No access (ping) from LAN -> Outside

razzfazz

@fips:

This is what my ISP send me:
IPv6:
IP Network: 2a02:xxx:10:37::/64
Gateway: 2a02:xxx:0010:0037:0000:0000:0000:0001
Network range: 2a02:xxx:0010:0037:0000:0000:0000:0002 - 2a02:xxx:0010:0037:ffff:ffff:ffff:ffff

I would assume that "Gateway" means the address of ISP's Gateway.

Wait, is the v6 address that you said you received on your WAN interface inside that prefix as well? If that's the case, you can't use the same prefix on the LAN side as well.

razzfazz

Out of curiosity, is this a direct fiber or ethernet connection, by any chance? What does your IPv4 configuration look like? Are you sure your ISP actually expects you to use a router (vs. just a switch)?

fips

@razzfazz:

Wait, is the v6 address that you said you received on your WAN interface inside that prefix as well? If that's the case, you can't use the same prefix on the LAN side as well.

Hmm… I guess this is it.
I used the same prefix on the LAN side.
So i have to split up the Network and use for LAN prefix /100 (for example).

Well i think my ISP know that i am going to use a router, its a datacenter where you can rent rack cages.
They provide you with an IPv4 subnet and an IPv6 subnet.

kpa

Yeah sorry, should have written "Track for LAN".

That configuration looks very strange and chances are you're not going get it working on pfSense. The standard methods for delegating prefixes assume that the WAN network and the LAN network are completely distinct prefixes. Ask again your ISP for precise and exact instructions how you're supposed to use the addresses they gave you.

razzfazz

@fips:

Well i think my ISP know that i am going to use a router, its a datacenter where you can rent rack cages.
They provide you with an IPv4 subnet and an IPv6 subnet.

Why do you think you need a router in this case? It seems to me that the usage model intended by your ISP is for you to just directly connect your machines to the provided network port without an additional router in between.

fips

@razzfazz:

Why do you think you need a router in this case? It seems to me that the usage model intended by your ISP is for you to just directly connect your machines to the provided network port without an additional router in between.

But if i connect it directly how you say it, how should i control traffic than?
Maybe i don't need a router, but for sure i need a firewall, so i have to connect pfsense in right way to manage it.

Point is still:
WAN works, i can ping
LAN doesn't, even directly on the LAN interface of pfsense.

There are some articles that user had to add a static route to be a able to use IPv6 on LAN side. Well this didn't work for me, but maybe there is some other things which is important to config, but not obviously to see.

razzfazz

If all you want is firewalling, it seems to me that your best bet would be setting up pfSense as a transparent firewall as described here.

EDIT: Also check out this.

fips

@razzfazz:

If all you want is firewalling, it seems to me that your best bet would be setting up pfSense as a transparent firewall as described here.

EDIT: Also check out this.

Thanks, but with this i would loose IPv4 NAT which is an absolutely no-go.

razzfazz

Why? I thought your ISP gives you an entire v4 subnet as well?!

fips

@razzfazz:

Why? I thought your ISP gives you an entire v4 subnet as well?!

Thats true, but its a /29 Subnet so i have 5 IPv4 addresses.

razzfazz

Well, as pointed out before, using the same /64 on both the WAN and the LAN interface won't work, and since all you get is a /64, splitting out a sub-prefix will be problematic as well (IPv6 is really designed to use /64 as the maximum prefix size for LAN use; things like SLAAC will not work with anything longer). So, not sure what to tell you at this point.