Netgate Discussion Forum

    IPv6 sanity check

      mygeeknc

      I've been trying, unsuccessfully, to turn up a network that is native IPv6 with a static WAN. I believe my issues are in the router advertisements but I'm not 100% on it.

      From my pfSense box, under "Diagnostics -> Ping", I can successfully ping ipv6.google.com and my ISP gateway; however, internally I cannot. From a client, I can ping my pfSense box but cannot ping the ISP gateway nor ipv6.google.com.

      This is my first experience with IPv6 so this is definitely a learning experience. Thanks for any assistance.

      Information:

      • ISP: AT&T

      • IP Block: 2001:xxxx:xxxx:6900::/56

      • First usable: 2001:xxxx:xxxx:6900::2/56

      • Gateway: 2001:xxxx:xxxx:6900::1/56

      So I statically assigned the WAN interface with 2001:1890:120C:6900:2/56 and added the upstream gateway as you can see here: http://d.pr/i/gn7JxT/2v4i9YP9

      On the LAN interface, I set a static IPv4 as 192.168.1.1 and then IPv6 as 2001:xxxx:xxxx:6901::1/64 - http://d.pr/i/FXmiTA/yHmtdyUd

      Under DHCPv6 and RA I have the DHCPv6 server turned off for the LAN (and WAN for that matter). http://d.pr/i/bZhTuy/DY8Ayxj7

      And then under RA, I have it set to Unmanaged. http://d.pr/i/9HZvj3/msv03Uab

      My DNS servers are set to the ones provided by the ISP under General Setup.

      So what am I doing wrong here?

        Guest

        Your LAN address should not be 2001:xxxx:xxxx:6901::1/64

        Try 2001:xxxx:xxxx:6900:1::1/64

        Your entire subnet is a /56, which are the first 56 bits

        2001: = 16 +
        xxxx  = 16 +
        xxxx  = 16 +
        6900  = 16 +
                -------
                  48
                -------

        Plus 8 bits from the 5th so your allocated range is:  2001:xxxx:xxxx:6900:00 = /56

        The rest is yours to play with, so on your Lan side do this

        2001:xxxx:xxxx:6900:0001 or  2001:xxxx:xxxx:6900:1

        Now add the address for pfSense itself on the LAN side, we'll make it 1

        2001:xxxx:xxxx:6900:1::1

        And that should work.

          mygeeknc

          I must still have something wrong. I can resolve ipv6.google.com but I can not ping it or browse to it. I've made the LAN IP 2001:xxxx:xxxx:6900:1::1 as suggested and assumed this was a /64. Is that right?

            Guest

            What have you got set up in your dhcp6 server?

            It should be something like

            from  2001:xxxx:xxxx:6900:1::2 to 2001:xxxx:xxxx:6900::ffff:ffff and set the RA mode to assisted.

              mygeeknc

              This is what I have now on the DHCPv6 side and the RA is set to assisted. http://d.pr/i/nLHmPX/5bVlaMj8

              Another interesting point is now I can't ping ipv6.google.com from the diagnostics interface where I could before.

                Guest

                OK, let's do this stage by stage.

                In Diagnostics Ping, Set the Hostname to 2001:41c1:4008::bbc:1 ( BBC UK )

                Protocol IPv6
                Source Address WAN

                Max Pings 3

                Do you get a response?

                Now, if you do, good.

                Now before we go further, do you have a valid V6 address on your LAN  interface?

                  mygeeknc

                  I was able to ping 2001:41c1:4008::bbc:1 but I also tried ipv6.google.com again and was not able to get there.

                  The IP I have on my LAN interface is 192.168.1.1 for IPv4 and 2001:xxxx:xxxx:6900:1::1 for IPv6.

                    Guest

                    Well if you can ping the BBC address then ipv6 is working.

                    So now you have enabled the dhcpv6 ranges, what address(es) do you see on your PC when doing ipconfig ( if windows ) ?

                      mygeeknc

                      Connection-specific DNS Suffix  . : localdomain
                        IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxxx:6900:806a:e655:2a58:123
                        IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxxx:6900:ffff::7966
                        Temporary IPv6 Address. . . . . . : 2001:xxxx:xxxx:6900:bccd:35e8:9436:f0f2
                        Link-local IPv6 Address . . . . . : fe80::806a:e655:2a58:123%10
                        IPv4 Address. . . . . . . . . . . : 192.168.1.101
                        Subnet Mask . . . . . . . . . . . : 255.255.255.0
                        Default Gateway . . . . . . . . . : fe80::2e0:b6ff:fe13:6ea2%10
                                                            192.168.1.1

                        Guest

                        Those addresses should be xxxx:6900:1:*

                        Sorry, it looks like it might be my typo in an earlier message.

                        It should read from  2001:xxxx:xxxx:6900:1::2 to 2001:xxxx:xxxx:6900:1:ffff:ffff

                        DHCPv6 addresses on the LAN need to be in the same 64 range as the LAN address.

                        Once that's done then disable and re-enable the LAN port on the PC, then ipconfig and check the address is in the right 64.

                        Use this address to check your IPv6 with a browser.

                        http://ipv6-test.com/

                          mygeeknc

                          Are you sure that range is correct? It's giving me a "valid range must be specified" error.

                            mygeeknc

                            I changed it to: 2001:xxxx:xxxx:6900:1::2 to 2001:xxxx:xxxx:6900:1::ffff

                            That should work, correct?

                              Guest

                              Yes it should, can't see instantly why it complained. I'll fire it up on my test unit as soon as I get the chance and see what's wrong.

                                Derelict LAYER 8 Netgate

                                No.

                                2001:xxxx:xxxx:6900:1::2

                                That will still be on the WAN subnet.

                                Set your WAN IPv6 address to 2001:xxxx:xxxx:6900::2/64

                                Set the default IPv6 gateway on that interface to: 2001:xxxx:xxxx:6900::1

                                That leaves 255 /64 networks to assign to inside interfaces:

                                2001:xxxx:xxxx:6901::/64 through 2001:xxxx:xxxx:69ff::/64

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)
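
Added example (not part of the original posts and not pfSense code): a check of the addressing plan discussed above using Python's `ipaddress` module. The documentation prefix `2001:db8:0:6900::/56` is a placeholder for the redacted allocation, and the function names are hypothetical.

```python
import ipaddress

# Placeholder: the documentation prefix stands in for the thread's
# redacted 2001:xxxx:xxxx:6900::/56 allocation.
DELEGATED = ipaddress.ip_network("2001:db8:0:6900::/56")


def lan_subnets(delegated, wan_addr):
    """Return the /64s of the delegated block that do not overlap the WAN subnet."""
    wan_net = ipaddress.ip_interface(wan_addr).network
    return [n for n in delegated.subnets(new_prefix=64) if not n.overlaps(wan_net)]


def check_lan(delegated, wan_addr, lan_addr, pool_start, pool_end):
    """Return a list of problems with a proposed LAN address and DHCPv6 pool."""
    wan_net = ipaddress.ip_interface(wan_addr).network
    lan_net = ipaddress.ip_interface(lan_addr).network
    problems = []
    if not lan_net.subnet_of(delegated):
        problems.append("LAN subnet is outside the delegated block")
    if lan_net.overlaps(wan_net):
        problems.append("LAN subnet overlaps the WAN subnet")
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start not in lan_net:
        problems.append("pool start is outside the LAN subnet")
    if end not in lan_net:
        problems.append("pool end is outside the LAN subnet")
    if start > end:
        problems.append("pool start is after pool end")
    return problems


if __name__ == "__main__":
    p = "2001:db8:0:6900"
    # WAN configured as a /56: the whole block is on-link on WAN, nothing is left for LAN.
    print(len(lan_subnets(DELEGATED, f"{p}::2/56")))
    # WAN configured as a /64: the remaining /64s can go to inside interfaces.
    free = lan_subnets(DELEGATED, f"{p}::2/64")
    print(len(free), free[0], free[-1])
    # A LAN address of ...:6900:1::1/64 is still inside the WAN /64.
    print(check_lan(DELEGATED, f"{p}::2/64", f"{p}:1::1/64", f"{p}:1::2", f"{p}:1::ffff"))
    # LAN on ...:6901::/64 with a pool inside that /64 passes every check.
    print(check_lan(DELEGATED, f"{p}::2/64", "2001:db8:0:6901::1/64",
                    "2001:db8:0:6901::2", "2001:db8:0:6901::ffff"))
```
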

                                  Guest

                                  Thanks Derelict, not enough sleep and too many work hours the last couple of weeks, silly mistakes are creeping in!

                                    mygeeknc

                                    I have the WAN set as 2001:xxxx:xxxx:6900::2/64 and the LAN IP set as 2001:xxxx:xxxx:6901::1/64.

                                    On the DHCPv6 page, I have the range set to 2001:xxxx:xxxx:6901::2 - 2001:xxxx:xxxx:6901::ffff.

                                    From the Diagnostics screen, I can now ping ipv6.google.com but I still can not ping either the BBC IP listed above nor ipv6.google.com from a client machine. What am I missing?

                                      awebster

                                      What IP are you getting on the machine inside the LAN?
                                      Check IP and default gateway.

                                      –A.

                                        Derelict LAYER 8 Netgate

                                        On the DHCPv6 page, I have the range set to 2001:xxxx:xxxx:6901::2 - 201:xxxx:xxxx:6901:ffff.

                                        When trying to solicit help from someone remote, specific details and accuracy are important.


                                          mygeeknc

                                          Ethernet adapter Ethernet:

                                          Connection-specific DNS Suffix  . : localdomain
                                            IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxxx:6901::f966
                                            IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxxx:6901:806a:e655:2a58:123
                                            Temporary IPv6 Address. . . . . . : 2001:xxxx:xxxx:6901:e023:5e95:6d44:5c7b
                                            Link-local IPv6 Address . . . . . : fe80::806a:e655:2a58:123%10
                                            IPv4 Address. . . . . . . . . . . : 192.168.1.101
                                            Subnet Mask . . . . . . . . . . . : 255.255.255.0
                                            Default Gateway . . . . . . . . . : fe80::2e0:b6ff:fe13:6ea2%10
                                                                                192.168.1.1

                                          This is what a client is getting. Thank you all very much for your help.

                                            awebster

                                            2 things:

                                            • Verify that the fe80::2e0:b6ff:fe13:6ea2 address you see actually belongs to the LAN interface on your pfSense.

                                            • Check DNS settings, does nslookup return the expected results?

                                            e.g.:
                                            Non-authoritative answer:
                                            Name:    ipv6.l.google.com
                                            Address:  2607:f8b0:400b:809::200e
                                            Aliases:  ipv6.google.com

                                            Lastly tracert -d ipv6.google.com, see how far it gets before stopping.

                                            –A.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.