Verizon 5G Home Internet

meluvalli · Feb 24, 2023, 2:26 PM

Hey there. I had COX internet with IPv6 working fine.

I switched to Verizon 5G Home Internet, and can't seem to get IPv6 working with pfSense. I have a XCI55AX gateway. I set it up for Bridge mode with IP Passthrough enabled. IPv4 is working fine.

The problem I'm facing is IPv6 obtains address from WAN side. However, it's a /64 subnet and LAN side doesn't get an IPv6 address with Trace enabled.

I'm curious if anyone has this setup and if they have gotten it to work or not.

WAN Side:
IPv6 Configuration Type: DHCP6
Request only an IPv6 prefix: Checked
DHCPv6 Prefix Delegation size: 56
Send IPv6 prefix hint: Checked
LAN Side:
IPv6 Configuration Type: Track Interface
IPv6 Interface: WAN
IPv6 Prefix ID: 0

Any ideas to try?

JKnott · Feb 24, 2023, 2:26 PM

@meluvalli

Do they provide prefixes such as /56? My cell provider doesn't over the cell network, but they do over the cable network.

meluvalli · Feb 25, 2023, 7:15 AM

@jknott
I don't think they do. It's only getting a /64 address :( So, do I have any options to get IPv6 address working? Can you NAT IPv6 so I can port forward with it?

JKnott · Feb 25, 2023, 1:33 PM

@meluvalli

I have never set up NAT on IPv6. No need for it here.

madbrain · Apr 29, 2024, 5:28 AM

@meluvalli I realize this is an old topic, but did you ever get this to work ? I have the same gateway and facing the same IPv6 issue.

meluvalli · Apr 29, 2024, 8:35 AM

@madbrain Unfortunately I did not. I ended up having to switch back to COX because I couldn't host my own DNS server with them :(. They allow HTTP and HTTPS ports, but blocked DNS ports. It was strange.

madbrain · May 10, 2024, 2:41 AM

@meluvalli Interesting. I'm not hosting a DNS, but I'm hosting a VPN successfully, using UDP.
Was Verizon blocking both TCP and UDP ports 53 ?

I tried to follow the settings at https://forum.netgate.com/topic/155534/verizon-fios-and-ipv6-which-settings-work/30 which are for Verizon FiOS. Unfortunately, those did not work. LAN clients are only getting link-local IPv6 addresses.

The WAN interface in pfSense does get a public IPv6 address and gateway, though.

JKnott · Oct 4, 2024, 7:55 PM

@madbrain said in Verizon 5G Home Internet:

The WAN interface in pfSense does get a public IPv6 address and gateway, though.

That would indicate they're not using DHCPv6-PD to provide IPv6. Without it, you get IPv6 on the WAN side, but not LAN. My cell company does the same. So, the phone gets an address, as does any tethered device.

patrickdickey52761 · Oct 4, 2024, 7:55 PM

@JKnott said in Verizon 5G Home Internet:

@madbrain said in Verizon 5G Home Internet:

The WAN interface in pfSense does get a public IPv6 address and gateway, though.

That would indicate they're not using DHCPv6-PD to provide IPv6. Without it, you get IPv6 on the WAN side, but not LAN. My cell company does the same. So, the phone gets an address, as does any tethered device.

I'm dragging up the old thread because I'm in this same position, except I'm not using IP/IPv6 passthrough. Here is a picture from my Verizon Internet Gateway of the IPv6 configuration page
login-to-view

and my current pfSense Interface Status (I couldn't do anything using :2729, so I set my LAN to :2730::)
login-to-view

My configurations are:

WAN Side:
IPv6 Configuration Type: DHCP6
Request only an IPv6 prefix: UnChecked
DHCPv6 Prefix Delegation size: 64
Send IPv6 prefix hint: UnChecked
LAN Side:
IPv6 Configuration Type: Static IPv6
IPv6 Address: 2600:......:2730::
IPv6 Prefix Length: /64

And my DHCPv6 Server is set up to send :1000 to :2000.

Anything that connects directly to the Internet Gateway gets a valid IPv6 address and can pass traffic. if it goes through pfSense it doesn't pass traffic--although it does get an IPv6 address in the 2730:: range.

Any suggestions? I was using a Tunnel through HE, but virtually everything blocks that (at least they do mine). So, I would rather use the IPv6 that Verizon gives me.

Have a great day. :)
Patrick.

JKnott · Oct 5, 2024, 9:34 PM

@patrickdickey52761 said in Verizon 5G Home Internet:

That would indicate they're not using DHCPv6-PD to provide IPv6. Without it, you get IPv6 on the WAN side, but not LAN. My cell company does the same. So, the phone gets an address, as does any tethered device.

I'm dragging up the old thread because I'm in this same position, except I'm not using IP/IPv6 passthrough. Here is a picture from my Verizon Internet Gateway of the IPv6 configuration page

See the above that I wrote earlier. Cell networks generally don't provide DHCPv6-PD to connected devices. This means pfSense cannot provide IPv6 to the LAN side.

madbrain · Feb 18, 2025, 9:58 PM

@JKnott Yes, but it's really odd. It used to work in the past. I cancelled my service last year and just recently restored it. And now it doesn't work anymore, somehow. Weird that they would have broken this. I could try to switch the Comcast XB8 modem/gateway to router mode, and bypass pfSense temporarily, to see what happens to clients, and whether they get IPv6 or not.

madbrain · Feb 19, 2025, 6:27 AM

@madbrain And right after I posted this, I visited test-ipv6.com, and it passed. Without me making a single config change in pfSense. Go figure.

Gertjan · Feb 20, 2025, 12:17 PM

@patrickdickey52761 said in Verizon 5G Home Internet:

IPv6 Configuration Type: Static IPv6
IPv6 Address: 2600:......:2730::

Your Phone ISP gave you

login-to-view

to use.
I presume a 2600 : abcd : efgh : 2729::/64

You can't assign yourself the

login-to-view

= 2600 : abcd : efgh : 2730::/64

as it's probably already assigned to another client.
And even if it "seems" to work, they don't route (back) this :2730: to you anyway.

As said, the phone carrier don't offer "prefixes" as they offer a /64 for every client. These clients (you, your device) are not routers but 'end devices' (not sure about the correct word for this).

Are you sure about :

login-to-view

Static WAN Ipv6 .... why not, but its very are.
I'm using DHCPv6 and I always get the same IPv6 WAN - lucky me, as constanly changing Ipv6 'base' and prefixes is a nightmare to handle.
Some new law here in "Europe" now says : it has to change ones a year at least for my 'protection'...

patrickdickey52761 · Feb 20, 2025, 1:12 PM

@Gertjan So let me ask this. Is there an easy way to allow IPv6 traffic through my WAN interface in such a way that all devices on the LAN side can get their addresses?

What I mean is this... My Verizon modem gives everything on the LAN side an IPv6 address. Can I open up pfSense in such a way that the clients on the LAN side will get their IPv6 addresses from the Verizon modem? I don't want to have to remove the pfSense firewall, even though it's not protecting everything. But, if I have to, I will.

Have a great day and thank you. :)
Patrick.

Gertjan · Feb 20, 2025, 1:12 PM

@patrickdickey52761 said in Verizon 5G Home Internet:

Can I open up pfSense in such a way that the clients on the LAN side will get their IPv6 addresses from the Verizon modem?

That means that you would have this situation :

pfSense WAN : for example : 2600 : abcd : efgh : 2729 : ce40 : d0ff : fea9 : 5e02
pfSense LAN : for example : something between 2600 : abcd : efgh : 2729 :: 1000 and :: 2000

That the same situation as :
WAN 182.168.1.1
LAN 192.168.1.2
and you know what that does : it breaks routing

Maybe this :
If you could 'break' up your /64 in parts, like 16 /68.
Network number 12, or 'C' is the C here 2600 : abcd : efgh : 2729 : c
The first 2600 : abcd : efgh : 2729 : 0 /68 assign it to LAN
The second, 2600 : abcd : efgh : 2729 : 1 /68 assign it to LAN2
The third 2600 : abcd : efgh : 2729 : 2 /68 assign it to LAN3
and so on.
....
The twelfth 2600 : abcd : efgh : 2729 : c /68 assign it to WAN !
....

You probably have to set up the pfSense WAN IPv6 with the /68 manually and 2600 : abcd : efgh : 2729 : c(40 : d0ff : fea9 : 5e02)
LAN 2600 : abcd : efgh : 2729 : 0(0 : 0 : 0 : 1) = 2600 : abcd : efgh : 2729 : :1 /68
The DHCPv6 Pool 2600 : abcd : efgh : 2729 : : 1000 => ::2000 /68

This looks somewhat to what we could be doing with IPv4 and I'm not sure if this /64 are "RFC law" or that you can sub device the already huge /64 for your own needs.
For example 16 blocks of /68 as shown above.
Btw 68-64=4 ... bits = 1 hex nibble = [0....F] or '0000' to '1111' binary.

This has nothing to do with the firewall btw.
This is a routing issue. You can disable routing : remove pfSense, and put a switch in place ^^ Or transform pfSense in a big bridged device == an expensive switch.

JKnott · Feb 20, 2025, 3:43 PM

@patrickdickey52761 said in Verizon 5G Home Internet:

So let me ask this. Is there an easy way to allow IPv6 traffic through my WAN interface in such a way that all devices on the LAN side can get their addresses?

You could configure pfSense as just a firewall, without routing. A friend of mine just did that with OPNsense. This way you'll have a single /64 to work with on your LAN.