Netgate Discussion Forum

    Can't get native IPv6 working behind pfSense

      lawrencedudley

      Hey,

      I'm trying to get native IPv6 going behind pfSense.

      Our ISP has assigned us a /56 as follows:

      2a00:xxxx:xxxx:800::/56
      2a00:xxxx:xxxx:800::1 is the gateway

      Initially I tried to add 2a00:xxxx:xxxx:800::4/56 as the WAN interface, which worked, but then adding, for example, 2a00:xxxx:xxxx:801::1/64 on the LAN interface caused a multicast storm that killed the port to the ISP.

      I did some more reading and from my understanding, the WAN subnet and LAN subnet should both be /64s (arguably /126 on WAN).

      So I set up 2a00:xxxx:xxxx:800::4/64 on WAN and 2a00:xxxx:xxxx:801::1/64 on LAN. ::2 and ::3 are reserved for VRRP purposes at the ISP end.

      All the autoconf and RA stuff seems to work - clients get an IP that's in the right subnet etc.; however, they can't ping out.

      I can ping the Internet from the pfSense box, but not from a client on the LAN.

      I can ping the pfSense's LAN and WAN interface addresses from the LAN.

      Does this suggest it's a routing issue at the ISP end?

        awebster

        How is the ISP assigning your IPv6 range: is it static or DHCP?

        If it is DHCP, then you need to set pfSense to DHCP6 on the WAN interface, and set the DHCPv6 prefix delegation size to something longer than 56, e.g. 60, and check Send IPv6 prefix hint.
        Then set the LAN interface IPv6 Configuration type to Track Interface. You can also set IPv6 prefix ID if you want to control where in the delegated block the prefix will be requested.
        This will auto-configure a non-adjustable (hopefully to be fixed in future versions) DHCPv6 server on the LAN interface that will assign prefix::1000 thru prefix::2000, along with the name servers obtained on the WAN side and domain name configured on the box.  Clients could also use SLAAC addressing, but won't show up in the DHCPv6 leases table.
        Additionally, it will configure the radvd daemon to send router advertisements, with prefix::SLAAC_address of the LAN interface.
        That is enough to get most clients working on the LAN side.
        Important: If you've already tried DHCPv6 on the LAN interface, you should flush the leases table to avoid having old data confuse things.
        See this post: https://forum.pfsense.org/index.php?topic=101417.msg565853#msg565853 for more details.

        If static assignment, you'll need the ISP to set a /64 on the WAN gateway, and route the remaining subnets to ::4, or preferably a single /64 on the link between their gateway and your router, then route the whole /56 to your router's IP.
        In the end, IPv6 works the same way as IPv4; you must have the same subnet mask (prefix length) on each node of the link, and you must route traffic that is outside the scope of the current subnet.

        –A.
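
The static-assignment advice above, as an added example that is not part of the original posts: a small checker that flags a LAN prefix overlapping the WAN on-link prefix and lists the routes the ISP has to point at the router's WAN address. The function name `audit_plan` is hypothetical, and the documentation block 2001:db8:aa:800::/56 is a constructed stand-in for the redacted range.

```python
import ipaddress

def audit_plan(delegated, wan, lans):
    """Audit a static IPv6 plan; return (problems, routes_needed).

    delegated: block assigned by the ISP, e.g. a /56
    wan:       router WAN address with prefix length
    lans:      dict of LAN name -> router LAN address with prefix length
    routes_needed: (prefix, next_hop) pairs the ISP must install
    """
    block = ipaddress.ip_network(delegated)
    wan_if = ipaddress.ip_interface(wan)
    problems, routes = [], []
    for name, addr in lans.items():
        lan_net = ipaddress.ip_interface(addr).network
        if not lan_net.subnet_of(block):
            problems.append(f"{name}: {lan_net} is outside {block}")
            continue
        # Overlap means the LAN prefix also counts as on-link on the WAN
        # side: a gateway sharing that prefix length would attempt
        # neighbour discovery for LAN hosts instead of forwarding to us.
        if lan_net.overlaps(wan_if.network):
            problems.append(
                f"{name}: {lan_net} overlaps WAN on-link {wan_if.network}")
        else:
            routes.append((str(lan_net), str(wan_if.ip)))
    return problems, routes

# Constructed sample values (documentation prefix, not the poster's block).
BLOCK = "2001:db8:aa:800::/56"
LANS = {"LAN": "2001:db8:aa:801::1/64"}

def first_attempt():
    # Whole /56 configured on WAN, a /64 from the same block on LAN.
    return audit_plan(BLOCK, "2001:db8:aa:800::4/56", LANS)

def second_attempt():
    # /64 on the WAN link, a different /64 on LAN.
    return audit_plan(BLOCK, "2001:db8:aa:800::4/64", LANS)

if __name__ == "__main__":
    for label, result in (("first", first_attempt()),
                          ("second", second_attempt())):
        problems, routes = result
        print(label, "problems:", problems)
        print(label, "ISP routes needed:", routes)
```

An empty problem list only means the router side is consistent; LAN clients still have no return path until the listed routes exist upstream.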

          lawrencedudley

          Awesome, it's static.

          My thinking then is that they haven't routed the remainder of the /64 anywhere, just sort of lumped it on me.

          I'll drop them a line :)
