Configure IPv6

Danil 0

Hi all.
I have a problem with configuration ipv6.
I have router from ISP by DHCP, ISP Router(ipv4+ipv6)---> PFsense. I get ipv6 on WAN but not on LAN.

My configuration is below.

I tried to change DHCPv6 Prefix Delegation size from 48 till 64 but do not help. Also i tried ticked Send IPv6 prefix hint and Request only an IPv6 prefix.

How do I solve this? how do I set my lan on the pfsense?
Thanks for help.

Gertjan

@Danil-0

Something you already know : DHCPv4 on WAN is pfSense's default, and works out of the box.
"IPv6" is something else. It should be - we all would like to be - that that would work like DHCPv4.
But it doesn't.
There are guide lines, everything has been defined in known RFC's, but nearly every ISP uses something of their own sauce.
So : tell us how your ISP implements IPv6, and we'll tel you ^^

Who is your ISP ? If it is the same as mine, I could say more.

There is some general advise exist : look for the info.
You can make the info showing up by activating (under System > Advanced > Networking ) :

and know you'll see more info under : Status > System Logs > DHCP
The lines with 'dhcp6c' -the dhcp V6 client (not server) - are the ones that matter : here is an example :

With this, DHCP6C settings ion the WAN interface :

I get a (one !) prefix, that will be sued for my LAN - as I use tracking, like you, on my WAN.

Your (and mine) :

makes me thing you received one (with index 0) prefix.

A IPv6 from this prefeix will be created to make a 'random' LAN IPv6 :

Btw : not related, but I'll ask anyway :

Really ?
Ok, you've changed the LAN base LAN IPv4 from 192.168.1.1/24 to the 192.168.33 network.
But 41 ??? Normally it would be "1" - or "254", not some IP in the middle of the LAN network.
As my ISP router also uses 192.168.1.1/24 as its LAN I decided to keep 192.168.1.1/24 (the default) on pfSense, and move the ISP router (only pfSense is connected to it) to 192.168.10.1/24

Also : note this down somewhere :
RFC1918 == the definition of local non routable networks, like 192.168.1.1/24 exist also for IPv6.
Everything that starts with "fe80:" is local, and you and I have the same addresses.
If I tell you right now that the IPv4 of my PC is 192.168.1.15, you known that you can't' reach me.
For IPv6, that the same : the fe80 is identical.

This

is an example of a routable IPv6. If it was yours, you might want to hide it.

JKnott

@Danil-0 said in Configure IPv6:

I have router from ISP by DHCP, ISP Router(ipv4+ipv6)---> PFsense. I get ipv6 on WAN but not on LAN.

Is your ISP's router in bridge mode? That's what you need for IPv6 to be passed on to your LAN.

Gertjan

@JKnott said in Configure IPv6:

Is your ISP's router in bridge mode? That's what you need for IPv6 to be passed on to your LAN.

My ISP router is a router, and can't be converted in a bridging device
My ISP abandoned the bridging mode years ago, I wish it was still possible, it would simply things for sure. The ISP box is, of course, internally, bridging (I guess), but that aspect of the box isn't under my control anymore.
The four big ISPs here, in France - that's Europe, (Orange, Free, SFR, and Bouygues), making up 90+% (60 million ?) of all SoHo Internet connections all have routers these days.
Other countries around me : same thing.

I could, technically, use bridging, which means I could (have to !) ditch my ISP router all together.
Initially, I would loose the triple play concept, as I would have "Internet" (IPv4 and Ipv6) but no more phone, no more video (TV) support that also comes with the box. That wouldn't be to bad for me, as I don't use them.
Most would not agree here I think, as for some reason people still stay hours a day on the box-phone (comparable ancient POTS), and even more behind the TV ...

In my case (France, Orange, Livebox) this means I have to apply what I call Pure Networking Rocket Science to make also the TV and phone to work.

In my case, my ISP box has a DHCP4v server (of course) and a DHCPv6 server that can give a LAN IPv6 that becomes the pfSense WAN IPv6, and - most important, and this does not have a IPv4 counterpart - a - at east one - so called IPv6 "prefix" that will be used for the pfSense LAN.

My DHCPv6 ISP server gets its IPv6 'needs' : an entire so called /48 from the more upstream 'main' ISP DHCPv6 server (I guess) :

oh .... as said above, my ISP does things differently. It's not the standard /48 but a small /56. That's still 256 (minus 1 or 2) network blocks of /64. Ok for now for me, as I don't see how my 4100 can handle that much LAN's anyway

And @Danil-0 Danil, don't worry, as soon as your IPv6 works, you can (nearly) forget about it, as it will be as before : pure plug and play. These days, I don't care or look (less) if traffic uses IPpv6 or IPv4.
This forum uses only IPv6 - if you have it. if not, IPv4 is still very fine also.

Danil 0

This post is deleted!

JKnott

This post is deleted!

JKnott

@Danil-0 said in Configure IPv6:

Yes, my ISP's router in bridge mode but it is difficult situation. I'm waiting information about prefix two weeks, i do not understand, why they do not provide it or if they support it.

Try capturing the DHCPv6 sequence to see what's happening. Post the capture file here.

Danil 0

@JKnott Finally, my ISP provide me PD that is /64. Is it even possible to setup with PD /64?

JKnott

@Danil-0

A /64 will work fine. However, that's only enough for a single network. I get a /56 from my ISP, which provides 256 /64s. Currently, I use one each for my main LAN, guest WiFi, test LAN, a Cisco router and my VPN. What does your ISP say they provide?

Danil 0

@JKnott They provide /64. Tried to set up. Traceroute6 google.com is ok but not on LAN side.

Gertjan

@Danil-0

@JKnott said in Configure IPv6:

Try capturing the DHCPv6 sequence to see what's happening. Post the capture file here.

Here : https://forum.netgate.com/topic/172514/capture-full-dhcp-or-dhcpv6-sequence?_=1702908820445

?

Or can you show what the dhcp6c process (DHCP IPv6 WAN client) showed you :
( First goto System > Advanced > Networking and check DHCP6 Debug )
Read from bottom to top :

2024-05-06 09:39:33.996883+02:00 	dhcp6c 	36936 	got an expected reply, sleeping.
2024-05-06 09:39:33.996859+02:00 	dhcp6c 	36936 	removing an event on ix3, state=RENEW
2024-05-06 09:39:33.996822+02:00 	dhcp6c 	36936 	script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh" terminated
2024-05-06 09:39:33.996094+02:00 	dhcp6c 	24565 	dhcp6c renew, no change - bypassing update on ix3
2024-05-06 09:39:33.991236+02:00 	dhcp6c 	36936 	executes /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh
2024-05-06 09:39:33.991226+02:00 	dhcp6c 	36936 	update a prefix 2a01:cb19:907:beef::/64 pltime=600, vltime=1800
2024-05-06 09:39:33.991213+02:00 	dhcp6c 	36936 	update an IA: PD-0
2024-05-06 09:39:33.991202+02:00 	dhcp6c 	36936 	Domain search list[0] home.
2024-05-06 09:39:33.991192+02:00 	dhcp6c 	36936 	nameserver[0] 2a01:cb19:907:befe:46d4:54ff:fe2a:3600
2024-05-06 09:39:33.991175+02:00 	dhcp6c 	36936 	dhcp6c Received INFO
2024-05-06 09:39:33.991164+02:00 	dhcp6c 	36936 	get DHCP option domain search list, len 6
2024-05-06 09:39:33.991153+02:00 	dhcp6c 	36936 	get DHCP option DNS, len 16
2024-05-06 09:39:33.991145+02:00 	dhcp6c 	36936 	preference: 255
2024-05-06 09:39:33.991136+02:00 	dhcp6c 	36936 	get DHCP option preference, len 1
2024-05-06 09:39:33.991125+02:00 	dhcp6c 	36936 	IA_PD prefix: 2a01:cb19:907:beef::/64 pltime=600 vltime=7039080927149950728
2024-05-06 09:39:33.991113+02:00 	dhcp6c 	36936 	get DHCP option IA_PD prefix, len 25
2024-05-06 09:39:33.991104+02:00 	dhcp6c 	36936 	IA_PD: ID=0, T1=300, T2=480
2024-05-06 09:39:33.991095+02:00 	dhcp6c 	36936 	get DHCP option IA_PD, len 41
2024-05-06 09:39:33.991086+02:00 	dhcp6c 	36936 	DUID: 00:03:00:01:44:d4:54:2a:36:00
2024-05-06 09:39:33.991075+02:00 	dhcp6c 	36936 	get DHCP option server ID, len 10
2024-05-06 09:39:33.991065+02:00 	dhcp6c 	36936 	DUID: 00:01:00:01:2c:ec:aa:20:90:ec:77:29:39:2c
2024-05-06 09:39:33.991051+02:00 	dhcp6c 	36936 	get DHCP option client ID, len 14
2024-05-06 09:39:33.991036+02:00 	dhcp6c 	36936 	receive reply from fe80::46d4:54ff:fe2a:3600%ix3 on ix3
2024-05-06 09:39:33.978715+02:00 	dhcp6c 	36936 	send renew to ff02::1:2%ix3
2024-05-06 09:39:33.978546+02:00 	dhcp6c 	36936 	set IA_PD
2024-05-06 09:39:33.978536+02:00 	dhcp6c 	36936 	set IA_PD prefix
2024-05-06 09:39:33.978522+02:00 	dhcp6c 	36936 	set option request (len 4)
2024-05-06 09:39:33.978511+02:00 	dhcp6c 	36936 	set elapsed time (len 2)
2024-05-06 09:39:33.978503+02:00 	dhcp6c 	36936 	set server ID (len 10)
2024-05-06 09:39:33.978494+02:00 	dhcp6c 	36936 	set client ID (len 14)
2024-05-06 09:39:33.978482+02:00 	dhcp6c 	36936 	a new XID (19bb2e) is generated
2024-05-06 09:39:33.978471+02:00 	dhcp6c 	36936 	Sending Renew
2024-05-06 09:39:33.978459+02:00 	dhcp6c 	36936 	reset a timer on ix3, state=RENEW, timeo=0, retrans=9677
2024-05-06 09:39:33.978407+02:00 	dhcp6c 	36936 	IA timeout for PD-0, state=ACTIVE

You can see that dhp6c received a PD :

IA_PD prefix: 2a01:cb19:907:beef::/64 pltime=600 vltime=7039080927149950728

Your ISP should have an IPv6 for you, which could be an entire /64, so your WAN interface gets one, a /128), and it should also give you another /64, the PD (see logs above).
That's the one you can use for your LAN, which has been set up with IPv6 tracking

My ISP announces IPv6 capabilities like this :

The first line is the IPv6 address my WAN obtained.
The second line is the range of prefixes variables : 256 PD's, each one is a /64.

JKnott

@Danil-0 said in Configure IPv6:

@JKnott They provide /64. Tried to set up. Traceroute6 google.com is ok but not on LAN side.

Do you get a valid IPv6 address on the LAN side?

As @Gertjan mentioned, you may have a /128 on the WAN interface, though it's not necessary.

I'd beyond belief that some ISPs provide only a single /64. As I mentioned, mine provides a /56 and some a /48. The IPv6 address space is so huge that there are over 4000 /48s available for every person on earth.

Danil 0

@Gertjan said in Configure IPv6:

script

You can find log below.

May  7 09:50:02 dhcp6c[4062]: extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:2c:b2:88:01:90:ec:77:88:d7:a1
May  7 09:50:02 dhcp6c[4062]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
May  7 09:50:02 dhcp6c[4062]: failed initialize control message authentication
May  7 09:50:02 dhcp6c[4062]: skip opening control port
May  7 09:50:02 dhcp6c[4062]: <3>[interface] (9)
May  7 09:50:02 dhcp6c[4062]: <5>[mvneta0] (7)
May  7 09:50:02 dhcp6c[4062]: <3>begin of closure [{] (1)
May  7 09:50:02 dhcp6c[4062]: <3>[send] (4)
May  7 09:50:02 dhcp6c[4062]: <3>[ia-na] (5)
May  7 09:50:02 dhcp6c[4062]: <3>[0] (1)
May  7 09:50:02 dhcp6c[4062]: <3>end of sentence [;] (1)
May  7 09:50:02 dhcp6c[4062]: <3>comment [# request stateful address] (26)
May  7 09:50:02 dhcp6c[4062]: <3>[send] (4)
May  7 09:50:02 dhcp6c[4062]: <3>[ia-pd] (5)
May  7 09:50:02 dhcp6c[4062]: <3>[0] (1)
May  7 09:50:02 dhcp6c[4062]: <3>end of sentence [;] (1)
May  7 09:50:02 dhcp6c[4062]: <3>comment [# request prefix delegation] (27)
May  7 09:50:02 dhcp6c[4062]: <3>[request] (7)
May  7 09:50:02 dhcp6c[4062]: <3>[domain-name-servers] (19)
May  7 09:50:02 dhcp6c[4062]: <3>end of sentence [;] (1)
May  7 09:50:02 dhcp6c[4062]: <3>[request] (7)
May  7 09:50:02 dhcp6c[4062]: <3>[domain-name] (11)
May  7 09:50:02 dhcp6c[4062]: <3>end of sentence [;] (1)
May  7 09:50:02 dhcp6c[4062]: <3>[script] (6)
May  7 09:50:02 dhcp6c[4062]: <3>["/var/etc/dhcp6c_wan_script.sh"] (31)
May  7 09:50:02 dhcp6c[4062]: <3>end of sentence [;] (1)
May  7 09:50:02 dhcp6c[4062]: <3>comment [# we'd like some nameservers please] (35)
May  7 09:50:02 dhcp6c[4062]: <3>end of closure [}] (1)
May  7 09:50:02 dhcp6c[4062]: <3>end of sentence [;] (1)
May  7 09:50:02 dhcp6c[4062]: <3>[id-assoc] (8)
May  7 09:50:02 dhcp6c[4062]: <13>[na] (2)
May  7 09:50:02 dhcp6c[4062]: <13>[0] (1)
May  7 09:50:02 dhcp6c[4062]: <13>begin of closure [{] (1)
May  7 09:50:02 dhcp6c[4062]: <3>end of closure [}] (1)
May  7 09:50:02 dhcp6c[4062]: <3>end of sentence [;] (1)
May  7 09:50:02 dhcp6c[4062]: <3>[id-assoc] (8)
May  7 09:50:02 dhcp6c[4062]: <13>[pd] (2)
May  7 09:50:02 dhcp6c[4062]: <13>[0] (1)
May  7 09:50:02 dhcp6c[4062]: <13>begin of closure [{] (1)
May  7 09:50:02 dhcp6c[4062]: <3>[prefix-interface] (16)
May  7 09:50:02 dhcp6c[4062]: <5>[mvneta1] (7)
May  7 09:50:02 dhcp6c[4062]: <3>begin of closure [{] (1)
May  7 09:50:02 dhcp6c[4062]: <3>[sla-id] (6)
May  7 09:50:02 dhcp6c[4062]: <3>[0] (1)
May  7 09:50:02 dhcp6c[4062]: <3>end of sentence [;] (1)
May  7 09:50:02 dhcp6c[4062]: <3>[sla-len] (7)
May  7 09:50:02 dhcp6c[4062]: <3>[0] (1)
May  7 09:50:02 dhcp6c[4062]: <3>end of sentence [;] (1)
May  7 09:50:02 dhcp6c[4062]: <3>end of closure [}] (1)
May  7 09:50:02 dhcp6c[4062]: <3>end of sentence [;] (1)
May  7 09:50:02 dhcp6c[4062]: <3>end of closure [}] (1)
May  7 09:50:02 dhcp6c[4062]: <3>end of sentence [;] (1)
May  7 09:50:02 dhcp6c[4062]: called
May  7 09:50:02 dhcp6c[4062]: called

May  7 10:01:45 kea-dhcp6[42450]: WARN  [kea-dhcp6.dhcpsrv.0x11e7c2612000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
May  7 10:01:45 kea-dhcp6[42450]: WARN  [kea-dhcp6.dhcp6.0x11e7c2612000] DHCP6_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
May  7 10:01:45 kea-dhcp6[42450]: WARN  [kea-dhcp6.dhcpsrv.0x11e7c2612000] DHCPSRV_NO_SOCKETS_OPEN no interface configured to listen to DHCP traffic
May  7 10:01:45 kea-dhcp6[42450]: WARN  [kea-dhcp6.dhcp6.0x11e7c2612000] DHCP6_MULTI_THREADING_INFO enabled: yes, number of threads: 2, queue size: 64

My ISP told me that i have only /64 and it is not possible to provide /56.

Danil 0

@JKnott No. I do not have IPV6 on LAN :) and I have /64 on WAN. Please, check interface pics.

JKnott

@Danil-0 said in Configure IPv6:

@JKnott
about 5 hours ago

@JKnott No. I do not have IPV6 on LAN :) and I have /64 on WAN. Please, check interface pics.

That explains why you can't traceroute to Google. You do not have global IPv6 addresses on your LAN. Your ISP is giving you a single /64, which goes to pfSense, leaving nothing for the LAN side. While my WAN port has an address, it's from a completely different prefix than what I'm assigned via DHCPv6-PD.

Complain to your ISP for them being so damn cheap with addresses.

Danil 0

@JKnott I asked him about /56 prefix so they told me that it is not possible to provide. My discount will be off till 2 months so it will be better to change ISP. I found some good. Any way, thanks a lot for help!!!

Gertjan

@Danil-0 said in Configure IPv6:

I asked him about /56 prefix so they told me that it is not possible to provide.

and

@JKnott said in Configure IPv6:

Complain to your ISP for them being so damn cheap with addresses.

One simple call to 'whoever' allocates / distributes these /32 IPv6 networks (or even smaller) and your ISP has them avaible.
Bit this isn't the issue. I'm pretty sure they already 'have them'.

The thing is : they have to invest. Their equipment is probably a collection of 'works fine for IPv4' but can not deal with allocating IPv6 stuff, as they can do right now with the IPv4.
So they have to invest. But shareholders come first, then the CEOs, then the .... and etc etc.

There is only one thing you can do as a client : add the criteria "is this ISP doing the ISP job correctly ?" to your "how to select an ISP" list, and use it you while go out shopping for an ISP. If most clients would do this, all ISPs would be "IPv6 ready", or broke. Suddenly shareholder have lot of decision power ^^

Keep in mind the vast majority of all ISP clients don't kw sht about IPv6, or, understandably, don't care. Yet.
So up to you to chose wisely.

Danil 0

@Gertjan said in Configure IPv6:

One simple call to 'whoever' allocates / distributes these /32 IPv6 networks (or even smaller) and your ISP has them avaible.
Bit this isn't the issue. I'm pretty sure they already 'have them'.

The thing is : they have to invest. Their equipment is probably a collection of 'works fine for IPv4' but can not deal with allocating IPv6 stuff, as they can do right now with the IPv4.
So they have to invest. But shareholders come first, then the CEOs, then the .... and etc etc.

There is only one thing you can do as a client : add the criteria "is this ISP doing the ISP job correctly ?" to your "how to select an ISP" list, and use it you while go out shopping for an ISP. If most clients would do this, all ISPs would be "IPv6 ready", or broke. Suddenly shareholder have lot of decision power ^^

Keep in mind the vast majority of all ISP clients don't kw sht about IPv6, or, understandably, don't care. Yet.
So up to you to chose wisely.

I understand it that you mean but i receive answer that we can provide only /64 at the moment. I think, they do not have client like me or it is cca 5% from total.

JKnott

@Danil-0 said in Configure IPv6:

I understand it that you mean but i receive answer that we can provide only /64 at the moment. I think, they do not have client like me or it is cca 5% from total.

Initially, my ISP provided only a single /64, but that was temporary and now they provide a /56. However, they still properly used DHCPv6-PD, so that my WAN address was not part of that prefix. It sounds like yours isn't even doing that. In fact, your ISP should be able to provide your prefix via DHCPv6-PD, without having to provide a global address on the WAN. That would at least give you a single /64 to work with. Another possibility is to configure pfSense to be a firewall only and not a router. However, I have no experience with that. Maybe someone else here can advise.

JKnott

@Gertjan said in Configure IPv6:

The thing is : they have to invest. Their equipment is probably a collection of 'works fine for IPv4' but can not deal with allocating IPv6 stuff

That's likely a software issue, not hardware.