Netgate Discussion Forum

    Static /56, /64s to LANs

    • Derelict LAYER 8 Netgate

      Made a VIP to the 2009:19f0:0:701::1/64 block on the WAN interface as an IP Alias as well and made a rule on the WAN to forward ICMPv6 all to the LAN address aka (2009:19f0:0:701::100). No external ping as of now.

      Why the VIP?

      You just need to pass traffic on WAN to the /56 (or just part of it). No VIPs necessary.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • nh5

        You had previously mentioned it in your first response to test inbound ping to the LAN address. aka 2009:19f0:0:701::100

        • Derelict LAYER 8 Netgate

          Right. That was just for a quick test to see if the prefix was actually routed by the ISP.

          If you have that prefix assigned to an interface and a host on that address, all you have to do is pass the traffic. If it doesn't respond then make sure that host actually WILL respond (no local firewalls, etc.; default gateway properly set, etc.).

          • nh5

            Ok, well that netted me nothing before so I guess something still isn't working. I have no in/outbound traffic at this time.

            Just to confirm,
            WAN IPv6 address set to the new /64 address that the /56 is routed to. LAN has an IP of 2009:19f0:0:701::100

            Created a rule on the WAN rules to allow src any to dest 2009:19f0:0:700::/56; no change in condition. LAN has the default v6 allow-all rule out. What should my gateway out on the devices on the LAN be after they receive their SLAAC configuration?

            • Derelict LAYER 8 Netgate

              Probably fe80::1:1%local_interface_name

              I cannot ping6 any of the addresses you have mentioned including their gateway address.

              • Derelict LAYER 8 Netgate

                Packet capture on WAN

                ping6 your interface address. Does the traffic even show up? Capture for NDP. Do they even try to locate your MAC address to associate it with that v6 address?

                If you can do that, move on to the routed subnet:

                ping6 one of the addresses in the routed /56

                The traffic should arrive on WAN. If it doesn't, there is nothing you can do to fix it. Go back upstream and make them fix it.

                I have seen this be ISP stupidity COUNTLESS times.

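An added example, not code from this thread or from pfSense, that does offline what the capture steps above do by hand. It builds a few constructed IPv6 packets (an upstream Neighbor Solicitation for the WAN address, a ping to the WAN address, a ping to the LAN host inside the routed /56) and classifies them in the same order the post checks them: NDP for the WAN address first, then traffic to the routed prefix. The routed /56 and LAN host address are the thread's; the WAN address 2001:db8:ffff::2 and the upstream link-local fe80::1 are placeholders because the thread never states them. In real use you would feed it frames from a pfSense packet capture on WAN instead of the constructed list.

```python
"""Triage a (constructed) WAN capture the way the post above describes: did NDP for
the WAN address show up, and did pings to the routed /56 arrive at all?"""
import ipaddress
import struct

ICMPV6 = 58
NEIGHBOR_SOLICITATION = 135
ECHO_REQUEST = 128

# Assumed values: the routed /56 is the thread's; the WAN address is a documentation
# placeholder because the thread never states the actual WAN /64 address.
WAN_ADDR = "2001:db8:ffff::2"
ROUTED_PREFIX = "2009:19f0:0:700::/56"


def build_ipv6(src, dst, icmp_payload):
    """Constructed IPv6 packet carrying ICMPv6 (checksum left zero; not checked here)."""
    head = struct.pack("!IHBB", 0x60000000, len(icmp_payload), ICMPV6, 255)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp_payload


def neighbor_solicitation(target):
    """ICMPv6 NS body: type, code, checksum, reserved, 16-byte target address."""
    return struct.pack("!BBHI", NEIGHBOR_SOLICITATION, 0, 0, 0) + ipaddress.IPv6Address(target).packed


def echo_request(ident=1, seq=1):
    """ICMPv6 echo request body, which is what ping6 sends."""
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq) + b"ping"


def classify(packet, wan_addr=WAN_ADDR, routed=ROUTED_PREFIX):
    """Label one packet by what it tells you about upstream delivery."""
    wan = ipaddress.IPv6Address(wan_addr)
    routed_net = ipaddress.IPv6Network(routed)
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "not-ipv6"
    payload_len, next_header = struct.unpack("!HB", packet[4:7])
    dst = ipaddress.IPv6Address(packet[24:40])
    body = packet[40:40 + payload_len]
    if next_header != ICMPV6 or len(body) < 8:
        return "other"
    icmp_type = body[0]
    if icmp_type == NEIGHBOR_SOLICITATION and len(body) >= 24:
        target = ipaddress.IPv6Address(body[8:24])
        return "ndp-for-wan-address" if target == wan else "ndp-other"
    if icmp_type == ECHO_REQUEST:
        if dst == wan:
            return "echo-to-wan-address"
        if dst in routed_net:
            return "echo-to-routed-prefix"
        return "echo-other"
    return "icmpv6-other"


def diagnose(packets):
    """Count packets per class."""
    counts = {}
    for p in packets:
        label = classify(p)
        counts[label] = counts.get(label, 0) + 1
    return counts


def verdict(counts):
    """Apply the post's decision order: link-level NDP first, then the routed prefix."""
    if not counts.get("ndp-for-wan-address"):
        return "no-ndp-for-wan-address: upstream never tries to resolve the WAN address"
    if not counts.get("echo-to-routed-prefix"):
        return "routed-prefix-not-delivered: upstream is not routing the /56 to this WAN"
    return "upstream-delivers-both: look at the firewall rules and the LAN host instead"


# Constructed capture: the upstream router's NS for the WAN address (sent to the
# solicited-node multicast group), a ping to the WAN address, and a ping to the
# LAN host address inside the routed /56.
SAMPLE_CAPTURE = [
    build_ipv6("fe80::1", "ff02::1:ff00:2", neighbor_solicitation(WAN_ADDR)),
    build_ipv6("2001:db8:1234::9", WAN_ADDR, echo_request()),
    build_ipv6("2001:db8:1234::9", "2009:19f0:0:701::100", echo_request(seq=2)),
]

if __name__ == "__main__":
    counts = diagnose(SAMPLE_CAPTURE)
    print(counts)
    print(verdict(counts))
```

Dropping the third packet from the sample list is the situation the post is describing: NDP and pings to the WAN address arrive, nothing for the /56 does, and the verdict correctly points upstream rather than at the firewall rules.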
                • JKnott

                  However, what I think I'm struggling to understand here is the basic concept of IPv6 routing vs. how it's typically done in IPv4. I guess because of the lack of NAT and that we are forwarding public addresses through pfSense?

                  The main difference is that on IPv6, routing is normally done using the link local addresses, not routable addresses. Otherwise, things work pretty much the same. You have a prefix, same as a subnet mask, that splits the address into network and host portions. The LAN is usually a /64, as that's what's required for SLAAC. You could go with DHCPv6, but SLAAC is very easy to work with.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  • nh5

                    Hey all, I have some good news. Finally got it running! All my VMs are now receiving both v4 and v6 addresses. Off-topic add to this: is it feasible to create my own 6to4 tunnel or some sort of VPN hackery with pfSense? Let's say I have another site with only v4 connectivity and wanted to extend the v6 at this site to that site using pfSense. Is something like that feasible?

                    • JKnott

                      @nh5:

                      Off topic add to this, is it feasible to create my own 6to4 tunnel or some sort of VPN hackery with pfsense? Let's say I have another site with only v4 connectivity and wanted to extend the v6 at this site to that site using pfsense. Is something like that feasible?

                      Yes, I do that with OpenVPN. I assign one of my /64s to the VPN. BTW, it's not hackery. It's normal networking. It works the same with any means to connect sites and with either IPv4 or IPv6.

                      • Derelict LAYER 8 Netgate

                        Right. You can tunnel both IPv6 and IPv4 over OpenVPN or IPsec.

                        OpenVPN would probably be more flexible for what it sounds like you want.

                        The outer tunnel can be either v4 or v6 - doesn't matter.

                        • JKnott

                          @Derelict:

                          The outer tunnel can be either v4 or v6 - doesn't matter.

                          Other than at the moment, IPv4 is more likely to be available.

                          • nh5

                            Thanks for the continued answers everyone. Hopefully one final thing, when running SLAAC is there a way for me to define my DNS servers manually still? Or is DHCPv6 required to accomplish this? All my devices seem to be getting the DNS on pfsense. Would like to point them to a different internal host.

                            • JKnott

                              @nh5:

                              Thanks for the continued answers everyone. Hopefully one final thing, when running SLAAC is there a way for me to define my DNS servers manually still? Or is DHCPv6 required to accomplish this? All my devices seem to be getting the DNS on pfsense. Would like to point them to a different internal host.

                              With SLAAC, DNS servers are advertised in the router advertisements, using RDNSS.

                              https://tools.ietf.org/html/rfc6106

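An added example, not code from this thread or from pfSense, showing what the RDNSS option in RFC 6106 that the reply above points to actually looks like on the wire. It builds a constructed Router Advertisement for the thread's LAN /64 that advertises two resolvers, decodes the RDNSS option back out, and flags any advertised resolver that is not on an allow-list, which is the check you would run on a LAN capture to confirm the RA carries the DNS server you intended and nothing else. The second resolver address 2009:19f0:0:701::53 is a hypothetical "different internal host"; the first is the pfSense LAN address from the thread.

```python
"""Decode the RDNSS option (RFC 6106) from a constructed IPv6 Router Advertisement."""
import ipaddress
import struct

RA = 134             # ICMPv6 Router Advertisement
OPT_PREFIX_INFO = 3  # RFC 4861 Prefix Information option
OPT_RDNSS = 25       # RFC 6106 Recursive DNS Server option


def rdnss_option(servers, lifetime):
    """Build an RDNSS option; Length is in 8-octet units, 1 + 2 per address."""
    opt = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(servers), 0, lifetime)
    return opt + b"".join(ipaddress.IPv6Address(s).packed for s in servers)


def prefix_info_option(prefix, valid=2592000, preferred=604800):
    """Build a Prefix Information option with the L and A flags set (SLAAC)."""
    net = ipaddress.IPv6Network(prefix)
    head = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, valid, preferred, 0)
    return head + net.network_address.packed


def router_advertisement(options, hop_limit=64, router_lifetime=1800):
    """Build the 16-byte RA header (checksum left zero; not verified here) plus options."""
    head = struct.pack("!BBHBBHII", RA, 0, 0, hop_limit, 0, router_lifetime, 0, 0)
    return head + b"".join(options)


def parse_ra_options(msg):
    """Walk the TLV options after the RA header, returning (type, raw_bytes) pairs."""
    if len(msg) < 16 or msg[0] != RA:
        raise ValueError("not a router advertisement")
    off, opts = 16, []
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861: discard the packet
        end = off + olen * 8
        if end > len(msg):
            raise ValueError("truncated option")
        opts.append((otype, msg[off:end]))
        off = end
    return opts


def rdnss_servers(msg):
    """Return [(IPv6Address, lifetime_seconds), ...] from every RDNSS option in the RA."""
    found = []
    for otype, raw in parse_ra_options(msg):
        if otype != OPT_RDNSS:
            continue  # prefix info, MTU, source link-layer address, etc. are skipped
        olen = raw[1]
        if olen < 3 or olen % 2 == 0:
            raise ValueError("malformed RDNSS length %d" % olen)
        lifetime = struct.unpack("!I", raw[4:8])[0]
        for i in range(8, len(raw), 16):
            found.append((ipaddress.IPv6Address(raw[i:i + 16]), lifetime))
    return found


def unexpected_dns(msg, allowed):
    """Advertised resolvers not on the allow-list (what a rogue-RA check would flag)."""
    allowed = {ipaddress.IPv6Address(a) for a in allowed}
    return [addr for addr, _ in rdnss_servers(msg) if addr not in allowed]


# Constructed sample: an RA for the thread's LAN /64 that advertises both the
# pfSense LAN address and a hypothetical internal resolver 2009:19f0:0:701::53.
SAMPLE_RA = router_advertisement([
    prefix_info_option("2009:19f0:0:701::/64"),
    rdnss_option(["2009:19f0:0:701::100", "2009:19f0:0:701::53"], lifetime=3600),
])

if __name__ == "__main__":
    for addr, life in rdnss_servers(SAMPLE_RA):
        print("advertised DNS", addr, "lifetime", life)
    print("not on allow-list:", unexpected_dns(SAMPLE_RA, ["2009:19f0:0:701::53"]))
```

The lifetime field matters for the original question: a host keeps using an RDNSS address for that many seconds after the last RA, so after changing the advertised resolver on the router, clients only switch once the old entry expires or a fresh RA without it arrives.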
                              • Derelict LAYER 8 Netgate

                                What he said

                                (attached screenshot: screenshot-2018-04-30-11-16-05.png)
