IPv6 only on LAN
-
@pmisch:
Do you have the access point running as a bridge or is it acting as a router? I strongly suggest to use it as a bridge instead of a router.
Yes, but I cannot see how to switch the wdr3600 to "bridge" mode, I can only just set it up as an AP and don't use the WAN. I think this is not the same, do you think that can bring me some problems?
When I understand you correctly you have your access point already in bridged mode, which is fine. You can check if the router's LAN IP is in the same subnet as your clients are and your client's default gateway is the pfSense box and not the AP's IP.
Check which provider offers the better v6 support.
Start IPv6 only with that one provider. I suggest not to try IPv6 on both WAN interfaces at the same time.Just go ahead and enable IPv6 for one WAN interface of your pfsense router and then also enable Router Advertisement for your LAN. That should generally be it.
Some IPv6 configuration parameters look a bit overwhelming at first but don't stop to try. Also: read a lot about IPv6. -
"I myself utilize a provider that hands me a static /48 prefix which is excellent."
Yeah that would be fantastic if you could get ISPs in the US to do that.. But this is not the case.. Here in the use your lucky to get a /60 and it quite often changes when the wind blows… So its like impossible to keep the same network address space.. I really don't get why they won't just give you a /60, /56 or /48 if you want and always hand you the same one.
Does your isp allow you to set the PTR records for this address space - HE does when you get a tunnel from them.
But just because your isp provides you good ipv6, why would you tell him to avoid tunnel if his isp doesn't provide him any ipv6 at all or its crappy. There are some that will only give you 1 /64, etc.
As to using any wifi router as just AP.. Yeah any wifi router can do that - just use lan, turn off its dhcp server - give its lan an IP on your network = AP..
-
@pmisch:
@pmisch:
Do you have the access point running as a bridge or is it acting as a router? I strongly suggest to use it as a bridge instead of a router.
Yes, but I cannot see how to switch the wdr3600 to "bridge" mode, I can only just set it up as an AP and don't use the WAN. I think this is not the same, do you think that can bring me some problems?
When I understand you correctly you have your access point already in bridged mode, which is fine. You can check if the router's LAN IP is in the same subnet as your clients are and your client's default gateway is the pfSense box and not the AP's IP.
Yes, I though it was right and verified that I have everything as the docs says about using a router with pfSense, so I'm right with that.
But I have one question, do I have to "setup something" for IPv6 on my router or everything must be done on the pfSense box it's "transparent" for the router?
@pmisch:
Check which provider offers the better v6 support.
Start IPv6 only with that one provider. I suggest not to try IPv6 on both WAN interfaces at the same time.Just go ahead and enable IPv6 for one WAN interface of your pfsense router and then also enable Router Advertisement for your LAN. That should generally be it.
Some IPv6 configuration parameters look a bit overwhelming at first but don't stop to try. Also: read a lot about IPv6.ok, will try that and will let you know. None of my both ISPs provide native IPv6 support, so besides asking them, I will try a HE tunnel.
Thanks everybody!
-
More specifically you follow this wiki entry to turn your wireless router into a bridged access point:
Actually, the DHCP server doesn't have to be turned off. There's nothing wrong with having multiple DHCP servers on a network and is often done on larger networks. You just have to ensure that duplicate addresses are not issued, but that can be done by simply having the servers hand out different portions of the address block. Also, these days, gratuitous ARP requests are often used to ensure duplicates don't occur.
-
Does your isp allow you to set the PTR records for this address space - HE does when you get a tunnel from them.
That's the only thing I'm not happy about. My provider has generated PTR for the whole prefix but I cannot request to set a specific PTR. For most purposes those generic PTR records suffice. You are right. The HE features are great. I used to run such a tunnel for over a year until I got my native connection.
But just because your isp provides you good ipv6, why would you tell him to avoid tunnel if his isp doesn't provide him any ipv6 at all or its crappy. There are some that will only give you 1 /64, etc.
All I was saying is that native IPv6 is generally a better idea than a tunnel. I don't presume that native IPv6 ALWAYS is better. This seems to be one of those exceptions.
It's really sad that your provider just fuxxxs IPv6 up :-( I would write a letter to customer satisfaction.
Anyhow I think even a dynamic IPv6 prefix is something you can work with. If I had to deal with a dynamic prefix I would update the changing IPs into valid DNS names. That can be done with pfSense by using DDNS. That way pfSense automatically updates the A record for a host if the IP changes.
I'm referring to: Services - DHCPv6 Server & RA - DHCPv6 Server - Dynamic DNS -
But I have one question, do I have to "setup something" for IPv6 on my router or everything must be done on the pfSense box it's "transparent" for the router?
Just to be clear. It's no router when you run it as a bridge.
Yes, it's transparent. You don't have to setup anything on the Access Point. The only thing you might want to do is to configure an IPv6 address for the AP so you can access it through its IPv6 address. There are several different methods like static configuration, stateful or stateless.
-> https://tools.ietf.org/html/rfc3736
-> https://tools.ietf.org/html/rfc3315
-> https://tools.ietf.org/html/rfc4862 -
But I have one question, do I have to "setup something" for IPv6 on my router or everything must be done on the pfSense box it's "transparent" for the router?
Just to be clear. It's no router when you run it as a bridge.
Yes, it's transparent. You don't have to setup anything on the Access Point. The only thing you might want to do is to configure an IPv6 address for the AP so you can access it through its IPv6 address. There are several different methods like static configuration, stateful or stateless.
-> https://tools.ietf.org/html/rfc3736
-> https://tools.ietf.org/html/rfc3315
-> https://tools.ietf.org/html/rfc4862 -
Actually, the DHCP server doesn't have to be turned off. There's nothing wrong with having multiple DHCP servers on a network and is often done on larger networks.
Yeah that is bad idea!! Most soho wifi routers dhcp server is very limited, many of them will not even allow you point to a different gateway other than its own IP. I would suggest TURN it off - you have zero use for it since pfsense would be your dhcp server.
-
ok, it's working!. I have sucessfully connected a HE tunnel and it's working, as I can ping from the pfSense box to ipv6 sites and it works (with horrible lantency, but it works).
But it seems I have not been able to make DHCP work as it should, because the DHCPv6 leases does not appear except for and iPad I have on my network, but when checking on the iPad it only seems to receive the ipv6 dns servers and no ipv6 address, and the test-ipv6.com check does not show any ipv6 address…
I can post the screenshots of my configuration if anyone can help me.
-
First, you need RADVD enabled and working (In Unmanged or Assisted mode). Leave DHCPv6 alone for now, it's badly broken on Windows, not implemented on Android, and used in whacky ways on Bitten Fruit Co. products.
-
First, you need RADVD enabled and working (In Unmanged or Assisted mode). Leave DHCPv6 alone for now, it's badly broken on Windows, not implemented on Android, and used in whacky ways on Bitten Fruit Co. products.
the services status shows radvd working, but I'm not sure if its well configured… I have tried in Managed and Assited mode and seems to make no difference.
-
the services status shows radvd working, but I'm not sure if its well configured… I have tried in Managed and Assited mode and seems to make no difference.
Automagical options for you for RA are: "Unmanaged" (SLAAC method)
Even with RA="Router Only", you can always manually give a host on a LAN an IPv6subnet/64-number yourself.
Config your LAN static as you like.
The /48-part is HE, the next Word-part is your-subnet, then the last 64-bits are up to you, like say ::abe 8) -
@hda:
the services status shows radvd working, but I'm not sure if its well configured… I have tried in Managed and Assited mode and seems to make no difference.
Automagical options for you for RA are: "Unmanaged" (SLAAC method)
Even with RA="Router Only", you can always manually give a host on a LAN an IPv6subnet/64-number yourself.
Config your LAN static as you like.
The /48-part is HE, the next Word-part is your-subnet, then the last 64-bits are up to you, like say ::abe 8)You mean that I'd better swich to "Unmanaged" and set up every device/computer IP manually?.
I have more that 20 devices/computers, I would like to leave that work to the DHCPv6 server. -
I have started a new thread because of my DHCP problems on https://forum.pfsense.org/index.php?topic=126054.0 because I think the subject has changed from the original one. Please follow it there.
Thanks.
Pablo -
You mean that I'd better swich to "Unmanaged" and set up every device/computer IP manually?.
There is no need to set up any addresses manually with RA set to "Unmanaged".
-
You mean that I'd better swich to "Unmanaged" and set up every device/computer IP manually?.
There is no need to set up any addresses manually with RA set to "Unmanaged".
Ah, ok, I see. And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?
Because I have changed to Assisted (I understand that it somehow "includes" the "Unmannaged" behaviour, right?) and I think al least some devices are getting ipv6 addresses but they are not on the range I configured on DHCPv6 page (but they do are on my LAN) and also I think I'm not getting the defauylt ipv6 gateway on this clients as for example I can ping inside the LAN, but not outside. -
And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?
SLAAC has nothing to do with DHCPv6. It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number. If DHCPv6 is used, it's generally for providing things like server addresses. However, it's not needed for DNS servers, as that can be provided by RDNSS.
-
And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?
SLAAC has nothing to do with DHCPv6. It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number. If DHCPv6 is used, it's generally for providing things like server addresses. However, it's not needed for DNS servers, as that can be provided by RDNSS.
ok, and is there a way to check what IP addresses have been asigned by SLAAC? (like the way I can see the DHCP Leases)
-
And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?
SLAAC has nothing to do with DHCPv6. It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number. If DHCPv6 is used, it's generally for providing things like server addresses. However, it's not needed for DNS servers, as that can be provided by RDNSS.
ok, and is there a way to check what IP addresses have been asigned by SLAAC? (like the way I can see the DHCP Leases)
No such way. The RA daemon that advertises the route and the prefix does absolutely nothing else but those functions, selection of the address from the advertised prefix happens completely on the client (of course assisted with duplicate address detection but even that does not involve the RA daemon).
-
@kpa:
And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?
SLAAC has nothing to do with DHCPv6. It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number. If DHCPv6 is used, it's generally for providing things like server addresses. However, it's not needed for DNS servers, as that can be provided by RDNSS.
ok, and is there a way to check what IP addresses have been asigned by SLAAC? (like the way I can see the DHCP Leases)
No such way. The RA daemon that advertises the route and the prefix does absolutely nothing else but those functions, selection of the address from the advertised prefix happens completely on the client (of course assisted with duplicate address detection but even that does not involve the RA daemon).
ok, thanks for your help, I'm learning a lot!!!! :)
Just one more… I cannot make my clients to ping a host on internet, the names resolve ok to the IPv6 addresses, but somehow I guess I do not have a gateway configured properly or something is "closed" at the pfSense box that blocks traffic.
