Problem routing IPv6

riceri · Jul 30, 2017, 8:36 AM

I have been struggling with getting IPv6 working for a day and now i give up and ask for help. My ISP have given me a /48 subnet to use as i want, the only instruction i got is that the router is advertised by RA.

The setup is as follows
Subnet from ISP: 2XX1:2XX0:5XX0::/48
WAN interface: 2XX1:2XX0:5XX0::2/64
LAN interface: 2XX1:2XX0:5XX0:1::1/64
Desktop: 2XX1:2XX0:5XX0:1::10/64
The firewall is open for all IPv6 traffic on both WAN and LAN. It have already a working IPv4 setup with NAT.

The desktop can ping the WAN and LAN interface on the pfSense. From internet i can ping the WAN interface.

What can i have missed?
Can i mix NAT (IPv4) and public (IPv6)?

pfadmin · Aug 8, 2017, 11:59 AM

@riceri:

Can i mix NAT (IPv4) and public (IPv6)?

Hi,

yes, you can.

I think, your ISP gives you an /48 for your LAN site of the router. You should not use ist on wan as you did with

WAN interface: 2XX1:2XX0:5XX0::2/64

pfadmin

pfadmin · Aug 8, 2017, 12:02 PM

And do you realy want your firewall open for connections from the internet?

Allow ICMPv6 in all matters.

pfadmin

riceri · Aug 13, 2017, 6:10 PM

@pfadmin:

And do you realy want your firewall open for connections from the internet?

Allow ICMPv6 in all matters.

pfadmin

I only have that firewall rule to get anything to work. Once i see that the traffic is routed i will lock it down with more normal firewalls rules. :)

riceri · Aug 13, 2017, 6:15 PM

@pfadmin:

I think, your ISP gives you an /48 for your LAN site of the router. You should not use ist on wan as you did with

WAN interface: 2XX1:2XX0:5XX0::2/64

Aha, but don't i need a adress on the WAN side to?

Derelict · Aug 13, 2017, 7:51 PM

There needs to be a WAN interface subnet and they should route the /48 to you there. It could also be link-local but they still need to route the /48 to you somehow.

They should have some sort of instructions for how the WAN interface should be configured.

What, exactly, did their instructions say?

What ISP/service plan is it?

riceri · Aug 13, 2017, 10:02 PM

@Derelict:

There needs to be a WAN interface subnet and they should route the /48 to you there. It could also be link-local but they still need to route the /48 to you somehow.

They should have some sort of instructions for how the WAN interface should be configured.

What, exactly, did their instructions say?

What ISP/service plan is it?

There is not much instructions, it just said that i got a subnet and that i should not use a gateway as the RA protocol was used. Since this is my first time to add public IP:s behind a firewall everything is new to me and it makes it harder. :)

The ISP is Telia Prolane.

This is all the info i got:

Information about IP-address
IP-version IPv6
IP-adresser 2XX1:2XX0:5XX0::/48
Default gateway *
Name on reversezon 0.X.X.5.0.X.X.2.1.X.X.2.ip6.arpa.

(*) Normally, you do not need to manually configure any default gateway on ipv6. The router announces the default gateway via Route Advertisment to the computers that are connected directly to Telia's CPE. There may be situations when manually entering the default gateway. In that case, enter the link-local address fe80 :: 1.

JKnott · Aug 13, 2017, 10:23 PM

@riceri:

@Derelict:

There needs to be a WAN interface subnet and they should route the /48 to you there. It could also be link-local but they still need to route the /48 to you somehow.

They should have some sort of instructions for how the WAN interface should be configured.

What, exactly, did their instructions say?

What ISP/service plan is it?

There is not much instructions, it just said that i got a subnet and that i should not use a gateway as the RA protocol was used. Since this is my first time to add public IP:s behind a firewall everything is new to me and it makes it harder. :)

The ISP is Telia Prolane.

This is all the info i got:

Information about IP-address
IP-version IPv6
IP-adresser 2XX1:2XX0:5XX0::/48
Default gateway *
Name on reversezon 0.X.X.5.0.X.X.2.1.X.X.2.ip6.arpa.

(*) Normally, you do not need to manually configure any default gateway on ipv6. The router announces the default gateway via Route Advertisment to the computers that are connected directly to Telia's CPE. There may be situations when manually entering the default gateway. In that case, enter the link-local address fe80 :: 1.

My ISP also uses RAs, but also DHCPv6-PD to assign my local prefix. On the WAN side, while it's assigned a global address, it uses a link local address for the router.

Guest · Aug 14, 2017, 11:44 AM

Your ISP is doing something similar to mine, how is the initial negotiation for IPv4 handled is it PPPoE?

What version of pfSense are you running, It may be in an earlier message but I did not see it.

riceri · Aug 14, 2017, 8:11 PM

@JKnott:

My ISP also uses RAs, but also DHCPv6-PD to assign my local prefix. On the WAN side, while it's assigned a global address, it uses a link local address for the router.

When i setup my WAN on DHCP i do get a IPv6 address.

@marjohn56:

Your ISP is doing something similar to mine, how is the initial negotiation for IPv4 handled is it PPPoE?

What version of pfSense are you running, It may be in an earlier message but I did not see it.

We have been given a subnet of IPv4 addresses so no DHCP or anything at the IPv4.

Guest · Aug 14, 2017, 9:37 PM

Silly I know, but have you allowed IPv6 in System->Advanced->Networking?

riceri · Aug 14, 2017, 9:51 PM

@marjohn56:

Silly I know, but have you allowed IPv6 in System->Advanced->Networking?

Yes, that is checked. :)

Guest · Aug 15, 2017, 5:03 AM

If you leave the WAN side as dhcp6 you should get something. Set it to dhcp6 and then look at the dhcp logs and look for dhcp6c entries, see if anything is there.

riceri · Aug 15, 2017, 6:18 AM

@marjohn56:

If you leave the WAN side as dhcp6 you should get something. Set it to dhcp6 and then look at the dhcp logs and look for dhcp6c entries, see if anything is there.

I do, then i try to use the 2XX1:2XX0:5XX0::/48 on the LAN side but it still don't route.

Guest · Aug 15, 2017, 6:30 AM

Set your lan v6 to track the Wan interface. Set up your dhcp6 server on lan too. You do not want the whole 48 on your lan, 64 is fine.

riceri · Aug 15, 2017, 9:11 PM

I got a call from Telia today they will take a session with me tomorrow and try to solve this. :)

riceri · Aug 16, 2017, 8:06 AM

Telia added a route to my route for the /48 i have got and now it works. So the problem was that Telia didn't route the traffic back to my router.

Case closed! Thanks for all your help!

JKnott · Aug 16, 2017, 10:59 AM

@riceri:

Telia added a route to my route for the /48 i have got and now it works. So the problem was that Telia didn't route the traffic back to my router.

Case closed! Thanks for all your help!

Do you now have multiple /64s available?

Guest · Aug 16, 2017, 9:04 PM

@riceri:

Telia added a route to my route for the /48 i have got and now it works. So the problem was that Telia didn't route the traffic back to my router.

Case closed! Thanks for all your help!

Good stuff, they are not the only ISP to have done that, seems a common problem.

riceri · Aug 20, 2017, 8:36 AM

@JKnott:

Do you now have multiple /64s available?

Yes, they route the whole /48 to my router and i can split it to multiple /64 and my router takes care of that routing.