Netgate Discussion Forum

    IPV6 setup with Hyperoptic (UK ISP)

    • JKnott @yellowbrick

      @yellowbrick said in IPV6 setup with Hyperoptic (UK ISP):

      Setting the WAN interface to SLAAC results in IPv6 not working at all...no WAN IPv6, no LAN/OPT IPv6 addresses, cannot route out, etc.
      Changing WAN back to DHCPv6 means WAN gets a /128, /56 PD is received, and LAN/OPT clients start working.
      strange...

      That's the way mine works. DHCPv6-PD assigns an address to the WAN interface and supplies the prefix for the LANs.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • yellowbrick

        I don't see anything in the logs indicating blocked packets on WAN or LAN.

        Not sure if this has anything to do with it, but I do have my WAN using a MAC clone from the ISP's router. Without this, I am not able to get a DHCPv6 address on WAN at all.

        • adhodgson

          Hi,

          Did you ever get this sorted? I am getting the same issue (though I didn't clone any MAC or anything else). Clients on the LAN are getting IPV6 ok, but the pfSense box itself cannot go out via its WAN address to the Internet over IPV6. I suspect some type of routing on the Hyperoptic side is broken.

          Andrew.

          • Derelict LAYER 8 Netgate

            So you're on this same ISP?

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • JKnott @yellowbrick

              @yellowbrick said in IPV6 setup with Hyperoptic (UK ISP):

              On the WAN interface, I do not get a ‘real’ IPV6 Gateway. The WAN gets a Link Local IPv6 Gateway only (fe80:: …) . (This was true even with the Hyperoptic ZTE router). Is this ‘normal’?

              I just noticed this. If pfSense doesn't have a WAN address, other than link local, it can't communicate with anything. On my system, I have a /128 WAN address. Devices on the LAN will still work fine though, as that /128 address is not used for routing.

              • Derelict LAYER 8 Netgate

                Poster is not saying there is no IPv6 GUA address on WAN, just that the gateway is link-local, which is normal.

                • yellowbrick @adhodgson

                  @adhodgson
                  I am getting pretty much the same as you:
                  -WAN gets a /128 GUA
                  -WAN gateway is a LLA
                  -LAN clients can ping6 OK
                  -Firewall itself cannot ping6 (other than to WAN gateway)

                  I gave up on trying to figure it out...pfSense updates were slow, as IPv6 is preferred so it has to fail before going to IPv4. I fixed this by preferring IPv4 in System->Advanced->Networking

                  Will try to find time to dig in deeper...

                  • adhodgson

                    Hi,

                    Yes I am using the same ISP as the original poster. Just for reference my WAN output is:

                    WAN Interface (wan, igb0)
                    Status: up
                    DHCP: up
                    MAC Address: 00:1a:8c:4b:36:6c
                    IPv4 Address: 88.98.222.211
                    Subnet mask IPv4: 255.255.255.248
                    Gateway IPv4: 88.98.222.209
                    IPv6 Link Local: fe80::21a:8cff:fe4b:366c%igb0
                    IPv6 Address: 2a01:4b00:367b:5801:641a:32ef:9a9f:817a
                    Subnet mask IPv6: 128
                    Gateway IPv6: fe80::2ab4:48ff:fe87:c9fb
                    DNS servers: 127.0.0.1, 188.172.144.120, 141.0.144.64
                    MTU: 1500
                    Media: 1000baseT <full-duplex>

                    I believe this is normal, the problem is that for some reason the IP address 2a01:4b00:367b:5801:641a:32ef:9a9f:817a is not being routed correctly. I can see traffic going to the default gateway on a packet capture, but no return traffic, and if I try and ping that host from an external interface the traffic doesn't even seem to be visible at the pfSense box. My fix is to do what the original poster has done, prefer IPV4 to IPV6 connectivity.

                    I am still probably going to raise a case with the ISP in the first instance but am not hugely hopeful of a fix until I do more work at my end. The main question I want to get an answer to is whether they expect traffic on this WAN address to be routable or not, because in the situation where you have the customer provided router, you probably wouldn't even see this scenario in day-to-day operation, we are only seeing it because we are trying to access sites on the firewall box itself.

                    Thanks.
                    Andrew.

                    • JKnott @Derelict

                      @Derelict said in IPV6 setup with Hyperoptic (UK ISP):

                      Poster is not saying there is no IPv6 GUA address on WAN, just that the gateway is link-local, which is normal.

                      He also said "On the WAN interface, I do not get a ‘real’ IPV6 Gateway." and he can't ping from pfSense, but can from the LAN. He won't be able to ping very far using only a link local address.

                      • JKnott @adhodgson

                        @adhodgson said in IPV6 setup with Hyperoptic (UK ISP):

                        I believe this is normal, the problem is that for some reason the IP address 2a01:4b00:367b:5801:641a:32ef:9a9f:817a is not being routed correctly. I can see traffic going to the default gateway on a packet capture, but no return traffic, and if I try and ping that host from an external interface the traffic doesn't even seem to be visible at the pfSense box. My fix is to do what the original poster has done, prefer IPV4 to IPV6 connectivity.

                        What does traceroute show? If you can, also try a traceroute to your WAN address from elsewhere. I tethered to my cell phone for that.

                        • adhodgson

                          I can ping and trace route to the address from inside the LAN but that should be expected behaviour as pfSense knows about that address. Trace route from outside stops well before the Hyperoptic routers:

                          andrew@samwise:~$ traceroute 2a01:4b00:367b:5801:641a:32ef:9a9f:817a
                          traceroute to 2a01:4b00:367b:5801:641a:32ef:9a9f:817a (2a01:4b00:367b:5801:641a:32ef:9a9f:817a), 30 hops max, 80 byte packets
                          1 2001-41c8-0051-0500-0000-0000-0000-0003.no-reverse-dns-set.uk0.bigv.io (2001:41c8:51:500::3) 1.892 ms 1.917 ms 1.834 ms
                          2 4008.be1.cr4.man.bytemark.co.uk (2001:41c8:2000:4::1) 1.528 ms 1.524 ms 1.589 ms
                          3 2001:1b40:f900:8a61::1:1 (2001:1b40:f900:8a61::1:1) 1.100 ms 1.293 ms 1.259 ms
                          4 be16.asr01.ld5.as20860.net (2001:1b40:f000:10a:202::1) 12.704 ms 12.436 ms 12.555 ms
                          5 * * *
                          [...]
                          30 * * *

                          Andrew.

                          • JKnott @adhodgson

                            @adhodgson said in IPV6 setup with Hyperoptic (UK ISP):

                            I can ping and trace route to the address from inside the LAN but that should be expected behaviour as pfSense knows about that address. Trace route from outside stops well before the Hyperoptic routers:

                            Then it's a problem with the ISP. They're supposed to advertise the prefix via a routing protocol such as OSPF. If they don't do that, then the rest of the world can't reach it. You can use ping6 -S <source address> to force the ping from the LAN interface, which does work.

                            This indicates one of the differences between IPv4 & IPv6. With IPv4, you need a routeable address on the WAN interface. With IPv6, link local is often used. To reach pfSense from elsewhere, you can use any routeable address on the box. In my case, I have a /128 address on the WAN interface. In your case, you have to use the LAN address.

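The per-source-address check suggested in the reply above (`ping6 -S <source address>`), written out as an added example that is not part of the original thread: it lists every global IPv6 address on the firewall and pings a target from each one. The function names `list_gua` and `probe`, the script name, the `igb1` interface and its `2001:db8::` address are assumptions made for illustration; the target host is supplied by the operator.

```shell
#!/bin/sh
# Added example (not from the thread): test IPv6 replies per source address.

# Constructed sample in FreeBSD ifconfig format. The igb0 addresses are the WAN
# values posted in the thread; igb1 and its 2001:db8:: address are made up.
SAMPLE_IFCONFIG='igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::21a:8cff:fe4b:366c%igb0 prefixlen 64 scopeid 0x1
        inet6 2a01:4b00:367b:5801:641a:32ef:9a9f:817a prefixlen 128
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::1:1%igb1 prefixlen 64 scopeid 0x2
        inet6 2001:db8:1234:5600::1 prefixlen 64'

# Read ifconfig output on stdin and print "interface address" for each global
# unicast address (2000::/3). Link-local (fe80::/10) and ULA (fc00::/7) are
# skipped because they cannot source traffic to the Internet.
list_gua() {
    awk '
        /^[a-z0-9_.]+: flags=/ { ifc = $1; sub(/:$/, "", ifc) }
        $1 == "inet6" && $2 ~ /^[23][0-9a-f][0-9a-f][0-9a-f]:/ { print ifc, $2 }
    '
}

# Ping the target from one source address and report whether replies came back.
probe() {   # $1 = source address, $2 = target
    if ping6 -c 3 -S "$1" "$2" >/dev/null 2>&1; then
        echo "replies"
    else
        echo "no replies"
    fi
}

if [ "$#" -ge 1 ]; then
    # On the firewall: sh check_v6_sources.sh <IPv6 host that answers ping>
    ifconfig | list_gua | while read -r ifc addr; do
        printf '%-8s %-40s %s\n' "$ifc" "$addr" "$(probe "$addr" "$1")"
    done
else
    # No target given: show what the parser extracts from the sample above.
    printf '%s\n' "$SAMPLE_IFCONFIG" | list_gua
fi
```

A WAN /128 that reports "no replies" while the LAN address reports "replies" matches the symptom described in this thread: the delegated prefix is routed back to the firewall but the WAN address is not.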
                              • adhodgson @JKnott

                                Hi,

                                I have had discussions with the ISP (Hyperoptic) about this. The suggestion is now that I assign a fixed IPV6 IP to the WAN interface from the /67 block if I want outbound traffic to work from the firewall itself. Is this even possible, what is the best way to do this without causing issues for the LAN clients where IPV6 is working well? I take it I will need to give a /64 subnet to the WAN, and override the default gateway?

                                Thanks.
                                Andrew.

                                • JKnott @adhodgson

                                  @adhodgson

                                  I assume you mean /64, not /67. Regardless, you can't. You cannot have more than 1 interface with the same prefix. However, what traffic will you be sending from the firewall? Other than ping and traceroute, I don't see you doing much. Does the pfSense update work without a WAN address? As far as services such as VPN, SSH and so on, you should be able to use the LAN address.

                                  • chrcoluk

                                    The solution is this.

                                    Have the fixed address on WAN which gets assigned using DHCPv6 mode on WAN interface.

                                    On WAN interface have "Use IPv4 connectivity as parent interface" ticked.

                                    The next bit depends on isp, I will post both methods.

                                    This one I think is likely to be more common across ISPs.

                                    On LAN interface set the prefix given to you by the isp manually.
                                    Leave ipv6 upstream gateway set to none, I would initially leave use ipv4 connectivity as parent unticked, but tick it if you have no internet routing.

                                    Once it's assigned on LAN, things like DHCP6 etc. LAN side should work.

                                    The second method is if isp supplies dynamic prefix.

                                    Configure LAN interface to "track interface" for ipv6 configuration type. This should make pfSense automatically assign an ip to LAN based on the PD-Prefix sent to you by isp, and should also automatically populate prefix on LAN DHCP6.

                                    On both methods you may or may not also need to specify the prefix delegation size in WAN settings, on my first isp (sky) I set it, my current isp (aaisp) is set to none based on their instructions.

                                    If your isp uses DHCP auth for ipv4, you will probably also need to tick the "do not wait for a RA" box.

                                    Given that you have already stated you are getting assigned a PD Prefix from the isp, then the likely only missing piece of jigsaw is probably the LAN interface configuration.

                                    pfSense CE 2.7.2

                                    • yellowbrick @chrcoluk

                                      Hi @chrcoluk ,

                                      You have described a couple of different ways to get the delegated prefixes onto the LAN segment. If you will read above, that is not the problem. Both @adhodgson and I have been able to get LAN interface and LAN clients to work without problems using Track Interface.

                                      • chrcoluk

                                        I also described how to get WAN interface assigned an ipv6 as well.

                                        So what is the problem I missed?

                                        • adhodgson @chrcoluk

                                          This all worked for a couple of years but we have had some Hyperoptic upgrade done in the area and it has broken IPV6 connectivity using DHCPV6 (default configuration). Trying to work out what is best to do at the moment but wondering if anyone else has seen this? Only way of getting IPV6 right now is using the ISP provided kit which isn't giving much away about configuration.

                                          I'm not hopeful of a solution right now as I've seen several other forum posts where people have either been able to get IPV6 working on their connection or not and if it works it seems to just work in the way described above but if it isn't working nothing seems to get it on, but will be trying a couple of options with PFSense over the next few days as we have a lot more info from the logs than on most of the other routers out there.
