LAN devices can ping IPv6 site but pfSense itself cannot
-
Why are you requesting only a prefix? You're telling them you don't want a global WAN address. Also, you can't just pick an address and expect it to work.
-
@JKnott said in LAN devices can ping IPv6 site but pfSense itself cannot:
Why are you requesting only a prefix?
Could you please elaborate on that? Does that mean requesting a /64 on WAN? I tried /60 but ISP still gave me /64.
-
Mmm, pretty sure the AT&T router will only pass a /64.
Did you try other /64s from the /60?
You can just use the LAN interface IP to connect, as suggested.
-
@stephenw10 Yes I did get a /64 back even if I request a /61.
Aug 20 23:47:44 dhcp6c 39181 <3>[prefix] (6)
Aug 20 23:47:44 dhcp6c 39181 <3>[::] (2)
Aug 20 23:47:44 dhcp6c 39181 <3>[/] (1)
Aug 20 23:47:44 dhcp6c 39181 <3>[61] (2)
Aug 20 23:47:44 dhcp6c 39181 <3>[infinity] (8)
Aug 20 23:47:48 dhcp6c 39399 IA_PD prefix: 2600:xxxx:xxxx:xxx::/64 pltime=3600 vltime=3600
Can I get some suggestion on what's the best way to assign IPv6 addresses to LAN devices while maintaining the IPv6 ability for pfSense router itself? Thanks!
-
You can use a single /64 on the LAN and have devices within that. pfSense will use the LAN IP address for IPv6 connectivity if that's the only IPv6 address it has.
-
I'm on Rogers and I request an address as well as a prefix. I get a global WAN address and a /56 prefix. I don't know how big of a prefix AT&T provides, but if they only give a /64, then you can have only 1 LAN. With a /56, I can have up to 256, but am currently using only 5 /64s.
Try running without requesting only a prefix and see if you get a global WAN address. Also, you don't really need one, as routing to your router/firewall is generally by link local addresses (fe80:...)
-
@stephenw10 said in LAN devices can ping IPv6 site but pfSense itself cannot:
You can use a single /64 on the LAN and have devices within that
I'm trying to understand how to assign the /64 to LAN, since it's already tracking WAN interface but LAN doesn't have IPv6 address.
@JKnott Sure I'm fine with only one LAN has IPv6 address. Just don't know how to let the LAN use it instead of giving everything to just WAN.
-
The AT&T may not supply a prefix at all. Check the dhcp logs to see what's happening. You may need to enable DHCP6 Debug in Sys > Adv > Networking.
-
@stephenw10 Yes verbose log for DHCP is enabled, and from the following line I think AT&T does give me a /64 prefix plus a WAN address 2600:xxxx:xxxx:xxx::. But again my understanding could be wrong.
Aug 20 23:47:48 dhcp6c 39399 IA_PD prefix: 2600:xxxx:xxxx:xxx::/64 pltime=3600 vltime=3600
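Added example, not part of the original thread or of pfSense: a small Python parser for the `IA_PD prefix:` line format quoted above, which reports how many /64 LANs a delegation can supply and whether a requested size hint was honoured. The sample log is constructed with the 2001:db8::/32 documentation range, and the function name `delegations` and its parameters are assumptions made for this illustration.

```python
import ipaddress
import itertools
import re

# Constructed sample in the format of the dhcp6c lines quoted in the thread.
# 2001:db8::/32 is the documentation range; the /60 line is hypothetical.
SAMPLE_LOG = """\
Aug 20 23:47:44 dhcp6c 39181 <3>[61] (2)
Aug 20 23:47:48 dhcp6c 39399 IA_PD prefix: 2001:db8:0:e10::/64 pltime=3600 vltime=3600
Aug 21 00:17:48 dhcp6c 39399 IA_PD prefix: 2001:db8:0:e00::/60 pltime=3600 vltime=3600
"""

# Lifetimes are captured as text rather than assumed to be numeric.
IA_PD_RE = re.compile(r"IA_PD prefix: (\S+) pltime=(\w+) vltime=(\w+)")


def delegations(log_text, requested_len=None, preview=4):
    """Parse IA_PD lines; report /64 capacity and whether the size hint was honoured."""
    results = []
    for line in log_text.splitlines():
        match = IA_PD_RE.search(line)
        if not match:
            continue  # debug/lexer lines carry no delegation
        try:
            net = ipaddress.IPv6Network(match.group(1), strict=True)
        except ValueError:
            continue  # masked or malformed prefix, e.g. 2600:xxxx:...::/64
        # Each LAN needs a full /64, so a delegation longer than /64 yields none.
        lan_count = 2 ** (64 - net.prefixlen) if net.prefixlen <= 64 else 0
        lans = net.subnets(new_prefix=64) if lan_count else iter(())
        results.append({
            "prefix": str(net),
            "pltime": match.group(2),
            "vltime": match.group(3),
            "lan_count": lan_count,
            "first_lans": [str(n) for n in itertools.islice(lans, preview)],
            # None when no hint was given; False when the ISP delegated less.
            "hint_honoured": None if requested_len is None
                             else net.prefixlen <= requested_len,
        })
    return results


if __name__ == "__main__":
    for d in delegations(SAMPLE_LOG, requested_len=60):
        print(d["prefix"], "->", d["lan_count"], "x /64,",
              "hint honoured:", d["hint_honoured"], d["first_lans"])
```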
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
AT&T does give me a /64 prefix plus a WAN address
Did you uncheck that box that says don't give your WAN an IP, and select something other than a /64, say a /60?
So you tried asking for /61? Never ever heard of any isp giving out that.. would be /60 or /56 are normally what isps hand out
You could also just go get a /64 from hurricane electric for free, which your wan will have its own IPv6 with, or you could even get a /48 as well.
-
@johnpoz Checking "Only request an IPv6 prefix, do not request an IPv6 address" is what I found to make my current setup work for LAN devices (but not pfSense). Might be a coincidence, or multiple errors cancelling each other out.
As to /61, it's just one of my tests from /60 to /64, all of which get me a /64 from the ISP.
I guess a seemingly possible solution is to assign the only, precious /64 to the LAN interface and find a way to let the WAN interface use it (for whatever purpose). Reading the doc now
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
seemingly possible solution is to assign the only, precious /64
Or you could just not use your ISP nonsense and get a free IPv6 tunnel from HE. Have had one from them since like 2011.. Once you get one it stays, so no need to worry about changing prefixes, and they also allow you to set PTR for your IPv6 space, etc.
Unless your isp gave you a /48 that never changes, not sure why anyone would deal with normally very bad ipv6 deployments designed for users that really have little clue to what an IP is in the first place and use their isp device with everything on 1 network.
-
@johnpoz HE is definitely a great service. However, since I'm uploading probably 500GB stuffs through IPv6 each month, I feel guilty for using their service for free. And didn't see any place for individual donation to HE..
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
Sure I'm fine with only one LAN has IPv6 address. Just don't know how to let the LAN use it instead of giving everything to just WAN.
I thought you said you could ping from LAN, but not WAN. If your LAN is getting a prefix, then you're good.
-
@JKnott Yes with the current setup, the LAN is able to get IPv6 address, yet IPv6 doesn't work on pfSense OS itself though there is an IPv6 address assigned to it. This causes some troubles with, e.g., Tailscale but doesn't overall affects the usability.
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
@JKnott Yes with the current setup, the LAN is able to get IPv6 address, yet IPv6 doesn't work on pfSense OS itself though there is an IPv6 address assigned to it. This causes some troubles with, e.g., Tailscale but doesn't overall affects the usability.
This is getting confusing. At one point you're saying you don't get a WAN address and then you do. By IPv6 address, are you referring to a link local address, which starts with fe80? Or a global address that starts with a 2?
If only a link local address, then you won't be able to do anything as that address is used just for routing. As I mentioned earlier, while some ISPs provide a global address, you don't need one.
-
It must have an IP address from the delegated /64 on the LAN interface if other devices on the LAN do and work.
What does the LAN status look like without the IPAlias on WAN?
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
causes some troubles with, e.g., Tailscale but doesn't overall affects the usability.
There is nothing in tailscale that "requires" ipv6. Do you not have a public ipv4 address?
As to HE and 500GB a month - I doubt that would even show up as a blip on their traffic graphs ;)
-
@JKnott said in LAN devices can ping IPv6 site but pfSense itself cannot:
This is getting confusing. At one point you're saying you don't get a WAN address and then you do. By IPv6 address, are you referring to a link local address, which starts with fe80? Or a global address that starts with a 2?
Sorry if the description wasn't clear. The WAN does get an IPv6 address assigned to it, 2600:xxxx:xxxx:e10::. Yet with the above setting I cannot ping any Internet IPv6 address on pfSense. The LAN interface is set to track the WAN for IPv6, and LAN devices work with IPv6. Trying to figure out how to let the WAN and LAN share the same /64.
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
Trying to figure out how to let the WAN and LAN share the same /64.
For what possible reason? Why would you think that would be a thing? Your router's WAN would either just use its link-local address to route your /64 you put behind it. Or it would get some IP in a different GUA address space and still route your /64 behind it... But with the GUA address on its WAN - it could use that for its own traffic needs, like talking to NS via IPv6, etc. Talking to pfSense update servers to check for updates, packages, that sort of thing.