• I have a /48 block of IP addresses provided by a datacenter. I'm trying to create an internal LAN with pfsense running on a vm. I've setup the WAN interface up with the IP address xxxx:xxxx:xxxx::82/48 and the gateway is xxxx:xxxx:xxxx::1. The LAN interface I setup with the IP address xxxx:xxxx:xxxx:2::1/64. I can ping from the WAN interface on the diagnostics page but I can't ping from the LAN interface. I also can't get a route outside on servers behind the LAN interface, although I can ping the LAN and WAN interface addresses.

  • anyone?

  • My ipv6 "WAN" is a GIF interface…

    Other than that, I assume the rest would be the same.  However, You will need to share.

    I need to see your LAN interface setup, WAN interface setup, firewall rules for all interfaces,  ServicesDHCPv6 Server & RALANDHCPv6 Server for all interfaces

    We can start there...

  • LAYER 8 Global Moderator

    "I've setup the WAN interface up with the IP address xxxx:xxxx:xxxx::82/48"

    Well that is not correct…  If the DC routed the /48 to you then you would create /64 out of that /48 and use them on your lan side interfaces behind pfsense.

  • I meant /64 on the WAN interface, my mistake.  I've attached a screenshot of the WAN,LAN,DHCP and the RA config.

  • LAYER 8 Global Moderator


    Dude did they route the /48 to you or not.. If they just gave you the /48 as directly attached to their router then you can not really do anything with it… How stupid can these companies be??

    If they routed the /48 to use - what is the transit network?  The first subnet?  You can not just set the mask to /64 vs /48..

  • A /48 block is routed. I set /64 on the WAN interface. I think the /48 block might be directly attached. :/

  • LAYER 8 Global Moderator

    If the the /48 was routed then they should of given you a /64 as the transit in their info, etc.  Its possible that they assumed you would use the 1st prefix as the transit, etc.  But to be honest that is bad practice..

    If they just directly attached the /48 to their device your connected too.. Then they are clueless ;)  As it seems many a ISP or DC networking guys are when it comes to IPv6.. I would clarify with them that you want the /48 routed to you, and via what transit?  They should give you a /64 that is not part of your /48 as your transit.. They could use link-local for the transit.  But that is also just not good design..

    Once they give you a routed /48 then you can break that up into the /64s you want to use behind pfsense for as many segments as you want, since a /48 is freaking HUGE ;)  Your not going to exceed 65K /64s are you ;)

  • They could use link-local for the transit.  But that is also just not good design.

    Take a look at your WAN port.  While there may be a global address on it, the gateway is via link local address, as is generally the case with IPv6 routing.  While it's certainly nice to have a global address, it's usually not used in routing, even on the local LAN.  Even on IPv4, a transit network isn't needed on a point to point link.  All that's needed is the interface that connects to the remote network.

  • LAYER 8 Global Moderator

    "Even on IPv4, a transit network isn't needed on a point to point link."

    Might not be needed, but pointless to do such a thing.. And makes it even that more difficult to work with, and depending hard to route when there is no IP to send it too, etc.

    Who said his ISP would be using a point to point to him in a DC.. Normally there would be a transit later where customers are connected.. Just easier to give them an IP on this transit that should be a global /64 used as that transit network..

    While the device might actually use the link local to talk to the gateway.. The global IP makes it nice and simple for troubleshooting and traceroute.. Now you get a valid hop in your trace since you will hit the global IP on the end of the transit network.

    Like I said its bad design to not use a transit.

  • Like I said its bad design to not use a transit.

    Perhaps I used the wrong expression.  I took your description as requiring public IPv6 addresses on the WAN side of the firewall.  I do have one that's completely different from what my /56 contains.  However, that public address is not used in routing my /56 to me.  It also has a /128 prefix.  Netstat -r shows a link local address that's not on my firewall for the default route.  With IPv6, routing is normally done using the link local address, so not having a public IPv6 address on my WAN interface would not break anything.  All that IPv6 address does is allow connection to my firewall from elsewhere.  This contrasts with IPv4, where a routed IP address is necessary, except with point to point links.

Log in to reply