Netgate Discussion Forum

    IPV6 for PfSense as a router behind ISP's router.

    • Bob.DigB
      Bob.Dig LAYER 8 @JKnott
      last edited by Bob.Dig

      @jknott said in IPV6 for PfSense as a router behind ISP's router.:

      @yellowrain

      If pfSense is behind the ISP's router, it will get an IPv6 address, but will be unable to provide IPv6 to the LAN side. ISPs use DHCPv6-PD to provide a prefix to pfSense (mine provides a /56) which pfSense can then split into multiple /64s. With the ISP's router ahead of it, pfSense will not see DHCPv6-PD.

      That is not true in every case. My router (Fritzbox) in front allows me to delegate prefixes to my pfSense downstream, working fine.
      But there is a more general problem with pfSense handling dynamic IPv6: I would say it doesn't at all.

      • Bob.DigB
        Bob.Dig LAYER 8 @yellowRain
        last edited by

        @yellowrain said in IPV6 for PfSense as a router behind ISP's router.:

        I forgot to add that WAN firewall rule on pfsense :
        -ICMP allowed (except redirect), to see RA advertisement of the Box

        I didn't need that; it is done invisibly by pfSense, like all DHCP-related stuff.

        • JKnottJ
          JKnott @yellowRain
          last edited by

          @yellowrain said in IPV6 for PfSense as a router behind ISP's router.:

          These ip include an expected delegated prefix, and I can see their lease in the Status page.

          I expect the ISP's router will provide only a single /64, which means there's nothing to provide to your LAN.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • JKnottJ
            JKnott @Bob.Dig
            last edited by

            @bob-dig said in IPV6 for PfSense as a router behind ISP's router.:

            That is not true in every case. My router (Fritzbox) in front allows me to delegate prefixes to my pfSense downstream

            I could do the same with pfSense or my Cisco router. But I don't think consumer level gateways do that.

            • Bob.DigB
              Bob.Dig LAYER 8 @JKnott
              last edited by Bob.Dig

              @jknott It is around here. Cost me 100 bucks when I bought it two years ago. Fritzbox is probably the most sold router in Germany.


              Screenshot 2023-01-04 at 16-44-16 FRITZ!Box 7530.png

              • JKnottJ
                JKnott @Bob.Dig
                last edited by

                @bob-dig

                Perhaps @yellowRain can provide more info about what he's got and his ISP. I'm on Rogers, in Canada, and they make it very easy to use bridge mode. Also, with fibre, you can use their gateway or provide your own, connecting directly to the ONT.

                Here's the first screen you see when you login:

                6a90e52a-b1b5-4295-a5dc-f7994698eb84-image.png

                • Y
                  yellowRain @JKnott
                  last edited by yellowRain

                  @jknott Lucky one ;). I have to do with what I'm given for now, that is to say ftth, but no bridge mode and almost no support. Maybe one day I will be in a more friendly zone.

                  • JKnottJ
                    JKnott @yellowRain
                    last edited by

                    @yellowrain said in IPV6 for PfSense as a router behind ISP's router.:

                    @jknott Lucky one ;). I have to do with what I'm given for now, that is to say ftth, but no bridge mode and almost no support. Maybe one day I will be in a more friendly zone.

                    Please describe what you have, so we can get ideas. Can you connect directly to the ONT, as with my ISP?

                    • S
                      SteveITS Galactic Empire @yellowRain
                      last edited by

                      @yellowrain If you cannot find another solution, there are tunnel brokers like Hurricane Electric that will provide free IPv6.

                      https://docs.netgate.com/pfsense/en/latest/recipes/ipv6-tunnel-broker.html

                      It has a couple of downsides. For instance, bandwidth is much lower than our native speed, which I assume is HE throttling downloads. Also, sometimes services will detect that and reject the connection as being a VPN or hidden IP.

                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                      Upvote 👍 helpful posts!

                      • Y
                        yellowRain @JKnott
                        last edited by

                        @jknott I do not wish to go into this popular challenge.
                        Here, direct connection to the ONT is not encouraged, nor documented, so it is a challenge, surely because:

                        • connection sharing issues limiting profitability of ISP,
                        • and also maybe security concerns.

                        For these reasons, the ISP could change specs any time, you may lose your phone line, TV, or be banned a few days if you play with that while discovering correct settings, and it is understandable.

                        Second reason, I'm using this box for home purpose, not business.
                        At the same time, I want to keep an eye on all my devices like a business, thus I need DHCPv6, and a solution for Android devices.

                        Besides, I want my pfSense box to assume the role of gateway everywhere I go: plug it into any ISP box with a working connection, and all my internal devices can work without any changes and reach the internet.

                        With IPV4, only a few port forward rules changes on the ISP box can enable the services I need externally.
                        With no connectivity, all my devices also continue to work, thanks to the pfSense router.

                        I wish I could do the same with ipv6.

                        I read one solution was to loan a "Provider-Independent (PI)" IPv6 subnet, then have some "NPT" NAT rules.
                        It is a serious option for businesses, and I'm also interested, but paying for provisioning a private portable subnet...

                        I think I will have to choose ULA, which is also compatible with "NPT" NAT rules. Hope the "no precedence over IPv4" drawback will not be noticeable.

                        DNS is another whole story for home use.
                        External resolution works.
                        But what a headache to include local hostnames dynamically: in the DHCPv6 leases GUI page, if we want to see the names of hosts, we need to store records of DHCPv6 in a BIND DNS server; Unbound is not compatible. By the way, the documentation of the now EOL ISCdhcp client is a bit astonishing!

                        Currently IPv4 is just fine, so I can live with it.

                        But if IPv6 is the future, then this scares me a bit, until I learn a bit more and solutions arise.
                        Maybe documented use case is the missing part (in ancient times, PfSense-Monowall had a lot of use cases documented)

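The ULA-plus-"NPT" plan in the post above depends on the prefix translation defined in RFC 6296 (NPTv6). The sketch below is an added example, not from any poster and not pfSense code: it implements only the /48 case, and the prefixes are constructed values (the ULA and documentation prefixes that RFC 6296 uses in its own worked example, plus a second documentation prefix standing in for a changed ISP delegation).

```python
import ipaddress

def _words(addr):
    """Split an IPv6 address into eight 16-bit words."""
    n = int(addr)
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def _add1c(a, b):
    """16-bit ones' complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def _sum1c(words):
    total = 0
    for w in words:
        total = _add1c(total, w)
    return total

def npt_translate(addr, src_prefix, dst_prefix):
    """Rewrite addr from src_prefix to dst_prefix, checksum-neutrally."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("only the /48 case is handled here")
    if addr not in src:
        raise ValueError(f"{addr} is outside {src}")
    w = _words(addr)
    new_prefix = _words(dst.network_address)[:3]
    # Adjustment = sum(old prefix) - sum(new prefix) in ones' complement,
    # so the 128-bit address keeps the same Internet checksum contribution.
    adj = _add1c(_sum1c(w[:3]), ~_sum1c(new_prefix) & 0xFFFF)
    subnet = _add1c(w[3], adj)          # bits 48..63 absorb the difference
    if subnet == 0xFFFF:                # RFC 6296: 0xFFFF is written as 0
        subnet = 0x0000
    value = 0
    for word in new_prefix + [subnet] + w[4:]:
        value = (value << 16) | word
    return ipaddress.IPv6Address(value)

# Constructed inputs: a fixed ULA on the LAN, two different upstream prefixes.
ULA = "fd01:203:405::/48"
HOST = "fd01:203:405:1::1234"

if __name__ == "__main__":
    for isp in ("2001:db8:1::/48", "2001:db8:2::/48"):
        outside = npt_translate(HOST, ULA, isp)
        print(f"{HOST} -> {outside} -> {npt_translate(outside, isp, ULA)}")
```

The mapping is stateless and one-to-one, so it hides nothing: which inside hosts are reachable from outside is still decided by the firewall rules on WAN.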
                        • Y
                          yellowRain @SteveITS
                          last edited by

                          @steveits I waited for native IPv6 from my ISP. It had already appeared some time ago, but had been disabled until last month.

                          But for sure I would have tested with the Hurricane tunnel if I were younger and had professional interest in IPv6. Reminds me of the very beginning of VPN brokers. Given the current mess, IPv6 tunnels can be a new niche market (and temporary solution) for sure.
                          Thanks for the reminder! ;)

                          • Y
                            yellowRain
                            last edited by

                            Happy to report that the DHCPv6 client of PfSense is detected by my ISP box, delegated prefix (DHCP-PD) on LAN works, and my web browsers reach IPv6 sites successfully.

                            It may be thanks to :

                            • ISP action, since I reported that IPv6 was not working as I wanted.
                            • PfSense 23.01 beta (2023-01-06)
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.