Netgate Discussion Forum

    Static IPv6 setup

    21 Posts 10 Posters 8.2k Views
      mevans336

      I am having this EXACT same issue and have my network configured almost identically to yours. To/From the WAN works, to/from LAN clients to the LAN interface works, but nothing WAN to LAN or LAN to WAN does. I have verified I have an allow all for IPv6 on my LAN interface as well.

      I have opened a ticket with pfSense. If they can help me figure this out, I'll post back here because I suspect we've both configured something incorrectly.

        mevans336

        My issue was very likely not the same as yours, as I was able to ping the WAN IPv6 IP of my pfSense router. My issue wound up being a CARP issue and therefore, unrelated to a single host setup. (Props to pfSense support!)

        Did you get your issue resolved?

          nunalog

          I have the same issue with Bell Canada.
          I'm thinking this can be resolved with virtual IPs of some sort but I have no idea.

            cmb

            @nunalog:

            I have the same issue with Bell Canada.
            I'm thinking this can be resolved with virtual IPs of some sort but I have no idea.

            You have the same symptom. And probably the same root cause, the routing of your LAN-side IPv6 subnet isn't working. But there are many possible reasons for that, which shouldn't all be jumbled into one thread. Please start a new thread and describe your Bell-provided IPv6 information, and what you've configured.

              rhyde

              I know this was 2 years ago but did anyone resolve this? Having the exact same issue.

                msf2000

                It's probably the routing. Are you using an IPv6 tunnel broker, or is your IPv6 natively provided by the same ISP as IPv4?

                  msf2000

                  If you're using a tunnel broker, then let your LAN clients use a different subnet (/64).
                  2001:xxxx:xxxx:1000::1 -- isp side of ipv6 tunnel
                  2001:xxxx:xxxx:1000::2 -- firewall side of ipv6 tunnel
                  2001:xxxx:xxxx:2000::1 -- firewall lan interface
                  2001:xxxx:xxxx:2000::/64 -- lan dhcp range anywhere in here is fine.

                  Then, configure the IPv6 router as "Managed" mode.
                  http://firewall/services_router_advertisements.php

                    rhyde @msf2000

                    @msf2000

                    I am receiving a static /56 IPv6 block from CenturyLink Business.

                    Upstream Gateway:
                    2001:XXXX:XXXX:900::1

                    WAN Interface:
                    2001:XXXX:XXXX:900::2 /64

                    LAN Interface:
                    2001:XXXX:XXXX:901::1 /64

                    PINGS:

                    YES | LAN > WAN
                    YES | WAN > Gateway
                    YES | WAN > GOOGLE DNS

                    NO | LAN > Gateway
                    NO | WAN > LAN

                    ISP PINGS:
                    NO | Gateway > WAN

                    Firewall rules are correct. I have RA turned on in "Assisted" Mode.

                    From what I read:
                    The Upstream Gateway needs to have a route for the /56 pointing to the pfSense WAN interface.

                      msf2000

                      On the page /system_gateways.php
                      Is there an entry for 2001:XXXX:XXXX:900::1 using interface WAN?

                        rhyde

                        Yes there is and it is also the default gateway.

                          msf2000

                          Try one or both of these:

                          1. Traceroute from a LAN client to 2001:XXXX:XXXX:900::1
                          2. Go to the top menu Diagnostics --> Routes.
                            Screenshot just the section "IPv6 Routes".

                          You should see:
                          Destination -- Gateway
                          default -- 2001:XXXX:XXXX:900::1
                          2001:XXXX:XXXX:900::1 -- link##
                          2001:XXXX:XXXX:900::2 -- link##
                          2001:XXXX:XXXX:901::1 -- link##
                          2001:XXXX:XXXX:901::/64 -- link##

                          Ignore the fe80:: stuff.

                          Keep in mind that /64 would make the WAN & LAN subnets separated properly, but a /56 would not.

                          2001:abcd:abcd:900::1/56 is
                          Start Range: 2001:abcd:abcd:900:0:0:0:0
                          End Range: 2001:abcd:abcd:9ff:ffff:ffff:ffff:ffff

                            lam16

                            I am having the same problem.

                            I have a BT static IP address
                            network address: 2a00:2323:ffaa::/64
                            gateway 2a00:2323:ffaa::1

                            WAN
                            ip: 2a00:2323:ffaa::5/64

                            LAN
                            ip: 2a00:2323:ffaa:1000::/56

                            ping
                            WAN to GW - OK
                            WAN to google - OK

                            LAN to WAN - OK
                            LAN to GW - FAIL
                            LAN to google - FAIL

                            system > advanced > networking > ipv6 enabled
                            FIREWALL > WAN ipv6 *** pass
                            FIREWALL > LAN ipv6 *** pass

                            Please can you help? What am I missing?

                              msf2000

                              For everyone having routing problems with IPv6, be sure you set up the router under:
                              http://firewall/services_router_advertisements.php?if=lan

                              Router Mode should be "Managed"
                              Managed - Will advertise this router with all configuration through a DHCPv6 server.

                              That's the only way I've gotten it to work correctly.

                                Napsterbater @msf2000

                                @msf2000

                                "Managed" is not the only "correct" setting. It is only needed/used IF you want to disable SLAAC and tell the client to ONLY use DHCPv6, of which you need to also have DHCPv6 correctly configured on that interface.

                                In fact most deployments, especially in residential, will/should use unmanaged (DNS provided via RDNSS only), or stateless DHCP. This allows SLAAC addressing and RDNSS (provides DNS servers for devices supporting RDNSS) AND allows devices that only support DNS via Stateless DHCP to get DNS servers and such from DHCPv6 (older Windows versions, including early Win10).

                                In fact a setting of Managed will not allow some/many devices to get an IPv6 address at all as not all support DHCPv6, Android being the biggest one.

                                If unmanaged is not working then double check all settings on the screen, also confirm the systems are getting DNS servers even if they are only IPv4 (provided they have IPv4 connectivity).

                                  msf2000

                                  @Napsterbater

                                  I don't know enough about DHCPv6 to know what the correct setting is in every deployment scenario. Based on the OP and others' comments, I provided the only setting that worked for me in my deployment.

                                  Can you please make a suggestion to @rhyde on what settings to change?

                                      rhyde

                                      Hey guys I finally had some breakthrough with this. Please note that the below config is if you want to have dual stack support.

                                      Here is what ultimately worked:

                                      Put the LAN and WAN in Bridge Mode
                                      [screenshot: bridge-mode.png]

                                      WAN interface config:
                                      [screenshot: wan-interface.png]

                                      LAN interface config:
                                      [screenshot: lan-interface.png]

                                      DHCPv6 & RA config:
                                      [screenshot: wan-dhcp.png]
                                      [screenshot: wan-ra.png]

                                      DHCP config:
                                      [screenshot: lan-dchp.png]

                                      WAN firewall rules:
                                      [screenshot: wan-firewall-rules.png]

                                      LAN firewall rules:
                                      [screenshot: lan-firewall-rules.png]

                                      Let me know if you guys have any thoughts or suggestions to this config. I am open to whatever. There could be some issues with it but at least it works. :)

                                        JKnott @rhyde

                                        @rhyde said in Static IPv6 setup:

                                        Let me know if you guys have any thoughts or suggestions to this config. I am open to whatever. There could be some issues with it but at least it works. :)

                                        What does the ISP say you should be using? If they're expecting you to use DHCPv6-PD and you use a static config, you may find you have problems, even if it is working at the moment.

                                        PfSense running on Qotom mini PC
                                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                        UniFi AC-Lite access point

                                        I haven't lost my mind. It's around here...somewhere...

                                          rhyde @JKnott

                                          @jknott the ISP is giving a static IP only. This is business grade internet, not residential.

                                            Derelict LAYER 8 Netgate

                                            I cannot imagine that a bridge like that is necessary.

                                            That is really ugly.

                                            They should route the /56 to an address on the WAN interface. That address can be obtained in multiple different ways. It can even be link-local. It is really up to them to tell you, in general terms, how to provision your router interface. For anyone else it would just be a guessing game.

                                            This is an example of instructions for a static /48 from a popular IPv6 transit + colo provider:

                                            IPv6
                                            2001:xx:x:xx::/64
                                            ::1 is ISP
                                            ::2 is Customer
                                            
                                            They route 2001:xxx:xxx::/48 to 2001:xx:x:xx::2
                                            

                                            It's as simple as that. Interface network + routed subnet.

                                            In that case you would set pfSense WAN to Static 2001:xx:x:xx::2/64 with a gateway of 2001:xx:x:xx::1 and use 2001:xxx:xxx::/48 on the inside however you want.

                                            Chattanooga, Tennessee, USA
                                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                            Do Not Chat For Help! NO_WAN_EGRESS(TM)
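
Added example (not part of the thread and not any poster's code): a Python check of the "interface network + routed subnet" layout described above, and of the /56-versus-/64 overlap raised earlier in the thread. The function name `audit_plan`, the plan labels and every address (2001:db8::/32 documentation space) are constructed for illustration.

```python
import ipaddress

def audit_plan(wan_if, gateway, lan_ifs, routed_prefix):
    """Return findings for a static IPv6 plan; an empty list means consistent."""
    findings = []
    wan = ipaddress.ip_interface(wan_if)
    gw = ipaddress.ip_address(gateway)
    routed = ipaddress.ip_network(routed_prefix)

    # The next hop must be on-link on WAN, or be a link-local address.
    if gw not in wan.network and not gw.is_link_local:
        findings.append(f"gateway {gw} is not on-link in WAN {wan.network}")

    nets = {"WAN": wan.network}
    for name, text in lan_ifs.items():
        iface = ipaddress.ip_interface(text)
        nets[name] = iface.network
        if iface.network.prefixlen != 64:
            findings.append(f"{name}: interface prefix is /{iface.network.prefixlen}, expected /64")
        if iface.ip == iface.network.network_address:
            findings.append(f"{name}: {iface.ip} is the subnet's all-zeros address")
        if not iface.network.subnet_of(routed):
            findings.append(f"{name}: {iface.network} is outside routed prefix {routed}")

    # A mask that is too short on one interface swallows the other interface's /64.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return findings

# Constructed plans: (WAN interface, gateway, LAN interfaces, prefix the ISP routes)
PLANS = {
    "interface /64 + routed /48": ("2001:db8:0:10::2/64", "2001:db8:0:10::1",
                                   {"LAN": "2001:db8:100:1::1/64"}, "2001:db8:100::/48"),
    "/56 mask typed on WAN": ("2001:db8:abcd:900::2/56", "2001:db8:abcd:900::1",
                              {"LAN": "2001:db8:abcd:901::1/64"}, "2001:db8:abcd:900::/56"),
    "/56 mask typed on LAN": ("2001:db8:ffaa::5/64", "2001:db8:ffaa::1",
                              {"LAN": "2001:db8:ffaa:1000::/56"}, "2001:db8:ffaa:1000::/56"),
}

if __name__ == "__main__":
    for label, plan in PLANS.items():
        print(label, "->", audit_plan(*plan) or "consistent")
```

This only validates the addressing on the firewall side; whether the ISP has actually installed the route for the delegated prefix toward the WAN address still has to be confirmed with the ISP.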
