

Can you post screen captures of your WAN, LAN and Router Advertisement pages?

You do not need NAT, etc.. I would expect your ISP provides a /56 prefix, which provides 256 /64 prefixes, though some ISPs provide a different size. You use the /64s for each LAN or VLAN.

lamboalpha

@jknott

JKnott

@lamboalpha

Change DHCPv6 Prefix Delegation size to whatever your ISP provides. Many, including mine, provide a /56, so 56 would go in that box.

Also, for Router mode I have Unmanaged - RA Flags.