pfSense IPv6 behind AT&T Uverse 5268AC

  • In case others find this thread and want to know the general configuration behind the 5268AC (I spent a couple hours figuring it out)…

    This is not in a cascaded router configuration, but a DMZ+ configuration, so the public IP is shared with the pfSense router.
    Make sure IPv6 is enabled on the should be able to view the status of the broadband connection and see that the router is connected to IPv6 via 6rd with a gateway and a prefix delegation.  If you don't have this, don't bother with the rest of this configuration.

    On pfSense (latest stable version in the 2.3 train)
    WAN Interface:
    Request only an IPv6 prefix (checked)
    DHCPv6 Prefix Delegation size: 64
    Send IPv6 prefix hint (checked)
    Block Bogon Networks (unchecked)

    LAN Interface:
    DHCPv6: Tracking
    IPv6 Interface: WAN
    IPv6 Prefix: 0

    I'm not sure if you need to have bogon networks unchecked; it is good practice to block your LAN address space on your WAN interface...

    The KEY Item for me once I had this general configuration was firewall rules (SMH).  Make sure that IPv6 ICMP is permitted to/from the WAN interface AND you have a rule for DHCPv6 (aka UDP 546).  The DHCP rules will look like the can obviously customize it as you like for more specificity:

    IPv6 UDP source: any:546 dest: any:any
    IPv6 UDP source: any:any dest: any:546

    This actually permits the DHCP request and reply (stateful should allow the return traffic anyway...but w/e).  You will also need to allow ICMP rules for v6.
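
The two DHCPv6 rules from the post above, modelled as an added example (not code from the thread or from pfSense) and compared with a narrower link-local rule. It assumes the rules apply to inbound WAN traffic and that the gateway answers from a link-local address, as a DHCPv6 server on the same link normally does; the `Rule` class, the narrowed rule and the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("::/0")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


@dataclass(frozen=True)
class Rule:
    """Inbound IPv6 UDP pass rule; a port of None means 'any'."""
    src: ipaddress.IPv6Network
    sport: Optional[int]
    dst: ipaddress.IPv6Network
    dport: Optional[int]

    def matches(self, pkt):
        src, sport, dst, dport = pkt
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.sport in (None, sport)
                and self.dport in (None, dport))


# The two rules as posted: any:546 -> any:any and any:any -> any:546.
POSTED = [Rule(ANY, 546, ANY, None), Rule(ANY, None, ANY, 546)]
# Assumed narrowing: link-local source to link-local destination, client port 546 only.
NARROWED = [Rule(LINK_LOCAL, None, LINK_LOCAL, 546)]


def passed(rules, pkt):
    """True if any rule in the list passes the packet."""
    return any(rule.matches(pkt) for rule in rules)


# Constructed sample packets: (src, sport, dst, dport).
# 2001:db8::/32 is documentation address space, not a real AT&T prefix.
DHCP_REPLY = ("fe80::1", 547, "fe80::2", 546)               # gateway -> pfSense WAN
NOT_DHCP = ("2001:db8:ffff::50", 546, "2001:db8:0:18::10", 9999)  # only the source port is 546

if __name__ == "__main__":
    for name, pkt in (("DHCPv6 reply", DHCP_REPLY), ("non-DHCP packet", NOT_DHCP)):
        print(f"{name}: posted={passed(POSTED, pkt)} narrowed={passed(NARROWED, pkt)}")
```

The first posted rule matches on source port alone, so it also passes traffic that has nothing to do with DHCPv6; the narrowed rule passes only the reply.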

  • Awesome details...worked like a charm!

    Thanks for figuring it out and then being kind enough to share it!!!

  • This worked for me too, but only if I request a /64 on the WAN interface.

    I've been perplexed for some time why pfSense doesn't seem to be able to request the rest of the address space that AT&T allows.

    Generally, the AT&T gateway is assigned a /60. The gateway reserves the lower 8 /64 subnets (0-7) and makes the upper 8 /64s available for use (8-f).

    The way pfSense requests the PD on the WAN interface means the WAN only gets one of those /64s (starting at ::xxx8::) and pfSense will then delegate it to whatever tracked interface is designated with the only available prefix "0" (zero).

    At least with the way the AT&T gateway currently hands out those PDs, it only hands them out one /64 PD at a time, and pfSense can't/doesn't request multiple, indexed, /64 requests across the WAN.

    Other firewalls are able to handle this use case (see this forum post) but not pfSense - at least not that I've been able to find in the pfSense GUI.

    This would all be easier if the AT&T gateway would offer a /62 and be done with it (if they chose to stick with reserving the first 8 of the /60), but that's not currently the case.

  • I also have AT&T (fiber) and I have a VLAN that I would like to get IPv6 addresses on. Right now, the DHCPv6 Prefix Delegation size is 64, but that limits me to one IPv6 Prefix ID when I select 'Track Interface', and so I can only use it for the main LAN. Any workaround for this?

  • @andrew_241
    I have not configured a VLAN, but I did manage to configure two LANs on AT&T Fiber using the following:

    1. Turn off IPv6 on LAN1 and LAN2 (assuming two LANs)
    2. Go to WAN settings and set PD as /60, save settings
    3. Go to LAN1 and select IPv6 (track WAN interface) and select PD as 1 (default is 0)
    4. Go to LAN2 and select IPv6 (track WAN interface) and select PD as 2 (default is 0)
    5. Go to WAN settings and set PD as /64, save settings
    6. Reboot pfSense and all the interfaces (WAN, LAN1 and LAN2) would have an IPv6 address

    For any details not mentioned above, follow the instructions in the original post from jathemon above.