Pfsense IPv6 behind AT&T Uverse 5268AC

  • In case others find this thread and want to know the general configuration behind the 5268AC (I spent a couple hours figuring it out)…

    This is not in a cascaded router configuration, but a DMZ+ configuration so the public IP is shared with the PFSense router
    Make sure IPv6 is enabled on the should be able to view the status of the broadband connection and see that the router is connected to IPv6 via 6rd with a gateway and a prefix delegation.  If you don't have this, don't bother with the rest of this configuration.

    On PFSense (latest stable version in the 2.3 train)
    WAN Interface:
    Request only an IPv6 prefix (checked)
    DHCPv6 Prefix Delegation size: 64
    Send IPv6 prefix hint (checked)
    Block Bogon Networks (unchecked)

    LAN Interface:
    DHCPv6: Tracking
    IPv6 Interface: WAN
    IPv6 Prefix: 0

    I'm not sure if you need to have bogon networks unchecked; it is good practice to block your LAN address space on your WAN interface...

    The KEY Item for me once I had this general configuration was firewall rules (SMH).  Make sure that IPv6 ICMP is permitted to/from the WAN interface AND you have a rule for DHCPv6 (aka UDP 546).  The DHCP rules will look like the can obviously customize it as you like for more specificity:

    IPv6 UDP source: any:546 dest: any:any
    IPv6 UDP source: any:any dest: any:546

    This actually permits the DHCP request and reply (stateful should allow the return traffic anyway...but w/e).  You will also need to allow ICMP rules for v6.

  • Awesome details...worked like a charm!

    Thanks for figuring it out and then being kind enough to share it!!!

  • This worked for me too, but only if I request a /64 on the WAN interface.

    I've been perplexed for some time why pfSense doesn't seem to be able to request the rest of the address space that AT&T allows.

    Generally, the AT&T gateway is assigned a /60. The gateway reserves the lower 8 /64 subnets (0-7) and makes the upper 8 /64s available for use (8-f).

    The way pfSense requests the PD on the WAN interface means the WAN only gets one of those /64s (starting at ::xxx8::) and pfSense will then delegate it to whatever tracked interface is designated with the only available prefix "0" (zero).

    At least with the way the AT&T gateway currently hands out those PDs, it only hands them out one /64 PD at a time, and pfSense can't/doesn't request multiple, indexed, /64 requests across the WAN.

    Other firewalls are able to handle this use case (see this forum post) but not pfSense - at least not that I've been able to find in the pfSense GUI.

    This would all be easier if the AT&T gateway would offer a /62 and be done with it (if they chose to stick with reserving the first 8 of the /60), but that's not currently the case.

  • I also have AT&T (fiber) and I have a VLAN that I would like to get IPv6 addresses on. Right now, the DHCPv6 Prefix Delegation size is 64, but that limits me to one IPv6 Prefix ID when I select 'Track Interface', and so I can only use it for the main LAN. Any workaround for this?

  • @andrew_241
    I have not configured a VLAN but I did manage to configure two LANs on AT&T Fiber using the following:

    1. Turn off IPv6 on LAN1 and LAN2 (assuming two LANs)
    2. Go to WAN settings and set PD as /60, save settings
    3. Go to LAN1 and select IPv6 (track WAN interface) and select PD as 1 (default is 0)
    4. Go to LAN2 and select IPv6 (track WAN interface) and select PD as 2 (default is 0)
    5. Go to WAN settings and set PD as /64, save settings
    6. Reboot pfSense and all the interfaces (WAN, LAN1 and LAN2) would have IPv6 addresses

    Any details not mentioned above, follow the instructions in the original post from jathemon above.
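An added example (my own, not code from any poster or from pfSense) that works through the prefix arithmetic behind the /60-versus-/64 discussion and the two-LAN procedure above: it carves a delegated /60 into its sixteen /64s, flags indices 0-7 as the ones the gateway is said to keep, and shows why pfSense's "IPv6 Prefix ID" can only be 0 when the WAN requests a /64. The prefix 2001:db8:0:10::/60 is a constructed stand-in and the reserved range is taken from the thread, not verified against AT&T.

```python
import ipaddress

# Constructed example: the prefix the AT&T gateway delegates to the pfSense
# WAN. 2001:db8::/32 is the documentation range, used only as a stand-in.
DELEGATED_PREFIX = "2001:db8:0:10::/60"

# Per the thread (assumption, not verified): inside the /60 the gateway keeps
# /64 indices 0-7 for itself and exposes 8-f to downstream routers.
GATEWAY_RESERVED_IDS = range(0, 8)


def split_delegation(prefix: str, subnet_len: int = 64):
    """Return the list of /64 subnets carved out of the delegated prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if subnet_len < net.prefixlen:
        raise ValueError("subnet cannot be larger than the delegation")
    return list(net.subnets(new_prefix=subnet_len))


def max_prefix_id(delegation_len: int, subnet_len: int = 64) -> int:
    """Highest pfSense 'IPv6 Prefix ID' that fits a delegation of this size."""
    if delegation_len > subnet_len:
        raise ValueError("delegation smaller than a single subnet")
    return (1 << (subnet_len - delegation_len)) - 1


def prefix_for_id(prefix: str, prefix_id: int, subnet_len: int = 64):
    """The /64 a tracked LAN interface gets for a given prefix ID.

    The prefix ID is an index into the delegated block, so with a /64
    delegation only ID 0 exists, which is the limitation the thread hits.
    """
    subnets = split_delegation(prefix, subnet_len)
    if not 0 <= prefix_id < len(subnets):
        raise ValueError(f"prefix ID {prefix_id:x} does not fit in {prefix}")
    return subnets[prefix_id]


def describe_delegation(prefix: str) -> dict:
    """Map each /64 in the delegation to 'reserved' (gateway) or 'available'."""
    return {
        str(sub): "reserved" if idx in GATEWAY_RESERVED_IDS else "available"
        for idx, sub in enumerate(split_delegation(prefix))
    }


if __name__ == "__main__":
    for sub, state in describe_delegation(DELEGATED_PREFIX).items():
        print(f"{sub:24} {state}")
    print("LAN1 (prefix ID 1) ->", prefix_for_id(DELEGATED_PREFIX, 1))
    print("max prefix ID with a /64 delegation:", max_prefix_id(64))
```

With a /64 delegation `max_prefix_id(64)` is 0, which is why the GUI offers only prefix ID 0 until the WAN asks for a /60.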


  • @pankaj13

    I followed jathemon's initial setup, and followed your steps, but unfortunately, I still can't get IPv6 on my VLAN using 'Track Interface'.

    How do other routers handle this situation, anyway? Perhaps this is an issue that needs to be raised with the ISP? (Like, for example, requesting a static block of IPv6 addresses with a smaller delegation size?)

  • @andrew_241
    The problem with AT&T is that it does not allow the modem to operate in true bridge mode, so the IPv6 address assignment cannot be passed on to pfSense. So you are actually getting a block of IPv6 addresses, but it is at the modem level and the modem needs to distribute the addresses to everything inside the LAN. I also learned that the IPv6 addresses assigned by AT&T all start with 2601; these are global unicast addresses but are not routable outside of the AT&T network.

    Originally I was also trying to set up a VLAN but later on realized that by putting an Ethernet card with 2 slots I can have two logical networks - LAN1 and LAN2 which provided the same functionality as VLAN would have given.

  • @andrew_241

    It almost slipped my mind, before I did any of the above steps I downgraded the firmware on 5268AC to v10.53 (installed version was 11.x). There were several complaints on other forums regarding the v11 firmware and several users reported that 10.53 worked better and I gave it a shot and it worked!

  • I've wondered if the AT&T modem assigns PDs based on physical interface. Has anyone tried to create a "WAN2" and use a second physical interface between pfSense & AT&T, and only use IPv6 as the protocol for WAN2 in pfSense? Perhaps (if my hypothesis is correct) WAN2 would get a second, unique, /64 PD to be delegated away to the LAN interface of your choosing.

    Notwithstanding the impact this would have to your pfSense configuration (multi-wan, multi-gateway, routing, ACLs, etc), of course.

  • @ttmcmurry
    I do not recall any options in the 5268AC that allow turning off IPv4 on the WAN side, and more problematic is the part that the Pace 5268AC only allows one interface to be outside of the DMZ, which gets assigned the WAN-side global IPv4 address. All other interfaces are forced to assume an internal IPv4 address behind its DMZ. I think this setup is designed for average users who may not be as knowledgeable, but working with these limitations is quite frustrating.
