IPv6 Multi-LAN Problem
-
I am having trouble getting IPv6 working with multiple LANs.
- The WAN is set to DHCP6 with a prefix delegation size of 59.
- There are 4 LAN interfaces (LAN, Guest, TestLAN, and TestWAN) set to track the WAN interface with prefix IDs set to 0, 1, 2, and 3, respectively.
- Devices connected to each of the LAN interfaces are getting global and link-local IPv6 addresses.
- From the GUI, Diagnostics / Ping, I can IPv6 ping hosts on the Internet from any of the 4 LAN interfaces.
- I can IPv6 ping the corresponding pfSense interface from devices connected to any of the 4 LAN interfaces.
- The pfSense version is 2.7.2 (amd64).
The problem is that I can only access hosts on the Internet from devices connected to the "LAN" interface, not from the other three. Hosts connected to the "LAN" interface can IPv6 ping the WAN interface, but hosts connected to the other 3 interfaces cannot. There are no rules blocking IPv6 WAN access from the Guest, TestLAN, or TestWAN interfaces.
The routing table appears correct.
Any suggestions as to what I have misconfigured or how to troubleshoot this would be much appreciated.
-
@pwmaloney said in IPv6 Multi-LAN Problem:
The WAN is set to DHCP6 with a prefix delegation size of 59
Is that the largest prefix your ISP provides?
-
@JKnott - Well, I didn't know, so I called them (Comcast) just now. The max is 56. So I set that in pfSense, and the problem is resolved. Thank you!
-
@pwmaloney said in IPv6 Multi-LAN Problem:
Well, I didn't know, so I called them (Comcast) just now. The max is 56.
Most ISPs handing out IPv6 prefix delegations are going to issue one of three prefix sizes:
- if they are generous, you get a /56;
- if they are thrifty, you get a /60;
- if they are a total Scrooge, you get a single /64;
An IPv6 prefix smaller than /64 is both atypical and non-standard. Also, an odd-numbered prefix would be atypical.
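To make the prefix-ID bookkeeping from the first post (four LANs tracking the WAN with IDs 0 to 3) and the /56, /60 and /64 sizes listed above concrete, here is an added example of my own, not code from any poster or from pfSense. It derives each tracked LAN's /64 from a delegated prefix plus its hex prefix ID and shows how many LANs each delegation size (including the /59 the OP started with) leaves room for; the 2001:db8:: prefixes are constructed documentation addresses, and the fill-in-the-bits-between-PD-length-and-/64 rule is my understanding of how interface tracking works, not something the thread states.

```python
import ipaddress


def usable_lan_count(pd_len: int) -> int:
    """Number of /64 subnets a delegation of length pd_len can be split into."""
    return 2 ** (64 - pd_len)


def track_interface_subnet(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 a LAN gets when it tracks a WAN holding this delegated prefix.

    Assumption (my reading of pfSense's 'track interface', not stated in the thread):
    the LAN /64 is the delegated prefix with the bits between the delegation length
    and /64 filled in with the interface's hex prefix ID.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"/{pd.prefixlen} is longer than /64; nothing left to subnet")
    max_id = usable_lan_count(pd.prefixlen) - 1
    if not 0 <= prefix_id <= max_id:
        raise ValueError(
            f"prefix ID {prefix_id:#x} does not fit a /{pd.prefixlen} delegation "
            f"(valid IDs are 0x0..{max_id:#x})")
    # The ID lands just above the 64-bit interface-identifier half of the address.
    return ipaddress.IPv6Network((int(pd.network_address) | (prefix_id << 64), 64))


def plan_lans(delegated: str, names: list[str]) -> dict[str, str]:
    """Assign prefix IDs 0, 1, 2, ... to the named LANs, as the first post does."""
    return {name: str(track_interface_subnet(delegated, i)) for i, name in enumerate(names)}


if __name__ == "__main__":
    # Constructed documentation prefixes (2001:db8::/32), not a real delegation.
    lans = ["LAN", "Guest", "TestLAN", "TestWAN"]
    for pd in ("2001:db8:ab00::/56", "2001:db8:ab00:20::/59", "2001:db8:ab00:10::/60"):
        print(f"{pd}: room for {usable_lan_count(int(pd.split('/')[1]))} LANs")
        for pid, (name, net) in enumerate(plan_lans(pd, lans).items()):
            print(f"  prefix ID {pid:#x} -> {name:8} {net}")
    try:
        # A /59 only has 32 /64s, so ID 0x20 is one past the end.
        track_interface_subnet("2001:db8:ab00:20::/59", 0x20)
    except ValueError as err:
        print("ID 0x20 on a /59:", err)
```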
-
@bmeeks said in IPv6 Multi-LAN Problem:
if they are generous, you get a /56;
And then there is Hurricane Electric Free IPv6 Tunnel Broker
that gives you a /64 to get warmed up, and a /48 to create your own "Fortune 500".
/48 means 65536 prefixes of /64 each, so 65536 LANs ..... or 65536 x 2^64 = 65536 x 18 446 744 073 709 551 616 = 1 208 925 819 614 629 174 706 176 (static!) IPv6 addresses. I'm not sure about the bandwidth, and as it is a free service, and sometimes their POPs are considered as VPN end-points, it's not perfect, but a good plan B and perfect to learn about IPv6.
Pass the certification test and get a free T-shirt.
I used it for years, had IPv6 everywhere using the set-it-and-forget-it mode.
-
@Gertjan said in IPv6 Multi-LAN Problem:
And then there is Hurricane Electric Free IPv6 Tunnel Broker
Yep, HE is a good thing. I still have an account and an assigned /48 delegation, but two things made me give up using that for now:
- My ISP moved me behind CGNAT. Currently both providers in my small town do CGNAT with their IPv4 space and offer no IPv6. Can't do the HE tunnel with CGNAT. My current provider promises IPv6 soon, but "soon" is now more than one year late.
- The major streaming providers started automatically blocking Hurricane Electric IPv6 space. That's a major pain. I know there are tricks to be done to get around that with unbound and blocking IPv6 returns for certain domain DNS lookups, but that's a hassle to maintain.
So, I've decided for now to just exist in IPv4 space only and keep hoping that the "soon" promise of IPv6 from my ISP eventually materializes.
-
@bmeeks said in IPv6 Multi-LAN Problem:
My ISP moved me behind CGNAT
That, NAT, shouldn't break the tunnel to the HE PoP, but he.net has a condition: your 'WAN IPv4' as seen by them must answer to ICMP (ping). And yours doesn't .... so it's game over for you.
For me, he.net isn't possible anymore for another reason: my new "state of the art newest ISP router", which has an ONT integrated for the fiber access, can't handle the '6in4' protocol (41), so pfSense can't connect to the he.net PoP server. 6in4 isn't ICMP (1), isn't TCP (6), isn't UDP (17), nor GRE (4), but something else.
So, I contacted them. It took me weeks to get in contact with someone who could actually understand my question.
They: We've dropped protocol 41 support on our newest models because ... here it comes .... We, Orange, in France (10+ million subscribers), are now proposing IPv4 and IPv6.
Me: Yeah, right, but your IPv6 is broken for my usage!?
They: You have a static IPv4 and your IPv6 works, I can see that from here.
Me: Yeah, sure, but as the (my) subscription implies (I'm using the Pro subscription as I'm a company), I would like to actually use the /56 as advertised. Your router, needed to connect to the Orange fiber, only has one (1) LAN, and I have a company with several LANs, not just one.
They: Wow, what? Multiple LANs? But that's not supported.
Me: I have that covered: I chained on a pfSense router, and it wants prefixes, your (my) prefixes.
They [10+ minutes on hold, listening to Cherry FM]: Right, there is an issue that only one prefix gets announced by our router.
Me: Then why announce a /56 when only one /64 works?
Then they told me to do what others already do: "ditch our ISP router, use an FTP RJ45 to Fiber plug", as my 4100 supports such a connection, create some serious DHCP 4 and 6 options and behold, now I can tap into the full IPv6 /56 advertised. Champagne!
Of course, I'll lose all the ISP "TV" facilities and/or phone support (one phone line, but who cares, we have 6 lines on a PABX); I don't need these.
So I, and many, many others, are waiting for the router update that delivers the needed IPv6 support.
edit: let it be known: in France, at ISP Orange, fewer people than you have fingers on your hand know that there is more than "UDP" and "TCP" ....
-