No LAN IPv6 address with Track Interface on WAN
-
If you post your ISP and modem model,
Virgin Media, Ireland (https://www.virginmedia.ie/)
Virgin Media Hub 3.0 device information
The information below shows current status of this Virgin Media Hub 3.0.
Standard specification compliant : DOCSIS 3.0
Hardware version : 5.01
Software version : CH7465LG-NCIP-6.12.18.26-3p7-1-NOSH
I am going to contact my ISP and see if I can get a /56 IPv6 prefix.
IPv6 generally uses SLAAC, where the router provides the prefix and the client adds the suffix. T
After further experimentation and reading answers like this one, https://networkengineering.stackexchange.com/questions/30136/ipv6-is-it-possible-to-use-a-64-block-when-you-have-multiple-routers, it still seems like it's not possible to have pfSense further subnet a /64 address on the WAN such that clients on the LAN interface can use IPv6, whether they get an address from DHCPv6 or SLAAC.
What I found confusing on the pfSense GUI is that when entering a static IPv6 address (and in a few other places such as routing advertisements) the prefix can be set all the way down to /128. Almost everything I've read states that /64 is the smallest the interface ID should be set.
I guess the ability to go smaller than /64 is for Unique Local Addresses (fc00::/7) rather than Global Unicast addresses.
-
@azaclauson said in No LAN IPv6 address with Track Interface on WAN:
it still seems like it's not possible to have pfSense further subnet a /64 address on the WAN such that clients on the LAN interface can use IPv6
You should be able to, but you can't use DHCPv6-PD to provide it. You have to manually configure routing to do it.
-
You should be able to, but you can't use DHCPv6-PD to provide it. You have to manually configure routing to do it.
I realise the manual set up would break as soon as my ISP assigned my modem a different IPv6 address but as an exercise I tried to set up the manual routing. I failed to get a usable IPv6 address on my machine. The steps I took were:
-
- The DHCP range allocated to my cable modem from my ISP is 2a02:8084:6981:7880::/64.
- On the pfSense WAN interface that's connected to the modem I set a static IPv6 of 2a02:8084:6981:7880:2e0:67ff:fe09:9b10/80. I'm able to ping a public Internet address.

    : ping6 -S 2a02:8084:6981:7880:2e0:67ff:fe09:9b10 2606:db00:0:62b::2
    PING6(56=40+8+8 bytes) 2a02:8084:6981:7880:2e0:67ff:fe09:9b10 --> 2606:db00:0:62b::2
    16 bytes from 2606:db00:0:62b::2, icmp_seq=0 hlim=116 time=137.717 ms

- On the pfSense LAN interface I set a static IPv6 of 2a02:8084:6981:7880:2e1:67ff:fe09:9b11/80. I set the WAN interface link local address of fe80::2e0:67ff:fe09:9b10 as the LAN gateway address. I'm not able to ping a public Internet address.

    : ping6 -S 2a02:8084:6981:7880:2e1:67ff:fe09:9b11 2606:db00:0:62b::2
    PING6(56=40+8+8 bytes) 2a02:8084:6981:7880:2e1:67ff:fe09:9b11 --> 2606:db00:0:62b::2
    ^C

    : netstat -rWn
    Routing tables

    Internet6:
    Destination                             Gateway                        Flags   Use    Mtu  Netif Expire
    default                                 fe80::362c:c4ff:febf:b8cb%em0  UG      642   1500  em0
    ::1                                     link#5                         UH        0  16384  lo0
    2a02:8084:6981:7880::/64                link#1                         U         6   1500  em0
    2a02:8084:6981:7880:2e0::/80            link#1                         U         0   1500  em0
    2a02:8084:6981:7880:2e0:67ff:fe09:9b10  link#1                         UHS       0  16384  lo0
    2a02:8084:6981:7880:2e1::/80            link#2                         U         0   1500  em1
    2a02:8084:6981:7880:2e1:67ff:fe09:9b11  link#2                         UHS       0  16384  lo0
    fe80::2e0:67ff:fe09:9b10                fe80::2e0:67ff:fe09:9b10%em1   UGHS      0   1500  em1
    fe80::362c:c4ff:febf:b8cb               fe80::362c:c4ff:febf:b8cb%em0  UGHS      0   1500  em0
    fe80::%em0/64                           link#1                         U      4870   1500  em0
    fe80::2e0:67ff:fe09:9b10%em0            link#1                         UHS     244  16384  lo0
    fe80::%em1/64                           link#2                         U      4938   1500  em1
    fe80::2e0:67ff:fe09:9b11%em1            link#2                         UHS     793  16384  lo0
    fe80::%lo0/64                           link#5                         U         0  16384  lo0
    fe80::1%lo0                             link#5                         UHS       0  16384  lo0

My thinking was that because the static IPv6 LAN address I've used is still within the modem's DHCPv6 range it should be routable but it doesn't seem to get past the modem.
-
-
@azaclauson said in No LAN IPv6 address with Track Interface on WAN:
I realise the manual set up would break as soon as my ISP assigned my modem a different IPv6 address but as an exercise I tried to set up the manual routing. I failed to get a usable IPv6 address on my machine. The steps I took were:
Have you got your modem in bridge mode yet? If not, you're wasting your time. It is possible to route /64s out of whatever prefix you get. I have done that here.
Once you're in bridge mode, you can choose 1 /64 for each interface. You can then route any size prefix through one of those interfaces to another router. In this respect, it's little different than IPv4.
-
Have you got your modem in bridge mode yet?
No and I doubt I ever will. The modem is extremely minimal and unless there's some hidden back door there is no option to switch to bridge mode.
If not, you're wasting your time. It is possible to route /64s out of whatever prefix you get.
Yes I understand that. No matter what I do on pfSense the routing table on the modem will always assume it's the last hop and will never be able to reach the pfSense LAN interface.
This also corresponds to my observations of setting a static IP address on the LAN interface and then on my PC connected to it. Both within the same /64 the modem's DHCP range is using.
With this hacked together configuration, ICMP6 packets from my PC do get routed successfully to public hosts on the Internet BUT on the return journey they only get as far as the modem which rejects them.
I tried my luck with my ISP but as soon as I mentioned IPv6 prefixes in the chat that was the last I ever heard of them.
It's been a good exercise and thanks for all your pointers!
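
The failure described in the posts above can be reproduced with a longest-prefix-match lookup on each hop. This is an added example, not part of the thread: the pfSense routes are taken from the netstat output quoted earlier, while the modem's table and the `modem_delivery` helper are assumptions modelling a gateway-mode modem with no static routes.

```python
import ipaddress

WAN_ADDR = "2a02:8084:6981:7880:2e0:67ff:fe09:9b10"  # pfSense em0, from the post
LAN_ADDR = "2a02:8084:6981:7880:2e1:67ff:fe09:9b11"  # pfSense em1, from the post

# Subset of the pfSense routing table shown in the post: (prefix, netif, gateway).
PFSENSE_ROUTES = [
    ("::/0", "em0", "fe80::362c:c4ff:febf:b8cb"),
    ("2a02:8084:6981:7880::/64", "em0", None),
    ("2a02:8084:6981:7880:2e0::/80", "em0", None),
    ("2a02:8084:6981:7880:2e1::/80", "em1", None),
]

# ASSUMED modem table (not shown in the thread): gateway mode, no static
# routes, so the whole /64 is treated as on-link on its LAN port.
MODEM_ROUTES = [
    ("::/0", "cable", "isp-gateway"),
    ("2a02:8084:6981:7880::/64", "lan", None),
]

# Addresses that answer Neighbor Solicitations on the modem's LAN segment.
# Only pfSense's WAN address lives there; em1 and the PC sit behind pfSense.
ON_MODEM_SEGMENT = {ipaddress.ip_address(WAN_ADDR)}


def lookup(routes, dst):
    """Longest-prefix match. Returns (prefix, netif, gateway)."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nif, gw) for p, nif, gw in routes
            if addr in ipaddress.ip_network(p)]
    net, nif, gw = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), nif, gw


def modem_delivery(dst):
    """How the modem handles an inbound reply addressed to dst."""
    _, nif, gw = lookup(MODEM_ROUTES, dst)
    if gw is not None:
        return "forwarded to " + gw
    if ipaddress.ip_address(dst) in ON_MODEM_SEGMENT:
        return "delivered on " + nif
    return "undeliverable: no neighbor answers on " + nif


if __name__ == "__main__":
    print("out:", lookup(PFSENSE_ROUTES, "2606:db00:0:62b::2"))
    for a in (WAN_ADDR, LAN_ADDR):
        print(a, "->", modem_delivery(a))
```

Outbound traffic leaves pfSense via the default route either way; only the reply to the LAN-side address fails, because the modem looks for it on its own segment instead of forwarding it to pfSense.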
-
@azaclauson said in No LAN IPv6 address with Track Interface on WAN:
This also corresponds to my observations of setting a static IP address on the LAN interface and then on my PC connected to it. Both within the same /64 the modem's DHCP range is using.
You can't do that. With IPv6, the LAN is supposed to be a /64 only. If you split it, you will break some things.
Why not call your ISP and see if they can put the modem into bridge mode or provide one that will? That's what I had to do years ago, with an earlier modem. These days I can switch it into bridge mode and restore gateway mode on my own. Are you allowed to buy your own? If all else fails, you can get a /48 over a tunnel from he.net.
-
You can't do that. With IPv6, the LAN is supposed to be a /64 only. If you split it, you will break some things.
That's what I'd read as well but a few posts above you mentioned it was possible to further subnet /64 with manually configured routing.
it still seems like it's not possible to have pfSense further subnet a /64 address on the WAN such that clients on the LAN interface can use IPv6
You should be able to, but you can't use DHCPv6-PD to provide it. You have to manually configure routing to do it.
The pfSense documentation also has an IPv6 Subnet Table which has prefix lengths > 64 bits.
Chasing my ISP will be fruitless. They are essentially a cable TV company who do everything they can to avoid support. I did take a look at the tunnel option and it should work but my goal was to have a seamless IPv6 experience. No extra dyndns etc.
I actually had another idea. The only reason I have separate WAN and LAN networks is for a firewall. If I switch to an Internal/External Bridge I should be able to use my modem's IPv6 DHCP server (which works well) and still keep my firewall.
-
https://www.boards.ie/ttfpost/108440018
Virgin Hub 3 has modem mode, which is the same thing as bridge mode. Modem only.
To have modem mode as an option you must be on an IPv4 address.
If you don't see modem mode listed, your hub is using a Dslite IPv6 address. You won't see modem mode when you are on a Dslite IPv6 address.
You can request Virgin Media to put your Hub on an IPv4 address to have access to modem mode.
Modem Mode: you connect a Cat 5e or Cat 6 ethernet cable from a LAN port on the hub to the WAN port on a different router. All routing and wifi will be controlled by your own router.
-
@Bob-Dig thx. Any idea if getting Virgin to switch the modem back to IPv4 removes IPv6? It's IPv6 connectivity that I'd like to have working.
-
You can have other sizes for routing etc., but LANs require a /64. SLAAC depends on it.
-
@azaclauson
Having the modem in bridge mode allows pfSense to work with what's behind it. To use IPv6, the ISP normally uses DHCPv6-PD, which provides the prefix that pfSense assigns to the LANs. You may also have an IPv6 WAN address, which has absolutely nothing to do with the LAN prefixes, or routing for that matter.
-
To use IPv6, the ISP normally uses DHCPv6-PD
Yes but as best I can tell that's my exact problem. My ISP is not providing Prefix Delegation. Instead a single /64 network is available on the modem.
I have been relatively successful switching pfSense from operating as a router between the WAN and LAN interfaces to instead operating as a transparent bridge. I've now got usable DHCP IPv6 addresses on my Windows and Linux machines and I can set firewall rules. I think there's still something missing with Router Advertisements but I can play around with that further. For the moment I now have a local firewalled IPv6 network.
-
@azaclauson said in No LAN IPv6 address with Track Interface on WAN:
Yes but as best I can tell that's my exact problem. My ISP is not providing Prefix Delegation. Instead a single /64 network is available on the modem.
How can you tell that, when you're not set up to use prefix delegation? You will not see it coming from a modem in gateway mode, ever. You will see it only in bridge mode. All you'll see in gateway mode is router advertisements containing the prefix for the connected LAN.
I posted a full DHCPv6 sequence earlier, which shows the PD part. Do you see anything like that coming from your modem? If not, you don't have it. If you want to have more than 1 /64, you must use bridge mode. There is no way around that.
-
Hi, very new to IPv6 but I am in the exact same scenario. Modem is in gateway mode and cannot be put into bridge.
Modem's IPv6 is /64 and plugged into WAN on pfsense and pfsense gets an IPv6 ip on WAN.
What I am a little confused about is what DHCPv6 Relay is for? Was thinking I could relay the DHCPv6 IPs my modem is handing out to my LAN but apparently not as I'm not seeing that suggested. I'm guessing if the LAN did pick up these relayed addresses that would be a routing problem I'm not quite grasping?
Thanks
-
As on IPv4, the relay simply means your DHCP server is elsewhere, instead of on the local network. It forwards the DHCP requests to that remote server.
-
Thanks @JKnott
So I was thinking that's why this would be viable in this scenario where WAN which sees DHCPv6 server (my non bridged modem) and could theoretically relay and hand out address on my LAN. I guess though there would be routing problems without a lot of static routes, i.e. the gateway modem wouldn't know how to route to the IPv6 LAN clients through pfSense unless it could take static routes (and mine can't) and pfSense would think any traffic it gets on LAN for the locally assigned IPv6 addresses should go out WAN without static routes as well.
-
@Jim-Coogan what ended up being a show stopper for me was my ISP only allocating a /64 range to my modem. For DHCPv6 relay to work with pfSense acting as a router you need to be able to use DHCPv6 with Prefix Delegation. To do that you need a bigger allocation than /64, e.g. /56 or /60 etc.