Globally-scoped unicast address for pfsense WAN
-
In TR-124 Issue 4 (https://www.broadband-forum.org/technical/download/TR-124_Issue-4.pdf), there is a requirement regarding a globally-scoped address for a gateway:
WAN.IPv6. 12 If the RG does not have a globally-scoped address on its WAN interface after having been delegated a prefix, it MUST create addresses for itself from the delegated prefix. It MUST have at least one address and MAY have more
There is currently no algorithm defined for address creation. It should be assumed that different service providers will want different rules for how to create the address, how many addresses to create, and in the case of multiple addresses, how the different addresses are used.

In the case of my ISP (Telus), their edge router does not allocate such an address. Their gateway allocates its global WAN address in prefix+ff/64, using RFC 2464.
I'm wondering what the purpose of such an address is, other than to verify reachability of the WAN interface using ICMPv6. Are there any other purposes?
Also, I'm not clear how to allocate such an address. Is there a mechanism within pfsense?
-
As far as I understand TR-124, it doesn't seem mandatory to get a Unique Global Address on the WAN interface. While this also seems unusual to me, the routing itself should work fine as long as your firewall actually owns a UGA; it might be on a non-WAN interface.
Excerpt of https://www.broadband-forum.org/technical/download/TR-124_Issue-4.pdf
If the RG does not have a globally-scoped address on its WAN
interface after having been delegated a prefix, it MUST create
addresses for itself from the delegated prefix. It MUST have at
least one address and MAY have more.
There is currently no algorithm defined for address creation. It
should be assumed that different service providers will want
different rules for how to create the address, how many addresses
to create, and in the case of multiple addresses, how the different
addresses are used.

I also can't detect any distinct disadvantages of not getting a UGA on your WAN interface. On the contrary, the provider might save quite a lot of address space depending on how many customers it serves. ;D
Does pfsense not handle that correctly?
-
@pmisch:
As far as I understand TR-124, it doesn't seem mandatory to get a Unique Global Address on the WAN interface. While this also seems unusual to me, the routing itself should work fine as long as your firewall actually owns a UGA; it might be on a non-WAN interface.
Excerpt of https://www.broadband-forum.org/technical/download/TR-124_Issue-4.pdf
If the RG does not have a globally-scoped address on its WAN
interface after having been delegated a prefix, it MUST create
addresses for itself from the delegated prefix. It MUST have at
least one address and MAY have more.
There is currently no algorithm defined for address creation. It
should be assumed that different service providers will want
different rules for how to create the address, how many addresses
to create, and in the case of multiple addresses, how the different
addresses are used.

I also can't detect any distinct disadvantages of not getting a UGA on your WAN interface. On the contrary, the provider might save quite a lot of address space depending on how many customers it serves. ;D
Does pfsense not handle that correctly?
Thanks for the reply. The way I read the above quotation from TR-124, it's not mandatory that the edge router assign a UGA to the WAN interface of the gateway, but if it doesn't, the gateway "MUST" assign itself a UGA out of its delegated prefix. As I said below, my ISP, Telus, chose the latter. I asked an engineer there why they do not assign a UGA. His reply was that they didn't want to increase the complexity of their infrastructure. All they worry about is making best effort to maintain a "pseudo-static" prefix as long as the gateway continues to use the same DUID and doesn't go offline for an extended period of time.
AFAIK, there is no way to configure pfSense to assign itself a WAN UGA, for example, in prefix+ff/64, using RFC 2464, or some other method. The only place I noticed anything about it is the setting to only request a prefix, not an address. As it is, the only UGA it has is on the LAN, which it assigned itself.
I'm still not clear what the purpose of a UGA on the WAN would be. I assume the edge router would use the link local address. Maybe it just doesn't matter.
-
but if it doesn't, the gateway "MUST" assign itself a UGA out of its delegated prefix
Your router actually assigns itself an address out of the delegated prefix, by assigning such address to the LAN interface. TR doesn't force you to also give your WAN interface such address.
What kind of prefix does your provider give you? If it's a prefix size < 64 you should be able to just pick one of the networks you can make out of it and assign it manually to your WAN, just to make sure that it's just not impossible per se.
Please tell me what exactly is not working for you. Then we can try to make more sense out of this.
-
@pmisch:
but if it doesn't, the gateway "MUST" assign itself a UGA out of its delegated prefix
Your router actually assigns itself an address out of the delegated prefix, by assigning such address to the LAN interface. TR doesn't force you to also give your WAN interface such address.
What kind of prefix does your provider give you? If it's a prefix size < 64 you should be able to just pick one of the networks you can make out of it and assign it manually to your WAN, just to make sure that it's just not impossible per se.
Please tell me what exactly is not working for you. Then we can try to make more sense out of this.
Thanks for the reply. Here are the addresses on my gateway (the one provided by my ISP, not pfsense):
WAN MAC Address: 4c:8b:30:19:f9:39
IPv6 Prefix of Delegated: 2001:569:XXXX:8500::/56
IPv6 WAN Address: 2001:569:XXXX:85ff:4e8b:30ff:fe19:f939/64
IPv6 WAN Link Local Address: fe80::4e8b:30ff:fe19:f939
IPv6 LAN Link Local Address: fe80::4e8b:30ff:fe19:f938
IPv6 Unique Local Address: N/A

You can see that the gateway assigned itself a UGA for the WAN interface in prefix+ff/64, using RFC 2464. I have no idea what this address is used for (possibly for remote management). You can also see that for whatever reason, the gateway did not assign itself a UGA for the LAN interface. It's not shown above, but the gateway assigns LAN addresses in prefix+00/64. The ISP suggested that any user-provided gateway should do the same thing, which is based on TR-124 - Issue 4.
I'm wondering about two things.
First, is there any reason why it should be necessary to provide a UGA for the WAN interface of pfsense, as above? Aside from it being useful to ping pfsense, I can't think of any other reason.
Second, is it possible to "emulate" scheme above using pfsense (i.e., prefix+ff/64, using RFC 2464)?
I hope that clarifies my question.
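The "prefix+ff/64, using RFC 2464" scheme in the post above is just the RFC 2464 / RFC 4291 modified EUI-64 interface identifier (flip the universal/local bit of the MAC, insert ff:fe in the middle) appended to the /64 whose subnet ID is 0xff within the delegated /56. The following is an added worked example, not code from the thread or from pfSense: it derives the WAN and LAN addresses and the link-local address the Telus gateway shows, for any delegated prefix of /64 or shorter. The MAC address is the one from the post; the delegated prefix is a constructed stand-in (2001:db8:0:8500::/56, from the documentation range) because the real prefix is masked as XXXX above.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """RFC 2464 / RFC 4291 modified EUI-64 from a 48-bit MAC.

    The 64-bit IID is: first 3 octets, 0xff, 0xfe, last 3 octets,
    with bit 0x02 of the first octet (universal/local) inverted.
    """
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the U/L bit (4c -> 4e for the MAC in the post)
    return int.from_bytes(eui, "big")


def subnet_from_prefix(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Pick one /64 out of a delegated prefix by subnet ID.

    For a /56 the subnet ID is 8 bits: 0x00 gives prefix+00/64 (the
    gateway's LAN), 0xff gives prefix+ff/64 (the gateway's WAN).
    A /64 delegation leaves no room, so only subnet_id 0 is accepted.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    subnet_bits = 64 - net.prefixlen
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError(f"subnet id {subnet_id:#x} does not fit in {subnet_bits} bits")
    base = int(net.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def eui64_address(delegated: str, subnet_id: int, mac: str) -> ipaddress.IPv6Address:
    """Global address = chosen /64 + EUI-64 interface identifier."""
    net = subnet_from_prefix(delegated, subnet_id)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 + EUI-64, as the gateway shows for both WAN and LAN."""
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("fe80::")) | eui64_interface_id(mac))


if __name__ == "__main__":
    # Constructed stand-in for the masked Telus /56 in the post.
    delegated = "2001:db8:0:8500::/56"
    wan_mac = "4c:8b:30:19:f9:39"
    print("WAN  (prefix+ff):", eui64_address(delegated, 0xff, wan_mac))
    print("LAN  (prefix+00):", subnet_from_prefix(delegated, 0x00))
    print("WAN link-local  :", link_local(wan_mac))
```

The interface identifier 4e8b:30ff:fe19:f939 that this produces for 4c:8b:30:19:f9:39 is exactly the one visible in both the WAN and link-local addresses in the post, so the gateway's "prefix+ff/64" is fully reproducible from its MAC and the delegated /56. One caveat for anyone emulating this on their own router: an EUI-64 identifier embeds the MAC in a globally reachable address and stays constant across prefix changes, which is why RFC 7217 and RFC 8064 recommend stable, opaque interface identifiers instead; TR-124 itself leaves the generation method to the operator.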
-
In the case of my ISP (Telus), their edge router does not allocate such an address. Their gateway allocates its global WAN address in prefix+ff/64, using RFC 2464.
Are you using both pfSense and their modem in gateway mode? If so, put the modem in bridge mode and use pfSense for your firewall. pfSense is expecting to be assigned a prefix. But the modem, in gateway mode, is taking that prefix. I'm on Rogers and have a Hitron cable modem. It's configured in bridge mode and I have a computer running pfSense as my firewall/router.
-
In the case of my ISP (Telus), their edge router does not allocate such an address. Their gateway allocates its global WAN address in prefix+ff/64, using RFC 2464.
Are you using both pfSense and their modem in gateway mode? If so, put the modem in bridge mode and use pfSense for your firewall. pfSense is expecting to be assigned a prefix. But the modem, in gateway mode, is taking that prefix. I'm on Rogers and have a Hitron cable modem. It's configured in bridge mode and I have a computer running pfSense as my firewall/router.
No, that's not what's happening. The modem is in bridged mode. (Actually one port is bridged, not the entire modem.) pfSense is getting its own prefix. It's working perfectly, albeit using the "dhcp before RA" patches. (FYI, I'm running two pfSense VMs on the server, each getting its own prefix.)