Ipv6 setup for Telus
-
I have tried to get ipv6 working with pfsense and have had no luck .I am running pfsense from the bridged port 1 on the telus router .
-
This is what worked for me:
- Navigate to Interfaces -> WAN
- IPv6 configuration should be DHCPv6
- Under the DHCP6 config, select “Request only an IPv6 prefix”, prefix size 56, “Do not wait for a RA”, and “Do not allow PD/Address release”.
- Under the DHCP config, select advanced configuration and add “supersede dhcp-lease-time 1800;” under Option modifiers. I found this necessary to keep the IPv6 prefix working for longer than a few hours.
- Under your LAN interface, select track interface for IPv6, and pick a prefix ID of 0. Other interfaces can use nonzero IDs but I found if I didn’t use zero I would eventually lose the prefix and pfsense wouldn’t recover.
You could also add some rules to allow the relevant ICMPv6 packets through the firewall.
-
This is what i did and works perfect
You should have the following WAN settings:
IPV4: dhcp
IPV6: dhcp6
request prefix only
/56 prefix
do not wait for ra
do not allow pd release
You should have the following LAN settings:
ipv4: static
ipv6: track interface
upstream gateway: none
track ipv6 interface: WAN -
The latest pfsense patch seems to have broken something. Can’t get an ipv6 address at all now. Don’t have time to debug it now but maybe in a few weeks I’ll look into it.
-
@eternalglue Works fine here no problems at all
-
The latest update works for me too. I'm on Rogers.
-
A reboot fixed it. Not sure what was going on, but an error in the system logs said something like “couldn’t allocate interface”. Wish I’d saved it now.
-
@eternalglue said in Ipv6 setup for Telus:
This is what worked for me:
- Navigate to Interfaces -> WAN
- IPv6 configuration should be DHCPv6
- Under the DHCP6 config, select “Request only an IPv6 prefix”, prefix size 56, “Do not wait for a RA”, and “Do not allow PD/Address release”.
- Under the DHCP config, select advanced configuration and add “supersede dhcp-lease-time 1800;” under Option modifiers. I found this necessary to keep the IPv6 prefix working for longer than a few hours.
- Under your LAN interface, select track interface for IPv6, and pick a prefix ID of 0. Other interfaces can use nonzero IDs but I found if I didn’t use zero I would eventually lose the prefix and pfsense wouldn’t recover.
You could also add some rules to allow the relevant ICMPv6 packets through the firewall.
Just noticed this thread about Telus. Telus has played with lease times quite a bit. Lately, at least for DSL, the lease time is 10 minutes, so you will see it renew every 5 minutes. This happens in the background, so it makes no difference to the service.
The only mandatory settings for Telus are: request prefix only, /56 prefix, and do not wait for ra.
It's not strictly necessary to use do not allow pd release, unless you want the dynamic prefix to be as stable as possible. Telus will delegate the same prefix to the same DUID, unless another system requested a prefix while there was no active lease on it. The only difference do not allow pd release makes is that the prefix won't go back into the queue immediately, it will go back in after it expires. That's 10 minutes (BFD). In practice, if you keep your system running, the prefix won't change. As long as you keep an active lease on it, the prefix will stay the same.
-
Hi All,
I know this is a very old topic but I have a doubt.
Since Telus only allow for asking PD and not an address, how can I set an IPv6 to the WAN interface of the firewall?
Thanks
Jose -
@jrbenito said in Ipv6 setup for Telus:
how can I set an IPv6 to the WAN interface of the firewall?
You don't need one. Routing is done through the link local address. If you need a destination for a VPN, server etc., you can use the address of your LAN interface.
-
For routing I don't need one, but for reverse proxy (load balancing with HA Proxy) and mainly, for DNS connectivity over IPv6 I need one. For the DNS, what I made was select one of the LAN interfaces as outbound for DNS server. However, I think it is a bit cumbersome have to think in "going out" through the LAN side. It works, sure.
Another point is, I agree with all arguments regarding prefix delegated should not change. But in reality it does change (almost never but also no guarantee it won't change). A dynamic DNS to the WANs IPv6 would help a lot with the load balance situation, I believe that it is impossible to have a DynDNS config attached to a LAN instead of the WAN side of the Pfsense, right?
BRs,
Jose -
As for load balancing, isn't the link local address good enough? I'm not aware of a way to manually assign an address using the GUI, but perhaps you could write a script that adds an address to the interface. That address would have to be from an unused prefix, and given a /128 prefix length.
Incidentally, with Rogers, I have a WAN address. But since it has a /128 prefix, it doesn't actually communicate with anything directly. This is one difference with IPv6 vs IPv4. Routing is often done with link local addresses and all traffic for any interface on the router would be carried over the link local/MAC address. This sort of thing was also possible with IPv4, but wasn't seen very often.
Also, are you load balancing with Telus? Or something else?
-
I did not realize we are more or less on the same timezone. Nice!
So, what I meant with load balancing was http/https reverse proxy/load balance. I use HA Proxy for that on IPv4 and my point of entry is the PfSense. With IPv6 sure I could still have the IPv4 being terminated at pfsense and ipv6 direct to the server itself (and load balance there). This has the downside of using two entry points. Another solution would be transfer the HA Proxy from pfsense to the internal server and port forward the IPv4 to it, so now a single entry point and a firewall rule for the port forward (better solution).
The script is good call, sounds simple and can keep the current HA Proxy configuration.
Very good insights by the way, thanks.
-
The thing to bear in mind is that everything on pfsense or behind it arrives on the same link local address. Does it really matter which internal address? If you have an address on the WAN interface, it behaves the same as any other address. Also, the WAN address has absolutely nothing to do with your prefix. So, what is it you're hoping to achieve by putting an address on the WAN port. As far as I can tell, you need a destination address. Does it really matter what that address is, so long as it's always there? Perhaps I'm missing something. Again, if you absolutely need a WAN address, you can do it at the FreeBSD level.
As for time zones, Rogers covers 5.5 of them, all the way from the Atlantic to the Pacific. I'm not sure how far east Telus goes. Do they provide Internet outside of B.C. and Alberta. I've only worked with them on jobs in Edmonton, Calgary and Vancouver. I'm near Toronto. About the only thing Telus around here is cell phone service and that's often over Bell's network.
I'm surprised Telus isn't providing a WAN address. Are you sure that's the case? Or are you just following the instructions above to only request a prefix?
-
@jknott said in Ipv6 setup for Telus:
As for time zones, Rogers covers 5.5 of them, all the way from the Atlantic to the Pacific. I'm not sure how far east Telus goes. Do they provide Internet outside of B.C. and Alberta. I've only worked with them on jobs in Edmonton, Calgary and Vancouver. I'm near Toronto. About the only thing Telus around here is cell phone service and that's often over Bell's network.
Toronto is "neighborhood" since I often have meetings with Netherlands, China and Australia :D. I am in Vancouver area. I don't know about Telus coverage outside BC... What I do know is that Rogers will be my mobile operator because I don't have good 4G inside my unit and it sucks when the buzzer goes to my voicemail. The only thing holding me yet is the time they ask for migration... crazy how it can take a week to migrate the number. I was used to have it done in 30 hours. Well, this is way out of topic.
I'm surprised Telus isn't providing a WAN address. Are you sure that's the case? Or are you just following the instructions above to only request a prefix?
Yes, i am sure. First thing a tested :). There is also instructions from Telus support on the forum saying that IA_PD only requests are preferred but in case IA_PD/IA_NA requests are sent, the later will receive answer with no addresses and client shall be prepared to handle it. Of course I tested it and indeed the answer comes with no addresses in it.
Thanks man.
-
@jrbenito said in Ipv6 setup for Telus:
I don't have good 4G inside my unit and it sucks
Try WiFi calling. I have the same issue and WiFi calling gives me a great signal.
-
@jknott said in Ipv6 setup for Telus:
Try WiFi calling. I have the same issue and WiFi calling gives me a great signal.
Good advice, will try.
-
@jknott said in Ipv6 setup for Telus:
The thing to bear in mind is that everything on pfsense or behind it arrives on the same link local address. Does it really matter which internal address? If you have an address on the WAN interface, it behaves the same as any other address. Also, the WAN address has absolutely nothing to do with your prefix. So, what is it you're hoping to achieve by putting an address on the WAN port. As far as I can tell, you need a destination address. Does it really matter what that address is, so long as it's always there? Perhaps I'm missing something. Again, if you absolutely need a WAN address, you can do it at the FreeBSD level.
As for time zones, Rogers covers 5.5 of them, all the way from the Atlantic to the Pacific. I'm not sure how far east Telus goes. Do they provide Internet outside of B.C. and Alberta. I've only worked with them on jobs in Edmonton, Calgary and Vancouver. I'm near Toronto. About the only thing Telus around here is cell phone service and that's often over Bell's network.
I'm surprised Telus isn't providing a WAN address. Are you sure that's the case? Or are you just following the instructions above to only request a prefix?
Telus definitely does not provide a WAN address. The settings for pfSense to work with Telus are:
Request only an IPv6 prefix is mandatory. It will not work otherwise.
The prefix delegation size must be /56. Nothing else will work.
Do not wait for RA is mandatory. It will not work otherwise.
Do not allow PD/Address release is recommended, but not necessary. Telus will delegate the same prefix to a given DUID, unless it was reallocated in the interim. This should only happen if the router is offline for quite a while. Note also that Telus will not delegate a prefix if there is currently an active lease on the same MAC.
-
@JrBenito There's no need for an 'external' IP6 address. Everything to your network(s) simply gets routed through the link-local address on your outside interface.
If you really, really, really want an official 'outside' address for your router (e.g. you want to build a IPv6 NAT system, for some reason), you can assign one of the eight /64 networks that you get with your /56 assignment to be your 'external' network with the outside address being one of the trillions of addresses available on that network.
Unlike IP4, which needed NAT because it started it's existence with a predicted exhaustion of addresses, IPv6 gives each user billions more addresses than the world ever had with IP4. -
@darkonc
To my knowledge, this needs to be configured manually in pfSense. The LAN interfaces get their subnets by following the WAN interface, however, the WAN cannot follow itself. In other words: if the prefix change, one needs to manually configure it again - or have some sort of scripting to do this.
All tho I get that "providers should keep prefix fixed, preferably, for the time the contract is active", in reality, most of them do not. They change the prefix if you change/upgrade your router and depending on the configuration you change on the router it can trigger a new prefix (it is based on the DUID in the case of Telus). In my mom's house (Brazil), the IPv6 prefix changes almost every 3 weeks with default configuration (why? to annoy users maybe...).In short, I agree with everything you said, I would like to have the IPv6 set to the WAN, but I can live without it.
Thanks,
JrBenito.
