IPv6 from ISP works, but WAN address is link local, not global
So my ISP offers IPv6 via prefix delegation, and I managed to get it to work, up to a point, with my pfSense. Hosts on my LAN all get global IP addresses, and they can reach the internet via IPv6 through the pfSense. However, my pfSense does not end up with a global address on the WAN, which is a problem for me, as I would like to land a VPN on the WAN interface. The WAN interface ends up with a link-local address instead.
WAN config details:
My ISP does not offer IA-NA via DHCP6, only IA-PD. As such "Request only an IPv6 prefix" is enabled.
My ISP also does not provide router advertisements, so "Do not wait for a RA" is also enabled.
The "DHCPv6 Prefix Delegation size" is a /56, for the curious.
LAN config details:
IPv6 is set to "Track Interface". It is tracking the WAN interface.
As I said, the LAN interface ends up getting a global address, WAN does not.
I did some rudimentary tracing on my pfSense using ssh, and it seems like when rtsold is soliciting for my ISP's router (due to "Do not wait for RA"), the ISP is returning a link local address (!) for the gateway, and the pfSense gains its own link local address, presumably in order to communicate with that gateway.
How can I get my pfSense to also automatically dish out an IPv6 address to its own WAN interface from the prefix delegation pool it received from the ISP?
First off, routers don't need a routeable WAN address. What does your ISP say? Putting an address from your own block won't get much. With IPv6, routing is normally done using the link local address. A routeable address on the WAN port would only be used for things like configuration, testing, etc.
Thanks for your reply, JKnott.
First off, routers don't need a routeable WAN address.
Agreed, clearly, IPv6 is working.
What does your ISP say?
They say "what's wrong with the box we gave you?", but when pressed, they say that their box gives itself a WAN address in the PD with the sla-id of ff. Presumably that is so they can "service" the box.
A routeable address on the WAN port would only be used for things like configuration, testing, etc.
... serving a VPN?
If pfSense were just a router, I would just have to be content, I suppose.
I already have a roadwarrior OpenVPN on the WAN interface with IPv4, I would also like it to listen and serve on IPv6.
WAN address in the PD with the sla-id of ff
Do you mean an address with the prefix ID of ff? That should still leave you with 255 prefixes available. So, if I'm reading your post correctly, the modem has the prefix ID of ff, leaving 0 - fe for your use, but nothing assigned to your WAN port. As for a VPN, there's no reason it has to terminate on the WAN port, if you have public addresses available on your LAN. Also, I run OpenVPN over IPv4, but it carries both IPv4 and IPv6. It uses my public IPv4 address.
Where you would need a routeable IPv6 address on your WAN port is for things like ping and traceroute to the WAN interface. Without it, you can still ping or traceroute to LAN addresses.
Grimson:
You could try adding an IPv6 VIP as your VPN interface.
Do you mean an address with the prefix ID of ff?
Yeah, that is what I meant, my bad.
I also apologise for not being more clear that I'm not using my ISP's device; the pfSense is plugged directly into the demarcation, as I do not want to use their device. I was describing how the ISP's device ends up with an IP on its WAN interface given the ISP's spartan DHCP service. It issues itself an address on the WAN interface from the PD received from the DHCP, something I have yet to figure out how to do on the pfSense.
As for a VPN, there's no reason it has to terminate on the WAN port, if you have public addresses available on your LAN. Also, I run OpenVPN over IPv4, but it carries both IPv4 and IPv6. It uses my public IPv4 address.
I get what you are saying, and it makes sense. I would really like to run a single OpenVPN configuration but listening on IPv4 and IPv6 without having to a) duplicate configs and OpenVPN server instances and b) do some kind of port-forward trick so they can both land on the same adaptor to achieve that. I understand that serving OpenVPN just from IPv4 works for you, but I'd like the diversity of serving mine from IPv4 and IPv6.
I would also like my LAN firewall rules to pertain strictly to LAN traffic, and WAN firewall rules to pertain strictly to WAN traffic. If I served OpenVPN from the LAN interface, and for argument's sake wanted to filter incoming connections to the VPN service to those originating only from a certain block of IPs, I would have rules describing WAN traffic in my LAN rules. Not a big deal, I know, but when I come back to it 2 years from now, or have someone else look at it, it would be confusing for them or future me.
I think Grimson's suggestion is close to what I am looking for.
You could try adding an IPv6 VIP as your VPN interface.
This works until my ISP's DHCP decides to change my PD. If I could find a way to do this dynamically based on my PD, I think I'm golden. Any ideas?
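An added example, not code from any poster or from pfSense: it carves the /64 with prefix ID ff out of the delegated /56 (the scheme the OP's ISP box uses, and the reason 0 - fe remain for the LAN), parses the WAN NIC's current inet6 addresses from FreeBSD ifconfig output, and emits the ifconfig commands needed to replace a stale address when the PD changes. The NIC name vtnet0, the 2001:db8::/32 documentation prefix used as a constructed PD, and the assumption that no other global addresses live on WAN (the ISP offers no IA-NA) are all mine.

```python
import ipaddress
import re

# Constructed sample of FreeBSD ifconfig output for a hypothetical WAN NIC (vtnet0),
# still carrying an address derived from a previous, now-changed delegation.
SAMPLE_IFCONFIG = """\
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 fe80::a00:27ff:fe12:3456%vtnet0 prefixlen 64 scopeid 0x1
\tinet6 2001:db8:ab:ff::1 prefixlen 64
"""
INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)\s+prefixlen\s+(\d+)", re.M)

def subnet_for_prefix_id(delegated_prefix, prefix_id, subnet_len=64):
    """The /64 inside the delegated prefix selected by prefix ID (a /56 leaves 8 bits: 0x00..0xff)."""
    pd = ipaddress.IPv6Network(delegated_prefix)
    id_bits = subnet_len - pd.prefixlen
    if id_bits < 0 or not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in a /{pd.prefixlen} delegation")
    net_int = int(pd.network_address) | (prefix_id << (128 - subnet_len))
    return ipaddress.IPv6Network((net_int, subnet_len))

def wan_address(delegated_prefix, prefix_id=0xFF, host=1):
    """Interface address ::1 (by default) inside the chosen /64."""
    net = subnet_for_prefix_id(delegated_prefix, prefix_id)
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(int(net.network_address) + host)}/{net.prefixlen}")

def global_inet6(ifconfig_text):
    """Global (non-link-local) inet6 addresses parsed from ifconfig output."""
    found = []
    for addr, plen in INET6_LINE.findall(ifconfig_text):
        iface = ipaddress.IPv6Interface(f"{addr.split('%')[0]}/{plen}")  # drop the %scope suffix
        if not iface.is_link_local:
            found.append(iface)
    return found

def reconcile(ifname, ifconfig_text, delegated_prefix, prefix_id=0xFF):
    """ifconfig commands that drop stale global addresses and add the one derived from the current PD."""
    want = wan_address(delegated_prefix, prefix_id)
    have = global_inet6(ifconfig_text)
    cmds = [f"ifconfig {ifname} inet6 {a.ip} prefixlen {a.network.prefixlen} -alias" for a in have if a != want]
    if want not in have:
        cmds.append(f"ifconfig {ifname} inet6 {want.ip} prefixlen {want.network.prefixlen} alias")
    return cmds  # empty when the interface already matches the delegation

if __name__ == "__main__":
    for cmd in reconcile("vtnet0", SAMPLE_IFCONFIG, "2001:db8:ab:100::/56"):
        print(cmd)
```

Run from whatever fires on a delegation change (dhcp6c can call a script when its lease changes), this keeps the WAN address in step with the PD instead of a hand-entered VIP.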
They shouldn't change your PD. If they do, they are doing it wrong. They should honor the DUID and issue you the same PD every time. At least as long as your router doesn't vanish from the network for an extended period of time or otherwise explicitly release the PD.
They should honor the DUID and issue you the same PD every time.
Make sure "Do not allow PD/Address release" is selected on the WAN interface.
Thanks everyone. I'm combining the last two posts from Derelict and JKnott and crossing my fingers to see if my ISP will do it right in the long term!