Netgate Discussion Forum
    IPv6 from ISP works, but WAN address is link local, not global

    cra

      Thanks for your reply, JKnott.

      First off, routers don't need a routeable WAN address.

      Agreed, clearly, IPv6 is working.

      What does your ISP say?

      They say "what's wrong with the box we gave you?", but when pressed, they say that their box gives itself a WAN address in the PD with the sla-id of ff. Presumably that is so they can "service" the box.

      A routeable address on the WAN port would only be used for things like configuration, testing, etc..

      ... serving a VPN? ☺

      If pfSense were just a router, I would just have to be content, I suppose.

      I already have a roadwarrior OpenVPN on the WAN interface with IPv4, I would also like it to listen and serve on IPv6.

      JKnott

        @cra said in IPv6 from ISP works, but WAN address is link local, not global:

        WAN address in the PD with the sla-id of ff

        Do you mean an address with the prefix ID of ff? That should still leave you with 255 prefixes available. So, if I'm reading your post correctly, the modem has the prefix ID of ff, leaving 0 - fe for your use, but nothing assigned to your WAN port. As for a VPN, there's no reason it has to terminate on the WAN port, if you have public addresses available on your LAN. Also, I run OpenVPN over IPv4, but it carries both IPv4 and IPv6. It uses my public IPv4 address.

        Where you would need a routeable IPv6 address on your WAN port is for things like ping and traceroute to the WAN interface. Without it, you can still ping or traceroute to LAN addresses.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        Grimson (Banned)

          You could try adding an IPv6 VIP as your VPN interface.

          cra @JKnott

            Do you mean an address with the prefix ID of ff?

            Yeah, that is what I meant, my bad.

            I also apologise for not being more clear that I'm not using my ISP's device; the pfSense is plugged directly into the demarcation, as I do not want to use their device. I was describing how the ISP's device ends up with an IP on its WAN interface given the ISP's spartan DHCP service. It issues itself an address on the WAN interface from the PD received from the DHCP, something I have yet to figure out how to do on the pfSense.

            As for a VPN, there's no reason it has to terminate on the WAN port, if you have public addresses available on your LAN. Also, I run OpenVPN over IPv4, but it carries both IPv4 and IPv6. It uses my public IPv4 address.

            I get what you are saying, and it makes sense. I would really like to run a single OpenVPN configuration listening on both IPv4 and IPv6 without having to a) duplicate configs and OpenVPN server instances and b) do some kind of port forward trick so they can both land on the same adaptor. I understand that serving OpenVPN just from IPv4 works for you, but I'd like the diversity of serving mine from IPv4 and IPv6.

            I would also like my LAN firewall rules to pertain strictly to LAN traffic, and WAN firewall rules to pertain strictly to WAN traffic. If I served OpenVPN from the LAN interface, and for argument's sake wanted to filter incoming connections to the VPN service to those originating only from a certain block of IPs, I would have rules describing WAN traffic in my LAN rules. Not a big deal, I know, but when I come back to it 2 years from now, or have someone else look at it, it would be confusing for them or future me.

            I think Grimson's suggestion is close to what I am looking for.

            You could try adding an IPv6 VIP as your VPN interface.

            This works until my ISP's DHCP decides to change my PD. If I could find a way to do this dynamically based on my PD, I think I'm golden. Any ideas?

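The "address derived from the PD" idea the thread circles around, as an added example that is not from any poster: it models what the ISP's box does (take the sub-prefix with ID ff out of the delegated prefix and use ::1 in it on WAN) and checks whether a VIP configured that way has gone stale after a PD change. All prefixes are constructed 2001:db8:: documentation values, and `derive_vip`/`vip_is_stale` are hypothetical helper names.

```python
import ipaddress

SUBNET_LEN = 64  # every site subnet (SLA) is a /64


def prefix_id_capacity(pd: ipaddress.IPv6Network) -> int:
    """How many /64 prefix IDs a delegation provides (a /56 gives 256: 0..ff)."""
    if pd.prefixlen > SUBNET_LEN:
        raise ValueError(f"{pd} is longer than a /{SUBNET_LEN}; nothing to subnet")
    return 2 ** (SUBNET_LEN - pd.prefixlen)


def derive_subnet(pd: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 for a prefix ID (pfSense's 'IPv6 Prefix ID', the SLA ID)."""
    net = ipaddress.IPv6Network(pd, strict=True)
    capacity = prefix_id_capacity(net)
    if not 0 <= prefix_id < capacity:
        raise ValueError(
            f"prefix ID {prefix_id:x} out of range 0-{capacity - 1:x} for {net}")
    # The prefix ID occupies the bits between the PD length and bit 64.
    sub = int(net.network_address) | (prefix_id << (128 - SUBNET_LEN))
    return ipaddress.IPv6Network((sub, SUBNET_LEN))


def derive_vip(pd: str, prefix_id: int = 0xFF, host: int = 1) -> ipaddress.IPv6Interface:
    """Address to put on the WAN VIP: <pd with prefix_id>::<host>/64."""
    if not 1 <= host < 2 ** 64:
        raise ValueError("host part must be a non-zero 64-bit value")
    subnet = derive_subnet(pd, prefix_id)
    return ipaddress.IPv6Interface((int(subnet.network_address) + host, SUBNET_LEN))


def vip_is_stale(current_vip: str, pd: str, prefix_id: int = 0xFF) -> bool:
    """True when the configured VIP no longer falls inside the /64 derived
    from the PD currently held on WAN (the ISP-changed-my-PD failure mode)."""
    addr = ipaddress.IPv6Address(current_vip.split("/")[0])
    return addr not in derive_subnet(pd, prefix_id)


if __name__ == "__main__":
    pd = "2001:db8:1234:ab00::/56"  # constructed sample delegation
    print(derive_vip(pd))            # 2001:db8:1234:abff::1/64
    print(vip_is_stale("2001:db8:1234:abff::1", "2001:db8:1234:ac00::/56"))  # True
```

A cron job comparing `vip_is_stale` against the PD currently shown on the WAN interface is the kind of check that would catch the renumbering before the VPN silently stops listening.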
            Derelict (LAYER 8 Netgate)

              They shouldn't change your PD. If they do they are doing it wrong. They should honor the DUID and issue you the same PD every time. At least as long as your router doesn't vanish from the network for an extended period of time or otherwise explicitly release the PD.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              JKnott @Derelict

                @derelict said in IPv6 from ISP works, but WAN address is link local, not global:

                They should honor the DUID and issue you the same PD every time.

                Make sure "Do not allow PD/Address release" is selected on the WAN interface.

                cra

                  Thanks everyone. I'm combining the last two posts from Derelict and JKnott and crossing my fingers to see if my ISP will do it right in the long term!

                  jeroenh

                    I am facing the exact same issue as the topic starter. Are there any ways added to recent versions to achieve this without creating additional interfaces?

                    JKnott @jeroenh

                      @jeroenh said in IPv6 from ISP works, but WAN address is link local, not global:

                      Are there any ways added to recent versions to achieve this without creating additional interfaces?

                      ????

                      What do you mean by that?

                      jeroenh @JKnott

                        @JKnott I misunderstood that I needed an extra interface to tie the VIP to. But I see I can just create one and tie it to the WAN interface. I just confirmed this works as expected.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.