[SOLVED] IPv6 'routing' issue (WAN <-> LAN)
-
@hda:
I will set the Draytek to pass-through mode later and see how it goes from there, i was hoping i could avoid that step… (the Draytek's firmware has various bugs, it was a pain to get IPv6 working, support was helpful though)
With Pass-through you have only to worry about the correct ISP-protocol. So get your full public IPv4 & IPv6 on the pfSense-WAN. [set pass-tru & standard settings on DTv130, so no VLAN or IPv6 stuff to do there]
If DT-firmware is the point, then complain to them for improvement.
Right now i'm still hoping to be able to tell the draytek to pass-through IPv6 only. I have 5 static IPv4 addresses which are
managed by the draytek (fritzbox and many other modem/routers only support one IPv4 on the WAN side), at first glance
i couldn't find an option in pfSense to handle several IPv4 addresses on WAN side. I need to try this later.
The firmware is working as it should but the diagnostic functions for IPv6 don't really work (ping6 on the draytek is
broken, PPPoE section in IPv6 overview shows 'errors' where there are none, etc.), the support
knows about this since August last year and the new version from November (which the support guys
'promised' to not have the bugs mentioned) is still faulty. So i had quite some trouble to get IPv6
working the 'traditional' way because i was trying to fix non-existent errors. So that's why i don't
really trust the Draytek firmware and suspected it to be the culprit of my actual problem. Let's just
hope the pass-through does work/is existent.
-
…
Right now i'm still hoping to be able to tell the draytek to pass-through IPv6 only.
...
There is no special pass-tru capability for IPv6 needed. One could even do well with a DTv120 which has no IPv6 capa. at all!
Pass-tru means no interference from DT(v130) with communication between pfSense and ISP-node.
-
I just looked through the WAN interface IPv6 settings on pfSense and the only possible alternative
to static is DHCP6. The Draytek modem/router is set to PPP on its WAN IPv6 side since the connection
type is PPPoE and this is the only way it works for the Draytek (my ISP told me the settings), DHCP6
doesn't work with my ISP. So what happens when i set the WAN IPv6 setting of the Draytek to 'offline'
and disable RA and DHCP6 on its LAN side? pfSense shouldn't get the addresses via DHCP6 as my
ISP doesn't use it on their side..
But i tried it, Draytek IPv6 offline, pfSense to DHCP6, i didn't remove the Draytek's link-local IPv6 yet and
with this setup pfSense shows a link-local IPv6 and the Draytek's link-local address as gateway, so
i removed every IPv6 entry from the Draytek's LAN side. After that pfSense only has a link-local address,
i tried several different settings (obtain IPv6 addresses via IPv4, prefix only, etc.) all to no avail.
There must be a way to route IPv6 from WAN to LAN on pfsense with a static setup…
-
Forgetting about your routed /48 for a minute, what happens if you put the modem in bridge mode, use PPPoE for IPv4 and SLAAC for IPv6?
-
Sideline IPv6 for a while. First IPv4.
AIUI, you connect DT130 to ISP as PPPoE, then have tested pass-tru/("bridge") for IPv4 and cannot get IPv4 on pfSense-WAN?
-
Oh no, IPv4 is working fine. I didn't set the Draytek to PPPoE pass-through yet, because like i said
that's not really an option because of my 4 additional static IPv4 addresses (they're more important
than IPv6) unless pfsense has the ability to do that.
Isn't there a way to route IPv6 traffic from WAN to LAN with static addresses, just like it works with
IPv4?
-
You want to look at Firewall > Virtual IPs to see about multiple IP addresses on your WAN interface. Chances are you can do what you need as long as the IPs are routed to you.
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
You'll probably need to post more specific information if you want more specific help.
I think you're out of luck with IPv6 until you get your modem into bridge mode.
-
Oh no, IPv4 is working fine. I didn't set the Draytek to PPPoE pass-through yet,….
One needs to do tests to inform oneself. :D
Then very likely the IPv6 will be supplied by using IPv4 PPPoE at pfSense-WAN,
-
You're both right, there really is no way i can pull this off without setting the Draytek to PPPoE pass-through. I accept my defeat.
I have it all set up now and IPv4 works fine, IPv6 not yet. As Derelict suggested, on the WAN side (pfsense) i've set IPv4 to PPPoE and SLAAC
for IPv6, the LAN side has static entries for both. I've put a screenshot of the interfaces page in the attachment as well as a shot of the LAN
configurations. I only get link-local IPv6 addresses on the WAN side, no ping6.
-
Link local addresses on interfaces are OK.
Looks like it's getting close to you:
traceroute6 to 2a01:170:110c:1::1 (2a01:170:110c:1::1) from 2001:470:…, 64 hops max, 12 byte packets
1 2001:470:... 0.444 ms 0.365 ms 0.311 ms
2 2001:470:... 20.509 ms 18.493 ms 27.693 ms
3 2001:470:... 26.365 ms 18.327 ms 25.308 ms
4 2001:470:0:10e::2 84.479 ms 89.593 ms 73.084 ms
5 2001:470:0:2cf::1 152.046 ms 138.959 ms 140.712 ms
6 2001:7f8:4::33b5:1 143.464 ms 147.377 ms 141.665 ms
7 2001:7f0:0:28::2 153.165 ms 153.688 ms 154.670 ms
8 2001:7f0:1:2::2 153.532 ms 157.187 ms 157.728 ms
9 2a01:170::1:2:7:0:2 159.198 ms 157.267 ms 155.856 ms
Put a rule on WAN passing IPv6 ICMP from any to 2a01:170:110c:1::1
You can't ping6 to the gateway address from the pfSense node itself?
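Added example, not part of the original posts: a small parser for the traceroute6 output quoted above that reports how far the trace got relative to its target. The function names are hypothetical; the hop lines and target address are copied from the thread, and the result shows the last answering hop sharing only 35 leading bits with the target (it matches 2a01:170 and diverges in the third group), so the trace ends before the target itself.

```python
import ipaddress
import re

# Hop lines copied from the thread; hops 1-3 are elided on the page and stay elided.
TRACE = """\
1 2001:470:... 0.444 ms 0.365 ms 0.311 ms
2 2001:470:... 20.509 ms 18.493 ms 27.693 ms
3 2001:470:... 26.365 ms 18.327 ms 25.308 ms
4 2001:470:0:10e::2 84.479 ms 89.593 ms 73.084 ms
5 2001:470:0:2cf::1 152.046 ms 138.959 ms 140.712 ms
6 2001:7f8:4::33b5:1 143.464 ms 147.377 ms 141.665 ms
7 2001:7f0:0:28::2 153.165 ms 153.688 ms 154.670 ms
8 2001:7f0:1:2::2 153.532 ms 157.187 ms 157.728 ms
9 2a01:170::1:2:7:0:2 159.198 ms 157.267 ms 155.856 ms
"""
TARGET = "2a01:170:110c:1::1"  # destination of the trace, from the thread


def parse_hops(text):
    """Return [(hop, IPv6Address | None)]; None = elided or unanswered hop."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if not m:
            continue  # header or blank line
        try:
            addr = ipaddress.IPv6Address(m.group(2))
        except ipaddress.AddressValueError:
            addr = None  # "2001:470:..." or "*"
        hops.append((int(m.group(1)), addr))
    return hops


def shared_bits(a, b):
    """Number of leading bits two IPv6 addresses have in common."""
    return 128 - (int(a) ^ int(b)).bit_length()


def summarize(text, target):
    """Describe the last answering hop relative to the traced target."""
    tgt = ipaddress.IPv6Address(target)
    answered = [(n, a) for n, a in parse_hops(text) if a is not None]
    if not answered:
        return None
    hop, last = answered[-1]
    return {"hop": hop, "shared_bits": shared_bits(last, tgt),
            "reached": last == tgt}
```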
-
You have set the LAN Static. That's OK. It needs Services: Router advertisements(Router Only) or including SLAAC RA needs (Unmanaged)
-
You want to look at Firewall > Virtual IPs to see about multiple IP addresses on your WAN interface. Chances are you can do what you need as long as the IPs are routed to you.
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
You'll probably need to post more specific information if you want more specific help.
I think you're out of luck with IPv6 until you get your modem into bridge mode.
Thank you, i had a quick look at it and it looks very promising. I will look further into it when/if IPv6
is working (in bridge mode)
-
Can we see your pfSense-WAN config screenshot?
-
Link local addresses on interfaces are OK.
Looks like it's getting close to you:
traceroute6 to 2a01:170:110c:1::1 (2a01:170:110c:1::1) from 2001:470:…, 64 hops max, 12 byte packets
1 2001:470:... 0.444 ms 0.365 ms 0.311 ms
2 2001:470:... 20.509 ms 18.493 ms 27.693 ms
3 2001:470:... 26.365 ms 18.327 ms 25.308 ms
4 2001:470:0:10e::2 84.479 ms 89.593 ms 73.084 ms
5 2001:470:0:2cf::1 152.046 ms 138.959 ms 140.712 ms
6 2001:7f8:4::33b5:1 143.464 ms 147.377 ms 141.665 ms
7 2001:7f0:0:28::2 153.165 ms 153.688 ms 154.670 ms
8 2001:7f0:1:2::2 153.532 ms 157.187 ms 157.728 ms
9 2a01:170::1:2:7:0:2 159.198 ms 157.267 ms 155.856 ms
Put a rule on WAN passing IPv6 ICMP from any to 2a01:170:110c:1::1
You can't ping6 to the gateway address from the pfSense node itself?
The firewall is completely open, i can't ping6 the gateway or any external addresses from pfSense…
@hda:
You have set the LAN Static. That's OK. It needs Services: Router advertisements(Router Only) or including SLAAC RA needs (Unmanaged)
I tried both settings, no change. It is set to Router Only at the moment, see attachment (i've added the DNS entries manually, ISP doesn't provide
any for IPv4/6).
@hda:
Can we see your pfSense-WAN config screenshot?
Sure, a screenshot is in the attachment.
–-----------------
I've also attached a screenshot of the interface assignment page and the first network card (em0, which is connected to the Draytek)
is shown as unassigned. Just because i'm curious, is that normal? Looks odd.
-
For sure: Set block bogon network to False = uncheck
Your iface DT to WAN is OK & transparent, because you have your IPv4, right ?
Therefore IPv6 must be possible too. Just find out how(protocol pfSense-WAN) to get it from ISP.
I would test to use config: dhcp6 & use IPv4 connectivity & prefix & delegation size =/48, if SLAAC doesn't yield.
Just experiment with the combinations. ;)
DNS servers go in: System: General Setup
-
@hda:
For sure: Set block bogon network to False = uncheck
DNS servers go in: System: General Setup
Ok i've disabled the bogon block, but i still can't ping6 from the pfsense node, ping6 from the LAN
side the gateway or external addresses time out and ping6 from WAN to the gateway doesn't work at all.
(Not even from the link-local address)
@hda:
Your iface to WAN is OK & transparent. Because you have your IPv4, right ?
Therefore IPv6 must be possible too. Just find out how(protocol pfSense-WAN) to get it from ISP.
Yes, IPv4 is working fine. On the draytek IPv6 must be set to PPP, i don't know in which way the
whole process differs to SLAAC if it does at all. But the link-local addresses look ok, it 'should' work.
Maybe after all the fiddling around with settings over the last 2 days i need a clean default setup
to start from the beginning (also the draytek box) and then it will all magically work out…
-
If you changed the configs/interfaces/"fiddling", then a reboot of the pfSense will do.
You do not have to worry about the DT anymore, it is not relevant w.r.t. pfSense IPv6 config.
The pass-through/bridging works, just as with IPv4, it works for IPv6 too.
You have to experiment with IPv6 pfSense-WAN configs, (including rebooting pfSense), to find out how the ISP wants to communicate for IPv6.
Even the MTU value matters for IPv6. (I work with 1492 on WAN & LAN).
-
I had very little time over the last 2 days but today i finally got it right, IPv6 is working.
The trick was to set the WAN interface config to 'None' for IPv6, i saw that after a reset to
default and no IPv6 configuration at all the WAN side got its SLAAC address and
the correct ISP gateway address. After setting a static IPv6 on the LAN interface ping6
finally could reach external IPv6 addresses.
Thank you for all your help and time on this!
-
Good for you :)
…
The trick was to set the WAN interface config to 'None' for IPv6, i saw that after a reset to
default and no IPv6 configuration at all the WAN side got its SLAAC address
...
Did you set pfSense-WAN to None for IPv6 and got a SLAAC working ???
-
@hda:
Good for you :)
…
The trick was to set the WAN interface config to 'None' for IPv6, i saw that after a reset to
default and no IPv6 configuration at all the WAN side got its SLAAC address
...
Did you set pfSense-WAN to None for IPv6 and got a SLAAC working ???
EDIT: I didn't mean SLAAC address but link local address. SLAAC was disabled.
Yes, when i set up the Draytek box last year my ISP explained their process
to me and it worked with the setting 'PPP' which is basically the same as
pfsense's 'None'.
So the ISP is only giving out the IPv6 gateway address,
no prefix and this happens through the PPPoE connection.
Took me a week of back and forth with Draytek support and a few calls
to ISP when eventually i got an email from my ISP's admin that he downloaded
the manual of my Draytek box and he told me to set it to 'PPP' which tells it to
get the gateway address via PPPoE and to set a static IPv6 on the LAN side.
That worked. But i didn't expect this to work exactly the same way with pfsense
as well…