Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPv6 only on LAN

    Scheduled Pinned Locked Moved IPv6
    32 Posts 8 Posters 8.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • junicastJ
      junicast
      last edited by

      @pablot:

      @pmisch:

      Do you have the access point running as a bridge or is it acting as a router? I strongly suggest to use it as a bridge instead of a router.

      Yes, but I cannot see how to switch the wdr3600 to "bridge" mode, I can only just set it up as an AP and don't use the WAN. I think this is not the same, do you think that can bring me some problems?

      When I understand you correctly you have your access point already in bridged mode, which is fine. You can check if the router's LAN IP is in the same subnet as your clients are and your client's default gateway is the pfSense box and not the AP's IP.

      Check which provider offers the better v6 support.
      Start IPv6 only with that one provider. I suggest not to try IPv6 on both WAN interfaces at the same time.

      Just go ahead and enable IPv6 for one WAN interface of your pfsense router and then also enable Router Advertisement for your LAN. That should generally be it.
      Some IPv6 configuration parameters look a bit overwhelming at first but don't stop to try. Also: read a lot about IPv6.

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        "I myself utilize a provider that hands me a static /48 prefix which is excellent."

        Yeah that would be fantastic if you could get ISPs in the US to do that.. But this is not the case.. Here in the use your lucky to get a /60 and it quite often changes when the wind blows… So its like impossible to keep the same network address space..  I really don't get why they won't just give you a /60, /56 or /48 if you want and always hand you the same one.

        Does your isp allow you to set the PTR records for this address space - HE does when you get a tunnel from them.

        But just because your isp provides you good ipv6, why would you tell him to avoid tunnel if his isp doesn't provide him any ipv6 at all or its crappy.  There are some that will only give you 1 /64, etc.

        As to using any wifi router as just AP.. Yeah any wifi router can do that - just use lan, turn off its dhcp server - give its lan an IP on your network = AP..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • P
          pablot
          last edited by

          @pmisch:

          @pablot:

          @pmisch:

          Do you have the access point running as a bridge or is it acting as a router? I strongly suggest to use it as a bridge instead of a router.

          Yes, but I cannot see how to switch the wdr3600 to "bridge" mode, I can only just set it up as an AP and don't use the WAN. I think this is not the same, do you think that can bring me some problems?

          When I understand you correctly you have your access point already in bridged mode, which is fine. You can check if the router's LAN IP is in the same subnet as your clients are and your client's default gateway is the pfSense box and not the AP's IP.

          Yes, I though it was right and verified that I have everything as the docs says about using a router with pfSense, so I'm right with that.

          But I have one question, do I have to "setup something" for IPv6 on my router or everything must be done on the pfSense box it's "transparent" for the router?

          @pmisch:

          Check which provider offers the better v6 support.
          Start IPv6 only with that one provider. I suggest not to try IPv6 on both WAN interfaces at the same time.

          Just go ahead and enable IPv6 for one WAN interface of your pfsense router and then also enable Router Advertisement for your LAN. That should generally be it.
          Some IPv6 configuration parameters look a bit overwhelming at first but don't stop to try. Also: read a lot about IPv6.

          ok, will try that and will let you know. None of my both ISPs provide native IPv6 support, so besides asking them, I will try a HE tunnel.

          Thanks everybody!

          1 Reply Last reply Reply Quote 0
          • JKnottJ
            JKnott
            last edited by

            More specifically you follow this wiki entry to turn your wireless router into a bridged access point:

            Actually, the DHCP server doesn't have to be turned off.  There's nothing wrong with having multiple DHCP servers on a network and is often done on larger networks.  You just have to ensure that duplicate addresses are not issued, but that can be done by simply having the servers hand out different portions of the address block.  Also, these days, gratuitous ARP requests are often used to ensure duplicates don't occur.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            1 Reply Last reply Reply Quote 0
            • junicastJ
              junicast
              last edited by

              @johnpoz:

              Does your isp allow you to set the PTR records for this address space - HE does when you get a tunnel from them.

              That's the only thing I'm not happy about. My provider has generated PTR for the whole prefix but I cannot request to set a specific PTR. For most purposes those generic PTR records suffice. You are right. The HE features are great. I used to run such a tunnel for over a year until I got my native connection.

              @johnpoz:

              But just because your isp provides you good ipv6, why would you tell him to avoid tunnel if his isp doesn't provide him any ipv6 at all or its crappy.  There are some that will only give you 1 /64, etc.

              All I was saying is that native IPv6 is generally a better idea than a tunnel. I don't presume that native IPv6 ALWAYS is better. This seems to be one of those exceptions.
              It's really sad that your provider just fuxxxs IPv6 up :-( I would write a letter to customer satisfaction.
              Anyhow I think even a dynamic IPv6 prefix is something you can work with. If I had to deal with a dynamic prefix I would update the changing IPs into valid DNS names. That can be done with pfSense by using DDNS. That way pfSense automatically updates the A record for a host if the IP changes.
              I'm referring to: Services - DHCPv6 Server & RA - DHCPv6 Server - Dynamic DNS

              1 Reply Last reply Reply Quote 0
              • junicastJ
                junicast
                last edited by

                @pablot:

                But I have one question, do I have to "setup something" for IPv6 on my router or everything must be done on the pfSense box it's "transparent" for the router?

                Just to be clear. It's no router when you run it as a bridge.
                Yes, it's transparent. You don't have to setup anything on the Access Point. The only thing you might want to do is to configure an IPv6 address for the AP so you can access it through its IPv6 address. There are several different methods like static configuration, stateful or stateless.
                -> https://tools.ietf.org/html/rfc3736
                -> https://tools.ietf.org/html/rfc3315
                -> https://tools.ietf.org/html/rfc4862

                1 Reply Last reply Reply Quote 0
                • junicastJ
                  junicast
                  last edited by

                  @pablot:

                  But I have one question, do I have to "setup something" for IPv6 on my router or everything must be done on the pfSense box it's "transparent" for the router?

                  Just to be clear. It's no router when you run it as a bridge.
                  Yes, it's transparent. You don't have to setup anything on the Access Point. The only thing you might want to do is to configure an IPv6 address for the AP so you can access it through its IPv6 address. There are several different methods like static configuration, stateful or stateless.
                  -> https://tools.ietf.org/html/rfc3736
                  -> https://tools.ietf.org/html/rfc3315
                  -> https://tools.ietf.org/html/rfc4862

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    Actually, the DHCP server doesn't have to be turned off.  There's nothing wrong with having multiple DHCP servers on a network and is often done on larger networks.

                    Yeah that is bad idea!!  Most soho wifi routers dhcp server is very limited, many of them will not even allow you point to a different gateway other than its own IP.  I would suggest TURN it off - you have zero use for it since pfsense would be your dhcp server.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • P
                      pablot
                      last edited by

                      ok, it's working!. I have sucessfully connected a HE tunnel and it's working, as I can ping from the pfSense box to ipv6 sites and it works (with horrible lantency, but it works).

                      But it seems I have not been able to make DHCP work as it should, because the DHCPv6 leases does not appear except for and iPad I have on my network, but when checking on the iPad it only seems to receive the ipv6 dns servers and no ipv6 address, and the test-ipv6.com check does not show any ipv6 address…

                      I can post the screenshots of my configuration if anyone can help me.

                      1 Reply Last reply Reply Quote 0
                      • D
                        doktornotor Banned
                        last edited by

                        First, you need RADVD enabled and working (In Unmanged or Assisted mode). Leave DHCPv6 alone for now, it's badly broken on Windows, not implemented on Android, and used in whacky ways on Bitten Fruit Co. products.

                        1 Reply Last reply Reply Quote 0
                        • P
                          pablot
                          last edited by

                          @doktornotor:

                          First, you need RADVD enabled and working (In Unmanged or Assisted mode). Leave DHCPv6 alone for now, it's badly broken on Windows, not implemented on Android, and used in whacky ways on Bitten Fruit Co. products.

                          the services status shows radvd working, but I'm not sure if its well configured… I have tried in Managed and Assited mode and seems to make no difference.

                          1 Reply Last reply Reply Quote 0
                          • H
                            hda
                            last edited by

                            @pablot:

                            the services status shows radvd working, but I'm not sure if its well configured… I have tried in Managed and Assited mode and seems to make no difference.

                            Automagical options for you for RA are: "Unmanaged" (SLAAC method)

                            Even with RA="Router Only", you can always manually give a host on a LAN an IPv6subnet/64-number yourself.
                            Config your LAN static as you like.
                            The /48-part is HE, the next Word-part is your-subnet, then the last 64-bits are up to you, like say ::abe  8)

                            1 Reply Last reply Reply Quote 0
                            • P
                              pablot
                              last edited by

                              @hda:

                              @pablot:

                              the services status shows radvd working, but I'm not sure if its well configured… I have tried in Managed and Assited mode and seems to make no difference.

                              Automagical options for you for RA are: "Unmanaged" (SLAAC method)

                              Even with RA="Router Only", you can always manually give a host on a LAN an IPv6subnet/64-number yourself.
                              Config your LAN static as you like.
                              The /48-part is HE, the next Word-part is your-subnet, then the last 64-bits are up to you, like say ::abe  8)

                              You mean that I'd better swich to "Unmanaged" and set up every device/computer IP manually?.
                              I have more that 20 devices/computers, I would like to leave that work to the DHCPv6 server.

                              1 Reply Last reply Reply Quote 0
                              • P
                                pablot
                                last edited by

                                I have started a new thread because of my DHCP problems on https://forum.pfsense.org/index.php?topic=126054.0 because I think the subject has changed from the original one. Please follow it there.

                                Thanks.
                                Pablo

                                1 Reply Last reply Reply Quote 0
                                • D
                                  doktornotor Banned
                                  last edited by

                                  @pablot:

                                  You mean that I'd better swich to "Unmanaged" and set up every device/computer IP manually?.

                                  There is no need to set up any addresses manually with RA set to "Unmanaged".

                                  1 Reply Last reply Reply Quote 0
                                  • P
                                    pablot
                                    last edited by

                                    @doktornotor:

                                    @pablot:

                                    You mean that I'd better swich to "Unmanaged" and set up every device/computer IP manually?.

                                    There is no need to set up any addresses manually with RA set to "Unmanaged".

                                    Ah, ok, I see. And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?
                                    Because I have changed to Assisted (I understand that it somehow "includes" the "Unmannaged" behaviour, right?) and I think al least some devices are getting ipv6 addresses but they are not on the range I configured on DHCPv6 page (but they do are on my LAN) and also I think I'm not getting the defauylt ipv6 gateway on this clients as for example I can ping inside the LAN, but not outside.

                                    1 Reply Last reply Reply Quote 0
                                    • JKnottJ
                                      JKnott
                                      last edited by

                                      And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?

                                      SLAAC has nothing to do with DHCPv6.  It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number.  If DHCPv6 is used, it's generally for providing things like server addresses.  However, it's not needed for DNS servers, as that can be provided by RDNSS.

                                      PfSense running on Qotom mini PC
                                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                      UniFi AC-Lite access point

                                      I haven't lost my mind. It's around here...somewhere...

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        pablot
                                        last edited by

                                        @JKnott:

                                        And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?

                                        SLAAC has nothing to do with DHCPv6.  It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number.  If DHCPv6 is used, it's generally for providing things like server addresses.  However, it's not needed for DNS servers, as that can be provided by RDNSS.

                                        ok, and is there a way to check what IP addresses have been asigned by SLAAC? (like the way I can see the DHCP Leases)

                                        1 Reply Last reply Reply Quote 0
                                        • K
                                          kpa
                                          last edited by

                                          @pablot:

                                          @JKnott:

                                          And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?

                                          SLAAC has nothing to do with DHCPv6.  It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number.  If DHCPv6 is used, it's generally for providing things like server addresses.  However, it's not needed for DNS servers, as that can be provided by RDNSS.

                                          ok, and is there a way to check what IP addresses have been asigned by SLAAC? (like the way I can see the DHCP Leases)

                                          No such way. The RA daemon that advertises the route and the prefix does absolutely nothing else but those functions, selection of the address from the advertised prefix happens completely on the client (of course assisted with duplicate address detection but even that does not involve the RA daemon).

                                          1 Reply Last reply Reply Quote 0
                                          • P
                                            pablot
                                            last edited by

                                            @kpa:

                                            @pablot:

                                            @JKnott:

                                            And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?

                                            SLAAC has nothing to do with DHCPv6.  It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number.  If DHCPv6 is used, it's generally for providing things like server addresses.  However, it's not needed for DNS servers, as that can be provided by RDNSS.

                                            ok, and is there a way to check what IP addresses have been asigned by SLAAC? (like the way I can see the DHCP Leases)

                                            No such way. The RA daemon that advertises the route and the prefix does absolutely nothing else but those functions, selection of the address from the advertised prefix happens completely on the client (of course assisted with duplicate address detection but even that does not involve the RA daemon).

                                            ok, thanks for your help, I'm learning a lot!!!! :)

                                            Just one more… I cannot make my clients to ping a host on internet, the names resolve ok to the IPv6 addresses, but somehow I guess I do not have a gateway configured properly or something is "closed" at the pfSense box that blocks traffic.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.