IPv6 not routed passed the first hop
-
Hi.
I have been trying for a couple of months to set up native IPv6 on pfsense 2.3, just updated to 2.3.3_1.
My ISP provides me with a static /48. I'm using an address on the first /64 on the WAN interface and have added the gateway IP from my ISP as the default IPv6 route. IPv6 works perfectly fine on pfsense itself, I can ping external ipv6 addresses from it just fine.
The lan network is on another /64 with a client machine statically configured to use the IPv6 address of the client interface. I can successfully ping both the IPv6 addresses of the wan and lan interfaces from a client machine on the lan network. Doing a ping or a traceroute to any external address just stops at pfsense though, so for some reason I can't make it passed the first hop.
Is there anything I have missed that I should do to make this work?
I'm not trying to set up something fancy. Just unfiltered IPv6 routing and static configuration. The documentation I have found suggests that doing something like that should pretty much just work, so my guess is that there is something obvious I have missed.
Just to make sure the problem isn't anything old in the configuration I have even disabled all IPv6 configuration, installed pfsense on a different machine, added IPv6 to it with no additional firewall rules or other setup, manually set it to the default route and still having the same problem.
-
"My ISP provides me with a static /48. I'm using an address on the first /64 on the WAN interface and have added the gateway IP from my ISP as the default IPv6 route. IPv6 works perfectly fine on pfsense itself, I can ping external ipv6 addresses from it just fine."
So your isp told you that the first /64 is to be used as the transit? For a network to be routed it has to have a dest.. So what did they tell you to use for your IP? So they could route the whole /48 to that IP?
Or did they just give you a /48 to use? And its not really routed anywhere? Just hung off their network..
-
So your isp told you that the first /64 is to be used as the transit? For a network to be routed it has to have a dest.. So what did they tell you to use for your IP? So they could route the whole /48 to that IP?
Or did they just give you a /48 to use? And its not really routed anywhere? Just hung off their network..
They didn't actually tell me that much, only that I can use the entire /48 and that I should use the [prefix]::1 address as the default gateway. I gave the WAN interface the [prefix]::2/64 address since I thought that sounded reasonable, and I can reach that IP from the outside so that IP should at least be routed.
-
System / Advanced / Networking > Allow IPv6 == checked
Interfaces / LAN > Block bogon networks == unchecked -
So your isp told you that the first /64 is to be used as the transit? For a network to be routed it has to have a dest.. So what did they tell you to use for your IP? So they could route the whole /48 to that IP?
Or did they just give you a /48 to use? And its not really routed anywhere? Just hung off their network..
They didn't actually tell me that much, only that I can use the entire /48 and that I should use the [prefix]::1 address as the default gateway. I gave the WAN interface the [prefix]::2/64 address since I thought that sounded reasonable, and I can reach that IP from the outside so that IP should at least be routed.
Sounds awfully like they did the worst thing possible and the /48 is terminated at their own router. Your options are very limited if that is really the case because you won't be able to use any of the /48 behind your pfSense.
A proper routed setup would have a separate /64 transit on the WAN and the pfSense WAN IPv6 address (from the transit /64) would be the destination address for your routed /48.
-
^ yup that would be my guess.. Which is just plain moronic.. How could an ISP really be that stupid??
There really should be a transit network.. Using the first /64 of the /48 as the transit bad way to do it if you ask me. There really should be a different transit network.. Not like there is not plenty of address space to use ;) They give you a /64 as your transit, and then route the /48 through that transit.
-
Thanks for the help everyone. I contacted my ISP and they were quick to give me a transit network and now everything works.
-
Glad to hear.. So they just forgot to give you that info before or did they have to fix it?
-
Glad to hear.. So they just forgot to give you that info before or did they have to fix it?
Thanks. No, they had to fix it.
-
