Netgate Discussion Forum

    Rogers pfSense configuration

    • Derelict LAYER 8 Netgate

      In my opinion support for DHCP-PD is weak on the ISP side.

      They're the ones changing what should be static IP addresses.

      Use tunnelbroker.net. They manage to issue static /48s. And they don't charge $90+/month.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • MikeV7896

        @coolspot:

        I'm still getting ramped up on IPv6, but it seems that support for DHCP-PD is still weak in pfSense - without the ability for static mappings to track the WAN PD, the entries will become nullified if the ISP updates the modem address assignment.

        I guess I got the basics setup - for hosting a server seems like I'll still be on IPv4.

        Static mappings CAN track the WAN PD. When you create a static DHCPv6 mapping and the interface is set up to track another (i.e. LAN tracking WAN), then the only part of the IPv6 address you're entering is the host portion of the address. I've posted elsewhere that I've set up two hosts on my LAN with ::4001 and ::4002 as the static DHCPv6 addresses. That way if the prefix changes, the DHCPv6 server will adjust and on renewal a valid address will be provided to the host with the new prefix.

        The area that still falls short is the firewall, which has no way to create a rule for an address with a dynamic prefix. I suppose you could create an alias with the hostname of your server(s)… but I'd prefer not to have to do that. That's just another piece in a puzzle where if one part fails, you get to figure out what isn't working.

        The S in IOT stands for Security

        • JKnott

          However, if I run a server on a network, DHCP6 would allow me to set a static address correct - this would make it easier to setup firewall rules?

          With SLAAC, you can have 2 types of address, MAC based and random number "privacy" addresses.  For a server, you'd configure the firewall and DNS for the MAC based address, as it's static.  You may have to configure the server to have a MAC address.  It's usually available in Linux, but with Windows you have to specifically enable it.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...
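
The address behaviour discussed in the posts above (a static DHCPv6 mapping that supplies only the host portion, a MAC-based SLAAC address, and a firewall rule written against a literal address), as an added example that is not part of any poster's message and not pfSense code. The 2001:db8::/32 prefixes, the MAC addresses and the function names are constructed for illustration; only the ::4001 and ::4002 host portions come from the thread.

```python
import ipaddress

# Constructed sample values (documentation prefix 2001:db8::/32, made-up MACs).
OLD_PD, NEW_PD = "2001:db8:aa00::/56", "2001:db8:bb00::/56"
OLD_NIC, NEW_NIC = "00:11:22:33:44:55", "00:11:22:66:77:88"

def lan_prefix(delegated, prefix_id=0):
    """The /64 a tracking interface derives from the delegated prefix."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError("delegation must be /64 or shorter")
    if not 0 <= prefix_id < (1 << (64 - pd.prefixlen)):
        raise ValueError("prefix ID does not fit in the delegation")
    return ipaddress.IPv6Network((int(pd.network_address) | (prefix_id << 64), 64))

def eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A)."""
    octets = bytearray.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big")

def host_address(delegated, iid, prefix_id=0):
    """Current LAN /64 combined with a 64-bit host portion."""
    if not 0 <= iid < (1 << 64):
        raise ValueError("host portion must fit in 64 bits")
    lan = lan_prefix(delegated, prefix_id)
    return ipaddress.IPv6Address(int(lan.network_address) | iid)

def stale_rule_targets(targets, delegated, prefix_id=0):
    """Rule destinations that no longer lie inside the current LAN /64."""
    lan = lan_prefix(delegated, prefix_id)
    return [t for t in targets if ipaddress.IPv6Address(t) not in lan]

if __name__ == "__main__":
    # Rules written against the literal addresses in use before the change.
    rules = [str(host_address(OLD_PD, 0x4001)), str(host_address(OLD_PD, 0x4002))]
    print("DHCPv6 ::4001, old prefix:", host_address(OLD_PD, 0x4001))
    print("DHCPv6 ::4001, new prefix:", host_address(NEW_PD, 0x4001))
    print("SLAAC, old NIC:", host_address(NEW_PD, eui64_iid(OLD_NIC)))
    print("SLAAC, new NIC:", host_address(NEW_PD, eui64_iid(NEW_NIC)))
    print("rules stale after prefix change:", stale_rule_targets(rules, NEW_PD))
```

The host portion survives a prefix change while the full address does not, so any rule or DNS record holding the full literal address has to be re-derived from the current delegation.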

          • JKnott

            Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.

            With SLAAC and MAC based addresses, there's no setup at all.  It just works.

            • MikeV7896

              @JKnott:

              Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.

              With SLAAC and MAC based addresses, there's no setup at all.  It just works.

              Except that static DHCP/DHCPv6 also includes hostname resolution in DNS forwarder/resolver, while SLAAC would require a DNS Entry that would need to be changed every time the prefix changes.

              • bimmerdriver

                @virgiliomi:

                @JKnott:

                Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.

                With SLAAC and MAC based addresses, there's no setup at all.  It just works.

                Except that static DHCP/DHCPv6 also includes hostname resolution in DNS forwarder/resolver, while SLAAC would require a DNS Entry that would need to be changed every time the prefix changes.

                Agreed about the hostnames. Also, it's not like it's difficult to enable dhcpv6. Since it's being used for dhcpv4, you may as well also use it for dhcpv6.

                • Derelict LAYER 8 Netgate

                  @JKnott:

                  Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.

                  With SLAAC and MAC based addresses, there's no setup at all.  It just works.

                  I know that. But change a NIC and you have to change all of that. Setting a static IP address on the server is probably easier over the long run. Or a push, like I said. It is pretty common practice to set static IP addresses in IPv4 for servers. Not really any need to change that.

                  • JKnott

                    If you're using DHCP, changing a NIC will require updating the server too, as the MAC address, which the server maps the address to, will change.

                    • Derelict LAYER 8 Netgate

                      Not talking about using DHCP.

                      • JKnott

                        A bit of an update.  When I started this thread, Rogers provided only a /64, but has been providing a /56 for quite some time.  It appears they might now be offering a /48, as the DHCPv6 Prefix Delegation size on the WAN page now goes to /48, whereas it used to be /56.  I haven't tried it yet, but someone else may be interested in trying a /48.

                        • Derelict LAYER 8 Netgate

                          What you can select on the WAN page has nothing to do with what the ISP will or will not do.

                          You can set it to anything from /48 on down.

                          If you want to change it you probably need to copy out the DUID file to a safe place like /root so you can put it back if you need to, delete it, then change the prefix hint and save. Otherwise the ISP might ignore the prefix hint and give you your old delegation based on the DUID.

                          The DUID file is: /var/db/dhcp6c_duid

                          You might also need to clear it out of System > Advanced, Networking if you have saved it there (or change it there if you know what you are doing).

                          • JKnott

                            What you can select on the WAN page has nothing to do with what the ISP will or will not do.

                            You can set it to anything from /48 on down.

                            I don't recall ever seeing /48 before, though I could be mistaken.  I'll give it a try later and see what happens.

                            • JKnott

                              What you can select on the WAN page has nothing to do with what the ISP will or will not do.

                              You can set it to anything from /48 on down.

                              My mistake.  It appears you're right.  I guess I'll just have to make do with a /56.  ;)

                              • mjnr

                                Can anyone validate these settings still work? Trying to get IPv6 running on an XB6 Gateway in bridge mode running on pfSense 2.4 and no joy on getting the WAN interface to draw an IP. I've tried the settings above and various other combinations with no success.

                                • JKnott @mjnr

                                  @mjnr said in Rogers pfSense configuration:

                                  Can anyone validate these settings still work? Trying to get IPv6 running on an XB6 Gateway in bridge mode running on pfSense 2.4 and no joy on getting the WAN interface to draw an IP. I've tried the settings above and various other combinations with no success.

                                  Those settings are still good. Try connecting a computer directly to the modem, to see if that works. You should get an IPv6 address.

                                  • james2432

                                    Use IPv4 connectivity as parent interface: yes

                                    This can be set to no now. You no longer have to request over IPv4.

                                    • JKnott @james2432

                                      @james2432 said in Rogers pfSense configuration:

                                      Use IPv4 connectivity as parent interface: yes

                                      This can be set to no now. You no longer have to request over IPv4.

                                      I thought that meant use the same interface as IPv4, not use IPv4 to get IPv6. A different connection can also be used for IPv6. For example, many use a tunnel to get IPv6, as I did for almost 6 years.

                                      • james2432 @JKnott

                                        @JKnott

                                        Use IPv4 Connectivity as Parent Interface:
                                        When set, the IPv6 DHCP request is sent using IPv4 on this interface, rather than using native IPv6. This is only required in special cases when the ISP requires this type of configuration.

                                        • JKnott

                                          I was just reviewing the earlier posts. I don't ever recall using that setting and I've had IPv6 via Rogers for 3 years.

                                          • james2432 @JKnott

                                            @JKnott said in Rogers pfSense configuration:

                                            I was just reviewing the earlier posts. I don't ever recall using that setting and I've had IPv6 via Rogers for 3 years.

                                            Yeah, Rogers can DHCP request over native IPv6 now; probably at the time of writing the guide the network engineer was correct, as IPv6 wasn't widely adopted.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.