Static ipv6 and ipv6 neighbour
-
Hi everyone,
does pfsense 2.1 support the above and is there a guide how to set it up? My ISP uses this and I got ipv6 enabled, now I don't know how to set it up :-/
-
Not quite sure what that is, I have not run into such a install in the wild yet.
We don't have a slaac option for IPv6 yet either.
I'll have to read the documentation on that, so don't expect support soon.
-
This illustrates what my ISP offered to me. Sorry about the language, if needed I will try to translate.
In short, I got assigned an external ipv6 address, /64 subnet, "connecting segment" (the /126 thing) and I have received default gateway.
In order to make it work I need to manually add a ipv6 neighbour which is actually an isp router (default gateway) which I can do with ndp -s [ipv6] [mac]. After that I can ping the gateway (otherwise I get an error) but test-ipv6 still doesn't see my ipv6 address (pinging google on ipv6 also times out).
I use separate subnets for lan and wifi, but I only enabled ipv6 for lan subnet (until I get a /56 subnet), in dhcp server I set RA to unmanaged for lan and Router only on lan dhcp is disabled and RA set to Router only. I laso added firewall rules for ipv6 traffic.
Any help appreciated… -
I might be missing something but I think
-
pfSense WAN interface should have IPv6 address 2a01:260:a
:2/126 -
pfSense default route (gateway) should be 2a01:260:a
:1/126 (add a default gateway under System -> Routing click on Gateways tab)
-
-
I have it set up according to what you said.
-
What is the output of the pfSense shell command netstat -r -n
Perhaps your ISP can give you the IPv6 address of a ping responding system located a little beyond your router. What is reported when you attempt to ping that? Does a packet capture on the pfSense WAN interface while the ping is running show both the ping and response?
If your default route is correct and your neighbouring router responds to pings but a system beyond the router doesn't respond to pings then the fault probably lies with your ISP.
-
I can ping my ISP router (the "Neighbour"), which is the first level above my router afaik. I was told I am apparently missing global unicast gateway/route through 2a01:260:4016::1, but that was at a first glance look at my routing table.
$ netstat -r -n Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 89.212.0.1 UGS 0 3782624 rl0 84.255.209.79 89.212.0.1 UGHS 0 102 rl0 84.255.210.79 89.212.0.1 UGHS 0 12 rl0 89.212.0.0/16 link#3 U 0 35329 rl0 89.212.6.75 link#3 UHS 0 0 lo0 127.0.0.1 link#4 UH 0 607 lo0 192.168.1.0/24 link#2 U 0 175132 re0 192.168.1.1 link#2 UHS 0 0 lo0 192.168.2.0/24 link#8 U 0 33 ath0_w 192.168.2.1 link#8 UHS 0 0 lo0 Internet6: Destination Gateway Flags Netif Expire default 2a01:260:4016::2 UGS rl0 ::1 ::1 UH lo0 2a01:260:4016::/126 link#3 U rl0 2a01:260:4016::2 link#3 UHS lo0 2a01:260:4016:1:: link#2 UHS lo0 => 2a01:260:4016:1::/64 link#2 U re0 fe80::%re0/64 link#2 U re0 fe80::221:91ff:fed4:c574%re0 link#2 UHS lo0 fe80::%rl0/64 link#3 U rl0 fe80::2e0:4cff:fe67:3edf%rl0 link#3 UHS lo0 fe80::%lo0/64 link#4 U lo0 fe80::1%lo0 link#4 UHS lo0 fe80::%ath0_wlan0/64 link#8 U ath0_wla fe80::225:86ff:fece:aedd%ath0_wlan0 link#8 UHS lo0 ff01:2::/32 fe80::221:91ff:fed4:c574%re0 U re0 ff01:3::/32 fe80::2e0:4cff:fe67:3edf%rl0 U rl0 ff01:4::/32 ::1 U lo0 ff01:8::/32 fe80::225:86ff:fece:aedd%ath0_wlan0 U ath0_wla ff02::%re0/32 fe80::221:91ff:fed4:c574%re0 U re0 ff02::%rl0/32 fe80::2e0:4cff:fe67:3edf%rl0 U rl0 ff02::%lo0/32 ::1 U lo0 ff02::%ath0_wlan0/32 fe80::225:86ff:fece:aedd%ath0_wlan0 U ath0_wla -
You have an IPv6 default route but it should specify the IP6 address of your upstream router, not the IPv6 address of your WAN interface.
-
Double check your actual interface IP and gateway configuration (post screenshots if possible)
From your routing table output, you have the gateway set to 2 and not 1.
The output from "ifconfig -a" and "ndp -na" might also help.
-
One of the ISP's tech guys was good enough to take a look at my pfsense through rdp. He said I had everything set correct, but in the routing tables it was wrong (I did have it set up under WAN settings, not under Routing, if it matters), think he said wan and lan were just the opposite. He edited those I think, then he used a startup script so that the ISP router (neighbour) is added everytime I restart it and added an ipv6 gateway under routes + a global unicast route and now it works. Posting routes if it will/can help anyone.
::1 ::1 UH 0 0 16384 lo0 2000::/3 2a01:260:4016::1 UGS 0 413 1500 rl0 2a01:260:4016::/126 link#3 U 0 18425 1500 rl0 2a01:260:4016::2 link#3 UHS 0 5 16384 lo0 2a01:260:4016:1::/64 link#2 U 0 848 1500 re0 2a01:260:4016:1::1 link#2 UHS 0 0 16384 lo0 fe80::%re0/64 link#2 U 0 75 1500 re0 fe80::221:91ff:fed4:c574%re0 link#2 UHS 0 0 16384 lo0 fe80::%rl0/64 link#3 U 0 0 1500 rl0 fe80::2e0:4cff:fe67:3edf%rl0 link#3 UHS 0 0 16384 lo0 fe80::%lo0/64 link#4 U 0 0 16384 lo0 fe80::1%lo0 link#4 UHS 0 0 16384 lo0 fe80::%ath0_wlan0/64 link#8 U 0 0 1500 ath0_wlan0 fe80::225:86ff:fece:aedd%ath0_wlan0 link#8 UHS 0 0 16384 lo0 ff01:2::/32 fe80::221:91ff:fed4:c574%re0 U 0 0 1500 re0 ff01:3::/32 fe80::2e0:4cff:fe67:3edf%rl0 U 0 0 1500 rl0 ff01:4::/32 ::1 U 0 0 16384 lo0 ff01:8::/32 fe80::225:86ff:fece:aedd%ath0_wlan0 U 0 0 1500 ath0_wlan0 ff02::%re0/32 fe80::221:91ff:fed4:c574%re0 U 0 0 1500 re0 ff02::%rl0/32 fe80::2e0:4cff:fe67:3edf%rl0 U 0 0 1500 rl0 ff02::%lo0/32 ::1 U 0 0 16384 lo0 ff02::%ath0_wlan0/32 fe80::225:86ff:fece:aedd%ath0_wlan0 U 0 0 1500 ath0_wlan0$ netstat -r -n Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 89.212.0.1 UGS 0 6615203 rl0 84.255.209.79 89.212.0.1 UGHS 0 703 rl0 84.255.210.79 89.212.0.1 UGHS 0 107 rl0 89.212.0.0/16 link#3 U 0 476665 rl0 89.212.6.75 link#3 UHS 0 0 lo0 127.0.0.1 link#4 UH 0 167 lo0 192.168.1.0/24 link#2 U 0 3796618 re0 192.168.1.1 link#2 UHS 0 0 lo0 192.168.2.0/24 link#8 U 0 1138 ath0_w 192.168.2.1 link#8 UHS 0 0 lo0 Internet6: Destination Gateway Flags Netif Expire ::1 ::1 UH lo0 2000::/3 2a01:260:4016::1 UGS rl0 2a01:260:4016::/126 link#3 U rl0 2a01:260:4016::2 link#3 UHS lo0 2a01:260:4016:1::/64 link#2 U re0 2a01:260:4016:1::1 link#2 UHS lo0 fe80::%re0/64 link#2 U re0 fe80::221:91ff:fed4:c574%re0 link#2 UHS lo0 fe80::%rl0/64 link#3 U rl0 fe80::2e0:4cff:fe67:3edf%rl0 link#3 UHS lo0 fe80::%lo0/64 link#4 U lo0 fe80::1%lo0 link#4 UHS lo0 fe80::%ath0_wlan0/64 link#8 U ath0_wla fe80::225:86ff:fece:aedd%ath0_wlan0 link#8 UHS lo0 ff01:2::/32 fe80::221:91ff:fed4:c574%re0 U re0 ff01:3::/32 fe80::2e0:4cff:fe67:3edf%rl0 U rl0 ff01:4::/32 ::1 U lo0 ff01:8::/32 fe80::225:86ff:fece:aedd%ath0_wlan0 U ath0_wla ff02::%re0/32 fe80::221:91ff:fed4:c574%re0 U re0 ff02::%rl0/32 fe80::2e0:4cff:fe67:3edf%rl0 U rl0 ff02::%lo0/32 ::1 U lo0 ff02::%ath0_wlan0/32 fe80::225:86ff:fece:aedd%ath0_wlan0 U ath0_wla -
Reading your diagram that the isp gave you, it looks like a normal static ipv6 configuration.
Basically you configure the ::2 of the /126 prefix on the pfSense wan interface. You then create a gateway to the ::1 address of the /126 subnet. Normally the isp router will reply for ndp requests for this address.
You can configure the 1st /64 prefix on the lan interface. Your isp will just forward the /64 networks to the ::2 address of your /126 subnet.
This really is a basic static config as long as both the isp and pfsense reply to ndp requests. Which i think they will.
If you have any questions or want me to review your configuration i can verify it remotely.
