IPv6 doubts
-
@derelict That's what happens when one starts thinking and having weird ideas. Let me fix that and I'll get back to you.
-
I just noticed the ! I know how much you like them :)
-
@Derelict Okay. Things have been fixed to the way they were before, eliminating the bridge (Bad, bad idea I had). I apologize for not following the procedure. I have been dealing with this for the past 2 months trying to get IPv6 working and, well, let's say frustration is a bad counselor. Anyhow, as requested:
Firewall rule:
-
Are you sure you've fully removed the bridge, I can still see the bridge line in the screenshot.
-
OK with those rules in place I should be able to ping 2001:818:d9d9:ba01::fffe but I cannot. So they are apparently not routing that to you like they said.
I would go back to them and ask how exactly this is provisioned.
What do I put on the WAN interface here?
How is the /56 routed to me?
Just ask for generic instructions for any router. It doesn't have to be pfSense-specific.
I would also packet capture for incoming ICMPv6 packets to that address and ping it from the outside and see if they show up.
If not I would packet capture for neighbor solicitations on WAN for that address and ping it again. If they are soliciting for a neighbor on two different /64s on WAN they are, as @johnpoz might say, borked.
-
The bridge should not matter for this test. There should be a 2001:818:d9d9:ba01::fffe/64 address on a localhost interface that should respond. The bridge should not matter here but should be cleaned up for sure.
-
@Derelict Thank you very much, I will ask these questions to the ISP and see about configuring things properly. I'll keep you posted about progress on this issue.
-
@derelict said in IPv6 doubts:
I would also packet capture for incoming ICMPv6 packets to that address and ping it from the outside and see if they show up.
If not I would packet capture for neighbor solicitations on WAN for that address and ping it again. If they are soliciting for a neighbor on two different /64s on WAN they are, as @johnpoz might say, borked.I would diagnose whatever you can so you can be well-prepared to deal with ISP, umm, indifference.
-
UPDATE: I've talked to my ISP again, they said they'd get back to me about it. I asked them how to st up the IPv6 so it works with pfSense, I think I may have stumped them, hehe. In the meantime I need to prepare my weapons of clobbering <rolls all the IPv6 RFCs and readies them to clobber my ISP with them> Just saying, is they are being unorthodox... to quote rock man from the fantastic four: "It's clobberin' time!"
-
@cmpsalvestrini said in IPv6 doubts:
I think I may have stumped them, hehe
Easy enough with first level "support". ;)
-
gets off the phone with ISP <groan> WAN IPv6 address is distributed by SLAAC ... </groan>
I suppose I will have to set up some kind of bridge... I don't see how am I going to get my IPv6 working on the LAN side of my pfSense now. mutters darkly
-
What do you get on the WAN if you set it to SLAAC? (I would set it to SLAAC, apply, then shut down pfSense, reboot your modem until it comes back green, then start pfSense).
After that is the /56 routed to you? They might be doing something there. I have never seen it but they might.
What WAN address you get really doesn't matter. It is the /56 that matters.
-
you can not hand out /56 via slaac.. So how is they said they gave you a /56?
You can assign the router an IPv6 with slaac, and then delegate the /56 with dhcp prefix delegation.
Simple solution to make all your pain go away would be just get a tunnel from HE.. You can get a /48 from them.. Take you all of a few minutes to get it up and running.
-
I know you can't. But if that is what they are saying that is what should be attempted. Who knows what they are doing.
When it doesn't work, he can go back to them and say "What about the /56?" "How is that routed to me?" Because he's certainly not going to get a /56 prefix using SLAAC, as broken as that would be.
-
@cmpsalvestrini said in IPv6 doubts:
gets off the phone with ISP <groan> WAN IPv6 address is distributed by SLAAC ... </groan>
I suppose I will have to set up some kind of bridge... I don't see how am I going to get my IPv6 working on the LAN side of my pfSense now. mutters darkly
Regardless of how you get your WAN address, they have to route your /56 prefix to you. This is normally done via the link local address, but can be done with whatever they assign to your WAN interface.
On my network, I have a /56 prefix, but the WAN address is in a different one. However, my default gateway is a link local address.
default fe80::217:10ff:fe9 UGS re0
-
blinks... Epiphany... So I use the ISP's modem link local address as gateway on my WAN interface and everything will work? And here I was setting up GUA as my gateway... forehead meets hand
-
Just let your wan get its IP via slaac... Then try and setup a IP on one of your lan side interfaces with the /56 they gave you.
If its routed to you that will work.
-
I will certainly do that. Thanks for the enlightenment Insert appropriate illuminated face here
-
Just ping6 an address on the /56 from the outside and pcap on WAN for it. No need to set anything up. If you don't see anything pcap on the interface for everything IPv6 and see if you see Neighbor Discoveries for it.
-
So let's see if this is correct:
a) Added the link-local address for the ISP-provided router as gateway for the LAN network (the ISP's router page gave me that information, as per screenshot:
WAN is as is (static 2001:818:d9d9:ba00::1/64, gateway 2001:818:d9d9:ba00::1)
LAN side is configured as follows:
This should in theory give me IPv6 Internet accessibility in my LAN side.
I hope I understood correctly what was suggested here. Feel free to yell at me if I haven't done something well.