Netgate Discussion Forum

    Fritzbox and Pfsense

      Maarten90

      I have a /48 subnet (2001:xxx:xxxx::/48) via my ISP (native and static). When directly connected to my Fritzbox 7340, IPv6 works fine. But when I put my pfSense box (2.1.5) between my PC and the FB, I can only use IPv6 from the pfSense box.

      • The WAN on pfSense (2001:xxx:xxx:1:xxx:xxx:xxx:489b) uses DHCPv6 to get the IP address
      • On the LAN side I defined a static IPv6 address (2001:xxx:xxx:f:xxx:xxx:xxx:254 /64)
      • Allowed IPv6 traffic on pfSense (the checkbox)
      • Activated Router Advertisement (Unmanaged)
      • The default IPv6 allow rule is active
      • IPv6 DNS works also on clients
      • IPv4 is fine

      Sometimes when I ping a host (using hostname or IP) on the WAN side using IPv6 on a client, I get one response, the rest time out.

      Do you guys have any idea how to fix this, so that I'll have internet access on my clients?

        hda

        Sure, solutions can be found on this forum. Browse my contributions if you like  :)

          Maarten90

          Wow, I just saw a post of yours suggesting to use a prefix hint <64, and using track interface. It works! Thank you!

            hda

            @Maarten90:

            … suggesting to use a prefix hint <64...

            Well, you are in a cascading setup. pfSense asks for a /64 and receives a unique other subnet value from the FB.
            The FB has the authority over the /48 from your ISP. pfSense will do RA for /64 to its clients.
            Evidence: my FB-LAN has subnet value :1: and my pfSense-LAN-ONE has :ff:

              Maarten90

              @hda:

              @Maarten90:

              … suggesting to use a prefix hint <64...

              Well, you are in a cascading setup. pfSense asks for a /64 and receives a unique other subnet value from the FB.
              The FB has the authority over the /48 from your ISP. pfSense will do RA for /64 to its clients.
              Evidence: my FB-LAN has subnet value :1: and my pfSense-LAN-ONE has :ff:

              Thanks for the clarification. One strange thing though, test-ipv6.com is telling me that there's a problem with big packets, which may cause websites not to load. And that's exactly what I am experiencing currently. Searched the forum here, and some say that setting an MTU of 1492 fixes this (tried on both the LAN and WAN interface (not simultaneously)), but that doesn't work for me. Someone else suggests setting MSS clamping to 1220, but that also breaks my IPv6 connection. The last thing I found on the forum was someone that said that changing the default allow any rule for IPv6 from 'LAN Net' to 'Any' worked for him. However, that also doesn't work. Do you have any idea what's going wrong here? I am able to surf the web but sites just don't load completely.

                hda

                @Maarten90:

                … some say that setting a MTU of 1492 fixes this...

                Salvation of (jumbo) MTU issues for IPv6 is actually beyond the control of the end-user; RFC4638 must come into effect first at all locations. The other problem is that many global server-admins block IPv6 ICMP signals. So the test is useless or excluded.

                The best you can do, I think, is maybe set the value to 1492 at the first host, which is your FB. [see FB>Internet>Account Info>IPv6>Additional Settings>] So then the FB announces the right thing to pfSense (and you leave that box at the default 1500)

                (So far I experience no webpage problems, my ISP FB-config ships max MTU 1492 as a temp. solution)

                N.B. some config changes require a reboot in download sequence of the 2 cascading boxes, and then a DHCP6(PD) ISP refresh-cycle (up to 1 or 2 hrs). So look & wait until your pfSense-LAN IPv6 number is back and up…

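The cascading layout discussed in the thread, as an added example that is not part of the original posts: a check of a downstream router's LAN address against what the upstream router delegated. The function name is hypothetical, the documentation prefix 2001:db8:1234::/48 stands in for the masked ISP prefix, and the code assumes the upstream router only has a return route for prefixes it handed out via DHCPv6-PD.

```python
import ipaddress


def check_lan_prefix(isp_prefix, upstream_lan, delegated, lan_address):
    """Return a list of problems with a downstream router's LAN address.

    isp_prefix   -- prefix the upstream router holds (the /48 in the thread)
    upstream_lan -- /64 the upstream router uses on its own LAN
    delegated    -- prefixes the upstream router handed out via DHCPv6-PD
    lan_address  -- address/prefixlen configured on the downstream LAN
    """
    isp = ipaddress.ip_network(isp_prefix)
    up_lan = ipaddress.ip_network(upstream_lan)
    pd = [ipaddress.ip_network(p) for p in delegated]
    lan = ipaddress.ip_interface(lan_address).network

    problems = []
    if lan.prefixlen != 64:
        problems.append("LAN prefix is not a /64, SLAAC (Unmanaged RA) needs one")
    if not lan.subnet_of(isp):
        problems.append("LAN prefix is outside the ISP prefix")
    if lan.overlaps(up_lan):
        problems.append("LAN prefix overlaps the upstream router's own LAN")
    # Assumption: the upstream router only routes what it delegated.
    if not any(lan.subnet_of(p) for p in pd):
        problems.append("LAN prefix not delegated, upstream has no route back")
    return problems


# Constructed values mirroring the thread: upstream LAN uses subnet :1:,
# the downstream router was delegated subnet :ff:.
ISP = "2001:db8:1234::/48"
FB_LAN = "2001:db8:1234:1::/64"
DELEGATED = ["2001:db8:1234:ff::/64"]

if __name__ == "__main__":
    # Hand-picked static subnet :f: (the first post's setup) vs. tracked :ff:.
    for addr in ("2001:db8:1234:f::254/64", "2001:db8:1234:ff::1/64"):
        print(addr, check_lan_prefix(ISP, FB_LAN, DELEGATED, addr) or "ok")
```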
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.