IPv6 only on LAN



  • Hi, I want to start experimenting with IPv6 so I think it could be a good idea to "just deploy IPv6 only on my LAN" for now….

    My setup is as follows....

    
    WAN1 ---
            |     __________________                ____________    |          ________
             ----|                  |              |  TP-Link   |----         |        |-----
                 | pfSense 2.3.3-RC |-----LAN------|  WDR-3600  |-----LAN-----| switch |-----
             ----|__________________|              |____________|----         |________|-----
            |                                                       |
    WAN2 ---
    
    

    As you can see I have two wan interfaces (aDSL and cable), and a TP-Link WDR3600 router acting as an AP (with DHCP turned off) with stock firmware that have some wired clients, also a switch (so I can add more wired clients) and obviously many wifi clients too.

    My DHCP server is the pfSense box and I know I have to configure IPv6 on pfSense and on the WDR3600 also.

    I have configured IPv6 on the LAN interface of pfSense with an static IP set to fd83:6d20:2ec5:732c::
    I have also enabled DHCPv6 server, assigned available range from: fd83:6d20:2ec5:732c:: to: fd83:6d20:2ec5:732c:ffff:ffff:ffff:ffff (I know, I know, I do not need such a BIIIIIG range!!).

    Then I need to configure my WDR-3600 but I do not know how to make it work with my DHCPv6 server being the pfSense box; as the WDR-3600 seems so force me to choose from either SLAAC or DHCPv6 Server, also I do not know how to manually assign a static IPv6 address to my router.

    I know this is probably more a router issue than a pfSense one, but I think that someone here may have done something similar and perhaps can help me, as I'm kind of lost here and I would like to know if there is any tutorial that explains this kind of setup or if someone can help me with my setup.

    Also, dou you think my approach is correct or it should be better to configure also my wan interfaces through a 6to4 channel?

    Thanks,
    Pablo



  • Do both upstream providers deliver IPv6 natively? Do you get static or dynamic prefixes?
    Why do you plan to use another Router between pfSense and your clients?

    What you look for is IPv6 Prefix Delegation. This is a mechanism that automatically handys through a full prefix you can utilize at your downstream router.
    I've never tried such setup with two upstream providers though. This will make things more complex of course.

    Generally speaking I suggest to avoid IPv6 tunnel provider. Native v6 connection from provider is the way to go. If they don't support it, urge them to do so.



  • @pmisch:

    Do both upstream providers deliver IPv6 natively? Do you get static or dynamic prefixes?

    I was not planning to use IPv6 with my both ISPs, just inside my own network…

    @pmisch:

    Why do you plan to use another Router between pfSense and your clients?

    Mainly because it's a wifi router (as an AP) because my pfSense box does not have any wi-fi network card.

    @pmisch:

    What you look for is IPv6 Prefix Delegation. This is a mechanism that automatically handys through a full prefix you can utilize at your downstream router.
    I've never tried such setup with two upstream providers though. This will make things more complex of course.

    Generally speaking I suggest to avoid IPv6 tunnel provider. Native v6 connection from provider is the way to go. If they don't support it, urge them to do so.

    Yeah, but as I said earlier, can't I just use IPv6 in my LAN and leave my WAN links on IPv4?. I was only planning to experiment with IPv6, that's why I just want it on my LAN.



  • Do you have the access point running as a bridge or is it acting as a router? I strongly suggest to use it as a bridge instead of a router.


  • LAYER 8 Global Moderator

    What would be the point of ipv6 if just internal.. At a loss to the point of that sort of setup..

    "Generally speaking I suggest to avoid IPv6 tunnel provider. Native v6 connection from provider is the way to go."

    I would suggest the complete opposite of this - Tunnel is the much more stable way to go, there are few if any ISP that really have their shit together for native ipv6.  But tunnel is very easy to setup and stable as stable can be..

    If you want to play with IPv6 and your isp does not provide it or not yet really workable/stable then get a tunnel.. If its not global ipv6 connected to the rest of the world I really don't see a point of setting it up internally.



  • @johnpoz:

    I would suggest the complete opposite of this - Tunnel is the much more stable way to go, there are few if any ISP that really have their shit together for native ipv6.  But tunnel is very easy to setup and stable as stable can be..

    I suspect you refer to the US. For Germany I would not concur. There are even ISP who actually do IPv6 better than lPv4 (CGN). I myself utilize a provider that hands me a static /48 prefix which is excellent. Our direct neighbor Belgium for example also does it quite well.

    What is so shitty about YOUR native IPv6 connectivity? ;-)
    Schaumburg is a funny city name btw  :o



  • @johnpoz:

    What would be the point of ipv6 if just internal.. At a loss to the point of that sort of setup..

    "Generally speaking I suggest to avoid IPv6 tunnel provider. Native v6 connection from provider is the way to go."

    I would suggest the complete opposite of this - Tunnel is the much more stable way to go, there are few if any ISP that really have their shit together for native ipv6.  But tunnel is very easy to setup and stable as stable can be..

    If you want to play with IPv6 and your isp does not provide it or not yet really workable/stable then get a tunnel.. If its not global ipv6 connected to the rest of the world I really don't see a point of setting it up internally.

    ok, so you advise me to better implement IPv6 on the wan, right?

    I was planning to deploy it first on my LAN just because I want to learn and though it would be better to start on my LAN, but from your comments it's probably better to start it on the wan interfaces.

    Ok, I have two wan interfaces and I'm sure that will make things a little more difficult, any advise on IPv6 on multiwan?



  • @pmisch:

    Do you have the access point running as a bridge or is it acting as a router? I strongly suggest to use it as a bridge instead of a router.

    Yes, but I cannot see how to switch the wdr3600 to "bridge" mode, I can only just set it up as an AP and don't use the WAN. I think this is not the same, do you think that can bring me some problems?



  • With consumer routers, you just use the LAN side and don't connect through the WAN port.



  • More specifically you follow this wiki entry to turn your wireless router into a bridged access point:

    https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense

    This method works with just about every wireless router because they bridge the WLAN with the LAN ports on the device and you use one of the LAN ports as the "WAN" connection instead of the port that is normally used as the WAN on the router.



  • @pablot:

    @pmisch:

    Do you have the access point running as a bridge or is it acting as a router? I strongly suggest to use it as a bridge instead of a router.

    Yes, but I cannot see how to switch the wdr3600 to "bridge" mode, I can only just set it up as an AP and don't use the WAN. I think this is not the same, do you think that can bring me some problems?

    When I understand you correctly you have your access point already in bridged mode, which is fine. You can check if the router's LAN IP is in the same subnet as your clients are and your client's default gateway is the pfSense box and not the AP's IP.

    Check which provider offers the better v6 support.
    Start IPv6 only with that one provider. I suggest not to try IPv6 on both WAN interfaces at the same time.

    Just go ahead and enable IPv6 for one WAN interface of your pfsense router and then also enable Router Advertisement for your LAN. That should generally be it.
    Some IPv6 configuration parameters look a bit overwhelming at first but don't stop to try. Also: read a lot about IPv6.


  • LAYER 8 Global Moderator

    "I myself utilize a provider that hands me a static /48 prefix which is excellent."

    Yeah that would be fantastic if you could get ISPs in the US to do that.. But this is not the case.. Here in the use your lucky to get a /60 and it quite often changes when the wind blows… So its like impossible to keep the same network address space..  I really don't get why they won't just give you a /60, /56 or /48 if you want and always hand you the same one.

    Does your isp allow you to set the PTR records for this address space - HE does when you get a tunnel from them.

    But just because your isp provides you good ipv6, why would you tell him to avoid tunnel if his isp doesn't provide him any ipv6 at all or its crappy.  There are some that will only give you 1 /64, etc.

    As to using any wifi router as just AP.. Yeah any wifi router can do that - just use lan, turn off its dhcp server - give its lan an IP on your network = AP..



  • @pmisch:

    @pablot:

    @pmisch:

    Do you have the access point running as a bridge or is it acting as a router? I strongly suggest to use it as a bridge instead of a router.

    Yes, but I cannot see how to switch the wdr3600 to "bridge" mode, I can only just set it up as an AP and don't use the WAN. I think this is not the same, do you think that can bring me some problems?

    When I understand you correctly you have your access point already in bridged mode, which is fine. You can check if the router's LAN IP is in the same subnet as your clients are and your client's default gateway is the pfSense box and not the AP's IP.

    Yes, I though it was right and verified that I have everything as the docs says about using a router with pfSense, so I'm right with that.

    But I have one question, do I have to "setup something" for IPv6 on my router or everything must be done on the pfSense box it's "transparent" for the router?

    @pmisch:

    Check which provider offers the better v6 support.
    Start IPv6 only with that one provider. I suggest not to try IPv6 on both WAN interfaces at the same time.

    Just go ahead and enable IPv6 for one WAN interface of your pfsense router and then also enable Router Advertisement for your LAN. That should generally be it.
    Some IPv6 configuration parameters look a bit overwhelming at first but don't stop to try. Also: read a lot about IPv6.

    ok, will try that and will let you know. None of my both ISPs provide native IPv6 support, so besides asking them, I will try a HE tunnel.

    Thanks everybody!



  • More specifically you follow this wiki entry to turn your wireless router into a bridged access point:

    Actually, the DHCP server doesn't have to be turned off.  There's nothing wrong with having multiple DHCP servers on a network and is often done on larger networks.  You just have to ensure that duplicate addresses are not issued, but that can be done by simply having the servers hand out different portions of the address block.  Also, these days, gratuitous ARP requests are often used to ensure duplicates don't occur.



  • @johnpoz:

    Does your isp allow you to set the PTR records for this address space - HE does when you get a tunnel from them.

    That's the only thing I'm not happy about. My provider has generated PTR for the whole prefix but I cannot request to set a specific PTR. For most purposes those generic PTR records suffice. You are right. The HE features are great. I used to run such a tunnel for over a year until I got my native connection.

    @johnpoz:

    But just because your isp provides you good ipv6, why would you tell him to avoid tunnel if his isp doesn't provide him any ipv6 at all or its crappy.  There are some that will only give you 1 /64, etc.

    All I was saying is that native IPv6 is generally a better idea than a tunnel. I don't presume that native IPv6 ALWAYS is better. This seems to be one of those exceptions.
    It's really sad that your provider just fuxxxs IPv6 up :-( I would write a letter to customer satisfaction.
    Anyhow I think even a dynamic IPv6 prefix is something you can work with. If I had to deal with a dynamic prefix I would update the changing IPs into valid DNS names. That can be done with pfSense by using DDNS. That way pfSense automatically updates the A record for a host if the IP changes.
    I'm referring to: Services - DHCPv6 Server & RA - DHCPv6 Server - Dynamic DNS



  • @pablot:

    But I have one question, do I have to "setup something" for IPv6 on my router or everything must be done on the pfSense box it's "transparent" for the router?

    Just to be clear. It's no router when you run it as a bridge.
    Yes, it's transparent. You don't have to setup anything on the Access Point. The only thing you might want to do is to configure an IPv6 address for the AP so you can access it through its IPv6 address. There are several different methods like static configuration, stateful or stateless.
    -> https://tools.ietf.org/html/rfc3736
    -> https://tools.ietf.org/html/rfc3315
    -> https://tools.ietf.org/html/rfc4862



  • @pablot:

    But I have one question, do I have to "setup something" for IPv6 on my router or everything must be done on the pfSense box it's "transparent" for the router?

    Just to be clear. It's no router when you run it as a bridge.
    Yes, it's transparent. You don't have to setup anything on the Access Point. The only thing you might want to do is to configure an IPv6 address for the AP so you can access it through its IPv6 address. There are several different methods like static configuration, stateful or stateless.
    -> https://tools.ietf.org/html/rfc3736
    -> https://tools.ietf.org/html/rfc3315
    -> https://tools.ietf.org/html/rfc4862


  • LAYER 8 Global Moderator

    Actually, the DHCP server doesn't have to be turned off.  There's nothing wrong with having multiple DHCP servers on a network and is often done on larger networks.

    Yeah that is bad idea!!  Most soho wifi routers dhcp server is very limited, many of them will not even allow you point to a different gateway other than its own IP.  I would suggest TURN it off - you have zero use for it since pfsense would be your dhcp server.



  • ok, it's working!. I have sucessfully connected a HE tunnel and it's working, as I can ping from the pfSense box to ipv6 sites and it works (with horrible lantency, but it works).

    But it seems I have not been able to make DHCP work as it should, because the DHCPv6 leases does not appear except for and iPad I have on my network, but when checking on the iPad it only seems to receive the ipv6 dns servers and no ipv6 address, and the test-ipv6.com check does not show any ipv6 address…

    I can post the screenshots of my configuration if anyone can help me.


  • Banned

    First, you need RADVD enabled and working (In Unmanged or Assisted mode). Leave DHCPv6 alone for now, it's badly broken on Windows, not implemented on Android, and used in whacky ways on Bitten Fruit Co. products.



  • @doktornotor:

    First, you need RADVD enabled and working (In Unmanged or Assisted mode). Leave DHCPv6 alone for now, it's badly broken on Windows, not implemented on Android, and used in whacky ways on Bitten Fruit Co. products.

    the services status shows radvd working, but I'm not sure if its well configured… I have tried in Managed and Assited mode and seems to make no difference.



  • @pablot:

    the services status shows radvd working, but I'm not sure if its well configured… I have tried in Managed and Assited mode and seems to make no difference.

    Automagical options for you for RA are: "Unmanaged" (SLAAC method)

    Even with RA="Router Only", you can always manually give a host on a LAN an IPv6subnet/64-number yourself.
    Config your LAN static as you like.
    The /48-part is HE, the next Word-part is your-subnet, then the last 64-bits are up to you, like say ::abe  8)



  • @hda:

    @pablot:

    the services status shows radvd working, but I'm not sure if its well configured… I have tried in Managed and Assited mode and seems to make no difference.

    Automagical options for you for RA are: "Unmanaged" (SLAAC method)

    Even with RA="Router Only", you can always manually give a host on a LAN an IPv6subnet/64-number yourself.
    Config your LAN static as you like.
    The /48-part is HE, the next Word-part is your-subnet, then the last 64-bits are up to you, like say ::abe  8)

    You mean that I'd better swich to "Unmanaged" and set up every device/computer IP manually?.
    I have more that 20 devices/computers, I would like to leave that work to the DHCPv6 server.



  • I have started a new thread because of my DHCP problems on https://forum.pfsense.org/index.php?topic=126054.0 because I think the subject has changed from the original one. Please follow it there.

    Thanks.
    Pablo


  • Banned

    @pablot:

    You mean that I'd better swich to "Unmanaged" and set up every device/computer IP manually?.

    There is no need to set up any addresses manually with RA set to "Unmanaged".



  • @doktornotor:

    @pablot:

    You mean that I'd better swich to "Unmanaged" and set up every device/computer IP manually?.

    There is no need to set up any addresses manually with RA set to "Unmanaged".

    Ah, ok, I see. And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?
    Because I have changed to Assisted (I understand that it somehow "includes" the "Unmannaged" behaviour, right?) and I think al least some devices are getting ipv6 addresses but they are not on the range I configured on DHCPv6 page (but they do are on my LAN) and also I think I'm not getting the defauylt ipv6 gateway on this clients as for example I can ping inside the LAN, but not outside.



  • And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?

    SLAAC has nothing to do with DHCPv6.  It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number.  If DHCPv6 is used, it's generally for providing things like server addresses.  However, it's not needed for DNS servers, as that can be provided by RDNSS.



  • @JKnott:

    And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?

    SLAAC has nothing to do with DHCPv6.  It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number.  If DHCPv6 is used, it's generally for providing things like server addresses.  However, it's not needed for DNS servers, as that can be provided by RDNSS.

    ok, and is there a way to check what IP addresses have been asigned by SLAAC? (like the way I can see the DHCP Leases)



  • @pablot:

    @JKnott:

    And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?

    SLAAC has nothing to do with DHCPv6.  It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number.  If DHCPv6 is used, it's generally for providing things like server addresses.  However, it's not needed for DNS servers, as that can be provided by RDNSS.

    ok, and is there a way to check what IP addresses have been asigned by SLAAC? (like the way I can see the DHCP Leases)

    No such way. The RA daemon that advertises the route and the prefix does absolutely nothing else but those functions, selection of the address from the advertised prefix happens completely on the client (of course assisted with duplicate address detection but even that does not involve the RA daemon).



  • @kpa:

    @pablot:

    @JKnott:

    And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?

    SLAAC has nothing to do with DHCPv6.  It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number.  If DHCPv6 is used, it's generally for providing things like server addresses.  However, it's not needed for DNS servers, as that can be provided by RDNSS.

    ok, and is there a way to check what IP addresses have been asigned by SLAAC? (like the way I can see the DHCP Leases)

    No such way. The RA daemon that advertises the route and the prefix does absolutely nothing else but those functions, selection of the address from the advertised prefix happens completely on the client (of course assisted with duplicate address detection but even that does not involve the RA daemon).

    ok, thanks for your help, I'm learning a lot!!!! :)

    Just one more… I cannot make my clients to ping a host on internet, the names resolve ok to the IPv6 addresses, but somehow I guess I do not have a gateway configured properly or something is "closed" at the pfSense box that blocks traffic.



  • ok, and is there a way to check what IP addresses have been asigned by SLAAC? (like the way I can see the DHCP Leases)

    No.  You can only check on the device.  There is no server, as there is with DHCP.



  • @pablot:

    @kpa:

    @pablot:

    @JKnott:

    And the addresses being leased by SLAAC cant't be viewed on the DHCPv6 lease status, right?

    SLAAC has nothing to do with DHCPv6.  It gets the prefix via RADVD and provides the rest of the address, using either a MAC based or random 64 bit number.  If DHCPv6 is used, it's generally for providing things like server addresses.  However, it's not needed for DNS servers, as that can be provided by RDNSS.

    ok, and is there a way to check what IP addresses have been asigned by SLAAC? (like the way I can see the DHCP Leases)

    No such way. The RA daemon that advertises the route and the prefix does absolutely nothing else but those functions, selection of the address from the advertised prefix happens completely on the client (of course assisted with duplicate address detection but even that does not involve the RA daemon).

    ok, thanks for your help, I'm learning a lot!!!! :)

    Just one more… I cannot make my clients to ping a host on internet, the names resolve ok to the IPv6 addresses, but somehow I guess I do not have a gateway configured properly or something is "closed" at the pfSense box that blocks traffic.

    I had this issue when I first setup a 6rd tunnel. The fix for me was to disable gateway monitoring on the ipv6 gateway. It wasn't responding to pings so pfSense would treat it as being down.


Log in to reply