Netgate Discussion Forum
    IPv6 LAN to WAN Difficulties

    32 Posts 13 Posters 17.4k Views
    hda:

        @Jackhold:
            I was thinking that it wouldn't work if you had the same subnets on both sides of pfSense …

        Right. So first your ISP should supply native IPv6, at least a /63 prefix or a lower size value.
        I think a /64 prefix won't work for creating a LAN.
    Jackhold:

        I got a /64 network all to myself; the last 64 bits of an IPv6 address are for interfaces, so the way it should work is that pfSense just works as a firewall and doesn't route.. the IPv6 world is a NAT-free world :)
    hda:

        @Jackhold:
            I got a /64 network all to myself; the last 64 bits of an IPv6 address are for interfaces, so the way it should work is that pfSense just works as a firewall and doesn't route.. the IPv6 world is a NAT-free world :)

        Well, WAN - LAN on pfSense needs routing. The WAN subnet value is not equal to the LAN subnet value.
    Jackhold:

        @hda:
            Well, WAN - LAN on pfSense needs routing. The WAN subnet value is not the LAN subnet value.

        The "routing", is that not what the track interface is for??
    hda:

        @Jackhold:
            The "routing", is that not what the track interface is for??

        I think Track Interface is for the case of a renewal of the WAN.

        Now, suppose you want more than one LAN routed & firewalled; what do you think is needed in such a case?
    Jackhold:

        @hda:
            I think tracking is for the case of a renewal of the WAN.

            Now, suppose you want more than one LAN routed & firewalled; what do you think is needed in such a case?

        I am not sure… the way I understand IPv6 is that every device gets an IPv6 address, and the way you limit the access from the WAN to your LAN and the other way is by firewall.

        But if you have a case where you have 1 WAN and 2 LAN interfaces (LAN1 and LAN2) and you want to control what addresses go to LAN1 and LAN2, that would be done by some sort of static route, but I am not sure I..
    hda:

        @Jackhold:
            I am not sure…

            But if you have a case where you have 1 WAN and 2 LAN interfaces (LAN1 and LAN2) and you want to control what addresses go to LAN1 and LAN2, that would be done by some sort of static route, but I am not sure I..

        I recommend studying the IPv6 RFCs for how IPv6 is supposed to work, before activating pfSense IPv6 in parallel to IPv4.
        You want to be secure in controlling IPv6 streams by understanding what is going on, don't you?

        See also http://www.tcpipguide.com/free/t_IPv6GlobalUnicastAddressFormat-2.htm for the subnet value. You are a site administrator :)

        Reference to my thread reply #18.
    Jackhold:

        @hda:
            I recommend studying the IPv6 RFCs for how IPv6 is supposed to work, before activating pfSense IPv6 in parallel to IPv4.
            You want to be secure in controlling IPv6 streams by understanding what is going on, don't you?

            See also http://www.tcpipguide.com/free/t_IPv6GlobalUnicastAddressFormat-2.htm for the subnet value. You are a site administrator :)

            Reference to my thread reply #18.

        That one is on me; I gave you the wrong addresses I got from my ISP. It is more like 2001:878:989::xxx/64. My ISP is only giving me the interface addresses to play with; the prefix and subnet are chosen for me, so what I get from my ISP is only one subnet. It might not be possible to do what I want to do… as you say, having the same subnet on the WAN as on the LAN side should be a problem.. but I was hoping there was a way.
    hda:

        @Jackhold:
            .. but I was hoping there was a way

        There is. :) Demand at least a /63 prefix (or smaller, like /62 or /60).

        That way pfSense-WAN can occupy subnet 'xxx0' and enable your pfSense-LAN to take subnet 'xxx1'. Then your LAN has address prefix 2001:878:989:xxx1::/64, so a host on that LAN can make a public (no NAT) /128 number by adding its 64-bit ID to that LAN prefix.
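The subnetting arithmetic behind hda's two points (a bare /64 leaves nothing for a separate LAN; a /63 or shorter splits into a WAN /64 'xxx0' and LAN /64 'xxx1', from which a host builds its public /128) as an added example. This is not code from the thread or from pfSense. It assumes the 2001:db8::/32 documentation range in place of the poster's real ISP prefix, and a made-up MAC address for the host.

```python
"""Added example, not from the forum thread or from pfSense: cut a delegated
IPv6 prefix into /64 networks, set one aside for the WAN side ('xxx0' in the
thread), treat the rest as LANs ('xxx1', ...), and form a host's public /128
by appending a 64-bit interface identifier to its LAN /64.

Assumptions: prefixes use the 2001:db8::/32 documentation range, not the
poster's real ISP prefix, and the MAC address is constructed for the demo.
"""
import ipaddress

LAN_PREFIX_LEN = 64  # IPv6 convention: one /64 per link, low 64 bits identify the host


def usable_lans(delegated: str) -> list[ipaddress.IPv6Network]:
    """Split a delegated prefix into /64s and return those left for LANs after
    the first /64 is set aside for the WAN side.

    A bare /64 splits into exactly one /64, so nothing remains for a routed LAN:
    that is why a /64 alone cannot give WAN and LAN different subnets.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > LAN_PREFIX_LEN:
        raise ValueError(f"{delegated} is longer than a /64; no host subnet fits")
    subnets = list(net.subnets(new_prefix=LAN_PREFIX_LEN))
    return subnets[1:]  # subnets[0] plays the role of the thread's 'xxx0'


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A): insert ff:fe
    between the two halves of the MAC and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a 48-bit MAC address is required")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # universal/local bit inverted per RFC 4291
    return int.from_bytes(eui, "big")


def host_address(lan: ipaddress.IPv6Network, interface_id: int) -> ipaddress.IPv6Address:
    """Combine a /64 LAN prefix with a 64-bit interface ID into a /128 host address."""
    if lan.prefixlen != LAN_PREFIX_LEN:
        raise ValueError("interface identifiers are 64 bits, so the LAN must be a /64")
    if interface_id >> 64:
        raise ValueError("interface identifier does not fit in 64 bits")
    return ipaddress.IPv6Address(int(lan.network_address) | interface_id)


if __name__ == "__main__":
    for delegated in ("2001:db8:989:ff0::/64", "2001:db8:989:ff0::/63", "2001:db8:989:ff0::/60"):
        print(f"{delegated}: {len(usable_lans(delegated))} LAN /64(s) available")
    lan = usable_lans("2001:db8:989:ff0::/63")[0]   # 2001:db8:989:ff1::/64, the 'xxx1' subnet
    iid = eui64_interface_id("00:11:22:33:44:55")    # constructed MAC
    print(f"host on {lan}: {host_address(lan, iid)}")
```

The /64 input returns an empty list, the /63 returns exactly one LAN and the /60 returns fifteen, which is the difference between "one subnet chosen for me" and a prefix that can be routed. EUI-64 is used here because it is the simplest way to show the 64-bit ID the post mentions; it embeds the MAC in the public address, so current hosts usually generate RFC 7217 stable or RFC 4941 temporary identifiers instead, and the prefix arithmetic is unchanged.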
    Jackhold:

        @hda:
            There is. :) Demand at least a /63 prefix (or smaller, like /62 or /60).

            That way pfSense-WAN can occupy subnet 'xxx0' and enable your pfSense-LAN to take subnet 'xxx1'. Then your LAN has address prefix 2001:878:989:xxx1::/64, so a host on that LAN can make a public (no NAT) /128 number by adding its 64-bit ID to that LAN prefix.

        I tried that and it just doesn't do what it should… I can ping Google from the WAN and localhost on pfSense, but anything on the other side of pfSense just doesn't work.... Whatever is wrong is beyond me.
    hda:

        @Jackhold:
            I tried that and it just doesn't do what it should… I can ping Google from the WAN and localhost on pfSense, but anything on the other side of pfSense just doesn't work.... Whatever is wrong is beyond me.

        "Demand prefix /63": I mean your specification towards your ISP.
        Then your ISP should supply at least a /63 to you/pfSense when you do WAN DHCP6(PD) to them.

        And your pfSense box is the direct outbound to your ISP, right? (Not behind a modem/router, OK?)
    Jackhold:

        @hda:
            "Demand prefix /63": I mean your specification towards your ISP.
            Then your ISP should supply at least a /63 to you/pfSense when you do WAN DHCP6(PD) to them.

            And your pfSense box is the direct outbound to your ISP, right? (Not behind a modem/router, OK?)

        Tried that and it doesn't work. I set up the WAN interface as DHCP6 and the DHCPv6 Prefix Delegation size as 62 and 63, the LAN interface set to Track Interface and all that crap, but still no IPs are given to my equipment on the LAN side.
        But if I set up a static IP on the LAN and DHCPv6 router advertisements to Unmanaged, I get IPs that look right, but still I can't ping Google….
        And if you think it could be the firewall, it's not that; I set an any/any rule, so that should not be the problem.
    CiscoKid85:

        I too just had this issue. Had to allow IPv6 ICMP responses in to the local LAN in order to pass ipv6-test.com. Does anyone have any additional information on this? It seems like allowing this outright might have some security implications?

        Thanks!
    Derelict (LAYER 8, Netgate):

        IPv6 needs ICMP to function properly.

        Here's one: http://blogs.cisco.com/security/icmp-and-security-in-ipv6

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
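The middle ground between CiscoKid85's worry (passing ICMPv6 outright) and Derelict's point (IPv6 does not work without it) is the selective filtering that RFC 4890 recommends. The following is an added example, not from the thread, from pfSense or from the linked Cisco article: a per-packet ICMPv6 policy evaluator that allows the message types IPv6 depends on (error messages for path MTU discovery, echo, and neighbor discovery with its hop-limit-255 rule) and drops the rest. Type numbers are from RFC 4443 and RFC 4861; the sample packets at the bottom are constructed in the 2001:db8::/32 documentation range.

```python
"""Added example, not from the thread or from pfSense: evaluate ICMPv6 packets
against an RFC 4890 style allowlist instead of blocking all ICMPv6 (breaks path
MTU discovery and neighbor discovery) or passing it any/any.

Type numbers come from RFC 4443 (error/echo) and RFC 4861 (neighbor discovery);
the packet records in SAMPLE_PACKETS are constructed for this example.
"""
from dataclasses import dataclass
import ipaddress

# RFC 4890 section 4.3.1: messages that must not be dropped in transit.
# (Per-code detail such as "time exceeded, code 0 only" is not modelled.)
ALLOW_TRANSIT = {
    1: "destination unreachable",
    2: "packet too big",          # required for path MTU discovery
    3: "time exceeded",
    4: "parameter problem",
    128: "echo request",
    129: "echo reply",
}

# RFC 4861 Neighbor Discovery: link scope only. A receiver must discard these
# unless the IPv6 hop limit is exactly 255, which shows no router forwarded them.
NDP_TYPES = {
    133: "router solicitation",
    134: "router advertisement",
    135: "neighbor solicitation",
    136: "neighbor advertisement",
    137: "redirect",
}
# RFC 4861 requires a link-local source address for these two in particular.
LINK_LOCAL_SOURCE_REQUIRED = {134, 137}


@dataclass(frozen=True)
class Icmp6Packet:
    src: str
    dst: str
    icmp_type: int
    hop_limit: int


def decide(pkt: Icmp6Packet) -> tuple[str, str]:
    """Return ("allow" or "drop", reason) for one ICMPv6 packet."""
    src = ipaddress.IPv6Address(pkt.src)
    if pkt.icmp_type in NDP_TYPES:
        name = NDP_TYPES[pkt.icmp_type]
        if pkt.hop_limit != 255:
            # Either forwarded from off-link or crafted; RFC 4861 says discard.
            return ("drop", f"{name} with hop limit {pkt.hop_limit}, expected 255")
        if pkt.icmp_type in LINK_LOCAL_SOURCE_REQUIRED and not src.is_link_local:
            return ("drop", f"{name} from non-link-local source {pkt.src}")
        return ("allow", name)
    if pkt.icmp_type in ALLOW_TRANSIT:
        return ("allow", ALLOW_TRANSIT[pkt.icmp_type])
    return ("drop", f"ICMPv6 type {pkt.icmp_type} is not on the allowlist")


def evaluate(packets: list[Icmp6Packet]) -> dict[str, int]:
    """Apply decide() to a batch, print each verdict, and return the counts."""
    counts = {"allow": 0, "drop": 0}
    for pkt in packets:
        verdict, reason = decide(pkt)
        counts[verdict] += 1
        print(f"{verdict:5}  type {pkt.icmp_type:3}  {pkt.src} -> {pkt.dst}  ({reason})")
    return counts


# Constructed sample traffic as seen on a LAN interface.
SAMPLE_PACKETS = [
    Icmp6Packet("2001:db8:ffff::1", "2001:db8:1::10", 2, 57),    # packet too big from a transit router
    Icmp6Packet("2001:db8:ffff::1", "2001:db8:1::10", 129, 57),  # echo reply to a LAN host's ping
    Icmp6Packet("fe80::1", "ff02::1", 134, 255),                 # router advertisement from the gateway
    Icmp6Packet("2001:db8:1::1", "ff02::1", 134, 255),           # RA with a global source: not valid
    Icmp6Packet("fe80::1", "ff02::1", 134, 64),                  # RA whose hop limit shows it was routed
    Icmp6Packet("::", "ff02::1:ff00:10", 135, 255),              # duplicate address detection NS
    Icmp6Packet("2001:db8:ffff::1", "2001:db8:1::10", 139, 57),  # node information query: not needed
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_PACKETS))
```

Running the sample batch allows four packets and drops three. The two dropped router advertisements show why the hop-limit and source checks matter: neighbor discovery is the part of ICMPv6 that configures hosts, so it is the part worth validating rather than simply permitting, while the error and echo messages are the ones that make a LAN pass a site such as ipv6-test.com.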
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.