Rogers pfSense configuration
-
This info was provided by a Rogers Network Architect:
Rogers IPv6 Settings for pFSense firewall
In WAN Interface menu:
Use IPv4 connectivity as parent interface: yes
Request only a IPv6 prefix: no
DHCPv6 Prefix Delegation Size: 64
Send IPv6 prefix hint: yesIn LAN Interface menu:
IPv6 Configuration Type: track interface
IPv6 Interface: WAN
IPv6 Prefix ID: 0 -
Thanks for the info. Did it work?
Only a /64 PD? That is unfortunate.
-
Yes it does. I have been using that configuration for months. They plan to have /56s shortly. They still don't "officially" support IPv6, but it's been available since about April and was just rolled out to cell phones last week. The same network architect has provided other info on what they plan to do, such as 464XLAT support for smart phones.
-
Jknott, did he happen to give any info on the default gateway (which pfsense uses for monitoring). Mine comes up as an fe80 link local address and thus i set the google ipv6 dns servers for monitoring the link.
-
That is all the info provided. The default gateway is normally provided by DHCPv6 and is typically a link local address. Why do you need something other than the link local address for monitoring?
-
What about RA?
-
What about RA? It's provided by pfSense.
-
What about RA? It's provided by pfSense.
You don't set it up, and Rogers IPv6 works with pfSense? What I was asking is your RA Configuration
-
Probably assisted. That's not really dependent on the WAN provider though.
-
You don't set it up, and Rogers IPv6 works with pfSense? What I was asking is your RA Configuration
I don't recall any special config fo RA. The info Rogers provided was for connecting to their network. How you connect to your LAN is not their concern. Normally, the router (pfSense) is configured to provide a prefix via Router Advertisements, but that's not the only way.
-
You don't set it up, and Rogers IPv6 works with pfSense? What I was asking is your RA Configuration
I don't recall any special config fo RA. The info Rogers provided was for connecting to their network. How you connect to your LAN is not their concern. Normally, the router (pfSense) is configured to provide a prefix via Router Advertisements, but that's not the only way.
Thanks.
-
I have my modem in bridge mode, running firmware 4.5.8.22… and the settings above but my WAN interface is not picking up a IPV6 IP address.
Any suggestions?
-
What modem do you have? Not all are suitable.
-
What modem do you have? Not all are suitable.
I have the Gigabit modem (Hitron CGNM-3552-ROG) - I rebooted pfSense and now I pick up an IPV6 address:
However, within pfSense, the WAN_DHCP6 gateway is down?
WAN_DHCP6 fe80::217:10ff:fe91:55b1 0ms 0ms 100% Offline
Is there any other configuration that is required to get WAN_DHCP6 gateway to work properly?
-
Is it actually down? You can try ipv6.google.com to verify. I find that Gateway Monitoring to an address that didn't respond caused that situation. I just turn off monitoring, as you don't really need it, if you have only one route to the Internet. Turning it off also cuts down on traffic. That monitoring sends out a lot of pings.
-
Is it actually down? You can try ipv6.google.com to verify. I find that Gateway Monitoring to an address that didn't respond caused that situation. I just turn off monitoring, as you don't really need it, if you have only one route to the Internet. Turning it off also cuts down on traffic. That monitoring sends out a lot of pings.
Turns out that you can't ping Roger's gateway - I replaced the monitor IP with Google's IPV6 IP and now it is online.
But another question - how do clients obtain an IPV6 address. Does the DHCP6 Relay and/or DHCP6 Relay & RA need to be enabled?
Thanks.
-
But another question - how do clients obtain an IPV6 address. Does the DHCP6 Relay and/or DHCP6 Relay & RA need to be enabled?
If a prefix has been delegated to your router, you should use the dhcpv6 server, not the relay. When you enable the service, you will set the minimum and maximum range, such as ::1000 and ::2000 or whatever. If you will have a stateful and stateless devices on your network, set the router mode to assisted. (Android phones only support SLAAC.)
-
But another question - how do clients obtain an IPV6 address. Does the DHCP6 Relay and/or DHCP6 Relay & RA need to be enabled?
If a prefix has been delegated to your router, you should use the dhcpv6 server, not the relay. When you enable the service, you will set the minimum and maximum range, such as ::1000 and ::2000 or whatever. If you will have a stateful and stateless devices on your network, set the router mode to assisted. (Android phones only support SLAAC.)
Thanks, I got that working as well.
Last question, I have multiple LAN subnets - one regular one and one WiFi LAN … since Rogers is /64 prefix delegation, is it possible to "split" the IPV6 addresses across two LANs or am I SOL until Rogers changes the prefix delegation?
Thanks.
-
It may be possible to split a prefix, but it will break some things, including SLAAC.
-
I replaced the monitor IP with Google's IPV6 IP and now it is online.
Why not just turn off monitoring?
But another question - how do clients obtain an IPV6 address. Does the DHCP6 Relay and/or DHCP6 Relay & RA need to be enabled?
Normally, the router uses Router Advertisements to provide the local prefix. Then the various devices add another 64 bits to the prefix. Those 64 bits can be derived from the MAC address or be a random number.
-
If a prefix has been delegated to your router, you should use the dhcpv6 server, not the relay.
No need for DHCPv6 on the local LAN. Router Advertisements and SLAAC provide the addresses.
-
If a prefix has been delegated to your router, you should use the dhcpv6 server, not the relay.
No need for DHCPv6 on the local LAN. Router Advertisements and SLAAC provide the addresses.
However, if I run a server on a network, DHCP6 would allow me to set a static address correct - this would make it easier to setup firewall rules?
-
Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.
And I believe there is no way to turn off DHCP6 on an inside interface set to track.
"Assisted" is generally what you want on the RA settings since some devices (android) are SLAAC-only.
-
Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.
And I believe there is no way to turn off DHCP6 on an inside interface set to track.
"Assisted" is generally what you want on the RA settings since some devices (android) are SLAAC-only.
I'm still getting ramped up on IPv6, but it seems that support for DHCP-PD is still weak in pfSense - without the ability for static mappings to track the WAN PD, the entries will become nullified if the ISP updates the modem address assignment.
I guess I got the basics setup - for hosting a server seems like I'll still be on IPv4.
-
In my opinion support for DHCP-PD is weak on the ISP side.
They're the ones changing what should be static IP addresses.
Use tunnelbroker.net. They manage to issue static /48s. And they don't charge $90+/month.
-
I'm still getting ramped up on IPv6, but it seems that support for DHCP-PD is still weak in pfSense - without the ability for static mappings to track the WAN PD, the entries will become nullified if the ISP updates the modem address assignment.
I guess I got the basics setup - for hosting a server seems like I'll still be on IPv4.
Static mappings CAN track the WAN PD. When you create a static DHCPv6 mapping and the interface is set up to track another (i.e. LAN tracking WAN), then the only part of the IPv6 address you're entering is the host portion of the address. I've posted elsewhere that I've set up two hosts on my LAN with ::4001 and ::4002 as the static DHCPv6 addresses. That way if the prefix changes, the DHCPv6 server will adjust and on renewal a valid address will be provided to the host with the new prefix.
The area that still falls short is the firewall, which has no way to create a rule for an address with a dynamic prefix. I suppose you could create an alias with the hostname of your server(s)… but I'd prefer not to have to do that. That's just another piece in a puzzle where if one part fails, you get to figure out what isn't working.
-
However, if I run a server on a network, DHCP6 would allow me to set a static address correct - this would make it easier to setup firewall rules?
With SLAAC, you can have 2 types of address, MAC based and random number "privacy" addresses. For a server, you'd configure the firewall and DNS for the MAC based address, as it's static. You may have to configure the server to have a MAC address. It's usually available in Linux, but with Windows you have to specifically enable it.
-
Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.
With SLAAC and MAC based addresses, there's no setup at all. It just works.
-
Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.
With SLAAC and MAC based addresses, there's no setup at all. It just works.
Except that static DHCP/DHCPv6 also includes hostname resolution in DNS forwarder/resolver, while SLAAC would require a DNS Entry that would need to be changed every time the prefix changes.
-
@virgiliomi:
Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.
With SLAAC and MAC based addresses, there's no setup at all. It just works.
Except that static DHCP/DHCPv6 also includes hostname resolution in DNS forwarder/resolver, while SLAAC would require a DNS Entry that would need to be changed every time the prefix changes.
Agreed about the hostnames. Also, it's not like it's difficult to enable dhcpv6. Since it's being used for dhcpv4, you may as well also use it for dhcpv6.
-
Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.
With SLAAC and MAC based addresses, there's no setup at all. It just works.
I know that. But change a NIC and you have to change all of that. Setting a static IP address on the server is probably easier over the long run. Or a push, like I said. It is pretty common practice to set static IP addresses in IPv4 for servers. Not really any need to change that.
-
If you're using DHCP, changing a NIC will require updating the server too, as the MAC address, which the server maps the address to, will change.
-
Not talking about using DHCP.
-
A bit of an update. When I started this thread, Rogers provided only a /64, but has been providing a /56 for quite some time. It appears they might now be offering a /48, as the DHCPv6 Prefix Delegation size on the WAN page now goes to /48, whereas it used to be /56. I haven't tried it yet, but someone else may be interested in trying a /48.
-
What you can select on the WAN page has nothing to do with what the ISP will or will not do.
You can set it to anything from /48 on down.
If you want to change it you probably need to copy out the DUID file to a safe place like /root so you can put it back if you need to, delete it, then change the prefix hint and save. Otherwise the ISP might ignore the prefix hint and give you your old delegation based on the DUID.
The DUID file is: /var/db/dhcp6c_duid
You might also need to clear it out of System > Advanced, Networking if you have saved it there (or change it there if you know what you are doing).
-
What you can select on the WAN page has nothing to do with what the ISP will or will not do.
You can set it to anything from /48 on down.
I don't recall ever seeing /48 before, though I could be mistaken. I'll give it a try later and see what happens.
-
What you can select on the WAN page has nothing to do with what the ISP will or will not do.
You can set it to anything from /48 on down.
My mistake. It appears you're right. I guess I'll just have to make do with a /56. ;)
-
Can anyone validate these settings still work? Trying to get IPV6 running on an XB6 Gateway in bridge mode running on PFSense 2.4 and no joy on getting the WAN interface to draw an IP. I've tried the settings above and various other combinations with no success.
-
@mjnr said in Rogers pfSense configuration:
Can anyone validate these settings still work? Trying to get IPV6 running on an XB6 Gateway in bridge mode running on PFSense 2.4 and no joy on getting the WAN interface to draw an IP. I've tried the settings above and various other combinations with no success.
Those settings are still good. Try connecting a computer directly to the modem, to see if that works. You should get an IPv6 address.
-
Use IPv4 connectivity as parent interface: yes
This can be set to no now. You no longer have to request over ipv4
