[solved] WAN gets IPv6 but LAN can't

Gertjan

@crazypotato142

Reminder :
The DHCP log will show dhcp6c (DHCP v6 Client process) activity when you check this one :

crazypotato142

@Gertjan
It's checked. The logs above are from dhcp6c

Gertjan

@crazypotato142 said in WAN gets IPv6 but LAN can't:

@Gertjan
.....The logs above are from dhcp6c

Euh .... where ?

crazypotato142

@Gertjan said in WAN gets IPv6 but LAN can't:

@crazypotato142 said in WAN gets IPv6 but LAN can't:

@Gertjan
.....The logs above are from dhcp6c

Euh .... where ?

@crazypotato142 said in WAN gets IPv6 but LAN can't:

I have these warnings on my logs

@crazypotato142 said in WAN gets IPv6 but LAN can't:

I've seen "transmit failed: Can't assign requested address" in the logs. I've been looking for it on the internet since then.

eagle61

@crazypotato142 said in WAN gets IPv6 but LAN can't:

But I moved to a pFsense & custom router on AP mode setup and I wasn't able to get IPv6 anymore, because pfSense can't get an IPv6 on LAN so other devices can't get over DHCPv6 either.

From your first screen picture you sen here i can see you only have a fe80:-IPv6-Adress on WAN. With that you can't get any LAN-IPv6. You will need regular IPv6 on WAN first. One like 2001:...

I guss your custom router on AP mode setup does not deliver an IPv6-Adress and/or IPv6-Prefix to your pfsense. That needs to be fixed beforehand all other setups.

Please read:

• IPv6 for generic DSL dialup and
• IPv6 behind an AVM Fritz!Box

Both Documents are from OPNsense Documentation, but helped me very much to configure my pfsense with IPv6 prefix delegation.

crazypotato142

@eagle61
I thought the same at first but people here told me it is fine to have a link local there. It's confusing now.

My setup is ONT -> pF on x64 mini PC -> AP.

I don't think it's about the AP, because pF can't even provide an IP address to its own LAN interface. AP is the step when LAN interface gets one.

eagle61

@crazypotato142 said in WAN gets IPv6 but LAN can't:

My setup is ONT -> pF on x64 mini PC

No, first step is WAN-Intertface needs a IPv6-Adress. Please read IPv6 for generic DSL dialup linked before. Your WAN-Interface (Interfaces -> WAN) is pppoe0 (means IPv4 Configuration Type = PPPoE) and IPv6 Configuration Type = DHCP6 you need to mark also:

• Use IPv4 connectivity as parent interface
• Request only an IPv6 prefix
• Send IPv6 prefix hint
• DHCPv6 Prefix Delegation size = depending on what your ISP is offering you. Try /56 but might be also /60, /62, even /64 might be possible. You have to check that out.

That is how it works here on a Fiber ONT with my ISP.,

Note: and i did not think you was talking about a WiFi-AP, but was talking about the Access Point on Internet, like DSL-Modem, Fiber-ONT:or Cable-Modem..Yoi nieed first from that defice, means from ISP a IPv6 to make it working.And your photos show you have only fe80 on WAN-PPPoE. So that can't work with just fe80

EDIT: hiere is my WAN Config with running IPv6

crazypotato142

@eagle61
Alright. I finally got my IPv6 back.

First I updated it to 2.7.2 from 2.7.0. When I installed pF I thought I installed the version 2.7.2 because even on updates page 2.7.2 was selected. I used the command "certctl rehash" and it finally got fixed, let me update to 2.7.2.

When the update was done, it was all the same. Later I updated it to 2.8.0 from the update page again, which made the link-local IP's disappear from the Interfaces wigdet after the update.

I went back to WAN interface settings and selected the checkmark to request IPv6 prefix thru IPv4 connectivity. And finally it got the prefix, both LAN and WAN had IP's, and all my devices connected to internet.

So it was pF itself since the beginning. Thank you everyone!

eagle61

@crazypotato142
May i ask what DHCPv6 Prefix Delegation size you are now request for? If in any case possible and supported by your ISP it shall not be /64, but /62 /60 or even better /56

With a DHCPv6 Prefix Delegation size of only /64 your pfsense can't delegate prefixes for LAN and other local Networks.

crazypotato142

@eagle61
My ISP provides only /64.

Made it sure, it doesn't work with other prefixes selected.

eagle61

@crazypotato142
This means that your ISP is unfortunately very stingy.

With a /60 prefix you would be able to provide 16 /64 subnets, my ISP provides a /56 prefix so i am able to crate 256 /64 subnets with my pfsense.

crazypotato142

@eagle61

This means that your ISP is unfortunately very stingy.

I know. Tho my ISP provides symmetric gigabit internet & static IP for only €15 so I'll ignore that. :D Also they are the only ISP provides IPv6 for home users right now.

@eagle61

With a /60 prefix you would be able to provide 16 /64 subnets, my ISP provides a /56 prefix so i am able to crate 256 /64 subnets with my pfsense.

Sounds good. I'm not planning to have any subnets for home yet so it doesn't seem like a problem for now. Thank you anyway.

Bob.Dig

@eagle61 said in WAN gets IPv6 but LAN can't:

No, first step is WAN-Intertface needs a IPv6-Adress.

Technically it doesn't. There are some ISP around the globe, which will give you only a prefix and not a WAN-address. In the other Sense, you can configure your WAN to use one /64 of that prefix, don't know how this is done in pfSense.

@crazypotato142 You could use NPt to give many interfaces the capability to have IPv6 outbound. You would use ULAs in your LANs and then NAT everything with that one /64 you got.

crazypotato142

@Bob-Dig said in WAN gets IPv6 but LAN can't:

You could use NPt to give many interfaces the capability to have IPv6 outbound. You would use ULAs in your LANs and then NAT everything with that one /64 you got.

Useful info. Can I create an OpenVPN tunnel with that? For example, I wanted my phone to work with IPv6 even the network I connected (mainly my cellular) has no IPv6. Is there a workaround for that? I set my OpenVPN server as IPv4 + IPv6 and my phone seems to have a local IP right now.

Gertjan

@crazypotato142 said in [solved] WAN gets IPv6 but LAN can't:

I wanted my phone to work with IPv6 even the network I connected (mainly my cellular) has no IPv6. Is there a workaround for that? I set my OpenVPN server as IPv4 + IPv6 and my phone seems to have a local IP right now

A OpenVPN server (pfSense side) and the OpenVPN client (the phone side) will be using tunnel that can only be IPv4. After all, your phone service provider doesn't do IPv6.
So, the tunnel uses an IPv4. You can see this tunnel as a virtual wire. What goes into this tunnel, IPv4 packets or IPv6, that up to you to decide.
Typically, if your phone supports IPv6 and you have a prefix for your your OpenServer, then the OpenVPN server can assign to your phone and IPv4 and an IPv6 out of this prefix.
Normally, you would be using a dedicated prefix for your LAN and another dedicated prefix for your, for example, DMZ, and yet another one for your OpenVPN server.
ISPs most often have avaible for you a /56 or 256 prefixes. So, in theory, your pfSense could have 256 LANs with a usable IPv6 connectivity ^^

If you have only one prefix, and want to share that over several local pfSense networks ("LANs") like LAN, DMZ, OPT, and OpenVPN then things get a bit ... not sure .... messy.

@crazypotato142 said in [solved] WAN gets IPv6 but LAN can't:

(mainly my cellular) has no IPv6

Then no need to make the OpenVPN answer the line over IPv4 and IPv6. IPv4 will be the only one being used for the tunnel.

That's a bit strange, more and more phone carriers are created, and the recent ones don't have any IPv4 for their clients. Only IPv6 - as there are no more IPv4 left. If they offer your phone an Ipv4, then that will be a CGNAT or DSlite type of IPv4. This would work just fine for OpenVPN, though.

eagle61

@crazypotato142 said in [solved] WAN gets IPv6 but LAN can't:

Tho my ISP provides symmetric gigabit internet & static IP for only €15 so I'll ignore that

This is really very affordable. Here we have to pay at least three times as much for a fiber and not less then € 30 for a simple old DSL copper cable.

crazypotato142

@Gertjan
But the device gets IPv6 over OpenVPN tunnel. Wouldn't that mean it has the connectivity and with a prefix translation I could use IPv6? Like Teredo or HE.

@eagle61

This is really very affordable. Here we have to pay at least three times as much for a fiber and not less then € 30 for a simple old DSL copper cable.

That's unfortunate. I'm just lucky because they only offer that only over their own infrastructure and it's not very wide. The carrier and the other 2 popular ISP's have way more expensive prices but still not as much as yours.

Gertjan

@crazypotato142 said in [solved] WAN gets IPv6 but LAN can't:

Wouldn't that mean it has the connectivity and with a prefix translation I could use IPv6? Like Teredo or HE.

Imho : don't invest any time in using Toredo. That's a dying concept.
HE (tunnel broker) is something else. I've been using it for years, as they implement a clean and close to perfect, one of the best IPv6 implementations. Their services are not free ! That is, it won't cost you any money, and they even send you a free (yes) T-Shirt when you finish their IPv6 certification process. It's back to school-time-again, and do their multiple choice exam.
They offer a /64 to start with, but don't bother, go for the whopping /48 right way 65535 prefixes.
Your WAN will have a IPv6 GUA.
Downsides :
The POP needs to be close to you.
The connection can be interpreted by the site you visit as some sort of VPN connection (there is a work around available if you use pfBlockerng).
The POPs can be crowed, so the speed won't be stellar.