IPV6 for PfSense as a router behind ISP's router.
-
Hi,
I'm running 22.05 and IPv6 has been enabled by my ISP recently. For various reasons, I want to keep my private LAN out of the reach of the ISP box, so my pfSense is plugged into the ISP router box.
'Local' subnet 1 (gateway = ISP router): TV box + pfSense router
'Local' subnet 2 (gateway = pfSense router): private LAN
I understand Netgate generally advises putting the modem in bridge mode or plugging directly into the ISP fiber.
I can do neither: bridge mode is not permitted by my ISP, and the other solution is surely possible with patience but far too complex and not supported by my ISP. I tried to add all the relevant IPv6 settings (in the pfSense GUI), but cannot ping ipv6.google.com from my private LAN.
Settings:
- WAN: DHCP6 client (prefix + IPv6 address)
- LAN: Track WAN interface
- LAN firewall rule: accept any IPv6 packets
- WAN firewall rule: IPv6 port 546 open (not really needed, I guess)
- WAN: block bogon networks disabled
- Advanced: allow IPv6 and DHCP6 debug mode
- LAN-side services: DHCP6 server (I see the delegated prefix, size /64, here) + RA Assisted.
- Furthermore, I checked that sysctl has IPv6 forwarding set to 1 in the pfSense shell. (First thing I would do/check for IPv4 on a Linux router with iptables.)
- ISP box: IPv6 firewall open to outgoing packets only
Issue spotted in the ISP box GUI: my ISP box delegates some IPv6 block, but does not allow configuring the firewall for the delegated range, because the option is greyed out (it states that the DHCP6 client of the pfSense box is not detected on this page), which might already be one problem.
'Local' subnet 1: no problem
- can nslookup and ping ipv6.google.com from items connected here
pfSense box: a priori no problem
- the pfSense gets a /64 IPv6 delegated subnet, which is fine for me (my ISP delegates a modest /60 range)
- can nslookup and ping ipv6.google.com
'Local' subnet 2: loads of issues
- connected items in my private LAN get their IPv6, with a correct delegated prefix a priori
- can nslookup ipv6.google.com from items connected here
- not possible to ping ipv6.google.com
- IPv4 browsing becomes unstable (connections stall sometimes, some images on web pages are not displayed)
PS: I might have made a subtle error in the IPv6 configuration that is difficult to spot, but I saw that some users in the forum in the past 10 years have already reported similar issues.
PS2: Happy New Year! ;)
PS3: I saw that Android supports SLAAC only, so I will have to test that too in my private LAN afterwards.
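Added worked example (not part of any post in this thread, and not pfSense code): the prefix arithmetic behind the setup above. It assumes constructed values only: the ISP box holds 2001:db8:0:1230::/60 (documentation space), one /64 of it reaches pfSense, and a LAN host either holds a DHCPv6 lease or forms a SLAAC address from its MAC (the Android case mentioned in PS3). The functions `lan_subnets`, `track_interface`, `slaac_address`, `mac_from_eui64` and `audit` are my names, not pfSense's. The `audit` check is what a practitioner runs over the addresses seen in the DHCPv6 lease table, the NDP table or a host's `ip -6 addr` to confirm they actually carry the delegated prefix rather than a stale or foreign one.

```python
"""Delegated-prefix sanity checks for a router-behind-router IPv6 setup (added example)."""
import ipaddress
from typing import Optional

ULA = ipaddress.IPv6Network("fc00::/7")
DELEGATED_FROM_ISP = ipaddress.IPv6Network("2001:db8:0:1230::/60")  # constructed sample value


def lan_subnets(pd: ipaddress.IPv6Network, new_prefix: int = 64) -> list:
    """All /64s contained in a delegated prefix (16 for a /60, 256 for a /56)."""
    return list(pd.subnets(new_prefix=new_prefix))


def track_interface(pd: ipaddress.IPv6Network, prefix_id: int) -> ipaddress.IPv6Network:
    """Pick the /64 a LAN gets out of a delegation, the way a 'track interface'
    setting with a prefix ID selects it (prefix_id is the hex value entered)."""
    subs = lan_subnets(pd)
    if not 0 <= prefix_id < len(subs):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {pd}")
    return subs[prefix_id]


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier: insert ff:fe, flip the U/L bit (RFC 4291)."""
    octets = bytearray.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC-only host forms from the prefix in the router advertisement."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 on the link")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_iid(mac))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 formed address; None if the IID is not
    EUI-64 (DHCPv6 lease, RFC 4941 temporary or RFC 7217 stable-privacy address).
    This is the privacy cost of plain SLAAC: the NIC identity is visible to every peer."""
    iid = bytearray((int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def audit(pd: ipaddress.IPv6Network, seen: list) -> dict:
    """Classify addresses observed on the LAN. 'foreign prefix' means a global
    address the delegation does not cover, e.g. left over from an earlier prefix."""
    result = {}
    for s in seen:
        a = ipaddress.IPv6Address(s)
        if a.is_link_local:
            result[s] = "link-local"
        elif a in pd:
            result[s] = "delegated"
        elif a in ULA:
            result[s] = "ULA"
        else:
            result[s] = "foreign prefix"
    return result


if __name__ == "__main__":
    lan = track_interface(DELEGATED_FROM_ISP, 0x0)
    host = slaac_address(lan, "00:11:22:33:44:55")  # constructed MAC
    print(len(lan_subnets(DELEGATED_FROM_ISP)), "x /64 available in", DELEGATED_FROM_ISP)
    print("LAN /64:", lan, "| SLAAC host:", host, "| MAC recovered:", mac_from_eui64(str(host)))
    print(audit(DELEGATED_FROM_ISP, [str(host), "fe80::1", "fd12:3456:789a:1::5", "2001:db8:0:1240::1"]))
```

If `audit` reports "delegated" for the LAN hosts but pings still fail, the prefix itself is not the problem; the next things to look at are the return path (whether the upstream box routes the delegated /64 towards pfSense rather than treating it as on-link) and the upstream box's firewall for that range.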
-
If pfSense is behind the ISP's router, it will get an IPv6 address, but will be unable to provide IPv6 to the LAN side. ISPs use DHCPv6-PD to provide a prefix to pfSense (mine provides a /56) which pfSense can then split into multiple /64s. With the ISP's router ahead of it, pfSense will not see DHCPv6-PD.
-
@jknott I saw your answer in other posts; sure, pfSense will not see the DHCPv6-PD of the ISP. But it may see something called the 'next hop' subnet:
pfSense gives an IPv6 address to items in the LAN and provides DNS, because DHCPv6 and RA are enabled and the LAN IPv6 interface tracks the WAN interface. These IPs include the expected delegated prefix, and I can see their leases in the Status page.
These items cannot ping ipv6.google.com though.
I forgot to add that WAN firewall rule on pfSense:
- ICMP allowed (except redirect), to see the RA advertisements of the box
-
@jknott said in IPV6 for PfSense as a router behind ISP's router.:
If pfSense is behind the ISP's router, it will get an IPv6 address, but will be unable to provide IPv6 to the LAN side. ISPs use DHCPv6-PD to provide a prefix to pfSense (mine provides a /56) which pfSense can then split into multiple /64s. With the ISP's router ahead of it, pfSense will not see DHCPv6-PD.
That is not true in every case. My router (Fritzbox) in front allows me to delegate prefixes to my pfSense downstream, working fine.
But there is a more general problem with pfSense handling dynamic IPv6: I would say it doesn't at all.
-
@yellowrain said in IPV6 for PfSense as a router behind ISP's router.:
I forgot to add that WAN firewall rule on pfSense:
- ICMP allowed (except redirect), to see the RA advertisements of the box
I didn't need that; it is done invisibly by pfSense, like all DHCP-related stuff.
-
@yellowrain said in IPV6 for PfSense as a router behind ISP's router.:
These IPs include the expected delegated prefix, and I can see their leases in the Status page.
I expect the ISPs router will provide only a single /64, which means there's nothing to provide to your LAN.
-
@bob-dig said in IPV6 for PfSense as a router behind ISP's router.:
That is not true in every case. My router (Fritzbox) in front allows me to delegate prefixes to my pfSense downstream
I could do the same with pfSense or my Cisco router. But I don't think consumer level gateways do that.
-
@jknott It is around here. It cost me 100 bucks when I bought it two years ago. Fritzbox is probably the best-selling router in Germany.
-
Perhaps @yellowRain can provide more info about what he's got and his ISP. I'm on Rogers, in Canada, and they make it very easy to use bridge mode. Also, with fibre, you can use their gateway or provide your own, connecting directly to the ONT.
Here's the first screen you see when you log in:
-
@jknott Lucky one ;). I have to make do with what I'm given for now, that is to say FTTH, but no bridge mode and almost no support. Maybe one day I will be in a more friendly zone.
-
@yellowrain said in IPV6 for PfSense as a router behind ISP's router.:
@jknott Lucky one ;). I have to make do with what I'm given for now, that is to say FTTH, but no bridge mode and almost no support. Maybe one day I will be in a more friendly zone.
Please describe what you have, so we can get ideas. Can you connect directly to the ONT, as with my ISP?
-
@yellowrain If you cannot find another solution, there are tunnel brokers like Hurricane Electric that will provide free IPv6.
https://docs.netgate.com/pfsense/en/latest/recipes/ipv6-tunnel-broker.html
It has a couple of downsides. For instance, bandwidth is much lower than our native speed, which I assume is HE throttling downloads. Also, sometimes services will detect that and reject the connection as being a VPN or hidden IP.
-
@jknott I do not wish to go into this popular challenge.
Here, direct connection to the ONT is neither encouraged nor documented, so it is a challenge, surely because of:
- connection-sharing issues limiting the profitability of the ISP,
- and also maybe security concerns.
For these reasons, the ISP could change specs at any time; you may lose your phone line or TV, or be banned for a few days if you play with that while discovering the correct settings, and it is understandable.
Second reason: I'm using this box for home purposes, not business.
At the same time, I want to keep an eye on all my devices like a business, thus I need DHCPv6, and a solution for Android devices. Besides, I want my pfSense box to assume the role of gateway everywhere I go: plug it into any ISP box with a working connection, and all my internal devices can work without any changes and reach the internet.
With IPv4, only a few port forward rule changes on the ISP box can enable the services I need externally.
With no connectivity, all my devices also continue to work, thanks to the pfSense router. I wish I could do the same with IPv6.
I read that one solution was to obtain a "Provider-Independent (PI)" IPv6 subnet, then have some "NPT" NAT rules.
It is a serious option for businesses, and I'm also interested, but paying for provisioning a private portable subnet... I think I will have to choose ULA, which is also compatible with "NPT" NAT rules. Hope the "no precedence over IPv4" drawback will not be noticeable.
DNS is another whole story for home use.
External resolution works.
But what a headache to include local hostnames dynamically: in the DHCPv6 leases GUI page, if we want to see the names of hosts, we need to store DHCPv6 records in a BIND DNS server; Unbound is not compatible. By the way, the documentation of the now-EOL ISC DHCP client is a bit astonishing!! Currently IPv4 is just fine, so I can live with it.
But if IPv6 is the future, then this scares me a bit, until I learn a bit more and solutions arise.
Maybe the documented use case is the missing part (in ancient times, pfSense/m0n0wall had a lot of use cases documented).
-
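The ULA + NPt approach mentioned in the post above, worked as an added example (not code from this thread and not pfSense's own NPt implementation): a checksum-neutral prefix translation in the style of RFC 6296. Replacing the prefix of an address changes the IPv6 pseudo-header sum that TCP, UDP and ICMPv6 checksums cover, so the translator adds the opposite amount to one 16-bit word of the interface identifier and the transport checksum stays valid without being touched. The sample prefixes fd12:3456:789a:1::/64 (ULA on the LAN) and 2001:db8:abcd:10::/64 (standing in for the delegated global /64) are constructed; the `NPTv6` class and its method names are mine, and the example restricts itself to equal-length prefixes whose length is a multiple of 16. The word selection (first word after the prefix that is not 0xFFFF) and the 0xFFFF-to-0x0000 replacement follow my reading of the RFC; the property the test checks is the one that matters, that the address's pseudo-header contribution is unchanged.

```python
"""NPTv6-style checksum-neutral prefix translation (added example, RFC 6296 flavour)."""
import ipaddress


def words(addr: ipaddress.IPv6Address) -> list:
    """Eight 16-bit words of a 128-bit address, most significant first."""
    raw = int(addr)
    return [(raw >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def from_words(ws: list) -> ipaddress.IPv6Address:
    raw = 0
    for w in ws:
        raw = (raw << 16) | (w & 0xFFFF)
    return ipaddress.IPv6Address(raw)


def ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition (end-around carry); a, b < 2**16."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(ws) -> int:
    total = 0
    for w in ws:
        total = ones_add(total, w)
    return total


def ones_neg(a: int) -> int:
    """One's complement negation is bitwise inversion."""
    return (~a) & 0xFFFF


def pseudo_header_sum(addr: str) -> int:
    """Contribution of an address to the TCP/UDP/ICMPv6 pseudo-header checksum,
    normalised so that 0xFFFF and 0x0000 (both 'zero' in one's complement) compare equal."""
    return ones_sum(words(ipaddress.IPv6Address(addr))) % 0xFFFF


class NPTv6:
    """Stateless two-way mapping between an internal and an external prefix."""

    def __init__(self, internal: str, external: str):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("internal and external prefixes must be the same length")
        if self.internal.prefixlen % 16:
            raise ValueError("this example only handles prefix lengths that are multiples of 16")
        self.nwords = self.internal.prefixlen // 16
        iw = words(self.internal.network_address)[: self.nwords]
        ew = words(self.external.network_address)[: self.nwords]
        # adjustment = (internal prefix sum) - (external prefix sum), one's complement
        self.adjust = ones_add(ones_sum(iw), ones_neg(ones_sum(ew)))

    def _translate(self, addr, src, dst, adjust):
        if addr not in src:
            raise ValueError(f"{addr} is not inside {src}")
        ws = words(addr)
        ws[: self.nwords] = words(dst.network_address)[: self.nwords]
        # carry the adjustment in the first word after the prefix that is not 0xFFFF
        for i in range(self.nwords, 8):
            if ws[i] != 0xFFFF:
                break
        else:
            raise ValueError("address has no word that can carry the checksum adjustment")
        w = ones_add(ws[i], adjust)
        ws[i] = 0 if w == 0xFFFF else w  # 0xFFFF and 0 are the same value; keep the canonical form
        return from_words(ws)

    def outbound(self, addr: str) -> ipaddress.IPv6Address:
        """LAN (internal) source address -> external address seen on the WAN."""
        return self._translate(ipaddress.IPv6Address(addr), self.internal, self.external, self.adjust)

    def inbound(self, addr: str) -> ipaddress.IPv6Address:
        """External destination address -> the LAN host it maps back to."""
        return self._translate(ipaddress.IPv6Address(addr), self.external, self.internal, ones_neg(self.adjust))


if __name__ == "__main__":
    npt = NPTv6("fd12:3456:789a:1::/64", "2001:db8:abcd:10::/64")  # constructed prefixes
    lan_host = "fd12:3456:789a:1::5"
    out = npt.outbound(lan_host)
    print(lan_host, "->", out, "->", npt.inbound(str(out)))
    print("checksum neutral:", pseudo_header_sum(lan_host) == pseudo_header_sum(str(out)))
```

Two practical consequences follow from the mapping being stateless and 1:1. First, it is not a firewall: every LAN host has a predictable external address, so inbound reachability is decided entirely by the WAN rules, the same as with native addressing. Second, the "no precedence over IPv4" caveat from the post is RFC 6724 source/destination selection: a host whose only IPv6 source address is a ULA will normally prefer IPv4 for a dual-stack destination, so a ULA + NPt LAN may see very little IPv6 traffic from its clients.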
@steveits I waited for native IPv6 from my ISP. It had already appeared some time ago, but was disabled until last month.
But for sure I would have tested with the Hurricane tunnel if I were younger and had a professional interest in IPv6. Reminds me of the very beginning of VPN brokers. Given the current mess, IPv6 tunnels can be a new niche market (and temporary solution) for sure.
Thanks for the reminder! ;)
-
Happy to report that the DHCPv6 client of pfSense is detected by my ISP box, the delegated prefix (DHCP-PD) on the LAN works, and my web browsers reach IPv6 sites successfully.
It may be thanks to:
- ISP action, since I reported that IPv6 was not working as I wanted.
- pfSense 23.01 beta (2023-01-06)