Verizon 5G Home Internet
-
@meluvalli Interesting. I'm not hosting a DNS, but I'm hosting a VPN successfully, using UDP.
Was Verizon blocking both TCP and UDP ports 53 ?I tried to follow the settings at https://forum.netgate.com/topic/155534/verizon-fios-and-ipv6-which-settings-work/30 which are for Verizon FiOS. Unfortunately, those did not work. LAN clients are only getting link-local IPv6 addresses.
The WAN interface in pfSense does get a public IPv6 address and gateway, though.
-
@madbrain said in Verizon 5G Home Internet:
The WAN interface in pfSense does get a public IPv6 address and gateway, though.
That would indicate they're not using DHCPv6-PD to provide IPv6. Without it, you get IPv6 on the WAN side, but not LAN. My cell company does the same. So, the phone gets an address, as does any tethered device.
-
@JKnott said in Verizon 5G Home Internet:
@madbrain said in Verizon 5G Home Internet:
The WAN interface in pfSense does get a public IPv6 address and gateway, though.
That would indicate they're not using DHCPv6-PD to provide IPv6. Without it, you get IPv6 on the WAN side, but not LAN. My cell company does the same. So, the phone gets an address, as does any tethered device.
I'm dragging up the old thread because I'm in this same position, except I'm not using IP/IPv6 passthrough. Here is a picture from my Verizon Internet Gateway of the IPv6 configuration page
and my current pfSense Interface Status (I couldn't do anything using :2729, so I set my LAN to :2730::)
My configurations are:
- WAN Side:
IPv6 Configuration Type: DHCP6
Request only an IPv6 prefix: UnChecked
DHCPv6 Prefix Delegation size: 64
Send IPv6 prefix hint: UnChecked - LAN Side:
IPv6 Configuration Type: Static IPv6
IPv6 Address: 2600:......:2730::
IPv6 Prefix Length: /64
And my DHCPv6 Server is set up to send :1000 to :2000.
Anything that connects directly to the Internet Gateway gets a valid IPv6 address and can pass traffic. if it goes through pfSense it doesn't pass traffic--although it does get an IPv6 address in the 2730:: range.
Any suggestions? I was using a Tunnel through HE, but virtually everything blocks that (at least they do mine). So, I would rather use the IPv6 that Verizon gives me.
Have a great day. :)
Patrick. - WAN Side:
-
@patrickdickey52761 said in Verizon 5G Home Internet:
That would indicate they're not using DHCPv6-PD to provide IPv6. Without it, you get IPv6 on the WAN side, but not LAN. My cell company does the same. So, the phone gets an address, as does any tethered device.
I'm dragging up the old thread because I'm in this same position, except I'm not using IP/IPv6 passthrough. Here is a picture from my Verizon Internet Gateway of the IPv6 configuration page
See the above that I wrote earlier. Cell networks generally don't provide DHCPv6-PD to connected devices. This means pfSense cannot provide IPv6 to the LAN side.
-
@JKnott Yes, but it's really odd. It used to work in the past. I cancelled my service last year and just recently restored it. And now it doesn't work anymore, somehow. Weird that they would have broken this. I could try to switch the Comcast XB8 modem/gateway to router mode, and bypass pfSense temporarily, to see what happens to clients, and whether they get IPv6 or not.
-
@madbrain And right after I posted this, I visited test-ipv6.com, and it passed. Without me making a single config change in pfSense. Go figure.
-
@patrickdickey52761 said in Verizon 5G Home Internet:
IPv6 Configuration Type: Static IPv6
IPv6 Address: 2600:......:2730::Your Phone ISP gave you
to use.
I presume a 2600 : abcd : efgh : 2729::/64You can't assign yourself the
= 2600 : abcd : efgh : 2730::/64
as it's probably already assigned to another client.
And even if it "seems" to work, they don't route (back) this :2730: to you anyway.As said, the phone carrier don't offer "prefixes" as they offer a /64 for every client. These clients (you, your device) are not routers but 'end devices' (not sure about the correct word for this).
Are you sure about :
Static WAN Ipv6 .... why not, but its very are.
I'm using DHCPv6 and I always get the same IPv6 WAN - lucky me, as constanly changing Ipv6 'base' and prefixes is a nightmare to handle.
Some new law here in "Europe" now says : it has to change ones a year at least for my 'protection'...
-
@Gertjan So let me ask this. Is there an easy way to allow IPv6 traffic through my WAN interface in such a way that all devices on the LAN side can get their addresses?
What I mean is this... My Verizon modem gives everything on the LAN side an IPv6 address. Can I open up pfSense in such a way that the clients on the LAN side will get their IPv6 addresses from the Verizon modem? I don't want to have to remove the pfSense firewall, even though it's not protecting everything. But, if I have to, I will.
Have a great day and thank you. :)
Patrick. -
@patrickdickey52761 said in Verizon 5G Home Internet:
Can I open up pfSense in such a way that the clients on the LAN side will get their IPv6 addresses from the Verizon modem?
That means that you would have this situation :
pfSense WAN : for example : 2600 : abcd : efgh : 2729 : ce40 : d0ff : fea9 : 5e02
pfSense LAN : for example : something between 2600 : abcd : efgh : 2729 :: 1000 and :: 2000That the same situation as :
WAN 182.168.1.1
LAN 192.168.1.2
and you know what that does : it breaks routingMaybe this :
If you could 'break' up your /64 in parts, like 16 /68.
Network number 12, or 'C' is the C here 2600 : abcd : efgh : 2729 : c
The first 2600 : abcd : efgh : 2729 : 0 /68 assign it to LAN
The second, 2600 : abcd : efgh : 2729 : 1 /68 assign it to LAN2
The third 2600 : abcd : efgh : 2729 : 2 /68 assign it to LAN3
and so on.
....
The twelfth 2600 : abcd : efgh : 2729 : c /68 assign it to WAN !
....You probably have to set up the pfSense WAN IPv6 with the /68 manually and 2600 : abcd : efgh : 2729 : c(40 : d0ff : fea9 : 5e02)
LAN 2600 : abcd : efgh : 2729 : 0(0 : 0 : 0 : 1) = 2600 : abcd : efgh : 2729 : :1 /68
The DHCPv6 Pool 2600 : abcd : efgh : 2729 : : 1000 => ::2000 /68This looks somewhat to what we could be doing with IPv4 and I'm not sure if this /64 are "RFC law" or that you can sub device the already huge /64 for your own needs.
For example 16 blocks of /68 as shown above.
Btw 68-64=4 ... bits = 1 hex nibble = [0....F] or '0000' to '1111' binary.This has nothing to do with the firewall btw.
This is a routing issue. You can disable routing : remove pfSense, and put a switch in place ^^ Or transform pfSense in a big bridged device == an expensive switch. -
@patrickdickey52761 said in Verizon 5G Home Internet:
So let me ask this. Is there an easy way to allow IPv6 traffic through my WAN interface in such a way that all devices on the LAN side can get their addresses?
You could configure pfSense as just a firewall, without routing. A friend of mine just did that with OPNsense. This way you'll have a single /64 to work with on your LAN.
