IPV6 no Gateway ?
-
Hi,
I got a Multi WAN Environment.
One of my WAN Interfaces learns IPV6 via DHCP but I wonder how I could route traffic through this without a Gateway ?
Status up
MAC address 00:00:00:00:00:00
IPv4 address 10.8.0.28
Subnet mask IPv4 255.255.0.0
Gateway IPv4 GWMVDE1 10.8.0.1
IPv6 Link Local fe80::222:64ff:fea4:dfe8%ovpnc1
IPv6 address fd97:xxxx:xxx:x::101a
Subnet mask IPv6 112
In/out packets 38911162/23160374 (45.93 GB/3.07 GB)
In/out packets (pass) 38911162/23160374 (45.93 GB/3.07 GB)
In/out packets (block) 16802/1999 (1.76 MB/210 KB)
In/out errors 0/0
Collisions 0
-
Unlike IPv4 DHCP, IPv6 DHCP does not provide a gateway address. This is learned through router advertisements.
-
Thanks,
how do I learn my clients now that they can also use the IPv6 Connection to connect to the internet ?
-
@Satras:
how do I learn my clients now that they can also use the IPv6 Connection to connect to the internet ?
The best way to see all active IPv6 devices on your network is to look at the NDP table under Diagnostics (I think; don't have my web config in front of me right now). Sort that table by MAC address so that the link-local and internet addresses are all together for each device.
Unfortunately there's no way to use DHCPv6 under pfSense without having a static IPv6 address on your LAN interface.* But even if you have a static LAN IPv6 address and you mandate DHCPv6 use (via the "Managed" RA setting), there are some devices (Android especially) that will only use Stateless Auto-config (SLAAC) and simply won't get an IPv6 address.
* It's unfortunate that this is the case in pfSense. I know of two other open-source router firmwares - one manufacturer-supported - that support DHCPv6 on the LAN when using PD, though they seem to force the RA type to be assisted so both DHCPv6 and SLAAC are used.
-
Thanks,
So I set a static IPv6 on my LAN Interface and set the RA in DHCP6 to "Managed", but my Windows 7 Client does not get an IPv6 at all.
What else do I need to configure ?
-
Satras,
Setting the Router Advertisement to Managed means that the RA messages tell the client to look for a DHCPv6 server on the network.
In this instance, SLAAC isn't used by clients.
You need to set RA to Managed AND run a DHCPv6 server. The RA message will provide information to the clients on what to use for default GW, and the DHCPv6 will give them IP and DNS settings.
For example, assuming you have /48 prefix:
- Enable Router Advertisements on your LAN interface, set to type Managed
- Check on the Enable DHCPv6 Server on LAN interface
Set range to prefix:1:0:0:0 to prefix:ffff:ffff:ffff:ffff (this leaves you prefix:0:0:0:0 to prefix:0:ffff:ffff:ffff for static IPs)
Set DNS servers; if you don't have an IPv6 DNS server running, you can use Google's at 2001:4860:4860::8888 and 2001:4860:4860::8844 which correspond to 8.8.8.8 and 8.8.4.4.
Set your domain name, and other options as required.
On Windows, you can use netstat -rn or netsh interface ipv6 show route to view the routing table.
You will notice that the default gateway on Windows will show as ::/0 and probably be pointing to fe80:suffix. This is normal.
–
Andrew
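Added example, not part of the original post: a parser for the Router Advertisement fields the reply above relies on (M and O flags, router lifetime, and the per-prefix A flag from RFC 4861), showing why a SLAAC-only client ends up without an address in Managed mode. The flag combinations assigned to "Managed" and "Assisted" and the sample RA bytes are assumptions constructed for illustration.

```python
import ipaddress
import struct

def parse_ra(msg: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134, RFC 4861)."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = msg[5]
    info = {
        "managed": bool(flags & 0x80),   # M flag: get addresses from DHCPv6
        "other": bool(flags & 0x40),     # O flag: get DNS etc. from DHCPv6
        # Lifetime > 0 means the sender (a link-local address) is a default gateway.
        "router_lifetime": struct.unpack_from("!H", msg, 6)[0],
        "prefixes": [],
    }
    off = 16
    while off + 2 <= len(msg):
        opt_type, opt_len = msg[off], msg[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(msg):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:              # Prefix Information option
            prefix = ipaddress.IPv6Address(msg[off + 16:off + 32])
            info["prefixes"].append({
                "prefix": f"{prefix}/{msg[off + 2]}",
                "autonomous": bool(msg[off + 3] & 0x40),  # A flag: SLAAC allowed
            })
        off += opt_len
    return info

def address_methods(info: dict, client_has_dhcpv6: bool) -> list:
    """How a client receiving this RA can obtain a non-link-local address."""
    methods = []
    if info["managed"] and client_has_dhcpv6:
        methods.append("DHCPv6")
    if any(p["autonomous"] and p["prefix"].endswith("/64") for p in info["prefixes"]):
        methods.append("SLAAC")
    return methods

def build_ra(m: int, o: int, a: int, prefix: str = "2001:db8:1234:5601::") -> bytes:
    """Constructed sample RA (documentation prefix), not a capture from the thread."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, (m << 7) | (o << 6), 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0x80 | (a << 6), 86400, 14400, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed

MANAGED = parse_ra(build_ra(m=1, o=1, a=0))    # assumed flags for "Managed"
ASSISTED = parse_ra(build_ra(m=1, o=1, a=1))   # assumed flags for "Assisted"
```

`address_methods(MANAGED, False)` returns an empty list, which is the SLAAC-only client case mentioned earlier in the thread; the same client gets `["SLAAC"]` from `ASSISTED`.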
-
Thanks Andrew,
Ok, this is what I initially did and deploying IPv6 Addresses in my LAN works fine.
I checked and netstat and netsh showed what you said.

Veröff.  Typ      Met  Präfix                                        Idx  Gateway/Schnittstelle
-------  -------  ---  --------------------------------------------  ---  ---------------------
Nein     Manuell  256  ::/0                                          16   fe80::cad3:a3ff:fea3:399d
Nein     Manuell  256  ::1/128                                       1    Loopback Pseudo-Interface 1
Nein     Manuell  8    2001::/32                                     12   Teredo Tunneling Pseudo-Interface
Nein     Manuell  256  2001:0:xxxx:xxxx:xxxx:xxxx:d15a:2f34/128      12   Teredo Tunneling Pseudo-Interface
Nein     Manuell  8    fd00:a9d2:xxxx:xxxx::/64                      16   LAN-Verbindung 2
Nein     Manuell  256  fd00:a9d2:xxxx:xxxx:xxxx:xxxx:5842:5814/128   16   LAN-Verbindung 2
Nein     Manuell  256  fe80::/64                                     16   LAN-Verbindung 2
Nein     Manuell  256  fe80::/64                                     15   Drahtlosnetzwerkverbindung 2
Nein     Manuell  256  fe80::/64                                     12   Teredo Tunneling Pseudo-Interface
Nein     Manuell  256  fe80::5efe:192.168.xxx.xx/128                 17   isatap.box
Nein     Manuell  256  fe80::2c5b:xxxx:xxxx:2f34/128                 12   Teredo Tunneling Pseudo-Interface
Nein     Manuell  256  fe80::54de:xxxx:xxxx:4a6d/128                 15   Drahtlosnetzwerkverbindung 2
Nein     Manuell  256  fe80::7063:xxxx:xxxx:ee64/128                 16   LAN-Verbindung 2
Nein     Manuell  256  ff00::/8                                      1    Loopback Pseudo-Interface 1
Nein     Manuell  256  ff00::/8                                      12   Teredo Tunneling Pseudo-Interface
Nein     Manuell  256  ff00::/8                                      16   LAN-Verbindung 2
Nein     Manuell  256  ff00::/8                                      15   Drahtlosnetzwerkverbindung 2

IPv6-Routentabelle
===========================================================================
Aktive Routen:
If  Metrik  Netzwerkziel                                  Gateway
16  266     ::/0                                          fe80::cad3:a3ff:fea3:399d
1   306     ::1/128                                       Auf Verbindung
12  58      2001::/32                                     Auf Verbindung
12  306     2001:0:xxxx:xxxx:xxxx:ebc7:d15a:2f34/128      Auf Verbindung
16  18      fd00:a9d2:xxxx:xxxx::/64                      Auf Verbindung
16  266     fd00:a9d2:xxxx:xxxx:xxxx:xxxx:5842:5814/128   Auf Verbindung
16  266     fe80::/64                                     Auf Verbindung
12  306     fe80::/64                                     Auf Verbindung
12  306     fe80::2c5b:xxxx:xxxx:2f34/128                 Auf Verbindung
16  266     fe80::7063:xxxx:xxxx:ee64/128                 Auf Verbindung
1   306     ff00::/8                                      Auf Verbindung
12  306     ff00::/8                                      Auf Verbindung
16  266     ff00::/8                                      Auf Verbindung
===========================================================================
Ständige Routen:
Keine
However I am still not able to reach any IPv6 resource by either Ping or going to an IPv6 test website.
It seems that there is something else I need to configure ?
-
Satras,
The problem appears to be that you are using non-routable IPv6 addresses!
The IPv6 fd00::/8 block is defined in RFC 4193 (http://tools.ietf.org/html/rfc4193) as Unique Local Address and explicitly non-routable. Think of these as similar to 192.168.x.x addresses, which cannot be routed over the Internet.
You need to be using globally unique addresses. Did you not get an IPv6 subnet from your provider?
The minimum allocation recommended by IETF is /56, which is 256 /64 networks, which provides plenty of room.
For example if you received 2001:0db8:1234:5600/56 from your provider, that means that your first subnet is 2001:0db8:1234:5600/64, the second one is 2001:0db8:1234:5601/64, all the way through 2001:0db8:1234:56ff/64 and so if the first subnet is on the WAN side, you can use any of the other subnets on the LAN side.
–
Andrew
-
See top post for what I'm getting
IPv6 address fd97:xxxx:xxx:x::101a Subnet mask IPv6 112
-
Satras,
The problem is that the WAN interface is learning fd97:xxxx from the gateway, and fd00::/8 (fd00:: to fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) are non-routable. It can't get to the Internet. Perhaps the WAN device is not configured to give you a proper routable IPv6 subnet, you need to talk to the provider.
–
Andrew
-
Thanks, I understood that it's still possible, like it is right now, with NAT, right ?
But I don't know how to configure it correctly.
-
@Satras:
Thanks, I understood that it's still possible, like it is right now, with NAT, right ?
But I don't know how to configure it correctly.
Not right, just your internal home IPv6 network. A real native IPv6 is no-NAT-no-translation.
First get yourself an IPv6 address from your ISP. Something beginning with 2001: perhaps.
Then you will have a gateway to your outside world.
Why do you need IPv6 ?
-
Who needs IPv6 right now ? I just want to be prepared and start my first tests with it.
I won't get a 2001 or similar public Network for various reasons. So still the questions, how do I configure it to work now ?
-
@Satras:
Who needs IPv6 right now ? I just want to be prepared and start my first tests with it.
Well, the Teredo Tunneling Pseudo-Interface is hardly the future to prepare for…
You would like an IPv6 numberblocksize as your own premises "frontdoornumbers", just as you have (but only) one IPv4 number now.
P.S.
I see now you have an NATting ISP and doing you as 10.8.0.28. That is another future idea, based on trying to avoid going IPv6. There you have it...
-
If your ISP supports IPv6 but only provides an IP address and not a prefix to be used on your LAN, then there's no way you can use it to route IPv6 traffic unless you have other services running in your router to do IPv6-based NAT (a HIGHLY uncommon setup at this point since there are so many IPv6 addresses available).
The next best thing to not having native IPv6 from your ISP would be to acquire a tunnel address block from a provider like SIXXS or Hurricane Electric. The tunnel will still operate over IPv4, but will provide you with a /64 or greater quantity of IPv6 addresses to use on your own network. Any IPv6 traffic from your network will go through the tunnel.
As far as who needs IPv6 now… there are parts of the world where IPv4 addresses are no longer available, or providers have gone to carrier-grade NAT (basically doing on a large scale what we at home have been doing for years; using a single public IPv4 address to serve many users with private network addresses).
While you're out seeking info about IPv6, you might also want to check out Hurricane Electric's IPv6 primer. They have info and exercises that you do to learn about IPv6 and some quick basic info on how it works.
-
@Satras:
Who needs IPv6 right now ? I just want to be prepared and start my first tests with it.
I won't get a 2001 or similar public Network for various reasons. So still the questions, how do I configure it to work now ?
As I can see you're running a German Windows.
So what's your provider right now?
Several cable providers and Telekom can give you an IPv6 prefix to get your stuff running.
What the others tried to tell you: there are some options via tunneling, but right now what you have and what you have done is creating an "internal" network with FDxx addresses, also known as ULAs (unique LOCAL addresses).
These addresses were invented as a replacement for site local addresses and as a transition technique, and these addresses are designed not to be routable.
You need a tunnel broker which is able to encapsulate IPv6 through IPv4 or the mentioned ISP with IPv6 UGA prefix (unique GLOBAL addresses, similar to IPv4 public addresses).
I'm preparing a video tutorial series in English and German to explain all these basics and walk through the processes.
If you are interested, stay tuned and give me some feedback and inputs.
call for ideas is open. ;)
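Added example, not part of any post in this thread: a check of the points made in the replies above, namely that fd00::/8 (ULA) and link-local addresses are not Internet-routable sources even when a ::/0 route exists, and how a delegated /56 divides into /64 subnets for WAN and LAN. The ULA sample addresses are constructed placeholders; 2001:db8::/32 is the documentation prefix standing in for an ISP delegation.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")      # RFC 4193; fd00::/8 is the half in use
TEREDO = ipaddress.ip_network("2001::/32")  # tunnelled, must be tested before GLOBAL
GLOBAL = ipaddress.ip_network("2000::/3")   # global unicast

def classify(addr: str) -> str:
    """Label an IPv6 address; a zone id such as %ovpnc1 is ignored."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])
    for label, net in (("link-local", LINK_LOCAL), ("ula", ULA),
                       ("teredo", TEREDO), ("global", GLOBAL)):
        if ip in net:
            return label
    return "other"

def has_routable_source(addrs) -> bool:
    """A default route alone is not enough: a global source address is needed."""
    return any(classify(a) == "global" for a in addrs)

def split_delegation(prefix: str):
    """Split a delegated prefix into the first /64 (WAN) and the rest (LAN)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64, nothing to hand to the LAN")
    subnets = list(net.subnets(new_prefix=64))
    return subnets[0], subnets[1:]

# Constructed client state: link-local next hop plus a ULA address only.
CLIENT_ADDRS = ["fe80::7063:1:2:ee64", "fd12:3456:789a:1::5814"]
```

`has_routable_source(CLIENT_ADDRS)` is False, matching the failed pings reported in the thread, and `split_delegation` rejects a /112 like the one shown on the WAN interface in the first post.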