Multiple IPv6 Prefix Delegation over AT&T Residential Gateway for pfSense 2.4.5
-
Hello everyone!
Is something like this script adaptable for Verizon FIOS, by chance?
I'm in a similar situation, where I get a /56 from them, and set my interfaces to Track Interface, give each interface its own IPv6 Prefix ID, etc. But it only seems to work on a single LAN interface.
FIOS is a little different it seems from AT&T, in that the WAN IPv6 settings must have "Use IPv4 connectivity as parent interface" checked, "Request only an IPv6 prefix" checked and "Send IPv6 prefix hint" checked.
I attempted to basically adapt the file here and use it, but I think the lack of those options is maybe the holdup.
The custom file I created looks like this:
interface igb0 {
	send ia-na 0;
	send ia-pd 0;
	send ia-pd 1;
	send ia-pd 2;
	script "/var/etc/dhcp6c_wan_script.sh";
};
id-assoc na 0 { };
id-assoc pd 0 {
	prefix-interface igb1 {
		sla-id 0;
		sla-len 0;
	};
};
id-assoc pd 1 {
	prefix-interface igb2 {
		sla-id 0;
		sla-len 0;
	};
};
id-assoc pd 2 {
	prefix-interface igb3 {
		sla-id 0;
		sla-len 0;
	};
};
With IPv6 working on just a single interface, my pfSense dhcp6c_wan.conf looks like this:
interface igb0 {
	send ia-pd 0; # request prefix delegation
	request domain-name-servers;
	request domain-name;
	script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};
id-assoc pd 0 {
	prefix ::/56 infinity;
	prefix-interface igb1 {
		sla-id 0;
		sla-len 8;
	};
};
Contents of radvd.conf with the single LAN interface working looks like:
# Automatically Generated, do not edit
# Generated for DHCPv6 Server lan
interface igb1 {
	AdvSendAdvert on;
	MinRtrAdvInterval 200;
	MaxRtrAdvInterval 600;
	AdvDefaultLifetime 1800;
	AdvLinkMTU 1500;
	AdvDefaultPreference high;
	AdvManagedFlag on;
	AdvOtherConfigFlag on;
	prefix 2600:4040:XXXX:XXXX::/64 {
		DeprecatePrefix on;
		AdvOnLink on;
		AdvAutonomous on;
		AdvValidLifetime 86400;
		AdvPreferredLifetime 14400;
	};
	route ::/0 {
		AdvRoutePreference high;
		RemoveRoute on;
	};
	RDNSS 2600:4040:XXXX:XXXX:XXX:XXXX:XXXX:XXXX {
		AdvRDNSSLifetime 1800;
	};
	DNSSL Removed.US {
		AdvDNSSLLifetime 1800;
	};
};
Any suggestions/possibility of implementing the same thing so I can put IPv6 on all my LANs which are igb1, igb2 and igb3, instead of it only working on igb1?
I see there are a lot of posts (on a lot of other sites, a lot on reddit, etc.) from others who are also trying to take an ISP-supplied /56 and put individual /64s on multiple LANs and seemingly having the same issue, where it just doesn't work.
I know in the advanced DHCP6 client configuration, the "Prefix Interface" drop-down is set for the first LAN, and there's no way to select multiple LANs there.
It just seems like there's gotta be a way to break these large IPv6 blocks into individual /64s that could help out everyone!
Thanks for any thoughts/suggestions!
-
This is how I did it (on an SG-5100):
interface igb0 {
	send ia-na 0;
	send ia-pd 0;
	send ia-pd 1;
	send ia-pd 2;
	send ia-pd 3;
	send ia-pd 4;
	send ia-pd 5;
	send ia-pd 6;
	request domain-name-servers;
	request domain-name;
	script "/var/etc/dhcp6c_wan_script.sh";
};
id-assoc na 0 { };
id-assoc pd 0 {
	prefix-interface ix0 {
		sla-id 0;
		sla-len 0;
	};
};
id-assoc pd 1 {
	prefix-interface ix1.101 {
		sla-id 0;
		sla-len 0;
	};
};
id-assoc pd 2 { };
id-assoc pd 3 { };
id-assoc pd 4 { };
id-assoc pd 5 { };
id-assoc pd 6 { };
id-assoc pd 7 { };
Then my LAN interfaces are set up as such:
For LAN:
For LAN2:
-
@styxl Thanks! It turns out there was another configuration oddity that was the culprit. I've been able to get it going fine on FIOS without this script. I'll keep it in mind if anything ends up changing though.
-
I am able to get an IPV6 address on WAN and LAN. But when I go to a site to test IPV6, it fails. When I plug directly into the RG, it passes the test. Am I missing something?
TIA
-
What failure do you see at the test site?
Which test site are you using?
-
@jknott
Test-ipv6 gives no results for IPV6
and IPVG-test says not supported
-
Are you sure you have an IPv6 address, other than link local?
-
@jknott
On the interface status page it is showing the link local and an IPV6 address. So, I am assuming so.
-
What do you get when you run netstat -r?
You should see something like this:
Internet6:
Destination Gateway Flags Netif Expire
default fe80::217:10ff:fe9 UG igb0
Try a packet capture when you try to access test-ipv6.
-
I am getting prefix delegation to my two LAN interfaces. It is working great. However, sometimes the prefixes swap interfaces. Is there a way to configure dhcp6c to prevent that?
I have an ATT BGW320 and am using a UniFi USG router. Sorry I don't have a PFsense router. I think I just don't know what the dhcp6c configuration should be to prevent the swapping.
-
What do you mean swap prefixes? Normally, you assign a prefix ID to each interface.
-
@jknott
For instance, the prefixes and addresses might be assigned this way:
2600:1700:2b60:df9e::1 assigned to eth0
2600:1700:2b60:df9f::1 assigned to eth1
Then a few days later or after a reboot they might be reversed:
2600:1700:2b60:df9f::1 assigned to eth0
2600:1700:2b60:df9e::1 assigned to eth1
Is there a way to keep the assignments consistent? What part of the configuration assigned a particular prefix to an interface?
-
@paul_s Something in the pfSense WebGUI. You can set it up for free...
-
That sounds like a hardware issue. Any chance you're using USB Ethernet ports?
-
Not using USB. The interfaces are integrated in the router.
-
I have never seen anything like that.
I just noticed this:
I have an ATT BGW320 and am using a UniFi USG router. Sorry I don't have a PFsense router.
So, you're not running pfSense? If not, maybe you should be asking in a UniFi forum.
My router is the one described in my sig, which I have been using with pfSense for over 1.5 years and before that, I had a HP compact desktop computer. Before that, I had a Linux based firewall on that HP computer and other computers before that. I have never, ever seen interfaces move. Are eth0 and eth1 associated with the same interface (same MAC) when the prefixes move?
-
@JKnott
I have a lot of respect for the members of this forum and have been unable to find the answer at UniFi. I was hoping that someone with experience like you might know the mechanism that assigns the delegated prefixes to a particular interface. Is it dhcp6c or is it radvd or something else? Then I hoped there might be a configuration parameter that might anchor the prefix to an interface.
The interfaces are not moving, they retain the same MAC address. The IPv6 prefix changes.
thanks for your time.
-
Are you running pfSense or not? If not, you're not likely to find a lot of support here. As I mentioned, I have never seen your situation on multiple computers, with either pfSense or Linux firewalls over twenty years or so. My sole Unifi experience is with my AC-Lite access point.
With pfSense, the prefix will change if you don't select that setting I mentioned. Also, some ISPs mess things up too. But neither of those would cause the problem you're mentioning where the same prefix moves to another port.
-
@JKnott
As I stated in my first post "I don't have a PFsense router."
As I stated in my last post "thanks for your time"
-
Have no experience with Unifi - my guess would be there's something being incorrectly set on non-wan interfaces. If your ISP is giving you a /60, then you should be specifying on each internal interface the prefix delegate hint so that internal interfaces assign themselves correctly each time.
What I originally posted in post 1 has a step that refers to this process where the prefix delegation is associated "id-assoc" "pd 1" with the correct interface "hn1" (etc).
The only assumption made with AT&T is they reserve a certain number of networks in their /60 for AT&T use, and the rest are available for delegation.
If UniFi doesn't have a way to associate interfaces to prefix delegation, then you'll get the variability that you're experiencing. Even on PFSense, this has to be done by hand, there's nothing in the GUI that allows admins to configure prefix delegation.
The answer to your other question is the documented method in post #1 is using DHCPv6 (no Router Advertisements) to pull the PD.
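How the `id-assoc pd`, `prefix-interface`, `sla-id` and `sla-len` settings discussed in this thread bind a delegated prefix to an interface, as an added Python example (not code from any poster or from pfSense). The configuration text and the 2001:db8 documentation prefixes are constructed samples, and the /64 limit assumes the default 64-bit interface ID.

```python
import ipaddress
import re

# Constructed sample (not from the thread): one /56 split across three LANs.
SAMPLE_CONF = """
id-assoc pd 0 {
    prefix ::/56 infinity;
    prefix-interface igb1 { sla-id 0; sla-len 8; };
    prefix-interface igb2 { sla-id 1; sla-len 8; };
    prefix-interface igb3 { sla-id 2; sla-len 8; };
};
"""

TOKEN_RE = re.compile(
    r"id-assoc\s+pd\s+(?P<iaid>\d+)"
    r"|prefix-interface\s+(?P<ifn>[\w.]+)\s*\{\s*sla-id\s+(?P<sid>\d+)\s*;"
    r"\s*sla-len\s+(?P<slen>\d+)\s*;\s*\}")

def parse_pd(conf):
    """Return [(iaid, ifname, sla_id, sla_len)] in file order, comments ignored."""
    rows, iaid = [], None
    for m in TOKEN_RE.finditer(re.sub(r"#[^\n]*", "", conf)):
        if m.group("iaid") is not None:
            iaid = int(m.group("iaid"))      # start of a new id-assoc pd block
        else:
            rows.append((iaid, m.group("ifn"), int(m.group("sid")), int(m.group("slen"))))
    return rows

def lan_prefix(delegated, sla_id, sla_len):
    """Append sla_id as sla_len extra bits after the delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    new_len = net.prefixlen + sla_len
    if new_len > 64:                          # assumes the default 64-bit interface ID
        raise ValueError(f"{delegated} + sla-len {sla_len} is longer than /64")
    if sla_id >= 1 << sla_len:                # this example's own sanity check
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    base = int(net.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))

def assign(conf, delegations):
    """Map each prefix-interface to its prefix; delegations is {iaid: 'prefix/len'}."""
    result = {}
    for iaid, ifname, sla_id, sla_len in parse_pd(conf):
        net = lan_prefix(delegations[iaid], sla_id, sla_len)
        clash = [n for n, p in result.items() if p.overlaps(net)]
        if clash:
            raise ValueError(f"{ifname} overlaps {clash[0]} on {net}")
        result[ifname] = net
    return result

if __name__ == "__main__":
    for ifname, net in assign(SAMPLE_CONF, {0: "2001:db8:1200:ab00::/56"}).items():
        print(ifname, net)
```

With one `id-assoc pd` per interface and `sla-len 0`, as in the configurations posted above, the same function shows that each interface simply receives whatever prefix the server returns for that IAID.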