Netgate Discussion Forum

    Setting up IPv6 on my Netgate

    • eagle61 @JKnott

      @JKnott said in Setting up IPv6 on my Netgate:

      Are you sure it's your link local address? Or the gateway?

      You are right, it's his gateway address, which is usually a link-local address.
      The point that I think causes his problems is visible in the first screenshot he posted. His WAN address starts with 2001: but his LAN IPv6 address starts with 2601:
      That's false. If the LAN tracks the WAN, it shall be the same.
      In my case right now
      WAN starts with 2a01:c23:
      LAN starts with 2a01:c23:
      OPT1 starts with 2a01:c23:
      OPT2 starts with 2a01:c23:
      All track the WAN to create their own prefix and IP addresses.

      JKnottJ 1 Reply Last reply Reply Quote 0
      • JKnott @eagle61

        @eagle61 said in Setting up IPv6 on my Netgate:

        His WAN address starts with 2001: but his LAN IPv6 address starts with 2601:
        That's false. If the LAN tracks the WAN, it shall be the same.

        One has nothing to do with the other, beyond being within the ISP's overall address block. The WAN is in a /64 prefix used by the ISP. The LAN is in the block belonging to the customer. What "track" means is the LAN prefix follows whatever is assigned with DHCPv6-PD. You can see what's assigned by capturing the full DHCPv6 sequence and examining the capture with Wireshark.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        E 1 Reply Last reply Reply Quote 0
        • eagle61 @JKnott

          @JKnott

          Not sure I can explain what I see as his problem correctly in English. But it seems he got just a /64 prefix from his ISP.
          Now he wants to create a subnet with his own prefix. This subnet prefix is smaller than the /64 prefix he got or requested on the WAN interface.
          So it shall be a /65 prefix. But that is not supported by pfSense because (as far as I know) then there is not enough space anymore for the 48 bits for the site prefix, in addition to 16 bits for the subnet ID.

          But correct me if I am wrong.

          In my case I don't have this problem, since my ISP gives me a /56 prefix on my WAN interface, and so I never run into this problem.

          JKnottJ 1 Reply Last reply Reply Quote 0
          • JKnott @eagle61

            @eagle61 said in Setting up IPv6 on my Netgate:

            But it seems he got just a /64 prefix from his ISP.

            Where are you seeing that? If on the WAN status, that's normal, as the link local address is within a /64. What I don't see is what prefix size he's requesting or getting.

            The point that I think causes his problems is visible in the first screenshot he posted. His WAN address starts with 2001: but his LAN IPv6 address starts with 2601:
            That's false. If the LAN tracks the WAN, it shall be the same.

            No, that's incorrect. I have the same thing here and it's been working fine for years. As I mentioned, the WAN address is part of the ISP's /64, not his assigned prefix.

            My WAN public address starts with 2607:f798:804:90 but my LAN prefix starts with 2607:fea8:4c82:5900.

            1 Reply Last reply Reply Quote 0
            • eagle61

              @JKnott said in Setting up IPv6 on my Netgate:

              But it seems he got just a /64 prefix from his ISP.
              

              Where are you seeing that? If on the WAN status

              @CatSpecial202 said in Setting up IPv6 on my Netgate:

              Interfaces → WAN

              IPv6 Config Type DHCP6
              **DHCPv6 Prefix Delegation size 64**
              

              In my case, since I know my ISP delivers /56 prefixes, I chose there

              • DHCPv6 Prefix Delegation size 56

              Second, I read this:

              • https://forum.netgate.com/topic/165929/comcast-residential-64-delegation

              and it seems from that post that Comcast delivers, depending on the type of contract, /60 or /64 prefixes. From the headline "Re: How to setup IPv6 for Comcast or similar ISP?" I suspect Comcast is the ISP of CatSpecial202.
              JKnottJ 1 Reply Last reply Reply Quote 0
              • JKnott @eagle61

                @eagle61 said in Setting up IPv6 on my Netgate:

                DHCPv6 Prefix Delegation size 64

                That's the size he's requesting. Mine's set to 56, as you show in your own example. I don't know what Comcast offers, but /60 sounds right. He should try that. If he requests a /64, then that's all he'll get.

                1 Reply Last reply Reply Quote 0
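
Added example, not written by any poster in this thread: it works through the prefix arithmetic discussed above, showing how many /64 LANs a /56, /60 or /64 delegation can hold and that a WAN address taken from the ISP's own /64 lies outside the delegated block. The two prefixes are the ones JKnott quoted; treating his delegation as 2607:fea8:4c82:5900::/56, the host part of the WAN address, and the function names are assumptions made for this example.

```python
import ipaddress


def lan_subnet_count(delegated: str) -> int:
    """Number of /64 LAN networks that fit inside a delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot hold a /64 LAN")
    return 1 << (64 - net.prefixlen)


def tracked_lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 that a tracking interface with this prefix ID would receive.

    prefix_id is the index of the /64 inside the delegation (0 is the first).
    """
    net = ipaddress.IPv6Network(delegated)
    count = lan_subnet_count(delegated)
    if not 0 <= prefix_id < count:
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit: only {count} /64s")
    base = int(net.network_address)
    # The subnet bits sit directly above the 64-bit interface identifier.
    return ipaddress.IPv6Network((base + (prefix_id << 64), 64))


def wan_inside_delegation(wan_addr: str, delegated: str) -> bool:
    """True if the WAN address belongs to the customer's delegated block."""
    return ipaddress.IPv6Address(wan_addr) in ipaddress.IPv6Network(delegated)


if __name__ == "__main__":
    # Assumed delegation built from the LAN prefix quoted in the thread.
    delegation = "2607:fea8:4c82:5900::/56"
    # WAN prefix from the thread; the ::1 host part is constructed.
    wan = "2607:f798:804:90::1"

    for size in (56, 60, 64):
        sample = f"2607:fea8:4c82:5900::/{size}"
        print(f"/{size} delegation -> {lan_subnet_count(sample)} x /64")

    print("LAN  (ID 0x00):", tracked_lan_prefix(delegation, 0x00))
    print("OPT1 (ID 0x01):", tracked_lan_prefix(delegation, 0x01))
    print("last (ID 0xff):", tracked_lan_prefix(delegation, 0xFF))
    print("WAN inside delegation?", wan_inside_delegation(wan, delegation))
```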
                • CatSpecial202 @Gertjan

                  @Gertjan I actually plan to do a separate post about my DNS setup. I was working on troubleshooting and testing that a bit before I responded here.

                  Thank you to everyone for all the responses. Just to be clear, I am passing all the tests on https://test-ipv6.com/ with a 10/10. Oh, and my modem's only option is bridge mode; it's a very basic Netgear CM600.

                  Maybe I should have initially requested a 60 block? I just attempted to get a new one. I only changed the below options. I then went to my WAN interface and released my wan interface and asked to renew it but it looks like I got a response with the same configuration. I wasn't expecting it to work.

                  ChatGPT 😛 gave me two options for potentially getting a new WAN.

                  #1: I could turn off my modem and firewall for a few hours and then maybe my existing WAN IP will get reassigned to someone else, and when I come back and turn it on I'll get a new assignment.

                  #2: I could change my MAC address in the spoof MAC address section and my ISP will think I have a new device and assign me a new WAN.

                  What do you think about these options?

                  Should I be unselecting this option? What exactly does this do?
                  Do not allow PD/Address release
                  dhcp6c will send a release to the ISP on exit, some ISPs then release the allocated address or prefix. This option prevents that signal ever being sent

                  Here are all the options I have selected. I also removed the blocking portion.

                  Interfaces -> WAN

                  • IPv6 Config Type DHCP6
                  • Use IPv4 connectivity as parent interface
                  • DHCPv6 Prefix Delegation size 60
                  • Send IPv6 prefix Hint
                  • Do not wait for RA

                  Screenshot 2024-11-21 at 21.34.22.png

                  The result of my wan interface being released. I also included the LAN

                  Screenshot 2024-11-21 at 21.43.56.png

                  @eagle61 here is my ifconfig output

                  Why is my gateway interface that link local address? How can I get that to go away and actually monitor my IPv6 WAN?

                  Screenshot 2024-11-21 at 21.33.10.png

                  JKnottJ 1 Reply Last reply Reply Quote 0
                  • JKnott @CatSpecial202

                    @CatSpecial202 said in Setting up IPv6 on my Netgate:

                    Why is my gateway interface that link local address? How can I get that to go away and actually monitor my IPv6 WAN?

                    Using the link local address is entirely normal with IPv6. It's the same with mine. You use the global address for stuff like VPNs, etc. The link local address should be the address for your gateway, not your own router.

                    CatSpecial202C 1 Reply Last reply Reply Quote 0
                    • CatSpecial202 @JKnott

                      @JKnott Why is it normal to have IPv6 and then link local on the gateway? What exactly is the difference between the gateway and the WAN? Is this just weird looking because of IPv6?

                      Ohhhh, I think I just realized.

                      Is this the default gateway for my network? We won't be able to visibly distinguish gateways like we do with IPv4?

                      With IPv4, if I have the IP address 10.10.10.14, my default gateway is 10.10.10.1?

                      fe80::21c:73ff:fe00:99%mvneta0 <--- this is the gateway for my IPv6 WAN address?
                      2001:xxx:xxx:xx:5d33:xxx:c499:69b5 <--- Address on WAN

                      2601:xx:xxxx:xxxx:92ec:77ff:fe5b:35db <--- this is the address on my LAN

                      What is the gateway for this LAN address?

                      I went into my gateway settings and updated it with a different monitoring IP. I forgot I did this with my IPv4 gateway when I set everything up.

                      6508c667-8209-4801-8759-4f43317760e8-image.png

                      and now i have

                      b38c47d2-6611-4e43-a2e3-af363ce1be0b-image.png

                      JKnottJ 1 Reply Last reply Reply Quote 0
                      • eagle61

                        @CatSpecial202 said in Setting up IPv6 on my Netgate:

                        I went into my gateway settings and updated it with a different monitoring IP. I forgot I did this with my IPv4 gateway when I set everything up.

                        I don't think that was the reason for the 100% packet loss of the gateway "WAN_DHCP6 (default)".
                        Actually, today mine also shows 100% packet loss:
                        Bildschirmfoto_2024-11-22_09-24-50.png
                        But at the same time all IPv6 connections run fine:
                        Bildschirmfoto_2024-11-22_09-29-41.png
                        As you can see above, ping6 works as well as traceroute (IPv6), like I would expect.

                        I am not sure why that is, but I suspect it's related to historical reasons. IPv6 is much younger than IPv4. In your configuration as well as in mine, that is taken into account here:
                        Bildschirmfoto_2024-11-22_09-37-50.png
                        We both select "Use IPv4 connectivity as parent interface (Request a IPv6 prefix/information through the IPv4 connectivity link)".
                        As far as I understand this, it means the initial setup of IPv6 uses the IPv4 connectivity. If that is correct, at this time the pfSense can't have any IPv6 gateway with a non-link-local address.
                        And it also seems this link-local gateway address is not used anymore after IPv6 connectivity is fully established. Why else would everything work fine even if the link-local gateway address is not reachable anymore after a while?
                        Finally I checked this:
                        Bildschirmfoto_2024-11-22_10-05-28.png
                        It's the output of a log of a Fritz!Box, which is very popular in Germany. It does not even show the IPv6 gateway in its log, just the IPv4 one. Since the Fritz!Box is what most ISPs here deliver to their customers if they order the ONT, cable modem or DSL modem in a router device directly from the ISP, I suspect the link-local IPv6 gateway address is not of value after you have running IPv6 connectivity.

                        Oh, and when I checked my WAN_DHCP6 status last time (two or three days ago) it was online, but now it's offline. No clue why that changed over time.

                        CatSpecial202C 1 Reply Last reply Reply Quote 0
                        • CatSpecial202 @eagle61

                          @eagle61 I did a bit of googling and, like you stated earlier, yes, this is the intended configuration.

                          The below article was helpful in my understanding. The confusion is in the difference between the two protocols IPv4 and IPv6. There is no equivalent link-local in IPv4, and in IPv6 the link-local is used in the neighbor discovery protocol, which is the upgraded implementation meant to replace ARP. So, the gateway should ALWAYS have some FE80:1 address and this is by design of the IPv6 protocol. The article mentions that it's possible to use something else but it's not recommended.

                          https://blogs.infoblox.com/ipv6-coe/fe80-1-is-a-perfectly-valid-ipv6-default-gateway-address/

                          Also, an old post in the forums that discusses a similar topic.

                          https://forum.netgate.com/topic/131599/how-to-retrieve-my-ipv6-default-gateway/6

                          GertjanG 1 Reply Last reply Reply Quote 0
                          • JKnott @CatSpecial202

                            @CatSpecial202 said in Setting up IPv6 on my Netgate:

                            Is this the default gateway for my network? We won't be able to visibly distinguish gateways like we do with IPv4?

                            Link local addresses are normal for IPv6 routing, though in some circumstances a global or unique local address can also be used. Remember, routing is normally to the next hop and a link local address is fine for that. In fact, with point to point links, you only need the interface. Check the router for computers on your LAN and you'll find it's a link local address.

                            As for gateway or router, the terms are more or less interchangeable, with gateway generally referring to your connection to the rest of the world rather than internal routing.

                            When you look at what a device says is the route, it will likely be a link local address, with the interface appended.

                            Here's the route or gateway from the computer I'm using:
                            fe80::4262:31ff:fe12:b66c dev em1

                            It lists the link local address of the LAN interface of pfSense and the interface ID on this computer.

                            And here's the default route or gateway from my pfSense box:
                            default fe80::217:10ff:fe9 UGS igb0

                            Again, it lists the gateway link local address and the pfSense interface.

                            As for the monitor address, it has to be one that responds to pings. On IPv6, I found I had to do a traceroute to Google and picked the 2nd hop address, as the first one, which is my gateway address, didn't respond.

                            Incidentally, there is a security benefit to using the link local address for routers. It's not reachable from outside.

                            E 1 Reply Last reply Reply Quote 1
                            • Gertjan @CatSpecial202

                              @CatSpecial202

                              Not important right now, but beware: problems are on the horizon.
                              The day you install and use pfBlockerng, the pfSense package, you have a LAN problem.
                              Because:
                              b8507d56-c646-4c6e-8de9-6fb637027f0f-image.png

                              is also used by pfBlockerng as a virtual IP :

                              0d230a60-3988-4396-a02b-d3e5318a29f1-image.png

                              And yes, you can change that 10.10.10.1 in pfBlockerng but as it conflicts with your LAN, the pfSense GUI probably won't work ....

                              No "help me" PM's please. Use the forum, the community will thank you.
                              Edit : and where are the logs ??

                              1 Reply Last reply Reply Quote 0
                              • eagle61 @JKnott

                                @JKnott and @CatSpecial202

                                Thanks to both of you for the helpful explanations and the additional links.

                                I have used firewalls for more than 10 years now, but I used IPFire, and this does not support IPv6 at all. They have promised to bring a new IPFire 3.0 supporting IPv6 for some years now, but there is still no final release visible on the horizon. So I switched in June from IPFire to pfSense, and therefore I still have to learn much about IPv6.

                                I now understand that the only problem, if the Gateway IPv6 with its fe80:: is shown as Offline, Packetloss: 100%, is that it does not respond to a ping6. This can be fixed by using a Monitor IP.
                                That sounds easy to solve.

                                But what I still do not understand is why my pfSense fe80:: link-local default gateway sometimes seems to answer pings and sometimes not, and what that depends on.

                                Some days ago I checked my Status / Gateways every early morning. The status of the pfSense fe80:: link-local default gateway was shown as online every early morning. But now in the afternoon it is offline. I did not change my pfSense config at all in the meantime. What happens in my case is that my ISP forces a reconnect every night. With this reconnect I get a new IPv4 and IPv6 address as well as a new IPv6 prefix every night.
                                But I would also think a reconnect should not affect the link-local addresses, and certainly not whether they answer a ping or not.

                                @JKnott said in Setting up IPv6 on my Netgate:

                                As for the monitor address, it has to be one that responds to pings. On IPv6, I found I had to do a traceroute to Google and picked the 2nd hop address, as the first one, which is my gateway address, didn't respond.

                                This is my traceroute to google from pfsense shell:
                                traceroute6 google.com
                                traceroute6 to google.com (2a00:1450:4001:812::200e) from 2a02:3100:XXXX:XXXX:XXXX:ff:XXXX:XXXX, 64 hops max, 28 byte packets
                                1 2a02:3001::208 7.840 ms 7.976 ms 7.793 ms
                                2 2a02:3001::13c 6.973 ms 7.041 ms 7.519 ms

                                Both the No 1 and No 2 answer pings. But those are not link local and might change after the reconnect every night. So that seems not to be a good solution.

                                Additionally, I also checked Status / Interfaces -> WAN Interface:
                                What I see there are two IPv6 link-local addresses:

                                • IPv6 Link Local: fe80::XXXX:ff:XXXX:XXXX%pppoe0
                                • Gateway IPv6: fe80::ae99:29ff:fe6e:30e2%pppoe0

                                in my case (since I use PPPoE) with the %pppoe0 at the end.
                                Also, the IPv6 Link Local does answer a ping6, and it is fixed: since "Interface-ID" (ex. ::6743:12::f9aa::44a1) or "EUI-64 MAC" (ex. 3C:49:37:12:26:B3) is used to create the part after fe80::, it's a fixed IPv6 address that will never change, unless I change the NIC itself.
                                So I suspect the IPv6 Link Local address would be best to use as Monitor IP in System / Routing / Gateways for the WAN_DHCP6.

                                JKnottJ 1 Reply Last reply Reply Quote 0
                                • JKnott @eagle61

                                  @eagle61 said in Setting up IPv6 on my Netgate:

                                  Both the No 1 and No 2 answer pings. But those are not link local and might change after the reconnect every night. So that seems not to be a good solution.

                                  Only the gateway link local address can be used. Any other will be unreachable, as you can't route to them. This means you have to use a routeable public address.

                                  So I suspect the IPv6 Link Local address would be best to use as Monitor IP in System / Routing / Gateways for the WAN_DHCP6.

                                  The one to use is the one that responds.

                                  E 1 Reply Last reply Reply Quote 0
                                  • eagle61 @JKnott

                                    @JKnott said in Setting up IPv6 on my Netgate:

                                    The one to use is the one that responds.

                                    Yes, as I thought too, and I did it on my pfSense in the meantime and now all looks fine.

                                    Bildschirmfoto_2024-11-22_18-28-58.png

                                    The IPv6 address marked with the red dot answers pings; the one with the black dot does not answer pings, but was used by pfSense in the default configuration and is still used in the next screenshot as Gateway IP

                                    Bildschirmfoto_2024-11-22_18-29-15.png

                                    but the Monitor IP is now the one with the red dot. Before, both were the same (the one marked with the black dot).

                                    GertjanG 1 Reply Last reply Reply Quote 0
                                    • Gertjan @eagle61

                                      @eagle61

                                      Euh ... lol. Normally, you would hide your 2a02:..... (GUA ?) address.
                                      The fe80 are like RFC1918, we all use the same ones. These are local and are not usable / routable on the Internet.
                                      007aae00-e6fc-4532-9276-b485102e8f3a-image.png

                                      JKnottJ 1 Reply Last reply Reply Quote 0
                                      • JKnott @Gertjan

                                        @Gertjan said in Setting up IPv6 on my Netgate:

                                        The fe80 are like RFC1918

                                        Actually, unique local addresses are like RFC1918. You can pick whatever addresses you want within the ULA block and, like RFC1918 addresses, they are routeable, just not on the public Internet.

                                        1 Reply Last reply Reply Quote 1
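
Added example, not written by any poster in this thread: it sorts the kinds of address discussed above (link-local fe80::/10, unique local fc00::/7, global unicast 2000::/3) and shows how an EUI-64 interface identifier is derived from a MAC address and recovered from it again, which is why such an address stays fixed for a given NIC and also reveals the NIC's MAC. The gateway address, the traceroute hop and the sample MAC are taken from the posts; the ULA address and the function names are constructed for this example.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def _parse(addr: str) -> ipaddress.IPv6Address:
    # Drop a zone suffix such as %mvneta0 or %pppoe0 before parsing.
    return ipaddress.IPv6Address(addr.split("%")[0])


def scope(addr: str) -> str:
    """Classify an IPv6 address by the block it falls in."""
    ip = _parse(addr)
    if ip in LINK_LOCAL:
        return "link-local"      # valid on one link only, never forwarded
    if ip in UNIQUE_LOCAL:
        return "unique-local"    # routable inside a site, not on the Internet
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Build the fe80:: address an interface derives from its MAC (EUI-64)."""
    octets = bytearray(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02            # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def mac_from_eui64(addr: str):
    """Recover the MAC from an EUI-64 based address, or None if it is not one."""
    iid = bytearray(_parse(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":  # ff:fe in the middle marks an EUI-64 identifier
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    samples = [
        "fe80::21c:73ff:fe00:99%mvneta0",  # gateway address from the thread
        "2a02:3001::208",                  # first traceroute hop from the thread
        "fd12:3456:789a::1",               # constructed ULA
    ]
    for s in samples:
        print(f"{s:34} {scope(s):13} MAC: {mac_from_eui64(s)}")
    # 3C:49:37:12:26:B3 is the example MAC quoted in the thread.
    print(eui64_link_local("3C:49:37:12:26:B3"))
```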