Using IPv6 on LAN without IPv6 on WAN?
-
@stb said in Using IPv6 on LAN without IPv6 on WAN?:
but we'd like to be able to ping6 our fe80:: addresses on the LAN.
That should always be available, unless you disabled it on the computers. It has nothing to do with pfSense. You can set up Unique Local Addresses, which are the IPv6 equivalent of IPv4 RFC 1918. However, if you try that, you may find your devices trying IPv6 before IPv4, when going out to the Internet.
-
Hi JKnott,
ok, then I need assistance because in that case I have behaviour which I cannot explain.
I have the Unifi access point sitting behind ETH8, the Unifi Controller is behind ETH7. Using IPv4 they can talk to each other just fine (i.e. I can ping from the access point to the controller and vice versa). Using IPv6 however, I cannot reach one from the other. All other machines behind ETH7 however can ping6 each other fine as well (including the controller host). The access point has IPv6 configured as well and the interface is up and has its fe80 address assigned, and ping6 on the access point to its own fe80 address works.
Therefore I concluded that the only thing that does not work is IPv6 across the Netgate's switch between ETH7 <-> ETH8.
Edit: I have now logged into the pfSense console and tried the following:
ping6 -I lagg0.4091 fe80::address:behind:ETH8
ping6 -I lagg0.4091 fe80::address:behind:ETH7
I can ping all fe80 IPv6 addresses in my LAN behind ETH7 that way, but I cannot ping6 the access point behind ETH8. Using "ping" and the IPv4 address of the access point, it works however.
TIA,
Stefan
-
Just for the record: what is the IP4 of the Controller and the Access Point, that want to talk with each other? I'm still unsure if they are actually on the switch ports seeing each other or if they are in separate VLANs even if it says they're both 4091?
-
Hi Jens,
access point has IPv4 of 192.168.1.8 and Controller host has 192.168.1.9.
Edit: I don't understand your sentence "or if they are in separate VLANs even if it says they're both 4091" to be honest ...
Greetings,
Stefan
-
OK they both are in 192.168.1.x - and they can see/ping each other with the IP4, correct? Then they should be in the same broadcast domain hence they should be able to ping6 each other with their respective fe80:: link local addresses... That strikes me as somewhat odd...
And: Just for that to work ... do I need SLAAC in pfSense or not?
You don't have SLAAC in pfSense. SLAAC is short for Stateless Address Autoconfiguration. Only thing on pfSense side you would configure is your interface IPv6 static and DHCP6 set up to "assisted" mode, so the clients generate their own IP6 based on the announced prefix and DNS servers. Instead of waiting for an address the client generates it itself without (huge) input from a server. It only needs a prefix announcement.
But as others pointed out, ULA or "private" IP6 addresses aren't the best try to set things up as applications can try to resolve DNS or route traffic to the internet via a valid IP6 and without a real IP6 capable WAN there might be problems for you.
-
Hi,
yes, controller host and access point can ping each other using IPv4 just fine.
Regarding the same using IPv6, I think I'm one (small) step further ... I forgot to include the network interface when doing the ping6 from the access point. As soon as I include that (using "ping6 -I br0"), I can ping6 the whole LAN using IPv6 addresses from the access point.
However it does not work the other way round. Neither from the Netgate's console itself ("ping6 -I lagg0.4090") nor from any of the clients in the LAN ("ping6 -I ens192" or "ping6 -I enp5s0" etc.) can I ping6 the access point's IPv6 address.
Greetings,
Stefan
-
From a Mac:
$ ping6 -c3 fe80::1:1%vlan0
PING6(56=40+8+8 bytes) fe80::14ea:9daa:af44:6b3d%vlan0 --> fe80::1:1%vlan0
16 bytes from fe80::1:1%vlan0, icmp_seq=0 hlim=64 time=0.396 ms
16 bytes from fe80::1:1%vlan0, icmp_seq=1 hlim=64 time=0.367 ms
16 bytes from fe80::1:1%vlan0, icmp_seq=2 hlim=64 time=0.378 ms
From pfSense:
# : ping6 -c3 fe80::14ea:9daa:af44:6b3d%lagg0.223
PING6(56=40+8+8 bytes) fe80::1:1%lagg0.223 --> fe80::14ea:9daa:af44:6b3d%lagg0.223
16 bytes from fe80::14ea:9daa:af44:6b3d%lagg0.223, icmp_seq=0 hlim=64 time=0.936 ms
16 bytes from fe80::14ea:9daa:af44:6b3d%lagg0.223, icmp_seq=1 hlim=64 time=2.767 ms
16 bytes from fe80::14ea:9daa:af44:6b3d%lagg0.223, icmp_seq=2 hlim=64 time=0.410 ms
"When using an IPv6 link-local address to connect to a host, a zone index must be added to the address so that the packets can be sent out on the correct interface."
https://en.wikipedia.org/wiki/Link-local_address
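The zone index rule quoted above, as an added example that is not part of the original post: it shows why `fe80::1:1` alone is not a usable destination and what the `%interface` suffix turns into in the socket address. The interface table (`CONSTRUCTED_IFACES`) and the `fd12:...` address are constructed sample values; on a real host the default `socket.if_nametoindex` does the lookup.

```python
import ipaddress
import socket

# Constructed interface-name -> index table so the example runs offline.
CONSTRUCTED_IFACES = {"vlan0": 12, "lagg0.223": 9}


def parse_scoped(target):
    """Split 'address%zone' into (IPv6Address, zone or None)."""
    addr, _, zone = target.partition("%")
    return ipaddress.IPv6Address(addr), (zone or None)


def sockaddr_for(target, port=0, if_index=socket.if_nametoindex):
    """Build the (host, port, flowinfo, scope_id) tuple for an AF_INET6 socket.

    Every interface sits on its own fe80::/10 link, so a link-local
    destination without a zone is ambiguous and is rejected here.
    """
    ip, zone = parse_scoped(target)
    if not ip.is_link_local:
        # Global and ULA addresses are routed normally; no scope needed.
        return (str(ip), port, 0, 0)
    if zone is None:
        raise ValueError(f"{ip} is link-local: append %<interface>")
    # The zone may be an interface name (vlan0) or a numeric index.
    scope_id = int(zone) if zone.isdigit() else if_index(zone)
    return (str(ip), port, 0, scope_id)


def demo():
    """Run the two pings from the post plus a zone-less one through the check."""
    lookup = CONSTRUCTED_IFACES.__getitem__
    results = {}
    for target in ("fe80::1:1%vlan0",
                   "fe80::14ea:9daa:af44:6b3d%lagg0.223",
                   "fe80::1:1",              # no zone: must be rejected
                   "fd12:3456:789a::1"):     # constructed ULA: no zone needed
        try:
            results[target] = sockaddr_for(target, if_index=lookup)
        except ValueError as exc:
            results[target] = str(exc)
    return results


if __name__ == "__main__":
    for target, outcome in demo().items():
        print(f"{target:40} -> {outcome}")
```
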
-
@derelict thanks for the hint with the % syntax (instead of using -I). Inspecting again what I did, I can in fact ping6 from the pfSense to the IPv6 address assigned to the br0 interface of the access point using the lagg0.4091 interface of the Netgate, however not the br0.200 interface of the access point using the lagg0.200 interface of the Netgate. That would be the tagged VLAN 200 ... shouldn't that be possible as well?
-
No idea what the capabilities of the access points are or if that will respond to ping. As you can see in my example, one of the destinations was a VLAN on a lagg. That will leave with a VLAN tag on it.
-
Even if your ISP doesn't provide IPv6, you can still have it, using a tunnel from Hurricane Electric. They are free, they perform well, they are very reliable and they work. I used one for years before my ISP implemented IPv6. There are lots of people here who can help you set it up.