Ipv6 static /48

andi-ch

Thank you
I did make all configuration using the GUI.
Only use cli for commands like ping, netstat, etc.

But you're right, the routing etc. is also nice done via GUI.
Here the result after flushing

Destination Gateway Flags Use Mtu Netif Expire
default 2a00:xxxx:aaaa::1 UGS 27139 1500 em1
::1 link#5 UH 14 16384 lo0
2a00:xxxx:aaaa::/64 link#2 U 1297 1500 em1
2a00:xxxx:aaaa::2 link#2 UHS 0 16384 lo0
2a00:xxxx:aaaa:3::/64 link#1 U 54 1500 em0
2a00:xxxx:aaaa:3::1 link#1 UHS 0 16384 lo0

hda

And did it work ? Report with GUI results preferred. Not from CLI.

Got the /48 on WAN (use Advanced config (Send Options=ia-pd0, Prefix Delegation=checked)) ?
Made a static LAN (in GUI) and subnet choice, as 2a00:xxxx:aaaa:3::1 mask /64 ?
Set [Services: Router advertisements] (router only) ?
Got to a host on your LAN(-switch) and created a static IP there, say 2a00:xxxx:aaaa:3::11 (/128) ?

Or you made use of other methods like DHCP6-server, SLAAC (or Track Interface) ?

andi-ch

No still not working.

Made a static LAN (in GUI) and subnet choice, as 2a00:xxxx:aaaa:3::1 mask /64 ?
Yes,
Set [Services: Router advertisements] (router only) ?
Yes
Got to a host on your LAN(-switch) and created a static IP there, say 2a00:xxxx:aaaa:3::11 (/128) ?
Clients receiving ipv6 address. I can ping up to the pfsense wan address. 2a00:xxxx:aaaa::2

Got the /48 on WAN (use Advanced config (Send Options=ia-pd0, Prefix Delegation=checked)) ?
No, here I'm lost.
Is this not if you "track interface"? I have native - static IPV6.

Also to make sure, that my provider gave me really /48 net. Just for test, I changed my WAN to the last IP of my range: 2a00:xxxx:aaaa:ffff:ffff:ffff:ffff:fffd and selected /48 (just for test)
I was able to ping this IP from http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-ping.php
That confirmed me, that I have the whole range.

WAN is now changed back to 2a00:xxxx:aaaa::2 / 64

hda

Most likely method is an ISP issueing numbers with a DHCP6-server, collected by your use of a DHCP6-client (PD).
See [Interfaces: WAN] (IPv6 Configuration Type=DHCP6).

So how, by what method, does your ISP want you to connect with them … ?

andi-ch

Assuming they routed the 2A00:xxxx:aaaa/48 via interface / 48 net. 2A00:xxxx:aaa1

doktornotor

Instead of assuming, why don't just give them a call and ask? Because your assumptions clearly don't work.

hda

It will not work with assumptions. Good Luck… Contemplate reply#2 & reply#8 again.

andi-ch

With assuming I meant, they told me so, it means I have to trust them.

andi-ch

I'm used to cisco, simple routing.

R1#configure terminal
R1(config)#interface gigabitEthernet 0/0
R1(config-if)#ipv6 address 2001:db8:0:1::1/64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 1/0
R1(config-if)#ipv6 address fe80::1 link-local
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#exit
R1#

R2#configure terminal
R2(config)#interface gigabitEthernet 0/0
R2(config-if)#ipv6 address 2001:db8:0:2::1/64
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#int serial 1/0
R2(config-if)#ipv6 address fe80::2 link-local
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 1/1
R2(config-if)#ipv6 address fe80::2 link-local
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#exit

and so on

we are connected via fiber, so they have a cisco router, simple routed our /48 to "our" gateway interface.
So DHCP is not a option.

hda

Ofcourse it is an option ! Did you try/test it …?

andi-ch

Not yet, looking for an cisco router….
Let you know.

hda

Well, I meant to say do test WAN-DHCP6(PD) with pfSense on the fiber-line with native IPv6…

Anyway, I think you want for an "Upstream Gateway" number outside your /48 domain.

And how do you connect by IPv4 ?

Derelict

Your ISP is routing the /48 to something.  That something is how your WAN interface's IPv6 should be configured.

It might be DHCPv6, it might be static, it might be link-local.  Only they know.

It it's really a static /48 you'll be good to go once you get it sorted out.

jimp

Given the settings in the OP, it's static. The first /64 of the /48 is for WAN.

Looks like the only mistake made in the first post is that the prefix length on WAN should be /64 not /48. It's common for ISPs to use the first /64 of a routed block such as a /48 for the interconnect.

On the outside chance that the ISP actually made the /48 on WAN that's an error on their part, it should have the /48 routed to your 2a00:xxxx:aaaa:::2 with prefix set to /64.

Run a packet capture on WAN as you attempt to ping from a host on LAN, see what happens. If the ping leaves but doesn't come back at all, that's upstream routing. If the ping leaves and you see an NDP request on WAN for the LAN address, they fudged the prefix.

andi-ch

Yes /48 on the WAN was definitely wrong.

I had again contact with my ISP. They gave me now a transfernet /126 for my WAN. They routed the /48 to my WAN IP.
But still not working, I believe or better sure this is not a pfsense or my config error. I don't have confidence in my provider now.

I'm able to ping from LAN side, even from a host (computer) to they're router - my gateway.

Asked them now to send there "show running-config ipv6", which they won't give me….

caputre:
no NDP request found. No response seen to ICMPv6 request in frame 38.
That's all about I see.

Keep you posted.