[solved] WAN gets IPv6 but LAN can't

crazypotato142

Hello. I have an issue on IPv6.

My ISS provides IPv6 addresses, I could use it for years so far with the router they gave. But I moved to a pFsense & custom router on AP mode setup and I wasn't able to get IPv6 anymore, because pfSense can't get an IPv6 on LAN so other devices can't get over DHCPv6 either.

I've tried multiple setting combinations, many possible solutions I've seen on internet, nothing really worked.

I called ISS and after a work of a week they couldn't understand the issue either. Might it be because the way they provide the addresses?

patient0

@crazypotato142 how have you configured IPv6 WAN (config dialog screenshot)? And how are you supposed to get an IPv6 address, what did the ISP say?

crazypotato142

@patient0
Sorry for not giving any details.

Here are my settings:

I'm not a pro on IPv6 but I assume it's because WAN gets a link-local and not a public IPv6 prefix so it can't adv the IP to LAN?

I have to use an ONT device connected right before the firewall. And this device requires VLAN tag 35 for connectivity. Might be related to that?

I have these warnings on my logs:

rc.newwanipv6: No IPv6 address found for interface WAN [wan].

rtsold[xxxxx]: <cap_rssend> sendmsg on re0.35: Permission denied

My ISP says "Checking only to request prefix /64 and setting RA to stateless should be enough." but they checked pF settings themselves too. Tho at the end, they decided it might be the way on their systems and can't provide me an IPv6 until they change the way their own devices work which will never happen probably. They seemed not very knowledgeable about the topic so can't blame them about anything.

The router they provide was working fine. It was a Zyxel device, it was working on Stateless mode.

patient0

@crazypotato142 with PPPoE I'm used to have to select
Request a IPv6 prefix/information through the IPv4 connectivity link in the IPv6 WAN part. Have you tried that?

I assume it's because WAN gets a link-local

IPv6 does work with link-local addresses as gateways, that's ok. WAN doesn't even need it's own public address (GUA, Global Unicast Address) but mostly does get one anyway.
And the subnet for the WAN address is probably different than the subnet you get for yourself.

E.g. your WAN may get an IP 2001:123:456:789::4321 but your delegated prefix is 2001:123:456:abc::/56.

crazypotato142

@patient0
Yes, still the same. Only thing changes is link-local to %pppoe0 from %re0.35

patient0

@crazypotato142 can you ping any IPv6 addresses from your pfSense? Like 2620:fe::fe (that's a quad9.net IP)

crazypotato142

@patient0

patient0

@crazypotato142 Mmmh, not working then. The same if you remove the Request a IPv6 prefix/information through the IPv4 connectivity link check?

And for testing I'd check (one at the time):
Send an IPv6 prefix hint to indicate the desired prefix size for delegation
and
Required by some ISPs, especially those not using PPPoE

Btw: I just say that you selected Only request an IPv6 prefix, do not request an IPv6 address (as your ISP may suggested). That way your WAN interface won't get its own GUA/public WAN address. It's always going to be a link-local address, which is ok, although for Dynamic DNS you want to have one.

And are your sure that you only get an /64 prefix from the ISP, you can't do much with that. Usually clients get a /56 or /48.

Addition: Maybe search the internet for other turk.net customers who use pfSense. My search for "pfsense turk.net ipv6 pppoe settings" gives a few result but I can't connect to the web sites.

crazypotato142

@patient0

The same if you remove the Request a IPv6 prefix/information through the IPv4 connectivity link check?

Yes, unfortunately.

Btw: I just say that you selected Only request an IPv6 prefix, do not request an IPv6 address (as your ISP may suggested). That way your WAN interface won't get its own GUA/public WAN address. It's always going to be a link-local address, which is ok, although for Dynamic DNS you want to have one.

Great, I thought that was related to the issue and because I see my public IPv4 above it and maybe i had to see a public IPv6 address as well.

That's also what I see on DHCPv6 settings:

And for testing I'd check (one at the time):
Send an IPv6 prefix hint to indicate the desired prefix size for delegation
and
Required by some ISPs, especially those not using PPPoE

Done, it's the same.

@patient0 said in WAN gets IPv6 but LAN can't:

And are your sure that you only get an /64 prefix from the ISP, you can't do much with that. Usually clients get a /56 or /48.

They told me that but it doesn't change anything anyway. Just tried again, it's the same.

patient0

@crazypotato142 I edited my earlier post: Maybe search the internet for other turk.net customers who use pfSense. My search for "pfsense turk.net ipv6 pppoe settings" gives a few result but I can't connect to the web sites (beside that I can't read turkish)

crazypotato142

@patient0
That was the first thing I did after realising I couldn't set up IPv6 properly. Didn't help much due to lack of information tbh.

Top result shows this (didn't work):

They also have this on ISS' official IPv6 configuration page for their router:

patient0

@crazypotato142 I now see what you meant by 'stateless': that refers to SLAAC. So you can try setting WAN IPv6 to SLAAC instead of DHCPv6.

Btw: do you get an public IPv4 address, that is working, yes?

Here is the entry for Turk Telekom on OpenWRT:

https://openwrt.org/docs/guide-user/network/wan/isp-configurations#turk_telekom

I'd say from that entry it means Request a IPv6 prefix/information through the IPv4 connectivity link has to be checked. Not sure yet what 'ipv6 auto' translates to in pfSense.

crazypotato142

@patient0

I now see what you meant by 'stateless': that refers to SLAAC. So you can try setting WAN IPv6 to SLAAC instead of DHCPv6.

If I set it to SLAAC it doesn't provide me anything. Both IPv6 prefix thru IPv4 connectivity checked and unchecked:

But when i try to ping, it gives the exact same local-link IP I sent the SS above

Also, isn't "Stateless" a RA mode?

Btw: do you get an public IPv4 address, that is working, yes?

Of course. I have a static one working perfectly fine.

@patient0 said in WAN gets IPv6 but LAN can't:

Here is the entry for Turk Telekom on OpenWRT:

https://openwrt.org/docs/guide-user/network/wan/isp-configurations#turk_telekom

I'd say from that entry it means Request a IPv6 prefix/information through the IPv4 connectivity link has to be checked. Not sure yet what 'ipv6 auto' translates to in pfSense.

My ISP is TurkNet, does it change anything?

JKnott

@crazypotato142 said in WAN gets IPv6 but LAN can't:

Sorry for not giving any details

I see you're only requesting a prefix size of 64. That allows for only a single /64 prefix, which will allow only a single LAN. What is the largest prefix your ISP offers? That's what you should be using. For example, I get a /56, which provides 256 /64s.

JKnott

@crazypotato142 said in WAN gets IPv6 but LAN can't:

I'm not a pro on IPv6 but I assume it's because WAN gets a link-local and not a public IPv6 prefix so it can't adv the IP to LAN?

No, that has nothing to do with it. On IPv6, routing is normally over link local addresses.

crazypotato142

@JKnott

I see you're only requesting a prefix size of 64. That allows for only a single /64 prefix, which will allow only a single LAN. What is the largest prefix your ISP offers? That's what you should be using. For example, I get a /56, which provides 256 /64s.

I have no idea tbf. But even it's /64 shouldn't it work anyway?

patient0

@crazypotato142 said in WAN gets IPv6 but LAN can't:

My ISP is TurkNet, does it change anything?

Nope, the settings look the same (also on that ISP page from OpenWrt.

Also, isn't "Stateless" a RA mode?

Yep, RA/SLAAC is pair (stateless address autoconfiguration == SLAAC) and stateless is one mode in RA.

crazypotato142

@patient0

Yep, RA/SLAAC is pair (stateless address autoconfiguration == SLAAC) and stateless is one mode in RA.

Alright. So setting the configuration type on WAN settings as SLAAC doesn't seem to work. I have no idea how i will configure LAN when i selected that too so it's on DHCP6. But in RA its on Stateless DHCP mode. Should I leave it that way?

@JKnott

I see you're only requesting a prefix size of 64. That allows for only a single /64 prefix, which will allow only a single LAN. What is the largest prefix your ISP offers? That's what you should be using. For example, I get a /56, which provides 256 /64s.

When I set my WAN settings as below I get prefix ID from 0 to FF, which is from 0 to 0 with /64.

Would changing this help in any way?

crazypotato142

How can I check the prefix pFsense gets, or be sure it gets or not?

patient0

@crazypotato142 check the logs in Status / System Logs / DHCP and search for "dhcp6c". Additionally you can enable debug mode: check System / Advanced / Networking: DHCP6 Debug.