IPV6 - pfsense behind BT Hub

Jid

Hi All,
Hoping someone can help!.
SetUp:
Internet ==>BT Business Hub==>Pfsense ==LAN
From BT= 2a0X:xxxx:xxxx:x00:: /56
Bt Hub has address 2a0X:xxxx:xxxx:xx00:86a1:d1ff:fea1:f0df /64
Pfsense WAN = 2a0X:xxxx:xxxx:xx00:86a1:d1ff:fea1:f0ff /64 - STATIC
Pfsense LAN = 2a0X:xxxx:xxxx:xx02:86a1:d1ff:fea1:1000 /64 - STATIC
dhcpv6 SERVER ON pfsense giving CLIENTS ipv6 in expected range 2a0X:xxxx:xxxx:xx02::100 to 2a0X:xxxx:xxxx:xx02::250,
DNS(set to forwarding to 2001:4860:4860::8888google ) is 2a00:23a8:431e:b802:87a1:d1ff:fea1:1000( i.e. pfsense LAN gateway ip)

• client getting ipv6 address Normal.
  Issues :
  CANT ping from LAN devices to Internet (2001:4860:4860::8888)?
  BUT can ping from LAN devices to LAN Gateway and pfsense WAN
  CAN also ping from pfsense WAN to internet, But NOT from LAN.
  Firewall rule- ipv6 LAN to any and ICMPV6 from WAN to any.
  Router ADV mode Assisted.
  Am i missing somethig ?? Version 2.4.4-RELEASE-p3
  Thanks in advance

JKnott

@Jid

How are you getting IPv6? Most ISPs use DHCPv6-PD, which provides both the WAN address and LAN prefix. Do you see router advertisements on the LAN? The RAs provide the default route to devices on the LAN. Do computers on your LAN have a default route?

Jid

@JKnott
Thanks.
The BT Hub gets ipv6 via DHCPv6-PD on its WAN(2a0X:xxxx:xxxx:xx00:86a1:d1ff:fea1:f0df) BUT gave Pfsense WAN a
fe80:: range ,WHICH i then changed to(2a0X:xxxx:xxxx:xx00:86a1:d1ff:fea1:f0ff /64 - STATIC) and used the Other /64 on the pfsense LAN side.
The Default routes on the LAN clients is showing as fe80::,(EXpecting the LAN v6 gateway?) but ipv6 client is in the right range ,also DNS is Pfsense LAN ipv6 gateway and Google v6 dns.
Hope this is clear.
Thanks

JKnott

@Jid

IPv6 is different from IPv4 in a few ways. First off, the WAN address is not used for routing and therefore not needed. It is entirely possible to get by without it. Also, routing is normally done using link local addresses. For example, the default route on my network is fe80::1:1. This is where packet capture comes in handy. When you try to connect to something outside your LAN, do you see any attempt to pass through pfSense? That is does the frame have the pfSense MAC address as the destination? Do you see anything leaving on the WAN interface? PfSense includes Packet Capture, but you can also use Wireshark on the computers.

stephenw10

I have a similar setup to this except I have another pfSense device where you have the BT Business hub. That makes it much easier for me to play with the variables.
Like you BT gives me a /56 PD on the incoming PPPoE connection. I can then use /64s withing that on the internal interfaces.
What I'm now doing is further delegating a /60 from withing the /56 to an internal pfSense box from where I can use /64s inside that on it's internal interfaces.

In your setup with everything static I don't see how the BT Hub knows to route 2a0X:xxxx:xxxx:xx02::/64 via 2a0X:xxxx:xxxx:xx00:86a1:d1ff:fea1:f0ff

Steve

JKnott

@stephenw10 said in IPV6 - pfsense behind BT Hub:

In your setup with everything static I don't see how the BT Hub knows to route 2a0X:xxxx:xxxx:xx02::/64 via 2a0X:xxxx:xxxx:xx00:86a1:d1ff:fea1:f0ff

Routing is likely via the link local address, not WAN address. On my system, my WAN address is a /128, which means nothing can pass directly through it.

stephenw10

It doesn't really matter what IP it's routed via, if you don't pull a PD from the upstream router how does it know where that is?

In this example traffic has no way to reach 2a0X:xxxx:xxxx:xx02::/64 because it's not on a subnet connected to the BTHub directly.

Steve

JKnott

@stephenw10 said in IPV6 - pfsense behind BT Hub:

It doesn't really matter what IP it's routed via, if you don't pull a PD from the upstream router how does it know where that is?

In this example traffic has no way to reach 2a0X:xxxx:xxxx:xx02::/64 because it's not on a subnet connected to the BTHub directly.

Steve

@stephenw10 said in IPV6 - pfsense behind BT Hub:

It doesn't really matter what IP it's routed via, if you don't pull a PD from the upstream router how does it know where that is?

In this example traffic has no way to reach 2a0X:xxxx:xxxx:xx02::/64 because it's not on a subnet connected to the BTHub directly.

Steve

The ISP should know how to route the assigned prefix to his network, just like any other routing. Routers only need to know how to reach the next hop. With IPv6, that is often the link local address of the firewall/router. So, if 2a0X:xxxx:xxxx:xx02::/64 is part of the prefix assigned to the OP, then it should work.

Again, on my network, pfSense has been assigned a WAN address, but it play no part in routing. The default gateway, both on the LAN and on the WAN is the appropriate link local address. So, when my ISP has a packet to send to my network, it is sent to the pfSense link local address on the WAN interface. Of course, all IP addresses resolve to a MAC address, which is what is actually used to carry the frame from the ISP router to mine. However, if the OP just assigned a static address when the ISP is expecting DHCPv6-PD to be used, then there will be problems.

stephenw10

Exactly the problem here is that the ISP routes the /56 PD to the BT Hub but since pfSense is not pullling a PD from the BT Hub it does not get the required route. So the BT Hub has no way to know the /64 on the pfSense LAN is behind a downstream router.
Unfortunately I doubt the BT business hub has any static routing, additional gateway type ability. I could be wrong...

Steve

JKnott

@stephenw10 said in IPV6 - pfsense behind BT Hub:

Exactly the problem here is that the ISP routes the /56 PD to the BT Hub but since pfSense is not pullling a PD from the BT Hub it does not get the required route. So the BT Hub has no way to know the /64 on the pfSense LAN is behind a downstream router.
Unfortunately I doubt the BT business hub has any static routing, additional gateway type ability. I could be wrong...

Steve

That's not the impression I got from the OP. He said:

"Thanks.
The BT Hub gets ipv6 via DHCPv6-PD on its WAN(2a0X:xxxx:xxxx:xx00:86a1:d1ff:fea1:f0df) BUT gave Pfsense WAN a
fe80:: range ,WHICH i then changed to(2a0X:xxxx:xxxx:xx00:86a1:d1ff:fea1:f0ff /64 - STATIC) and used the Other /64 on the pfsense LAN side.
The Default routes on the LAN clients is showing as fe80::,(EXpecting the LAN v6 gateway?) but ipv6 client is in the right range ,also DNS is Pfsense LAN ipv6 gateway and Google v6 dns."

Based on that, it appears that he is being assigned a prefix, but not a WAN address. That is entirely normal, as the link local address will be used for routing and a WAN address is not necessary. He has the same thing on the LAN, with the link local address being used for the gateway. This is entirely normal. Based on what I've read in this thread is he can't reach the Internet from his LAN, which indicates a routing problem or perhaps a misconfigured firewall.

stephenw10

Indeed, BT don't usually give you a WAN IP just a Prefix. That's exactly what I see on my BT connection.

But unlike the OP I am using pfSense to get that prefix, he is using the BT Hub router. I am setting up a PD in that edge pfSense device to pass a /60 to my inner pfSense device. He is just configuring it statically on pfSense with no way to tell the BT Hub about that route.

Steve

Jid

@JKnott
Will try the Capture and see what i find
Regards

stephenw10

Is there any ability to add routes and gateways in the BT Business hub?

Jid

@stephenw10

Yes exactly ,but i was expecting the BT hub to give Pfsence an ip in the 2a0X:xxxx:xxxx:xx00:: /64 but it wasnt but gave it a fe80:: ?? will try to keep this as fe80:: and then use the /64 from the BT wan range in the LAN ,BUT that will still pose the issue of the BT box knowing how to get to this /64.

Jid

@stephenw10
Will look into this by weekend,so set a static route(BT hUB) for the /64 to the pfsense WAN (fe80::)??

stephenw10

Yes I would expect that to work. Odd that it doesn't assign the pfSense WAN a routable v6 IP though, it's set to DHCPv6? I assume other devices connected to the hub do get a v6 IP in that /64?

JKnott

@stephenw10 said in IPV6 - pfsense behind BT Hub:

he is using the BT Hub router

I didn't see that. In that case prefix delegation won't work. He wants to put the modem in bridge mode. With it in gateway mode, only devices connected directly to it will get an address.

JKnott

@Jid said in IPV6 - pfsense behind BT Hub:

@stephenw10

Yes exactly ,but i was expecting the BT hub to give Pfsence an ip in the 2a0X:xxxx:xxxx:xx00:: /64 but it wasnt but gave it a fe80:: ?? will try to keep this as fe80:: and then use the /64 from the BT wan range in the LAN ,BUT that will still pose the issue of the BT box knowing how to get to this /64.

If that modem is in gateway mode, you can't put pfSense behind it and expect it to work properly. The pfSense WAN interface should get an address, but no prefix for the LAN. Every IPv6 capable device will have a link local fe80 address, no matter what it's connected to. That does not come from the ISP. It's often derived from the MAC address.

Jid

@JKnott
"With it in gateway mode, only devices connected directly to it will get an address". That is the case here .
The Probem is HOW do I get Devices on LAN side of Pfsense(connected directly to BT hub) to be able to route out in ipv6.

Jid

@stephenw10

Yes they do in the 2a0X:xxxx:xxxx:xx00:: range, however in the pfsense WAN(directly connected to LAN of BT Hub) its showing in the fe80:: range.