Netgate Discussion Forum

    BTnet IPv6 Configuration

      qisback

      Hi All,

      I'd appreciate if someone could just confirm my IPv6 configuration because for some reason my internal LAN's IPv6 range doesn't appear to be routing. i.e. I can't route to external IPv6 IP's or webpages etc.

      Delegated IPv6: 2A00:1234:B0::/56
      WAN gateway/BT equipment: 2A00:1234:B0::1 (I would assume /64)

      pfSense WAN address: 2A00:1234:B0::FFFF/64
      pfSense WAN upstream gateway address: 2A00:1234:B0::1

      pfSense LAN address: 2A00:1234:B0:1::FFFF/64

      Client IPv6 address: 2A00:1234:B0:1::1/64
      Client IPv6 gateway: 2A00:1234:B0:1::FFFF

      Using ping as a test

      I've enabled PASS for IPv6 ICMP (all) on the LAN and WAN interfaces

      Client -> pfSense LAN address - Works
      Client -> pfSense WAN address - Works
      Client -> WAN gateway/BT equipment - Doesn't work
      Client -> 2a00:1450:4009:80f::2003 (google) - Doesn't work

      pfSense WAN -> 2a00:1450:4009:80f::2003 (google) - Works
      pfSense LAN -> 2a00:1450:4009:80f::2003 (google) - Doesn't work
      pfSense WAN -> Client - Works
      pfSense LAN -> Client - Works

      Remote IPv6 Client -> WAN gateway/BT equipment - Works
      Remote IPv6 Client -> pfSense WAN - Works
      Remote IPv6 Client -> pfSense LAN - Doesn't work
      Remote IPv6 Client -> Client - Doesn't work

      I believe I've configured my networks correctly and I believe the ICMP traffic should be allowed; however, it appears that the routing between LAN and the WAN gateway/BT equipment isn't working. Suggestions would be appreciated.

      Thanks

        severach

        @qisback:

        pfSense WAN upstream gateway address: 2A00:1234:B0::1
        Client IPv6 gateway: 2A00:1234:B0:1::FFFF

        ~~Looks like you set this all up static. Static is fine but you must get the numbers right.~~

        ~~All gateways start with FE80. BT may have a special setup but pfSense definitely does not. OS usually down non FE80 routes. When you can convince them to function routers should reject gateway packets sent to their addresses other than FE80.~~

        When you're setting up static, FE80::1:1 will not work even if it's working with other clients on the same network. Many routers don't use FE80::1:1 and routers that do will not answer that to your statics. You must use the actual link local address.

        So, add a default gateway to the link local address of pfSense into the client. Add a default gateway to the link local address of the modem into pfSense. You can get the link local from a neighbor list or from status screens.

          kpa

          @severach:

          Looks like you set this all up static. Static is fine but you must get the numbers right.

          All gateways start with FE80. BT may have a special setup but pfSense definitely does not. OS usually down non FE80 routes. When you can convince them to function routers should reject gateway packets sent to their addresses other than FE80.

          Could you point out the part of the IPv6 spec where this requirement to use link local gateway addresses is stated? This is definitely not true when you have a gif(4) tunnel from for example HE, the gateway address will be a routable address from the /64 assigned to you as the tunnel network. My experience is also that it's not required and wide variety of operating systems are fine with a routable gateway address if you set it like that manually.

            qisback

            Thanks for the feedback so far.

            So I've tried configuring the pfSense for SLAAC and dhcp6, both assign an IP in the same prefix with no gateway so I assume it's using local link?

            I've configured RA on the client side and it assigns an IP in the LAN on the correct prefix and a local link address for the gateway however I still get the same results as above.

              NogBadTheBad

              Shouldn't BT have given you an ND & PD prefix ?

              Looks to me like you've used the 1st /64 of your PD prefix on the WAN

              Splitting up your 2a00:1234:b0::/56 into /64 should give you :-

              2a00:1234:b0::/64
              2a00:1234:b0:1::/64
              2a00:1234:b0:2::/64
              2a00:1234:b0:3::/64
              2a00:1234:b0:4::/64
              2a00:1234:b0:5::/64
              2a00:1234:b0:6::/64

              ….

              Try setting your WAN IPv6 Configuration Type DHCP6.

              Tick the Use IPv4 connectivity as parent interface.

              Set the DHCPv6 Prefix Delegation size.

              It's exactly how I set mine up in the UK, but I'm not with BT, I'm with Zen Internet.

              Here's the blurb I got from them :-

              ND Prefix: 2000:3051:5400:d8::/64 ( not my address :) )
              PD Prefix: 2000:3050:6353::/48 ( not my address :) )

              The two prefixes are described below, along with some further information on the Zen IPv6 service:

              /64 Neighbour Discovery (ND) Prefix. This is used to automatically address the WAN interface of your Router, or if you are directly connected without a router, the WAN interface of that device.

              /48 Delegation Prefix. This is usually provided over DHCPv6, and requires that your router acts as a requesting router for the purpose of IPv6 delegation RFC3633 - (https://tools.ietf.org/html/rfc3633). Subnets of this prefix are used by the CPE to address devices on the LAN. If prefix delegation is not supported on the router, a suggested interface ID and static route is available, which should allow routing to take place.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                qisback

                Hi NogBadTheBad,

                So I believe I did this on the WAN as per the above post, I suppose I didn't explain it very well.

                However I will reread and try again this evening/tomorrow.

                Thanks for your feedback

                  NogBadTheBad

                  @qisback:

                  Hi NogBadTheBad,

                  So I believe I did this on the WAN as per the above post, I suppose I didn't explain it very well.

                  However I will reread and try again this evening/tomorrow.

                  Thanks for your feedback

                  WAN gateway/BT equipment: 2A00:1234:B0::1 (I would assume /64)
                  pfSense WAN address: 2A00:1234:B0::FFFF/64
                  pfSense WAN upstream gateway address: 2A00:1234:B0::1
                  pfSense LAN address: 2A00:1234:B0:1::FFFF/64

                  All those addresses are in the 2a00:1234:b0::/56 block, that's why I mentioned it, did they give you 2 blocks of addresses ?

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    NogBadTheBad

                    Also if you're using the very last IP as the gateway it should be 2a00:1234:b0:0:ffff:ffff:ffff:ffff & 2a00:1234:b0:1:ffff:ffff:ffff:ffff with a /64 rather than 2a00:1234:b0:0:0:0:0:ffff & 2a00:1234:b0:1:0:0:0:ffff

                    http://subnettingpractice.com/ipv6_subnetting.html

                    Or you could be lazy like me use :1, so used to IPv4 and .0 being the network address with a /24 :)

                    Andy

                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      severach

                      @kpa:

                      Could you point out the part of the IPv6 spec

                      I just tested gateway addresses on already working systems. In Linux behind a pfSense I deleted the default route to FE80::1:1 and added the LAN public IP and it does work as a default route. At another location in Linux behind a Fortigate I deleted the default route to FE80::MAC and added FD00::1 and that worked too. I also changed the default route on the Fortigate to the public IP of the cable modem and rebooted to ensure that the kernel route would clear. That worked too. The pfSense is all automatic so I left that alone.

                      I scratched out the bad text. The problem was that I first set up my Fortigate with FC00::1/64. Packets routed to FC00::1 were rejected. Later I discovered that FC00 is not yet defined. Fortigate knows this and does not allow that address to function. I changed the address to FD00::1/64 and everything worked. The first configuration I got fully working had FE80 addresses for all default routes. In the Fortigate routes for addresses other than FE80 wouldn't route or show in the Routing Monitor. They work and display now so it must have been a bug.

                      Now I must think about what is more desirable for the default route: FE80::MAC or FD00::1.

                        qisback

                        @NogBadTheBad:

                        WAN gateway/BT equipment: 2A00:1234:B0::1 (I would assume /64)
                        pfSense WAN address: 2A00:1234:B0::FFFF/64
                        pfSense WAN upstream gateway address: 2A00:1234:B0::1
                        pfSense LAN address: 2A00:1234:B0:1::FFFF/64

                        All those addresses are in the 2a00:1234:b0::/56 block, that's why I mentioned it, did they give you 2 blocks of addresses ?

                        Nope just given a /56

                        Relevant part of the email
                        -----
                        IPV6 Section:

                        Directly Connected Network Attributes

                        IPV6 Network Address : 2A00:1234:B0::
                        IPV6 Network Mask : /56
                        IPV6 BTnet NTE Router LAN Address : 2A00:1234:B0::1

                        Non-Directly Connected Network Attributes

                        IPV6 Network Address :
                        IPV6 Network Mask :
                        IPV6 Next Hop Address :

                        It was my understanding that I could just split the /56 down into separate /64 networks? However on re-reading it appears that they've configured their own equipment on this prefix and need to provide another allocation that is routed to this.

                        Essentially I have the ND but not the PD

                        Would this be correct?

                          NogBadTheBad

                          Might be best if you query this on the BT forums.

                          Have you tried track interface for your LAN ?

                          Andy

                          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                            qisback

                            Mystery solved…

                            So BTnet made an assumption that our device would be 2A00:1234:B0::5 and statically routed everything there.

                            As soon as I went along with their assumption everything fell into place as expected.

                            Hopefully this will assist anyone else on BTnet.

                            Thanks to everyone who sanity checked my config

                              timuk_net @qisback

                              @qisback said in BTnet IPv6 Configuration:

                              So BTnet made an assumption that our device would be 2A00:1234:B0::5 and statically routed everything there.

                              So this is a genius answer. Thanks @qisback. Accept the router announcement to get the prefix. And then take the lowest subnet and ::5 and that's a static route for all the other prefixes in your /56.

                              Tim

                                JKnott @qisback

                                @qisback

                                How does your ISP provide IPv6? Most use DHCPv6-PD, which provides your LAN prefix.

                                PfSense running on Qotom mini PC
                                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                UniFi AC-Lite access point

                                I haven't lost my mind. It's around here...somewhere...

                                  JKnott @kpa

                                  @kpa said in BTnet IPv6 Configuration:

                                  Could you point out the part of the IPv6 spec where this requirement to use link local gateway addresses is stated?

                                  It's common practice, not a rule. However, you have to use whatever your ISP expects. If your ISP used DHCPv6, then this is all configured automagically.

                                  PfSense running on Qotom mini PC
                                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                  UniFi AC-Lite access point

                                  I haven't lost my mind. It's around here...somewhere...

                                    timuk_net @JKnott

                                    @JKnott said in BTnet IPv6 Configuration:

                                    How does your ISP provide IPv6? Most use DHCPv6-PD, which provides your LAN prefix.

                                    They provide a /56. This gives 256 /64 subnets.

                                    The first /64 is set up on the router with router announcements. So for a single vlan with no firewall, you can just connect to the router.

                                    Then the whole /56 (minus the first /64) is routed to the ::5 address of the first /64. So if you need a firewall, fancier routing or have multiple vlans, then you just need to put a router on the ::5 and add other /64s to interfaces as you like.

                                    DHCPv6 PD is the modern way to do this - you do a DHCP request for a whole /64 subnet to use. This is cool, but not supported by my ISP (a BT or BTNet leased line). The static route way is totally fine for my needs.
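
The layout the thread converges on (first /64 on-link with the ISP router, the rest of the /56 statically routed to that subnet's ::5) can be checked before touching the firewall. This is an added example, not code from any poster or from pfSense; `check_static_plan` is a hypothetical helper and the `2001:db8:b0::/56` documentation prefix is a constructed stand-in for the real delegation.

```python
import ipaddress

def check_static_plan(delegated, wan_iface, lan_iface, routed_host_id=5):
    """Validate a static IPv6 plan against the ISP behaviour described in the
    thread: first /64 is on-link, the remaining /64s are routed to
    <first /64>::<routed_host_id> (::5 in the thread)."""
    block = ipaddress.ip_network(delegated)
    subnets = list(block.subnets(new_prefix=64))
    on_link, routed = subnets[0], subnets[1:]
    next_hop = on_link[routed_host_id]      # address the ISP's static route targets
    wan = ipaddress.ip_interface(wan_iface)
    lan = ipaddress.ip_interface(lan_iface)

    findings = []
    if wan.network != on_link:
        findings.append(f"WAN {wan} is not in the on-link subnet {on_link}")
    elif wan.ip != next_hop:
        # Outbound works from the WAN address, but replies to LAN subnets are
        # forwarded to next_hop, which nothing answers for.
        findings.append(f"ISP routes {block} via {next_hop}, but WAN is {wan.ip}")
    if lan.network == on_link:
        findings.append(f"LAN reuses the on-link subnet {on_link}")
    elif lan.network not in routed:
        findings.append(f"LAN {lan.network} is outside the routed part of {block}")
    return {"on_link": on_link, "next_hop": next_hop,
            "routed_count": len(routed), "findings": findings}

if __name__ == "__main__":
    # Constructed inputs mirroring the shape of the original post, then the fix.
    for wan in ("2001:db8:b0::ffff/64", "2001:db8:b0::5/64"):
        result = check_static_plan("2001:db8:b0::/56", wan, "2001:db8:b0:1::ffff/64")
        print(wan, "->", result["findings"] or "plan matches the ISP's static route")
```

The first run reports the mismatch that produced the symptoms in the opening post (firewall WAN reachable, LAN subnets not); the second run, with the WAN on ::5, reports no findings.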
