6rd subnet

  • I'm using 6rd for my ipv6. Because it doesn't look like I'll have native ipv6 any time soon I tried to setup a website on my network to be externally accessible on ipv6 and it would work perfectly fine for external users on different a isp. My issue is any external user who uses 6rd on the same isp as me can't access the site via ipv6. I'm thinking it has something to do with pfSense thinking they are inside my subnet as my ipv6 6rd on the wan has a /28 where my lan ipv6 subnet is /64. I'm thinking pfsense is believes that the external user is inside my subnet (on the wan side). Is my thinking correct or should I be looking somewhere else?

  • You have a /28???  That's huge.  Regardless, I don't think it's pfSense thinking those users are within your address range.  When you're assigned a prefix, you have exclusive use of all addresses within it.  Any other user, including on your 6rd server will have addresses in another prefix.  I suspect the problem may be a routing issue within the 6rd server.

  • It isn't really a /28. The prefix for 6rd is a /28 then my ipv4 address adds the next 32 bits to make my ipv6 prefix. But anyone else on my isp using 6rd will all have the same prefix. Because of this I'm wondering if pfsense see's their address as being inside my 6rd prefix and not sending it external even though it is outside my 6rd prefix + ipv4 address?

  • Well, a /28 + 32 bits = /60, so you should have a /60 prefix that's different from anyone else.  Anything that's outside of your prefix shouldn't confuse pfSense.  I used to use a 6in4 tunnel and don't recall any issues with it.  What does traceroute show, when you try to reach one of the other users?

    Perhaps you could mention who you're getting 6rd from, so someone else who has experience with them can help.

  • my 6rd is with Start.ca. I would expect a /60 subnet for the wan side too but in the interfaces status page it says it is a /28 subnet on the wan side. This is why I'm wondering if that might be what causes the problem.

  • The WAN side has nothing to do with the LAN side.  In fact, you don't even need a public address on the WAN side, as routing is usually done using the link local address.  In fact, routing doesn't even require any address. The route can be specified by a point to point interface.  However, your WAN IP address could easily be one out of a /64 prefix that's separate from your LAN prefix.  Having the WAN address within the LAN prefix wouldn't work.  I'll describe what I have here, though I'm no longer using a tunnel.  My WAN port has an IPv6 address and I also have a /56 prefix, which is then split into individual /64s.  The WAN prefix is significantly different from either my /56 or any of my /64 prefixes, so there's no conflict between the WAN and LAN sides.  Any address that's not within my /56 is elsewhere.  I don't care whether they're on my ISP or not, they're just elsewhere and pfSense sends packets for them out the WAN interface to my ISP.  Beyond that, I don't know or care what happens.  It should be the same with you on Start.  I suggested using traceroute, as it will show whether the packets actually leave your pfSense firewall or not.  If they do, the problem is elsewhere.  If they don't, it's with pfSense.

Log in to reply