Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Verizon Fios and IPV6, Which Settings Work?

    Scheduled Pinned Locked Moved IPv6
    142 Posts 26 Posters 88.2k Views 25 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JKnottJ Offline
      JKnott @mattlach
      last edited by JKnott

      @mattlach

      The first issue with NAT I was aware of was active mode FTP didn't work. At that time most FTP clients didn't support passive mode. Browsers were still fairly new then, so FTP clients were generally used. These days, you need STUN servers for VoIP and some games, to get through NAT. It breaks IPSec authentication headers. It also adds extra overhead for routers to process NAT. You can get the same function as RFC1918 addresses with Unique Local Addresses on IPv6.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      1 Reply Last reply Reply Quote 0
      • R Offline
        roadtripper @mattlach
        last edited by

        @mattlach IPv6 specifically has ULA addresses available to meet your desire for local addresses.

        Meanwhile, NAT is problematic for security applications like IPSec, DNSSEC, and Geolocation. CGNAT just makes this problem even worse.

        Also, private RFC1918 addressing makes combining internal networks with overlapping 10.x.x.x space unnecessarily complicated (very common in the case of business acquisitions and mergers). Never mind that the entire RFC1918 space is insufficient for large individual organizations.

        1 Reply Last reply Reply Quote 0
        • R Offline
          roadtripper @mattlach
          last edited by

          @mattlach IPv6 has been working fine for Google, Facebook, and Verizon wireless for many years now. If you want to use site-specific addresses, those are called ULAs in IPv6.

          1 Reply Last reply Reply Quote 0
          • jeremy.duncanJ Offline
            jeremy.duncan @mattlach
            last edited by

            @mattlach I suggest if you want to use private addresses use ULAs, however, keep in mind ULA address preference is lower on the source address selection - meaning if you use ULAs you may never use v6 at all because it's low on the source slection table.. If you want private, just do better on your firewalls and routing. Honestly, nothing is stopping the internet-community from routing 10/8 addresses on the internet except best common operating practices. There's no magic special sauce in 1918 addresses - just norms and rules.

            JKnottJ 1 Reply Last reply Reply Quote 0
            • JKnottJ Offline
              JKnott @mattlach
              last edited by

              @mattlach said in Verizon Fios and IPV6, Which Settings Work?:

              When creating IPV6, the IETF made erroneous assumptions about how people want to use their networks that might work well for some, but certainly is not the solution for all.

              I have been running IPv6 on my LAN for over 12 years. Works fine so far.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              1 Reply Last reply Reply Quote 0
              • JKnottJ Offline
                JKnott @jeremy.duncan
                last edited by

                @jeremy-duncan said in Verizon Fios and IPV6, Which Settings Work?:

                I suggest if you want to use private addresses use ULAs, however, keep in mind ULA address preference is lower on the source address selection - meaning if you use ULAs you may never use v6 at all because it's low on the source slection table.

                ???

                I have both ULA and GUA on my LAN. No issues at all.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                1 Reply Last reply Reply Quote 0
                • S Offline
                  sophware
                  last edited by

                  My CO supposedly went live a few weeks ago. A scrip to detect RAs did briefly show something.
                  Last night, there was an outage that I hoped was some further progress.

                  Today, my LAN interface as a 2600:4040 IP, but my WAN only has fe80s. LAN devices have

                  I can ping 2600:: from LAN devices and from the pfSense WAN interface.

                  Is this normal? Should I expect the 2600:4040 address on the firewall to be on the LAN interface and not the WAN and to have the one without the 2600:4040 address to be able to ping 260::?

                  JKnottJ 1 Reply Last reply Reply Quote 0
                  • JKnottJ Offline
                    JKnott @sophware
                    last edited by

                    @sophware said in Verizon Fios and IPV6, Which Settings Work?:

                    but my WAN only has fe80s.

                    Depending on your ISP, that may be normal. On IPv6, link local addresses (fe80) are often used for routing.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    1 Reply Last reply Reply Quote 0
                    • S Offline
                      sophware
                      last edited by

                      @jknott Thank you. That makes setting up HAProxy to handle inbound internet traffic interesting (or not possible).

                      1 Reply Last reply Reply Quote 0
                      • luckman212L Offline
                        luckman212 LAYER 8 @nolaquen
                        last edited by

                        @nolaquen said in Verizon Fios and IPV6, Which Settings Work?:

                        For the folks that have had IPv6 up and running for a while, has anyone had the /56 prefix change on them?

                        I've only had mine for a week and yes, the /56 has already changed twice. I'm hoping that's just because they're still monkeying around during the rollout.

                        JKnottJ 1 Reply Last reply Reply Quote 0
                        • JKnottJ Offline
                          JKnott @luckman212
                          last edited by

                          @luckman212

                          Have you enabled Do not allow PD/Address release?

                          PfSense running on Qotom mini PC
                          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                          UniFi AC-Lite access point

                          I haven't lost my mind. It's around here...somewhere...

                          luckman212L 1 Reply Last reply Reply Quote 0
                          • luckman212L Offline
                            luckman212 LAYER 8 @JKnott
                            last edited by

                            @jknott Yes, I have that enabled. It's possible over the last week of lots and lots of config changes and testing, that I may have briefly had it off. I also changed the seed number in my DHCP6 DUID once, which could have caused it.

                            1 Reply Last reply Reply Quote 0
                            • MaxK 0M MaxK 0 referenced this topic on
                            • MaxK 0M MaxK 0 referenced this topic on
                            • M Offline
                              mkomar @MikeV7896
                              last edited by

                              @mikev7896 if I've used the settings you are suggesting and I'm not passing ipv6 traffic, is that an indication that my area isn't using it yet, or is there a better way to confirm that?

                              Thanks!

                              MikeV7896M 1 Reply Last reply Reply Quote 0
                              • MikeV7896M Offline
                                MikeV7896 @mkomar
                                last edited by

                                @mkomar Hard to say. As far as their "standard" GPON service area (which I believe should be nearly all of their footprint), they should have IPv6 rolled out completely. I've heard of no new areas from other users... Verizon doesn't share info on where IPv6 is available or not. But since it's been almost a year since they started rolling it out, I think they should be done by now.

                                I've seen some posts from people in NYC that have been upgraded to NG-PON2 (for multi-gig) that don't seem to be able to get IPv6 working... so it's possible that Verizon hasn't enabled it on that infrastructure yet. But I'm pretty sure that in most other areas where Fios is available, IPv6 should be working.

                                There have been some issues that seem to have arisen lately regarding IPv6 on pfSense, especially pfSense Plus 23.01, but I'm running it right now and don't seem to have any IPv6 issues... so not sure if related or not.

                                The S in IOT stands for Security

                                M 1 Reply Last reply Reply Quote 0
                                • M Offline
                                  mkomar @MikeV7896
                                  last edited by

                                  @mikev7896 I apprecaite it. I appear to be getting an an assignment, but ping6 is reporting:

                                  ping6: UDP connect: No route to host

                                  kohenkatzK 1 Reply Last reply Reply Quote 0
                                  • kohenkatzK Offline
                                    kohenkatz @mkomar
                                    last edited by

                                    @mkomar I think my brother had the same thing last week - he got IPv6 addresses, but no routing. My parents had it happen a few months ago too. (Both are in Montgomery County, MD. I'm a few miles north of them in a different CO area, and it's been working for me for many months, so I'm guessing some of the CO's don't have routing set up properly.)

                                    M 1 Reply Last reply Reply Quote 0
                                    • M Offline
                                      mkomar @kohenkatz
                                      last edited by

                                      @kohenkatz sounds good. I'm in Culpeper, VA.

                                      1 Reply Last reply Reply Quote 0
                                      • J Offline
                                        jmpalacios
                                        last edited by

                                        Hi everyone,

                                        Just adding my 2 cents to this discussion to report that I was able to get IPv6 working with Verizon FIOS out of New York City today (Manhattan, Battery Park City). The settings I used were pretty much the ones that have already been discussed here at length, but it took quite a bit of toiling, turning them off and back on a few times, and even a reboot at one point, before my test VLAN's DHCP6 server started successfully assigning v6 IPs to its clients.

                                        And, even after that, my clients were still unable to route any traffic on that VLAN, they were essentially cut off. So at first I made sure the DNS resolver was properly listening on the VLAN's interface, that no firewall rules were blocking traffic, and finally the change that tipped the balance was setting router mode to Assisted in Router Advertisements.

                                        I think the only other thing I did, that probably deviates from the general guidance here, is setting the DHCP6 DUID to "DUID-LL: Based on Link-layer Address" in System -> Advanced -> Networking -> IPv6 Options, using my WAN's MAC address (with my WAN interface being the one connected directly to the FIOS ONT).

                                        Hope that helps people here still struggling with FIOS and IPv6!

                                        PS: Needless to say, I'm all ears if anyone here more knowledgable on IPv6 than me (just about anyone) has some strong advice against how I set up my connection, thanks!

                                        T 1 Reply Last reply Reply Quote 0
                                        • J Offline
                                          jmpalacios
                                          last edited by

                                          A little extra info I learned today when tweaking my IPv6 settings that might be of interest to this forum.

                                          When trying to get IPv6 working on my LAN interface, I made the cardinal sin of disabling it in an attempt to avoid rebooting the router for the config to take, and of course locked myself out of the GUI. That forced me to reassign interfaces on the console to regain access, which in turn caused me to spend the entire day restoring my configuration to a working state (interface assignments, VLANs, firewall rules, etc.).

                                          That, of course, broke my fledgling IPv6 setup completely, and at some point attempting to restore it (and after checking everything else was configured as expected, e.g. interface assignments, firewall rules, DCHP6 settings, DNS Forwarder, etc.) I enabled the "Advanced Configuration" option for the DHCP6 client on my WAN interface, to make sure the correct Prefix Interface was selected, but without configuring any other advanced option. Well, until I disabled that (and without changing anything else), none of my LAN clients were getting any IPv6 assignments, and I was back almost to square 1; but when I did disable it, in desperation, all my LAN clients immediately got their IPv6 addresses!

                                          Hope that helps at least some desperate, IPv6 neophytes souls such as myself!

                                          1 Reply Last reply Reply Quote 0
                                          • T Offline
                                            tman222 @jmpalacios
                                            last edited by tman222

                                            @jmpalacios said in Verizon Fios and IPV6, Which Settings Work?:

                                            I think the only other thing I did, that probably deviates from the general guidance here, is setting the DHCP6 DUID to "DUID-LL: Based on Link-layer Address" in System -> Advanced -> Networking -> IPv6 Options, using my WAN's MAC address (with my WAN interface being the one connected directly to the FIOS ONT).

                                            I agree, I've had to set this as well, although I think I used DUID-LLT instead. In fact I've found that the DUID needs to be updated for IPv6 every time the WAN interface MAC address changes (for instance by changing the WAN interface to a different network port on the firewall), otherwise no new IPv6 prefix would be assigned.

                                            J 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.