Netgate Discussion Forum

    Setting up IPv6 on my Netgate

    • JKnottJ Offline
      JKnott @eagle61
      last edited by

      @eagle61 said in Setting up IPv6 on my Netgate:

      DHCPv6 Prefix Delegation size 64

      That's the size he's requesting. Mine's set to 56, as you show in your own example. I don't know what Comcast offers, but /60 sounds right. He should try that. If he requests a /64, then that's all he'll get.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • CatSpecial202C Offline
        CatSpecial202 @Gertjan
        last edited by

        @Gertjan I actually plan to do a separate post about my DNS setup. I was working on troubleshooting and testing that a bit before I responded here.

        Thank you to everyone for all the responses. Just to be clear, I am passing all the tests on https://test-ipv6.com/ with a 10/10. Oh, and my modem's only option is bridge mode; it's a very basic Netgear CM600.

        Maybe I should have initially requested a 60 block? I just attempted to get a new one. I only changed the below options. I then went to my WAN interface and released my WAN interface and asked to renew it, but it looks like I got a response with the same configuration. I wasn't expecting it to work.

        ChatGPT 😛 gave me two options for potentially getting a new WAN.

        #1: I could turn off my modem and firewall for a few hours and then maybe my existing WAN IP will get reassigned to someone else, and when I come back and turn it on I'll get a new assignment.

        #2: I could change my MAC address in the spoof MAC address section and my ISP will think I have a new device and assign me a new WAN.

        What do you think about these options?

        Should I be unselecting this option? What exactly does this do?
        Do not allow PD/Address release
        dhcp6c will send a release to the ISP on exit, some ISPs then release the allocated address or prefix. This option prevents that signal ever being sent

        Here are all the options I have selected. I also removed the blocking portion.

        Interfaces -> WAN

        • IPv6 Config Type DHCP6
        • Use IPv4 connectivity as parent interface
        • DHCPv6 Prefix Delegation size 60
        • Send IPv6 prefix Hint
        • Do not wait for RA

        Screenshot 2024-11-21 at 21.34.22.png

        The result of my wan interface being released. I also included the LAN

        Screenshot 2024-11-21 at 21.43.56.png

        @eagle61 here is my ifconfig output

        Why is my gateway interface that link local address? How can I get that to go away and actually monitor my IPv6 WAN?

        Screenshot 2024-11-21 at 21.33.10.png

        • JKnottJ Offline
          JKnott @CatSpecial202
          last edited by

          @CatSpecial202 said in Setting up IPv6 on my Netgate:

          Why is my gateway interface that link local address? How can I get that to go away and actually monitor my IPv6 WAN?

          Using the link local address is entirely normal with IPv6. It's the same with mine. You use the global address for stuff like VPNs, etc. The link local address should be the address for your gateway, not your own router.

          • CatSpecial202C Offline
            CatSpecial202 @JKnott
            last edited by CatSpecial202

            @JKnott Why is it normal to have IPv6 and then link local on the gateway? What exactly is the difference between the gateway and the WAN? Is this just weird looking because of IPv6?

            Ohhhh, I think I just realized.

            Is this the default gateway for my network? We won't be able to visibly distinguish gateways like we do with IPv4?

            With IPv4, if I have the IP address 10.10.10.14, my default gateway is 10.10.10.1?

            fe80::21c:73ff:fe00:99%mvneta0 <--- this is the gateway for my IPv6 WAN address?
            2001:xxx:xxx:xx:5d33:xxx:c499:69b5 <--- Address on WAN

            2601:xx:xxxx:xxxx:92ec:77ff:fe5b:35db <--- this is the address on my LAN

            What is the gateway for this LAN address?

            I went into my gateway settings and updated it with a different monitoring IP. I forgot I did this with my IPv4 gateway when I set everything up.

            6508c667-8209-4801-8759-4f43317760e8-image.png

            and now i have

            b38c47d2-6611-4e43-a2e3-af363ce1be0b-image.png

            • E Offline
              eagle61
              last edited by

              @CatSpecial202 said in Setting up IPv6 on my Netgate:

              I went into my gateway settings and updated it with a different monitoring IP. I forgot I did this with my IPv4 gateway when I set everything up.

              I don't think that was the reason for the 100% packet loss of the gateway "WAN_DHCP6 (default)".
              Actually, today mine also shows 100% packet loss:
              Bildschirmfoto_2024-11-22_09-24-50.png
              But at the same time all IPv6 connections run fine:
              Bildschirmfoto_2024-11-22_09-29-41.png
              As you can see above,
              ping6 works as well as traceroute (IPv6), like I would expect.

              I am not sure why that is, but I suspect it's related to historical reasons. IPv6 is much younger than IPv4. In your configuration as well as in mine, that is taken into account here:
              Bildschirmfoto_2024-11-22_09-37-50.png
              We both select Use IPv4 connectivity as parent interface (Request a IPv6 prefix/information through the IPv4 connectivity link).
              As far as I understand this, it means the initial setup of IPv6 uses the IPv4 connectivity. If that is correct, at this time the pfSense can't have any IPv6 gateway with a non-link-local address.
              And it also seems this link-local gateway address is not used anymore after IPv6 connectivity is fully established. Why else would everything work fine even if the link-local gateway address is not reachable anymore after a while?
              Finally I checked this:
              Bildschirmfoto_2024-11-22_10-05-28.png
              It's the output of a log of a Fritz!Box, which is very popular in Germany. It does not even show the IPv6 gateway, just the IPv4 one, in its log. Since the Fritz!Box is what most ISPs here deliver to their customers if they order the ONT, cable modem or DSL modem in a router device directly from the ISP, I suspect the link-local IPv6 gateway address is not of value after you have running IPv6 connectivity.

              Oh, and when I checked my WAN_DHCP6 status last time (two or three days ago) it was online, but now it's offline. No clue why that changed over time.

              • CatSpecial202C Offline
                CatSpecial202 @eagle61
                last edited by CatSpecial202

                @eagle61 I did a bit of googling and, like you stated earlier, yes, this is the intended configuration.

                The below article was helpful in my understanding. The confusion is in the difference between the two protocols IPv4 and IPv6. There is no equivalent link-local in IPv4, and in IPv6 the link-local is used in the neighbor discovery protocol, which is the upgraded implementation meant to replace ARP. So, the gateway should ALWAYS have some FE80:1 address and this is by design of the IPv6 protocol. The article mentions that it's possible to use something else but it's not recommended.

                https://blogs.infoblox.com/ipv6-coe/fe80-1-is-a-perfectly-valid-ipv6-default-gateway-address/

                Also, an old post in the forums that discusses a similar topic.

                https://forum.netgate.com/topic/131599/how-to-retrieve-my-ipv6-default-gateway/6

                • JKnottJ Offline
                  JKnott @CatSpecial202
                  last edited by

                  @CatSpecial202 said in Setting up IPv6 on my Netgate:

                  Is this the default gateway for my network? We won't be able to visibly distinguish gateways like we do with IPv4?

                  Link local addresses are normal for IPv6 routing, though in some circumstances a global or unique local address can also be used. Remember, routing is normally to the next hop and a link local address is fine for that. In fact, with point to point links, you only need the interface. Check the router for computers on your LAN and you'll find it's a link local address.

                  As for gateway or router, the terms are more or less interchangeable, with gateway generally referring to your connection to the rest of the world rather than internal routing.

                  When you look at what a device says is the route, it will likely be a link local address, with the interface appended.

                  Here's the route or gateway from the computer I'm using:
                  fe80::4262:31ff:fe12:b66c dev em1

                  It lists the link local address of the LAN interface of pfSense and the interface ID on this computer.

                  And here's the default route or gateway from my pfSense box:
                  default fe80::217:10ff:fe9 UGS igb0

                  Again, it lists the gateway link local address and the pfSense interface.

                  As for the monitor address, it has to be one that responds to pings. On IPv6, I found I had to do a traceroute to Google and picked the 2nd hop address, as the first one, which is my gateway address, didn't respond.

                  Incidentally, there is a security benefit to using the link local address for routers. It's not reachable from outside.

                  • GertjanG Offline
                    Gertjan @CatSpecial202
                    last edited by Gertjan

                    @CatSpecial202

                    Not important right now, but beware: problems are on the horizon.
                    The day you install and use pfBlockerng, the pfSense package, you have a LAN problem.
                    Because:
                    b8507d56-c646-4c6e-8de9-6fb637027f0f-image.png

                    is also used by pfBlockerng as a virtual IP :

                    0d230a60-3988-4396-a02b-d3e5318a29f1-image.png

                    And yes, you can change that 10.10.10.1 in pfBlockerng but as it conflicts with your LAN, the pfSense GUI probably won't work ....

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    • E Offline
                      eagle61 @JKnott
                      last edited by

                      @JKnott and @CatSpecial202

                      thanks to both of you for the helpful explanations and the additional links.

                      I have been using firewalls for more than 10 years now, but I used IPFire, and it does not support IPv6 at all. They have promised a new IPFire 3.0 supporting IPv6 for some years now, but there is still no final release visible on the horizon. So I switched from IPFire to pfSense in June, and therefore I still have a lot to learn about IPv6.

                      I now understand that the only problem when the IPv6 gateway with its fe80:: address is shown as Offline, Packetloss: 100% is that it does not respond to a ping6. This can be fixed by using a Monitor IP.
                      That sounds easy to solve.

                      But what I still do not understand is why my pfSense fe80:: link-local default gateway sometimes seems to answer pings and sometimes not, and what that depends on.

                      For some days I checked my Status / Gateways every early morning. The status of the pfSense fe80:: link-local default gateway was shown as online every early morning. But now in the afternoon it is offline. I did not change my pfSense config at all in the meantime. What happens in my case is that my ISP forces a reconnect every night. With this reconnect I get a new IPv4 and IPv6 address as well as a new IPv6 prefix every night.
                      But I would also think a reconnect should not affect the link-local addresses, and certainly not whether they answer a ping or not.

                      @JKnott said in Setting up IPv6 on my Netgate:

                      As for the monitor address, it has to be one that responds to pings. On IPv6, I found I had to do a traceroute to Google and picked the 2nd hop address, as the first one, which is my gateway address, didn't respond.

                      This is my traceroute to google from pfsense shell:
                      traceroute6 google.com
                      traceroute6 to google.com (2a00:1450:4001:812::200e) from 2a02:3100:XXXX:XXXX:XXXX:ff:XXXX:XXXX, 64 hops max, 28 byte packets
                      1 2a02:3001::208 7.840 ms 7.976 ms 7.793 ms
                      2 2a02:3001::13c 6.973 ms 7.041 ms 7.519 ms

                      Both No. 1 and No. 2 answer pings. But those are not link-local and might change after the reconnect every night. So that does not seem to be a good solution.

                      Additionally, I also checked Status / Interfaces -> WAN Interface:
                      What I see there are two IPv6 link-local addresses:

                      • IPv6 Link Local: fe80::XXXX:ff:XXXX:XXXX%pppoe0
                      • Gateway IPv6: fe80::ae99:29ff:fe6e:30e2%pppoe0

                      in my case (since I use PPPoE) with the %pppoe0 at the end.
                      Also, the IPv6 Link Local does answer a ping6, and it is fixed: since "Interface-ID" (ex. ::6743:12::f9aa::44a1) or "EUI-64 MAC" (ex. 3C:49:37:12:26:B3) is used to create the part after fe80::, it's a fixed IPv6 address that will never change, unless I change the NIC itself.
                      So I suspect the IPv6 Link Local address would be the best one to use as Monitor IP in System / Routing / Gateways for the WAN_DHCP6.

                      • JKnottJ Offline
                        JKnott @eagle61
                        last edited by

                        @eagle61 said in Setting up IPv6 on my Netgate:

                        Both No. 1 and No. 2 answer pings. But those are not link-local and might change after the reconnect every night. So that does not seem to be a good solution.

                        Only the gateway link local address can be used. Any other will be unreachable, as you can't route to them. This means you have to use a routeable public address.

                        So I suspect the IPv6 Link Local address would be the best one to use as Monitor IP in System / Routing / Gateways for the WAN_DHCP6.

                        The one to use is the one that responds.

                        • E Offline
                          eagle61 @JKnott
                          last edited by eagle61

                          @JKnott said in Setting up IPv6 on my Netgate:

                          The one to use is the one that responds.

                          Yes, as I thought too, and I did it on my pfSense in the meantime and now all looks fine.

                          Bildschirmfoto_2024-11-22_18-28-58.png

                          The IPv6 address marked with the red dot answers pings; the one with the black dot does not answer pings, but was used by pfSense in the default configuration and is still used in the next screenshot as Gateway IP

                          Bildschirmfoto_2024-11-22_18-29-15.png

                          but the Monitor IP is now the one with the red dot. Before, both were the same (the one marked with the black dot).

                          • GertjanG Offline
                            Gertjan @eagle61
                            last edited by

                            @eagle61

                            Euh ... lol. Normally, you would hide your 2a02:..... (GUA ?) address.
                            The fe80 are like RFC1918, we all use the same ones. These are local and are not usable / routable on the Internet.
                            007aae00-e6fc-4532-9276-b485102e8f3a-image.png

                            • JKnottJ Offline
                              JKnott @Gertjan
                              last edited by

                              @Gertjan said in Setting up IPv6 on my Netgate:

                              The fe80 are like RFC1918

                              Actually, unique local addresses are like RFC1918. You can pick whatever addresses you want within the ULA block and, like RFC1918 addresses, they are routeable, just not on the public Internet.

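Added example (not part of any post in this thread): a small Python sketch of the address scopes discussed above (link-local vs. unique local vs. global unicast), why a link-local gateway is written with an interface zone such as %pppoe0, and how an EUI-64 interface ID is built from a MAC address and can be read back out of an address someone posts. The function names and the ULA address fd12:3456:789a::1 are constructed for illustration; the other sample values are ones quoted in the thread.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")   # unique local: the RFC1918 analogue
GUA = ipaddress.IPv6Network("2000::/3")   # global unicast: publicly routable

def split_zone(addr):
    """Split 'fe80::1%pppoe0' into (IPv6Address, 'pppoe0'); zone is None if absent."""
    host, _, zone = addr.partition("%")
    return ipaddress.IPv6Address(host), (zone or None)

def classify(addr):
    """Return the scope class of an IPv6 address, ignoring any %zone suffix."""
    ip, _ = split_zone(addr)
    if ip.is_link_local:
        return "link-local"       # fe80::/10: next-hop use only, never forwarded
    if ip in ULA:
        return "unique-local"     # routable inside a site, not on the Internet
    if ip in GUA:
        return "global-unicast"
    return "other"

def is_unambiguous(addr):
    """Every interface has fe80::/10, so a link-local address needs a zone."""
    ip, zone = split_zone(addr)
    return zone is not None if ip.is_link_local else True

def eui64_link_local(mac):
    """Build the EUI-64 link-local address for a MAC like '3C:49:37:12:26:B3'."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    octets[0] ^= 0x02                                  # flip universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))

def mac_from_eui64(addr):
    """Recover the MAC embedded in an EUI-64 interface ID, or None if not EUI-64."""
    ip, _ = split_zone(addr)
    iid = ip.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                                    # random or manual interface ID
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    samples = (
        "fe80::ae99:29ff:fe6e:30e2%pppoe0",   # gateway address quoted in the thread
        "2a02:3001::208",                     # first traceroute hop quoted in the thread
        "fd12:3456:789a::1",                  # constructed ULA address
    )
    for a in samples:
        print(f"{a:36} {classify(a):15} unambiguous={is_unambiguous(a)}")
    ll = eui64_link_local("3C:49:37:12:26:B3")          # example MAC from the thread
    print(ll, "->", mac_from_eui64(ll))
```

Because the interface ID survives a prefix change, redacting only the prefix of an EUI-64 address still leaves the MAC-derived part visible.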
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.