Using IPv6 on LAN without IPv6 on WAN?
-
@stb said in Using IPv6 on LAN without IPv6 on WAN?:
I have enabled "Allow IPv6" in the advanced networking options.
You sure? Normally (default) it already IS enabled and it's now disabled/blocked? The wording of that checkbox in adv. settings is still a bit off for me after all these years.
Still, I cannot ping6 from a device connected to one of the ethX LAN ports to device connected to another ethY LAN port. ping IPv4 works.
Are those ports "real" VLANs or are they still default configured as "switch" on the same subnet? If so, that shouldn't be a pfSense Problem as devices in the same subnet ping6 each other not via the firewall.
@stb said in Using IPv6 on LAN without IPv6 on WAN?:
Devices connected to the same ethX (behind another switch) can perfectly ping6.
Ah so ethX and ethY are different VLANs above? Then yes, you do need IPv6 LAN rules that allow ICMP6 or you won't get them to ping6 each other. Also without any IPv6 configuration at all, you won't be able to reach another subnet, as link-local (fe80::) addresses are non-routable and only exist on the same subnet.
I already tried SLAAC because that seemed to be a sensible choice for my setup, but this did not work either (I then see some LAN_SLAAC gateway as "pending").
SLAAC requires a prefix set up that can be used for autoconfiguration. Otherwise it won't work.
What you actually need if you have no IPv6 GUA from WAN (global unicast, public addresses) is to address ULAs - unicst local addresses. A bit like (but not the same) as private IP4 addresses like 192.168.x.y or 10.x.y.z.
Check the https://en.wikipedia.org/wiki/Unique_local_address - one should randomly generate your prefix like
fd49:6912:3271::/48
(that was me completely random bouncing on the keyboard)If you have your own random /48 prefix from the fd00::/8 space you can then choose /64 prefixes from that block as needed and configure them on your different VLANs. So e.g.
fd49:6912:3271::/48 - random prefix fd49:6912:3271:100::/64 - prefix for VLAN 100 fd49:6912:3271:200::/64 - prefix for VLAN 200 etc. etc.
Just an example. Configuring pfSense on the necessary interfaces you want IPv6 ULA to work is easy, just use static IPv6 and set it up as fd49:6912:3271:1/64 for example. Then configure the settings for DHCP6 Server accordingly (if you want to run SLAAC, DHCP6 etc.) and set up PCs, VMs etc in those VLANs within those prefix space or switch dem to SLAAC / DHCP6 as you want.
Have fun ;)
Jens -
Hi Jens,
first of all, thanks for taking the time to answer. :-)
The "Allow IPv6" was unticked, because when we installed the Netgate half a year ago, we knew that we won't have WAN IPv6, so we unticked that box in order to be "on the safe side". I now ticked it as I thought this may be the reason that I have no "ping6 fe80::......" across the switch ports.
Regarding the port/switch configuration ...
and ...
On ETH7 we have the "rest of the LAN" and on ETH8 we have an Ubiquiti access point which has the normal LAN on VLAN 4091 but a guest network on VLAN 200 (therefore VLAN 200 is tagged on ETH8).
So, actually I'm still unsure of whether I have to do some additional configuration if I want devices in VLAN 4090 on ETH8 to ping6 devices in VLAN 4090 on ETH7 (or vice versa).
And: Just for that to work ... do I need SLAAC in pfSense or not?
TIA,
Stefan -
@stb said in Using IPv6 on LAN without IPv6 on WAN?:
but we'd like to be able to ping6 our fe80:: addresses on the LAN.
That should always be available, unless you disabled it on the computers. It has nothing to do with pfSense. You can set up Unique Local Addresses, which are the IPv6 equivalent of IPv4 RFC 1918. However, if you try that, you may find your devices trying IPv6 before IPv4, when going out to the Internet.
-
Hi JKnott,
ok, then I need assistance because in that case I have behaviour which I cannot explain.
I have the Unifi access point sitting behind ETH8, the Unifi Controller is behind ETH7. Using IPv4 they can talk to each other just fine (i.e. I can ping from the access point to the controller and vice versa). Using IPv6 however, I cannot reach one from the other. All other machines behind ETH7 however can ping6 each other fine as well (including the controller host). The access point has IPv6 configured as well and the interface is up and has its fe80 address assigned, and ping6 on the access point to its own fe80 address works.
Therefore I concluded that the only thing that does not work, is IPv6 across the Netgate's switch between ETH7 <-> ETH8.
Edit: I have now logged into the pfSense console and tried the following:
ping6 -I lagg0.4091 fe80::address:behind:ETH8
ping6 -l lagg0.4091 fe80::address:behind:ETH7I can ping all fe80 IPv6 addresses in my LAN behind ETH7 that way, but I cannot ping6 the access point behind ETH8. Using "ping" and the IPv4 address of the access point, it works however.
TIA,
Stefan -
Just for the record: what is the IP4 of the Controller and the Access Point, that want to talk with each other? I'm still unsure if they are actually on the switch ports seeing each other or if they are in separate VLANs even if it says they're both 4091?
-
Hi Jens,
access point has IPv4 of 192.168.1.8 and Controller host has 192.168.1.9.
Edit: I don't understand your sentence "or if they are in separate VLANs even if it says they're both 4091" to be honest ...
Greetings,
Stefan -
OK they both are in 192.168.1.x - and they can see/ping each other with the IP4, correct? Then they should be in the same broadcast domain hence they should be able to ping6 each other with their respective fe80:: link local addresses... That strikes me as somewhat odd...
And: Just for that to work ... do I need SLAAC in pfSense or not?
You don't have SLAAC in pfSense. SLAAC ist short for Stateless Address Autoconfiguration. Only thing on pfSense side you would configure is your interface IPv6 static and DHCP6 set up to "assisted" mode, so the clients generate their own IP6 based on the announced prefix and DNS servers. Instead of waiting for an address the client generates it itself without (huge) input from a server. It only needs a prefix announcement.
But as others pointed out, ULA or "private" IP6 addresses aren't the best try to set things up as applications can try to resolve DNS or route traffic to the internet via a valid IP6 and without a real IP6 capable WAN there might be problems for you.
-
Hi,
yes, controller host and access point can ping each other using IPv4 just fine.
Regarding the same using IPv6, I think I'm one (small) step further ... I forgot to include the network interface when doing the ping6 from the access point. As soon as I include that (using "ping6 -I br0"), I can ping6 the whole LAN using IPv6 addresses from the access point.
However it does not work the other way round. Neither from the Netgate's console itself ("ping6 -I lagg0.4090") nor from any of the clients in the LAN ("ping6 -I ens192" or "ping6 -I enp5s0" etc.) I can ping6 the access point's IPv6 address.
Greetings,
Stefan -
From a Mac:
$ ping6 -c3 fe80::1:1%vlan0 PING6(56=40+8+8 bytes) fe80::14ea:9daa:af44:6b3d%vlan0 --> fe80::1:1%vlan0 16 bytes from fe80::1:1%vlan0, icmp_seq=0 hlim=64 time=0.396 ms 16 bytes from fe80::1:1%vlan0, icmp_seq=1 hlim=64 time=0.367 ms 16 bytes from fe80::1:1%vlan0, icmp_seq=2 hlim=64 time=0.378 ms
From pfSense:
# : ping6 -c3 fe80::14ea:9daa:af44:6b3d%lagg0.223 PING6(56=40+8+8 bytes) fe80::1:1%lagg0.223 --> fe80::14ea:9daa:af44:6b3d%lagg0.223 16 bytes from fe80::14ea:9daa:af44:6b3d%lagg0.223, icmp_seq=0 hlim=64 time=0.936 ms 16 bytes from fe80::14ea:9daa:af44:6b3d%lagg0.223, icmp_seq=1 hlim=64 time=2.767 ms 16 bytes from fe80::14ea:9daa:af44:6b3d%lagg0.223, icmp_seq=2 hlim=64 time=0.410 ms
"When using an IPv6 link-local address to connect to a host, a zone index must be added to the address so that the packets can be sent out on the correct interface. "
https://en.wikipedia.org/wiki/Link-local_address
-
@derelict thanks for the hint with the % syntax (instead of using -I). Inspecting again, what I did, I can in fact ping6 from the pfsense to the IPv6 address assigned to the br0 interface of the access point using the lagg0.4091 interface of the Netgate, however not the br0.200 interface of the access point using the lagg0.200 interface of the Netgate. That would be the tagged VLAN 200 ... shouldn't that be possible as well?
-
No idea what the capabilities of the access points are or if that will respond to ping. As you can see in my example, one of the destinations was a VLAN on a lagg. That will leave with a VLAN tag on it.
-
Even if your ISP doesn't provide IPv6, you can still have it, using a tunnel from hurricane electric. They are free, they perform well, they are very reliable and they work. I used one for years before my ISP implemented IPv6. There are lots people here who can help you set it up.