LAN devices can ping IPv6 site but pfSense itself cannot
-
Hi everyone. I'm seeing a weird problem. I'm using AT&T Fiber which provides IPv6 service. WAN is set to DHCP6 with the following setting:
LAN is set to track WAN interface with the following setting:
Since AT&T ISP by default hands out a /64 net, an "IP Alias" on "WAN" is created with proper address, e.g., 2600:xxxx:xxxx:e11::48/64 if I get 2600:xxxx:xxxx:e10::48/64 from ISP. (Tips got from a reddit post.) With all of the above setting, the clients in the LAN network can get IPv6 address and can ping6 www.google.com. However, pfSense itself cannot ping such IPs.
Can I get some advice on where to start looking? Thanks!
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
Tips got from a [reddit post]
Maybe those tips from reddit which then came from chatgpt aren't working? Maybe don't craft a WAN-address yourself. Just maybe you don't need an IPv6-WAN-address.
-
Hmm, I wouldn't expect that to work. If you set request only a prefix and it hands you a /64 you can use that on one interface only.
Setting another interface in a different /64 isn't going to do anything. I would think.
-
@stephenw10 It's a little weird how AT&T hands out IPv6 addresses. Their own fiber modem is able to request a /60, but in pass-through mode the router (PFSENSE in my case) can only request a /64. The AT&T technician said that the subsequent IPv6 address can be manually set (aka the IP alias case).
-
@left4apple well not sure why you would think you would ever get anything other than a /64 when that is what you're requesting, and also you have checked for pfsense to not get its own address on the wan.
Why would their modem get a /60, I don't think I have ever seen an ISP device that allows you to setup multiple networks or vlans.. Even when they create a guest network they still use the same network range, and just filter that network from talking to the wired network in the bridge, etc.
-
Yeah, I'm pretty sure that is true because if you manage to remove the AT&T router entirely you can get a /60:
https://github.com/MonkWho/pfatt?tab=readme-ov-file#ipv6-setup
But if you don't do that you have to somehow know or set a route for other /64s. It might be using that /64 itself. Try a different one and hope!
-
@johnpoz said in LAN devices can ping IPv6 site but pfSense itself cannot:
well not sure why you would think you would ever get anything other than a /64 when that is what you're requesting
I requested a /60 before but always get a /64 in the DHCP6 response. And the technician told me that the next available address is reserved for me even if I don't request it. I think that's how the AT&T modem works.
Not an IPv6 expert as most of my network knowledge is still in the IPv4 era (I'm too old), so if the question sounds stupid please forgive.
-
@stephenw10 AT&T doesn't allow the customer devices to authenticate for Internet and force us to use their own modem. The pass-through mode is what they provide that is similar to bridge mode but not entirely the same.
I guess they give their own modems some privileges.
Someone managed to crack the modem and get the identification, then camouflage their own router to look like an authentic AT&T modem. Cost is like $120 to buy a modem factory key.
-
@left4apple If your pfSense LAN has IPv6, then pfSense LAN-address has IPv6 too. And it can go out to the ipv6-internet. Maybe it does that automatically, try pinging something and leave source as auto.
-
Why are you requesting only a prefix? You're telling them you don't want a global WAN address. Also, you can't just pick an address and expect it to work.
-
@JKnott said in LAN devices can ping IPv6 site but pfSense itself cannot:
Why are you requesting only a prefix?
Could you please elaborate on that? Does that mean requesting a /64 on WAN? I tried /60 but ISP still gave me /64.
-
Mmm, pretty sure the AT&T router will only pass a /64.
Did you try other /64s from the /60?
You can just use the LAN interface IP to connect, as suggested.
-
@stephenw10 Yes I did get a /64 back even if I request a /61.
Aug 20 23:47:44 dhcp6c 39181 <3>[prefix] (6)
Aug 20 23:47:44 dhcp6c 39181 <3>[::] (2)
Aug 20 23:47:44 dhcp6c 39181 <3>[/] (1)
Aug 20 23:47:44 dhcp6c 39181 <3>[61] (2)
Aug 20 23:47:44 dhcp6c 39181 <3>[infinity] (8)
Aug 20 23:47:48 dhcp6c 39399 IA_PD prefix: 2600:xxxx:xxxx:xxx::/64 pltime=3600 vltime=3600
Can I get some suggestion on what's the best way to assign IPv6 addresses to LAN devices while maintaining the IPv6 ability for pfSense router itself? Thanks!
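The check the replies keep circling around (is an address actually inside what dhcp6c was delegated, and how many LANs does that delegation allow), as an added example that is not part of the original thread. The log line follows the IA_PD format quoted above; the addresses are constructed from the 2001:db8::/32 documentation range, and the function and interface names are hypothetical.

```python
import ipaddress
import re

# Format of the dhcp6c line quoted in the thread:
#   "... dhcp6c <pid> IA_PD prefix: <prefix>/<len> pltime=<n> vltime=<n>"
IA_PD_RE = re.compile(r"dhcp6c \d+ IA_PD prefix: (\S+) pltime=(\d+) vltime=(\d+)")

# Constructed sample: one delegated /64, standing in for the masked prefix in the post.
SAMPLE_LOG = """\
Aug 20 23:47:44 dhcp6c 39181 <3>[61] (2)
Aug 20 23:47:48 dhcp6c 39399 IA_PD prefix: 2001:db8:0:e10::/64 pltime=3600 vltime=3600
"""

# Constructed interface config mirroring the thread: a hand-made WAN alias in the
# "next" /64 (e11) and a LAN address inside the delegated /64 (e10).
SAMPLE_ADDRESSES = {
    "wan_alias": "2001:db8:0:e11::48/64",
    "lan": "2001:db8:0:e10::1/64",
}


def delegated_prefixes(log_text):
    """Return every prefix dhcp6c reported as delegated (IA_PD), deduplicated."""
    seen = []
    for match in IA_PD_RE.finditer(log_text):
        net = ipaddress.IPv6Network(match.group(1), strict=True)
        if net not in seen:
            seen.append(net)
    return seen


def audit_addresses(prefixes, configured):
    """Map each interface to the delegated prefix covering its address, or None."""
    result = {}
    for name, cidr in configured.items():
        addr = ipaddress.IPv6Interface(cidr).ip
        result[name] = next((p for p in prefixes if addr in p), None)
    return result


def lan_capacity(prefix):
    """Number of /64 networks the delegation can be split into (0 if longer than /64)."""
    return 2 ** (64 - prefix.prefixlen) if prefix.prefixlen <= 64 else 0


if __name__ == "__main__":
    prefixes = delegated_prefixes(SAMPLE_LOG)
    for name, covering in audit_addresses(prefixes, SAMPLE_ADDRESSES).items():
        print(name, "->", covering or "outside every delegated prefix")
    for p in prefixes:
        print(p, "allows", lan_capacity(p), "x /64")
```

An address reported as outside every delegated prefix has no route back from the ISP unless the upstream device is known to route that /64 to the firewall.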
-
You can use a single /64 on the LAN and have devices within that. pfSense will use the LAN IP address for IPv6 connectivity if that's the only IPv6 address it has.
-
I'm on Rogers and I request an address as well as a prefix. I get a global WAN address and a /56 prefix. I don't know how big of a prefix AT&T provides, but if they only give a /64, then you can have only 1 LAN. With a /56, I can have up to 256, but am currently using only 5 /64s.
Try running without requesting only a prefix and see if you get a global WAN address. Also, you don't really need one, as routing to your router/firewall is generally by link local addresses (fe80:...)
-
@stephenw10 said in LAN devices can ping IPv6 site but pfSense itself cannot:
You can use a single /64 on the LAN and have devices within that
I'm trying to understand how to assign the /64 to LAN, since it's already tracking WAN interface but LAN doesn't have IPv6 address.
@JKnott Sure I'm fine with only one LAN has IPv6 address. Just don't know how to let the LAN use it instead of giving everything to just WAN.
-
The AT&T may not supply a prefix at all. Check the dhcp logs to see what's happening. You may need to enable DHCP6 Debug in Sys > Adv > Networking.
-
@stephenw10 Yes verbose log for DHCP is enabled, and from the following line I think AT&T does give me a /64 prefix plus a WAN address 2600:xxxx:xxxx:xxx::. But again my understanding could be wrong.
Aug 20 23:47:48 dhcp6c 39399 IA_PD prefix: 2600:xxxx:xxxx:xxx::/64 pltime=3600 vltime=3600
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
AT&T does give me a /64 prefix plus a WAN address
did you uncheck that box that says don't give your wan an IP, and select something other than a /64 say a /60
So you tried asking for /61? Never ever heard of any isp giving out that.. would be /60 or /56 are normally what isps hand out
You could also just go get a /64 from hurricane electric for free, which your wan will have its own IPv6 with, or you could even get a /48 as well.
-
@johnpoz Checking "Only request an IPv6 prefix, do not request an IPv6 address" is what I found to make my current setup work for LAN devices (but not pfSense). Might be a coincidence, or multiple errors cancelling each other out.
As to /61, it's just one of my tests from /60 to /64, all of which get me a /64 from the ISP.
I guess a seemingly possible solution is to assign the only, precious /64 to the LAN interface and find a way to let the WAN interface use it (for whatever purpose). Reading the doc now