Pfsense IPv6 behind AT&T Uverse 5268AC
-
This worked for me too, but only if I request a /64 on the WAN interface.
I've been perplexed for some time why pfSense doesn't seem to be able to request the rest of the address space that AT&T allows.
Generally, the AT&T gateway is assigned a /60. The gateway reserves the lower 8 /64 subnets (0-7) and makes the upper 8 /64s available for use (8-f).
The way pfSense requests the PD on the WAN interface means the WAN only gets one of those /64s (starting at ::xxx8::) and pfSense will then delegate it to whatever tracked interface is designated with the only available prefix "0" (zero).
At least with the way the AT&T gateway currently hands out those PDs, it only hands them out one /64 PD at a time, and pfSense can't/doesn't request multiple, indexed, /64 requests across the WAN.
Other firewalls are able to handle this use case (see this forum post) but not pfSense - at least not that I've been able to find in the pfSense GUI.
This would all be easier if the AT&T gateway would offer a /62 and be done with it (if they chose to stick with reserving the first 8 of the /60), but that's not currently the case.
-
I also have AT&T (fiber) and I have a VLAN that I would like to get IPv6 addresses on. Right now, the DHCPv6 Prefix Delegation size is 64, but that limits me to one IPv6 Prefix ID when I select 'Track Interface', and so I can only use it for the main LAN. Any workaround for this?
-
@andrew_241
I have not configured VLAN but I did manage to configure two LANs on AT&T Fiber using the following:
- Turn off IPv6 on LAN1 and LAN2 (assuming two LANs)
- Go to WAN settings and set PD as /60, save settings
- Go to LAN1 and select IPv6 (track WAN interface) and select PD as 1 (default is 0)
- Go to LAN2 and select IPv6 (track WAN interface) and select PD as 2 (default is 0)
- Go to WAN settings and set PD as /64, save settings
- Reboot pfSense and all the interfaces (WAN, LAN1 and LAN2) would have IPv6 address
For any details not mentioned above, follow the instructions in jathemon's original post above.
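As an added illustration (editor's code, not from anyone in this thread) of the arithmetic behind the posts above: the gateway's /60 is split into sixteen /64s of which the 5268AC keeps 0-7, and a tracked LAN's "IPv6 Prefix ID" selects one /64 inside whatever pfSense was delegated, so a /64 delegation leaves only ID 0 while a /60 allows 0 through f. The 2001:db8 prefix is a constructed documentation address.

```python
import ipaddress

# Per the thread: the AT&T gateway reserves the lower 8 /64s (0-7) of its /60.
GATEWAY_RESERVED_IDS = range(0, 8)


def available_from_gateway(gateway_prefix: str) -> list:
    """Return the /64s the gateway leaves for downstream use (8-f of a /60)."""
    pd = ipaddress.ip_network(gateway_prefix, strict=True)
    all64 = list(pd.subnets(new_prefix=64))
    return [n for i, n in enumerate(all64) if i not in GATEWAY_RESERVED_IDS]


def prefix_ids_available(delegated: str) -> int:
    """How many 'IPv6 Prefix ID' values fit in the delegation pfSense got."""
    pd = ipaddress.ip_network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError("a delegation smaller than /64 cannot be tracked")
    return 2 ** (64 - pd.prefixlen)


def track_interface_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 a tracked LAN receives for a given Prefix ID (hex in the GUI).

    Mirrors track-interface behaviour: the delegated prefix is cut into /64s
    and prefix_id picks one of them by adding it to the subnet-ID bits.
    """
    pd = ipaddress.ip_network(delegated, strict=True)
    count = prefix_ids_available(delegated)
    if not 0 <= prefix_id < count:
        raise ValueError(
            f"prefix ID {prefix_id:x} out of range for /{pd.prefixlen}: "
            f"only 0..{count - 1:x} available"
        )
    return ipaddress.IPv6Network((int(pd.network_address) + (prefix_id << 64), 64))


def can_track(delegated: str, prefix_id: int) -> bool:
    """True if pfSense could hand this Prefix ID to a tracked interface."""
    try:
        track_interface_prefix(delegated, prefix_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    gw = "2001:db8:abcd:abc0::/60"          # constructed gateway /60
    print([str(n) for n in available_from_gateway(gw)])
    print(track_interface_prefix("2001:db8:abcd:abc8::/64", 0))  # only ID 0 works
    print(can_track("2001:db8:abcd:abc8::/64", 1))               # False
    print(track_interface_prefix(gw, 2))                          # ID 2 on a /60
```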
-
@pankaj13
I followed jathemon's initial setup, and followed your steps, but unfortunately, I still can't get IPv6 on my VLAN using 'Track Interface'.
How do other routers handle this situation, anyway? Perhaps this is an issue that needs to be raised with the ISP? (Like, for example, requesting a static block of IPv6 addresses with a smaller delegation size?)
-
@andrew_241
The problem with AT&T is that it does not allow the modem to operate in true bridge mode, so the IPv6 address assignment cannot be passed on to pfSense. So you are actually getting a block of IPv6 addresses, but it is at the modem level, and the modem needs to distribute the addresses to everything inside the LAN. I also learned that the IPv6 addresses assigned by AT&T all start with 2601; these are global unicast addresses but are not routable outside of the AT&T network.
Originally I was also trying to set up a VLAN, but later on I realized that by putting in an Ethernet card with 2 slots I can have two logical networks, LAN1 and LAN2, which provided the same functionality as a VLAN would have given.
-
It almost slipped my mind, before I did any of the above steps I downgraded the firmware on 5268AC to v10.53 (installed version was 11.x). There were several complaints on other forums regarding the v11 firmware and several users reported that 10.53 worked better and I gave it a shot and it worked!
-
I've wondered if the AT&T modem assigns PDs based on physical interface. Has anyone tried to create a "WAN2" and use a second physical interface between pfSense & AT&T, and only use IPv6 as the protocol for WAN2 in pfSense? Perhaps (if my hypothesis is correct) WAN2 would get a second, unique, /64 PD to be delegated away to the LAN interface of your choosing.
Notwithstanding the impact this would have to your pfSense configuration (multi-wan, multi-gateway, routing, ACLs, etc), of course.
-
@ttmcmurry
I do not recall any options in the 5268AC which allow turning off IPv4 on the WAN side, and more problematic is the part that the Pace 5268AC only allows one interface to be outside of the DMZ, which gets assigned the WAN-side global IPv4 address. All other interfaces are forced to assume an internal IPv4 address behind its DMZ. I think this setup is designed for average users who may not be as knowledgeable, but working with these limitations is quite frustrating.