1. Home
  2. pfSense® Software
  3. IPv6
  4. IPv6 not routed passed the first hop

IPv6 not routed passed the first hop

  • M

    Hi.

    I have been trying for a couple of months to set up native IPv6 on pfsense 2.3, just updated to 2.3.3_1.

    My ISP provides me with a static /48. I'm using an address on the first /64 on the WAN interface and have added the gateway IP from my ISP as the default IPv6 route. IPv6 works perfectly fine on pfsense itself, I can ping external ipv6 addresses from it just fine.

    The lan network is on another /64 with a client machine statically configured to use the IPv6 address of the client interface. I can successfully ping both the IPv6 addresses of the wan and lan interfaces from a client machine on the lan network. Doing a ping or a traceroute to any external address just stops at pfsense though, so for some reason I can't make it passed the first hop.

    Is there anything I have missed that I should do to make this work?

    I'm not trying to set up something fancy. Just unfiltered IPv6 routing and static configuration. The documentation I have found suggests that doing something like that should pretty much just work, so my guess is that there is something obvious I have missed.

    Just to make sure the problem isn't anything old in the configuration I have even disabled all IPv6 configuration, installed pfsense on a different machine, added IPv6 to it with no additional firewall rules or other setup, manually set it to the default route and still having the same problem.

    0
  • johnpoz
    LAYER 8 Global Moderator

    "My ISP provides me with a static /48. I'm using an address on the first /64 on the WAN interface and have added the gateway IP from my ISP as the default IPv6 route. IPv6 works perfectly fine on pfsense itself, I can ping external ipv6 addresses from it just fine."

    So your isp told you that the first /64 is to be used as the transit?  For a network to be routed it has to have a dest.. So what did they tell you to use for your IP?  So they could route the whole /48 to that IP?

    Or did they just give you a /48 to use?  And its not really routed anywhere?  Just hung off their network..

    0
  • M

    @johnpoz:

    So your isp told you that the first /64 is to be used as the transit?  For a network to be routed it has to have a dest.. So what did they tell you to use for your IP?  So they could route the whole /48 to that IP?

    Or did they just give you a /48 to use?  And its not really routed anywhere?  Just hung off their network..

    They didn't actually tell me that much, only that I can use the entire /48 and that I should use the [prefix]::1 address as the default gateway. I gave the WAN interface the [prefix]::2/64 address since I thought that sounded reasonable, and I can reach that IP from the outside so that IP should at least be routed.

    0
  • H

    System / Advanced / Networking > Allow IPv6 == checked
        Interfaces / LAN > Block bogon networks == unchecked

    0
  • K

    @mjgtall:

    @johnpoz:

    So your isp told you that the first /64 is to be used as the transit?  For a network to be routed it has to have a dest.. So what did they tell you to use for your IP?  So they could route the whole /48 to that IP?

    Or did they just give you a /48 to use?  And its not really routed anywhere?  Just hung off their network..

    They didn't actually tell me that much, only that I can use the entire /48 and that I should use the [prefix]::1 address as the default gateway. I gave the WAN interface the [prefix]::2/64 address since I thought that sounded reasonable, and I can reach that IP from the outside so that IP should at least be routed.

    Sounds awfully like they did the worst thing possible and the /48 is terminated at their own router. Your options are very limited if that is really the case because you won't be able to use any of the /48 behind your pfSense.

    A proper routed setup would have a separate /64 transit on the WAN and the pfSense WAN IPv6 address (from the transit /64) would be the destination address for your routed /48.

    0
  • johnpoz
    LAYER 8 Global Moderator

    ^ yup that would be my guess.. Which is just plain moronic.. How could an ISP really be that stupid??

    There really should be a transit network..  Using the first /64 of the /48 as the transit bad way to do it if you ask me.  There really should be a different transit network.. Not like there is not plenty of address space to use ;)  They give you a /64 as your transit, and then route the /48 through that transit.

    0
  • M

    Thanks for the help everyone. I contacted my ISP and they were quick to give me a transit network and now everything works.

    0
  • johnpoz
    LAYER 8 Global Moderator

    Glad to hear.. So they just forgot to give you that info before or did they have to fix it?

    0
  • M

    @johnpoz:

    Glad to hear.. So they just forgot to give you that info before or did they have to fix it?

    Thanks. No, they had to fix it.

    0
  • T

    @mjgtall:

    @johnpoz:

    Glad to hear.. So they just forgot to give you that info before or did they have to fix it?

    Thanks. No, they had to fix it.

    Just out of curiosity, is your ISP Comcast?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy