IPv6 Router behind router

abuttino

@matthewgcampbell The problem is not really pfSense, like I said very early on, it's getting Unifi WAN and LAN to work.

The Unifi WAN gets the IP address and that address won't reach the internet and then the RA from pfSense isn't getting to the LAN.

The lan IPv6 setup on Unifi is asking the WAN to give the RA. This should be coming from pfsense..

The network topology is:

Modem to pfSense to USG (Unifi)

So, my real question is, why do I even need the pfSense DHCPV6 server? Why won't it issue IPv6 to the Unifi WAN?

JKnott

@abuttino said in IPv6 Router behind router:

So, my real question is, why do I even need the pfSense DHCPV6 server?

You don't. SLAAC is normally used. Some packet captures may be useful in this area. However, as I have said, pfsense will not provide the prefix to the USG, unless you configure that some how. You can configure routing, as I have described or you can configure pfsense to provided DHCPv6-PD, which is something I haven't tried.

abuttino

@matthewgcampbell Your thoughts about getting the Unifi WAN and LAN an IP? You say you've done it, I've been hoping to see how :)

JKnott

@abuttino

In place of your USG, I used a Cisco router. I manually configured the routing so that the IPv6 prefix was routed to the Cisco. You have to do the same thing with the USG and I have been trying to show you how to do that. As I said, the easiest way is to do it on IPv4 and then replicate on IPv6.

abuttino

@jknott

Network??
What is the network if the USG Wan isn't giving me an IP address?

Gateway??
What would be the gateway for this if it hasn't given me any IP addresses?

I am trying to use RA mode only and it's not giving any IP addresses at all. That means I have nothing to fill out in a static route.

abuttino

Wellll!!!

I rebooted pfSense and it started to give the USG WAN IP and subnet /64 plus internet access.

Pretty sure my that /56 address hasn't changed since the last time I fooled with this and that could mean my ticket to get off of tunnelbroker.

I guess the next step is to get the USG LAN set up with the static routes for pfSense and play around a little more.

Rebooting for every little thing when it comes to pfSense gets a little annoying,.

JKnott

@abuttino

As I have said several times now, get it working with IPv4, as you said you know how to do that. Then do the same with IPv6, using IPv4 as your guide. Once again, you will have to manually configure routing IPv6 to the USG, unless you're prepared to enable DHCPv6-PD on the LAN side of pfsense or use something like OSPF. There is no other way to get IPv6 to that USG. Get your networks set up. Have you even selected the IPv6 prefix and IPv4 subnet to use on the USG? If so, manually configure both. Then go back to pfsense and configure IPv4 routing to the USG. Once you've done that, you can do the same on IPv6, using the IPv6 addresses, instead of IPv4. This is why I mentioned using the same prefix as as 3rd octet on IPv4. It makes it easy to keep track of what you're doing. Perhaps you should start with a sketch to show where you want what. Mark on that sketch what subnet & prefix you want on the LAN side of that USG. Then determine what addresses you have to route through to get there. I can't do that for you, as I don't know what your requirements are.

abuttino

@jknott
As mentioned, I have IPv4 connected and properly routed for the USG WAN and LAN.

pfSense uses the LAN v4 /16 address of 172.16.1.1 and the USG uses 172.16.1.2

USG LAN is a /24 at 10.2.0.1 and it is the DHCP server for the network.

As far as IPv6, pfSense has the RA server set up and is giving the USG WAN a /64 address.

This is as far as I've gotten and want to plan the network out for the rest of the USG LAN side first, such as what VLANs I'm going to give IPv6 to and not.

A major concern of mine at this point is that these addresses do not change. Such as addresses for the web services. I have a static IPv4 but Cox doesn't offer static IPv6.

JKnott

@abuttino

So, configure IPv6 on the LAN side of the USG, just as you did with IPv4. Then configure routing for IPv6, just as you did for IPv4. Pfsense providing an IPv6 address for the WAN side of the USG will not provide addresses on the LAN side of it. You have to configure that using one of the methods I described above. You apparently routed for IPv4. You should be able to route a /64 to the USG using the same method.

abuttino

@jknott will do. I'll check back to this thread for reference and questions should I have any.

The difference was all in the reboot of pfsense, it was not giving me IPv6 addresses until I did the reboot, and changing any ipv6 settings also requires more reboots.. Lots and lots of reboots..... Senseless to me. Other routers don't have the issue where it needs a reboot after changing a simple setting, just restarting the service/daemon should help (Apply settings).

JKnott

@abuttino

That's not been my experience. The only thing I recall that required a reboot was a system update.

abuttino

@jknott
Not to get on a tangent here but just last night I was fixing another pfSense for UPnP and it also required reboots for all things NAT. Resetting firewall states was not enough.

Unless I'm doing work with HAProxy, I pretty much know it's going to have to be rebooted.

abuttino

@JKnott

Well, it looks like I am plugging right along but I may have hit a road block..

First, the static routing needed to be done the USG to get to the internet.

::/0 next hop "pfsenseLANcard" ---- on USG, after that, internet.

I have all the static routes for the subnets for my VLANs in USG but it wasn't getting to the internet until I put that route in. 80% certain that this was wrong.

As mentioned earlier, I got a /64 from the pfSense LAN RA. Now, I would like to make sure these computers will be able to be routable from/to the internet. What is required for that?

I was looking at this tool:
http://www.gestioip.net/cgi-bin/subnet_calculator.cgi

Current Static routes in pfsense:
2001:xxxx:xxxx:1300::/64 Gateway "USGsWAN64"
2001:xxxx:xxxx:1301::/64 Gateway "USGsWAN64"
2001:xxxx:xxxx:1302::/64 Gateway "USGsWAN64"
2001:xxxx:xxxx:1303::/64 Gateway "USGsWAN64"

pfSense CANNOT ping (from LAN) USGsWAN64

Is this looping?

2001:xxxx:xxxx:1300::/64 Gateway "USGsWAN64" BECAUSE:

2001:xxxx:xxxx:1300:yyyy:zzzz:aaaa:bbbb is the USG WAN's address

What should I really be doing instead of what I am doing?

JKnott

@abuttino

As I said, I haven't worked with the USG, so I can't provide specific help with it. However, what it appear's you're doing is just setting up the default route. With IPv6, that should be provided with the RA, likely a link local address. Do you not see that? BTW, for something like this, packet captures REALLY come in handy.

What does the USG show for the default route?

abuttino

@jknott

The WAN_DHCP6 coming from the modem is a link-local, I was editing my post when it got denied and saw you posted here..

I would guess, since I can't capture packets from 3000 miles away, I should try the LUA address to allow the internet to find the servers?

Such as:
::/0 next-hop fe80::b290:xxx:yyyy:7819

Is I did exactly as you said with the pfSense static, but didn't know about the 1300 address subnet. Wouldn't that cause a loop as stated in the last post?

The USG's default route is the pfSense_v6_LAN

abuttino

@matthewgcampbell Can you help finish this issue?

pfSense cannot ping the USG WAN's IP but can ping computers/devices inside the with ONLY the LAN.

The computers are accessible on the internet, but I had to use this:

SSH to USG:
"set interfaces ethernet eth2 ipv6 address autoconf"
"set protocols static route6 ::/0 next-hop pf:sense:wan:dhcp:link:local:addr"

After I commit that the routes are fine to the net but again, the USG just won't ping from pfSense, neither will any VLAN gateway I set up in Unifi.

The routes are all good, so, I am lost as to why I can ping the IPv4 side fine and replicate the IPv4 ICMP rule for IPv6 and get "no reply". As far as I remember, ICMP is pretty important to IPv6.

abuttino

@abuttino

Nevermind on the Ping..

Had to do a WAN Local rule on the Firewall in USG..

Finally have this all set up after almost a year!

JKnott

@abuttino said in IPv6 Router behind router:

@jknott

The WAN_DHCP6 coming from the modem is a link-local, I was editing my post when it got denied and saw you posted here..

I would guess, since I can't capture packets from 3000 miles away, I should try the LUA address to allow the internet to find the servers?

Such as:
::/0 next-hop fe80::b290:xxx:yyyy:7819

Is I did exactly as you said with the pfSense static, but didn't know about the 1300 address subnet. Wouldn't that cause a loop as stated in the last post?

The USG's default route is the pfSense_v6_LAN

The link local address should work. Also, who says you can't do a packet capture from 3000 miles away. If you can access the pfsense configuration, you can run Packet Capture and download the capture.

You shouldn't have looping if you don't have loops. Are you configuring an address that's on the USG for the gateway?

abuttino

After returning home, I tried to get it all set up, but now all clients are not connecting to IPv6 properly.

@JKnott

I can ping Google on IPv6 on all clients but all computers say they aren't getting internet on the IPv6 side and ipv6-test.com says there is no internet.

What am I missing? I don't get why it sees the IPv6 connection by ping but won't connect to sites or pass any tests. Seems like a routing issue to me, any insights?

JKnott

@abuttino

Is pfsense still behind another router? If so, you won't be able to get IPv6 to work properly. It has to see DHCPv6-PD to provide the prefix to the LAN.