IPv6 Segmented Network Setup on AT&T

andrew_241

I found here, a process that might help me set up IPv6 with a few VLANs.

Any comments on this sort of configuration, and whether or not some adjustments can be made to the pfSense GUI to support it?

JKnott

@andrew_241

What do they mean by pfSense can't request multiple /64s? It most certainly can. I get 256 of them from my ISP, using dhcpv6-pd. On the WAN side, you can specify whatever size you want, up to whatever the ISP offers.

stions

Comcast apparently just rolled out IPv6 in my area, as I discovered that my pfSense box had picked up an IPv6 address on its WAN that it hadn't had last week. I followed the steps here to make sure everything was configured right; I see IPv6 addresses on my WAN and LAN interfaces, as well as on my laptop, yet my devices don't seem to have IPv6 connectivity.

My WAN shows an address beginning with 2001:, my LAN and devices show addresses beginning with 2601:, and I have DNS servers of 2001:558:feed::1 and 2001:558:feed::2. From my laptop, an ifconfig en1 | grep inet6 yields the following:
inet6 2601:AAAA:BBBB:CCCC:XXXX:XXXX:XXXX:XXXX prefixlen 64 autoconf
inet6 2601:AAAA:BBBB:CCCC:YYYY:YYYY:YYYY:YYYY prefixlen 64 autoconf temporary
(in addition to the link-local address) where the "AAAA:BBBB:CCCC" parts are the same across the two (but not those literal hexadecimal digits) and the rest differs between them.

When I try to ping the DNS servers (i.e. ping6 2001:558:feed::1) from my laptop it just times out. If I run the ping from pfsense I get replies. I also can't ping the WAN's 2001: address or the WLAN's 2601: address, so it seems the problem is that my laptop can't talk to the router over IPv6. Strangely, if I do "ping6 ipv6.google.com", it resolves:
PING6(56=40+8+8 bytes) 2601:AAAA:BBBB:CCCC:YYYY:YYYY:YYYY:YYYY –> 2607:f8b0:4006:802::1002
(yes, it seems to be using the "temporary" address – is that normal?) but still times out.

Here are screenshots of my configuration. I entirely disabled and re-enabled the WAN interface after making changes, as well as releasing/renewing in Status>Interfaces, but can't get my laptop to connect. I also made sure "Allow IPv6" was enabled under "System>Advanced>Networking". What am I missing, Is It IP like 192.168.0.1?

(P.S.: I'm running 2.1.2-RELEASE (amd64) / nanobsd (1g) if it makes a difference)

JKnott

@stions said in IPv6 Segmented Network Setup on AT&T:

Comcast apparently just rolled out IPv6 in my area, as I discovered that my pfSense box had picked up an IPv6 address on its WAN that it hadn't had last week. I followed the steps here to make sure everything was configured right; I see IPv6 addresses on my WAN and LAN interfaces, as well as on my laptop, yet my devices don't seem to have IPv6 connectivity.

My WAN shows an address beginning with 2001:, my LAN and devices show addresses beginning with 2601:, and I have DNS servers of 2001:558:feed::1 and 2001:558:feed::2. From my laptop, an ifconfig en1 | grep inet6 yields the following:
inet6 2601:AAAA:BBBB:CCCC:XXXX:XXXX:XXXX:XXXX prefixlen 64 autoconf
inet6 2601:AAAA:BBBB:CCCC:YYYY:YYYY:YYYY:YYYY prefixlen 64 autoconf temporary
(in addition to the link-local address) where the "AAAA:BBBB:CCCC" parts are the same across the two (but not those literal hexadecimal digits) and the rest differs between them.

One of those, like the link local address, is your consistent Global Unique Address and the one you'd use for servers, etc.. The other is a random privacy address. You'll get a new one every day for a week, until you have 7 of them. The older ones will then disappear.

When I try to ping the DNS servers (i.e. ping6 2001:558:feed::1) from my laptop it just times out. If I run the ping from pfsense I get replies. I also can't ping the WAN's 2001: address or the WLAN's 2601: address, so it seems the problem is that my laptop can't talk to the router over IPv6. Strangely, if I do "ping6 ipv6.google.com", it resolves:
PING6(56=40+8+8 bytes) 2601:AAAA:BBBB:CCCC:YYYY:YYYY:YYYY:YYYY –> 2607:f8b0:4006:802::1002
(yes, it seems to be using the "temporary" address – is that normal?) but still times out.

The temporary privacy addresses are normally used for outgoing connections. Given that you can resolve addresses, but not ping the DNS servers suggest pings are blocked at the server. As long as you're getting addresses back, you're OK. However, you can try going to testipv6.com to see what you get.

Here are screenshots of my configuration. I entirely disabled and re-enabled the WAN interface after making changes, as well as releasing/renewing in Status>Interfaces, but can't get my laptop to connect. I also made sure "Allow IPv6" was enabled under "System>Advanced>Networking". What am I missing, Is It IP like 192.168.0.1?

(P.S.: I'm running 2.1.2-RELEASE (amd64) / nanobsd (1g) if it makes a difference)

Perhaps someone else on Comcast can help here. I'm on a different ISP, so there may be some difference. However, what are you actually seeing with ifconfig? Can you include that? Otherwise we're just guessing, as my crystal ball is on the fritz (again).

riften

@andrew_241
Yes this has helped me get a vlan setup with its own ipv6 /64. The issue with ATT is that darn Pace 5268ac. Yes you get a /60 from ATT, and the first /64 gets used by the Pace . Then you stick your WAN in the DMZ and it shares the Pace's IPs. I set the LAN to dhcp6 and it gets 2600.xxxx.xxxx.xxx8.... It skips everything between 0-8, you don't get those 7 subnets. Now you think you are home free and will just set static your VLAN at a /64 between 9-f but they don't route. DHCP6, Static, whatever. Doesn't work. No route. Only the LAN routes. So I tried the setup at this link and it works. I set my VLAN static ipv6 and gave it the /64 'F' subnet and it routes. IPV6 test websites work, I can ping from that subnet ipv6 sites. FYI if you are dealing with that crap ATT Pace 5268ac.

JKnott

@riften

I'm on Rogers, with a Hitron modem. I get all 256 /64s to myself.

andrew_241

@riften Yep, I get the same behavior from the Arris BGW210-700.