How to setup IPv6 on PFsense behind ER-X (ISP modem)
-
Hello all,
I am already struggling with this issue for 2 days now and I cannot seem to get it to work...
What I am trying to accomplish is to get IPv6 addresses to my LAN(s) network.
From my ISP I am getting a /48 subnet which divides it to a /64 subnet on my ER-X (For my homenetwork itself).Now I have a small rack with servers and I got a dedicated box which I am using for PFsense.
So on my PFsense box on the WAN interface I got the following configurations applied:
IPv6 Configuration Type: DHCPv6
Use IPv4 connectivity as parent interface: Check marked
DHCPv6 Prefix Delegation size: 64 (This is because the LAN on the ER-X is /64 as well.)
Send IPv6 prefix hint: Check markedUntil this far there are no issues, the WAN interface gets an IPv6 from the ER-X so all is fine. Now it is the LAN side with multiple LAN interfaces (No VLANS).
Here are the LAN configuration(s):
IPv6 Configuration Type: Static
IPv6 Address: IPv6 address/80
Use IPv4 connectivity as parent interface: Check MarkedAfter this I also configured the DHCPv6 & RA server:
Here is a screenshot of the DHCPv6 server:
And here is a screenshot of the RA configurations:
And after applying these configurations I still dont get any IPv6 address assigned to my VM's within the ESXi environment.
Does someone know what the problem is here? I am at lost currently..
-
What's with that /80 subnet mask? LANs are supposed to b /64. Since you have a /48 prefix, you have 65536 to choose from. Also, you have to use a unique prefix ID for each interface.
-
@jknott Well someone told me it is 'best practice' to use /80 because from my ISP I get /48 and my ER-X assigns a /64 from that to my home network. But my PFsense which is behind the ER-X has a /64 on the WAN port as well. So they said it is best practice to use /80 on LAN(s).
This PFsense machine is specifically used for my HomeLAB environment, the ER-X is used for all ISP related connectivities, also the Home LAN network.
-
That is not best practice. Best practice is a /64, as anything else will break things such a SLAAC. I know you have only 65536 /64s to work with, but you still shouldn't need a /80.
-
@jknott I will keep that in mind, thank you for the tip :) As I am not that experienced with IPv6. So looking at my main post what would be the first thing to do for me to get my setup to work?
-
Yep. BTW, I have been using IPv6 on my network for almost 11 years.
One piece of advice I often give is to keep things simple. Get it working first. Since you apparently have multiple LANs, get one going first, then add the others, repeating what you did with the first, but using a unique prefix ID.
Just last week, I built a new pfsense firewall, as the computer I had previously run it on died. My first goal was to get it working with just the WAN & LAN. Then I imported my previous config and made sure my VLAN and test LAN worked. And this morning, I redid my OpenVPN config. When you do things in a step by step manner, instead of Trying to do everything at once, you can see what might be causing the problems.
Also, get in the habit of downloading config backups. It just takes a few seconds, but make it easy to back out of a bad config.
-
@jknott What do you mean by Unique Prefix ID? The /subnet notation or this part:
-
In the "IPv6 Prefix ID" box, you put a unique ID for each interface. Typically, you'd use 0 for the main LAN, but you could choose whatever you want within the range of 0 - ffff. I have a /56 and use 0 for main, 3 for my guest WiFi VLAN, 4 for my test LAN and ff for my OpenVPN tunnel. As I mentioned, the subnet should always be /64 for LANs.
-
@jknott Ahh, but when I do that I get this error and I don't know why, couldnt find anything about it which I could understand...
The specified IPv6 Prefix ID is out of range. (wan) - (0) - (0)
-
Are you getting a /48? And what values are you selecting?
-
@jknott Yeah I am getting a /48 on the ER-X, which delegates a /64 to my HomeLAN, where my PFsense is connected to.
I have selected these values on the WAN interface and DHCP6 configuration:
-
Any reason you're using DHCPv6? Generally, SLAAC is used. Also, Android devices won't work with DHCPv6, as for some unfathomable reason it's not supported.
-
@jknott Yeah when I do that I don't see any IPv6 addresses assigned to my WAN interface. It just has a Link Local address now
-
Actually, that's entirely normal. Link local addresses are often used for routing. If there is a public WAN address, it's likely not used for routing. Did you have one before?
-
@jknott yeah when I configured the WAN interface as DHCP6. But this means that I should see a Ipv6 Address on the LAN interface?
-
No, one has nothing to do with the other. I have DHCPv6-PD on the WAN side and SLAAC on the LAN side. The nice thing about SLAAC is it works without any configuration needed. The router advertises the 64 bit LAN prefix and the client provides the lower 64 bits, based on either the MAC address or a random number.
-
@appollonius333 said in How to setup IPv6 on PFsense behind ER-X (ISP modem):
eah when I do that I don't see any IPv6 addresses assigned to my WAN interface. It just has a Link Local address now
Here's my configuration. You should have 48, instead of 56 for the prefix size.
-
@jknott Would the /48 still apply when the PFsense machine gets a /64 address from the /64 LAN subnet on the ER-X? Also where do you use the DHCP6 Client Configuration on? The LAN interface?
-
This is how my Network looks:
-
Is that ER-X in bridge or gateway mode? You want bridge mode for pfsense to provide multiple /64s. Otherwise, you're only getting a single /64 from your ISP, not a /48.