IPv6 connectivity NAT
-
Hello,
I've been trying to setup my IPv6 on my LAN but not sure about it. First my setup is slight complex due to the fact I am with UK ISP provider Hyperoptic which does Carier Grade NAT (CG-NAT). See below for some visulization
pfsense has the WAN interface which gets both IPv4 and IPv6 through DHCP both. I can confirm I can connect with SSH to the pfsense and ping external IPv6 addresses.
Internally the workstation it getting IPv4 normally and everything works on that but tcan't figure out the IPv6 settings. Do i need to run DHCP6 or can relay that ? Has anyone a similar setup and got it working?
Regards,
Leonidas -
I doubt your carrier is using CGNAT for IPv6. At the very least you should be getting a /64 prefix, though generally you'll get more. What does your ISP offer? Mine gives me a /56, which is 256 /64s, each of which contains 18.4 billion, billion addresses.
Also, don't use DHCP6, if you don't have a specific need for it, as Android devices won't work with it. Use SLAAC instead. You should also mention the type of connection to your ISP, as that can affect configuration details.
-
@JKnott said in IPv6 connectivity NAT:
I doubt your carrier is using CGNAT for IPv6. At the very least you should be getting a /64 prefix, though generally you'll get more. What does your ISP offer? Mine gives me a /56, which is 256 /64s, each of which contains 18.4 billion, billion addresses.
Thanks for the reply! That's a fair point - The IPv6 is provided with /56 prefix.
Also, don't use DHCP6, if you don't have a specific need for it, as Android devices won't work with it. Use SLAAC instead. You should also mention the type of connection to your ISP, as that can affect configuration details.
So in order to use SLAAC I need to disable Router Advertisement or one of the other fields ?
See my IPS router WAN connection status - blurred out the sensitive bits:
-
@JKnott said in IPv6 connectivity NAT:
Also, don't use DHCP6, if you don't have a specific need for it, as Android devices won't work with it. Use SLAAC instead. You should also mention the type of connection to your ISP, as that can affect configuration details.
OK as soon as I switch from DHCPv6 on the WAN interface to SLAAC I lost IPv6 connectivity to the outside world from the pfsense. So clearly that's not working ok for me.
-
@artafinde said in IPv6 connectivity NAT:
as soon as I switch from DHCPv6 on the WAN interface to SLAAC I lost IPv6 connectivity
That is expected. On WAN you have to keep DHCPv6, not on LAN though. And does your first router do prefix delegation? Most can't do it.
-
@Bob-Dig said in IPv6 connectivity NAT:
That is expected. On WAN you have to keep DHCPv6, not on LAN though.
OK WAN interface now with DHCPv6 works. This assigns a IPv6 on the WAN interface:
*** Welcome to pfSense 2.7.2-RELEASE (amd64) on pfSense *** WAN (wan) -> igb0 -> v4/DHCP4: 10.0.0.2/24 v6/DHCP6: 2a01:4b00:xxxx:xxxx:xxx:xxxx:xxxx:b024/128Interesting the SLAAC you see it's saying:
MAN (lan) -> igb1 -> v4: 10.120.10.1/24 v6/SLAAC: ::10.10.10.1/128@Bob-Dig said in IPv6 connectivity NAT:
And does your first router do prefix delegation? Most can't do it.
How can I find out? I don't think so to be honest it's
ZTE H3600 V9 V9.0.24P14_HOPI think chinese made - didn't delve too much into. -
@artafinde said in IPv6 connectivity NAT:
OK as soon as I switch from DHCPv6 on the WAN interface to SLAAC I lost IPv6 connectivity to the outside world from the pfsense. So clearly that's not working ok for me.
Use SLAAC on the LAN side, so your devices get IPv6 addresses. You still have to use DHCP6 on the WAN.
Here's the info on my ISP, which may give you an idea of what to do. Their connection is via cable modem.
-
@artafinde said in IPv6 connectivity NAT:
How can I find out? I don't think so to be honest
The usual procedure is to put the modem in bridge mode.
-
Yeah bridge mode doesn't exist of course on these :)
I'll try setting the LAN to Track Interface instead of SLAAC since this doesn't work now as I see from your thread.
-
Neither SLAAC nor Track Interface on LAN assigns a proper IPv6 on my linux workstation.
➜ ip a [..] 3: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether a8:5e:45:11:95:be brd ff:ff:ff:ff:ff:ff altname enxa85e451195be inet 10.120.10.20/24 metric 1024 brd 10.120.10.255 scope global dynamic enp6s0 valid_lft 6506sec preferred_lft 6506sec inet6 fe80::aa5e:45ff:fe11:95be/64 scope link proto kernel_ll valid_lft forever preferred_lft forever [..]I'm thinking it has something to do with the
systemd-networkdconfiguration:That's Default config from Arch Linux systemd + the below:
# /etc/systemd/network/wired.network [Match] Name=enp* [Network] DHCP=yesAccording to systemd man page DHCP=yes makes IPv4 and IPv6 configure with dhcp. Maybe I'm thinking I need to set something different for IPv6 from the systemd examples https://man.archlinux.org/man/systemd.network.5#EXAMPLES
-
@artafinde said in IPv6 connectivity NAT:
Yeah bridge mode doesn't exist of course on these :)
Then pfSense will not be able to provide IPv6 to your LAN. It seems strange the ISP would provide a /56 without a way to use it.
-
@JKnott
I don't need public IPv6 addresses to my LAN - i just need to be able to route IPv6 traffic outside to the internet.Reading in the web the Hyperoptic router does prefix delegation as if i difectly connect to it with wifi (macos) i get a working ipv6 with a /64 range.
-
@artafinde said in IPv6 connectivity NAT:
I'll try setting the LAN to Track Interface
This should work.
Your WAN DHCPv6 client obtains a WAN IPv6 - and you've shown already above you have a 'valid' IPv6 for this interface.
Hook up another device, like a Windows PC, to your ISP router, and it will also obtain an IPv6.
pfSense is a router, so it will ask more from the upstream DHCP (ISP) DHCPv6 server : it ask for an IPv6, right - but also a prefix.
You told use that it has a /56 for you - like my ISP.
This means that it uses (probably) one of these /65, a /64, to be used on it's LAN network - and pfSense's WAN interface will obtain an IPv6 lying in this prefix. So one prefix is used, 255 are left for you to use /64-/56 = 8, and 2^8 = 256.
Your DHCPv6 WAN client will, if at least one pfSense LAN interface is set to 'tracking', try to obtain a prefix (a /64 block) so it can be sued for this LAN. because you have a /56 available, your pfSEbnse could offer 255 LAN interfaces, all with their own /64 prefix.Example : my ISP router announces to me it has a /56 for me :
So I set my LAN to IPv6 tracking :
and below :
where I selct from the WAN interface prefix number "0 out 0" (actually 1 out 1 available).
I can see this /64 prefix "eb" or decimal 235 prefix being used on the DHCPv6 LAN server page :
where I declared a IPv6 DHCP pool from ::2 to ::86 - the other ::87 to ::fff:ffff:ffff:ffff are available for other devices ( a couple of zillion other devices
).Now all my LAN devices are using an IPv6 out of this pool or prefix, as they all prefer IPv6 over IPv4.
edit : forget to add my personal thought about SLAAC : I don't have any.
Also : I never used or owned a android device, so I can stay with "DHCP", the IPv6 way. -
@artafinde said in IPv6 connectivity NAT:
i just need to be able to route IPv6 traffic outside to the internet
Why is that? There is no IPv6-only-internet, as far as I know.
Technically, you could NAT IPv6 the same way as IPv4. But it doesn't make much sense.
-
@Bob-Dig said in IPv6 connectivity NAT:
Why is that? There is no IPv6 only internet, as far as I know.
Interesting.
After reading this IPv6 description - and if you accept that what's said over there as 'probably exact' you have a choice to make.
Edit that page.
Or accepts thatInternet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP)
thus one might sat that IPv6 is an important part (and still growing) of the Internet.
-
@Bob-Dig said in IPv6 connectivity NAT:
Why is that? There is no IPv6-only-internet, as far as I know.
I need to be able to connect to servers which have only IPv6 ip through SSH.
-
@artafinde said in IPv6 connectivity NAT:
I need to be able to connect to servers which have only IPv6 ip through SSH
If everything else already mentioned here doesn't work for you, you could
- switch Outbound NAT to hybrid
- take a look, what pfSense is doing for Outbound NAT on IPv4 and then replicate that manually to IPv6. For that you will have to add ULA to your LAN.
-
@artafinde said in IPv6 connectivity NAT:
I don't need public IPv6 addresses to my LAN - i just need to be able to route IPv6 traffic outside to the internet.
Why not find out how to put your modem into bridge mode and do things properly. NAT was created to get around the IPv4 address shortage. No need for it with IPv6.
-
@Gertjan
Thanks for the details reply! I followed your steps but something is missing still. See belowFirst made sure the router gets an IPv6 on WAN interface with a proper prefix:
<snips from ssh>WAN (wan) -> igb0 -> v4/DHCP4: 10.0.0.2/24 v6/DHCP6: 2a01:4b00:xxxx:de00:20d:b9ff:fe4f:b024/64Then as you suggested (lan) interface gets to track WAN IPv6
and
but this gets a /128 as you see below:
MAN (lan) -> igb1 -> v4: 10.120.10.1/24 v6/t6: ::10.10.10.1/128Is that ok I wonder..
I've setup DHCPv6 for lan interface
And I've set the Router Advertisement as below
I see in the logs the below error:
/status_services.php: The command '/usr/local/sbin/radvd -p /var/run/radvd.pid -C /var/etc/radvd.conf -m syslog' returned exit code '1', the output was '/var/etc/radvd.conf:12 error: syntax error'The radvd.conf is like below so it complains about
prefix ::a0a:a01/128?# Automatically Generated, do not edit # Generated for DHCPv6 Server lan interface igb1 { AdvSendAdvert on; MinRtrAdvInterval 200; MaxRtrAdvInterval 600; AdvDefaultLifetime 1800; AdvLinkMTU 1500; AdvDefaultPreference medium; AdvManagedFlag off; AdvOtherConfigFlag on; prefix ::a0a:a01/128 { DeprecatePrefix on; AdvOnLink on; AdvAutonomous on; AdvValidLifetime 86400; AdvPreferredLifetime 14400; }; route ::/0 { AdvRoutePreference medium; RemoveRoute on; }; };Not sure what's the error or where i messed up but workstation doesn't get an IP from pfsense.
PS:I've tried connected to the ISP router with laptop and IPv6 works 100%. (gets assigned a /64 IPv6).
-
@artafinde Your router doesn't delegate so you can't do what Gertjan has done.
