    Switched to AT&T fiber, IPv6 tunnel broken

    General pfSense Questions
      JKnott @BiloxiGeek

      @BiloxiGeek said in Switched to AT&T fiber, IPv6 tunnel broken:

      But since it's AT&T I suspect they are gonna want to charge me extra for the additional service.

      I bet it's already available. With my ISP, I just had to enable it and it works. Configure pfSense for IPv6 and see what happens.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

        JKnott @johnpoz

        @johnpoz said in Switched to AT&T fiber, IPv6 tunnel broken:

        I thought back when they first rolled out ipv6 they were using 6rd and were blocking 41 because they were using it

        My ISP was offering 6to4 and 6rd before going native. I had no problem using 6in4, back then. There should have been no conflict with protocol 41.

          JKnott @johnpoz

          @johnpoz said in Switched to AT&T fiber, IPv6 tunnel broken:

          I would think putting it into bridge mode would disable any sort of firewalling

          Given the firewall in those modems, is that a bad thing? 😉

          Since this is a pfSense forum, I expect people here will be running pfSense for their firewall.

            johnpoz LAYER 8 Global Moderator @JKnott

            @JKnott said in Switched to AT&T fiber, IPv6 tunnel broken:

            There should have been no conflict with protocol 41.

            I agree - just what I read some places, doesn't mean it's true. In some thread somewhere it was stated that att was blocking protocol 41 for anything other than their network, and when they moved to dual stack vs 6rd for their IPv6 rollout they removed the 41 block.

            I am leaning towards the disable ipv6 in his att device to be honest, since if you are using the device as passthru and wanted to disable IPv6, blocking protocol 41 would be a way to stop a client connected from creating a tunnel and using IPv6 that way, etc.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

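One way to test the protocol 41 question raised in the posts above is to look at which directions of a WAN capture actually carry 6in4 packets. This is an added example, not part of the thread: the packets are constructed, the addresses are documentation-range placeholders, and real input would be raw IPv4 packets captured on the pfSense WAN.

```python
import ipaddress
import struct

PROTO_6IN4 = 41  # IPv4 protocol number for IPv6-in-IPv4 encapsulation

def build_6in4(outer_src, outer_dst, inner_src, inner_dst):
    """Build a minimal constructed 6in4 packet (checksum left 0, no payload)."""
    inner = struct.pack("!IHBB", 0x60000000, 0, 59, 64)  # IPv6, next header 59 = none
    inner += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, PROTO_6IN4, 0)
    outer += ipaddress.IPv4Address(outer_src).packed + ipaddress.IPv4Address(outer_dst).packed
    return outer + inner

def parse_6in4(packet):
    """Return (outer_src, outer_dst, inner_src, inner_dst), or None if not 6in4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # outer header length, options included
    if ihl < 20 or packet[9] != PROTO_6IN4 or len(packet) < ihl + 40:
        return None
    inner = packet[ihl:]
    if inner[0] >> 4 != 6:
        return None
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])),
            str(ipaddress.IPv6Address(inner[8:24])),
            str(ipaddress.IPv6Address(inner[24:40])))

def tunnel_state(packets, local_v4, remote_v4):
    """Classify a capture by which directions carried protocol 41."""
    sent = received = 0
    for pkt in packets:
        parsed = parse_6in4(pkt)
        if parsed is None:
            continue
        if parsed[:2] == (local_v4, remote_v4):
            sent += 1
        elif parsed[:2] == (remote_v4, local_v4):
            received += 1
    if sent and received:
        return "bidirectional"
    if sent:
        return "outbound-only"  # no protocol 41 seen on the return path
    return "inbound-only" if received else "no-tunnel-traffic"

# Constructed sample: WAN 192.0.2.10, tunnel server 198.51.100.1 (placeholders)
OUT = build_6in4("192.0.2.10", "198.51.100.1", "2001:db8::2", "2001:db8::1")
BACK = build_6in4("198.51.100.1", "192.0.2.10", "2001:db8::1", "2001:db8::2")
print(tunnel_state([OUT, OUT], "192.0.2.10", "198.51.100.1"))
print(tunnel_state([OUT, BACK], "192.0.2.10", "198.51.100.1"))
```

An "outbound-only" result on the pfSense WAN means the tunnel packets leave but no protocol 41 comes back, which points at the gateway or the path beyond it rather than at pfSense.
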
              BiloxiGeek

              Is there a difference between bridge mode and passthrough? I've set passthrough already and didn't get the tunnel up. If there's a separate bridge mode I'm more than willing to give it a try but I've not seen that setting anywhere in the BGW320 config.

              And I too would prefer to deal with any latency issues in order to keep the 6in4 tunnel with the known and expected addresses.

                johnpoz LAYER 8 Global Moderator @BiloxiGeek
                @BiloxiGeek that might be what it's called on that device, can you enable IPv6 and leave it passthru?

                  marcg @johnpoz

                  @johnpoz There's no true bridge mode on the BGW320 AFAIK. IP Passthrough is bridge-like, but is NAT under the hood. With Passthrough enabled and v6 disabled on the BGW LAN side, I could see how that might prevent ATT's native v6 from working. Disabling v6 might prevent the Passthrough v6 NAT states from being created.

                  @BiloxiGeek, if you haven't already done so, suggest that the BGW's Passthrough Mode be configured as DHCPS-Fixed with the pfSense WAN MAC entered as the Passthrough Fixed MAC Address. If there's ever more than one device on the BGW's LAN side -- wired or wireless -- at boot time, the DHCPS-Dynamic option will cause the BGW to pick whichever device it sees first as the passthrough client, not necessarily pfSense (probably not what you want).

                    johnpoz LAYER 8 Global Moderator @marcg

                    @marcg said in Switched to AT&T fiber, IPv6 tunnel broken:

                    Disabling v6 might prevent the Passthrough v6 NAT states from being created.

                    concur - I do believe that is his problem.. I don't think those devices do a true bridge, more like a nat with dmz host sort of thing.

                      marcg @johnpoz

                      @johnpoz said in Switched to AT&T fiber, IPv6 tunnel broken:

                      I don't think those devices do a true bridge, more like a nat with dmz host sort of thing.

                      It's similar, but different. In Passthrough mode, pfSense gets the public v4 IP of the BGW. For v6, the pfSense gets a routeable IP via DHCP for its WAN IP, and any delegated prefixes that it requests. pfSense thinks that it's directly on the WAN with routeable addresses and prefixes.

                      The BGW then 1:1 NATs every flow to/from pfSense, keeping the same source/destination address/port on both sides of the NAT. There's a snippet from the BGW's NAT table below. The x's are to obscure my routeable addresses and prefixes.

                      Guessing one reason they don't do a true bridge is to enable the BGW to NAT+route in parallel for its non-Passthrough LAN-side clients (none in my case).

                      Screenshot 2025-09-01 173933.png

                        johnpoz LAYER 8 Global Moderator @marcg

                        @marcg well that is good, then it should work for the OP.
