Dynamic IPv6 Prefix assignment issue in xDSL users



  • It's a setting in pfSense, on the WAN interface, that tells it to not release the prefix. IPv6 uses something called a DUID to retain the same prefix. If that setting is not selected, the prefix will not be retained.



  • In the WAN configuration, ensure "Do not allow PD/Address release" is selected. That should keep your prefix from changing.

    That is true and it works, but it doesn't work if the prefix changes nevertheless (hope my English is OK), at a power loss or so.
    In my opinion pfSense is not accepting changing IPv6 addresses as they exist in Germany and maybe somewhere else, so there is no solution for changing firewall rules or their side effects. So you cannot build rules with the prefix as a variable plus identifier.

    pfadmin
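The DUID the two posts above lean on is the DHCPv6 client identifier (RFC 8415, section 11). The ISP's DHCPv6 server keys the prefix delegation on it as an opaque byte string, so the delegation survives reboots only while the client presents exactly the same bytes: pfSense's option keeps the client from releasing the lease, but a regenerated DUID (reinstall, hardware swap, a DUID-LLT built with a new timestamp) looks like a brand-new customer to the server. The example below is added here for this thread and is not pfSense or dhcp6c code; it encodes and parses the two link-layer DUID types so you can see what the server actually compares. The MAC address and timestamps are constructed.

```python
"""DHCPv6 DUID encode/parse (RFC 8415 section 11).
Added example for this thread; not pfSense or dhcp6c code.
The MAC addresses and timestamps used with it are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HW_TYPE_ETHERNET = 1            # IANA hardware type code for Ethernet
DUID_LLT_EPOCH = 946684800      # 2000-01-01T00:00:00Z as a Unix timestamp


@dataclass(frozen=True)
class Duid:
    duid_type: int
    hw_type: Optional[int]      # DUID-LLT and DUID-LL only
    llt_time: Optional[int]     # DUID-LLT only: seconds since 2000-01-01, mod 2**32
    payload: bytes              # link-layer address, or opaque body for EN/UUID


def duid_llt(mac: bytes, unix_time: int) -> bytes:
    """DUID-LLT: type(2) | hw-type(2) | time(4) | link-layer address.
    The time field is fixed at generation; regenerating yields a new identity."""
    if len(mac) != 6:
        raise ValueError("expected a 48-bit MAC address")
    t = (unix_time - DUID_LLT_EPOCH) & 0xFFFFFFFF
    return struct.pack("!HHI", DUID_LLT, HW_TYPE_ETHERNET, t) + mac


def duid_ll(mac: bytes) -> bytes:
    """DUID-LL: type(2) | hw-type(2) | link-layer address (no time field)."""
    if len(mac) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return struct.pack("!HH", DUID_LL, HW_TYPE_ETHERNET) + mac


def parse_duid(raw: bytes) -> Duid:
    """Decode the wire form; unknown or enterprise/UUID types are kept opaque."""
    if len(raw) < 3:
        raise ValueError("DUID must be at least 3 octets")
    (dtype,) = struct.unpack("!H", raw[:2])
    if dtype == DUID_LLT:
        if len(raw) < 9:
            raise ValueError("truncated DUID-LLT")
        hw, t = struct.unpack("!HI", raw[2:8])
        return Duid(dtype, hw, t, raw[8:])
    if dtype == DUID_LL:
        if len(raw) < 5:
            raise ValueError("truncated DUID-LL")
        (hw,) = struct.unpack("!H", raw[2:4])
        return Duid(dtype, hw, None, raw[4:])
    return Duid(dtype, None, None, raw[2:])


def duid_to_hex(raw: bytes) -> str:
    """Colon-separated hex, the form most client configs and GUIs display."""
    return ":".join(f"{b:02x}" for b in raw)


def duid_from_hex(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.replace("-", ":").split(":") if part)


def same_client(a: bytes, b: bytes) -> bool:
    """A DHCPv6 server compares DUIDs byte for byte; nothing in them is 'the same MAC'."""
    return a == b
```

Two DUID-LLTs built from the same MAC at different times are different clients as far as the ISP is concerned, which is why the stored DUID, not the MAC, is what you back up and carry across a reinstall.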


  • LAYER 8 Netgate

    Get a new ISP. They are probably not properly honoring the DUID. pfSense can only work with what it is given.

    Right. It is a complete pain when your PD is changed by your ISP. That is why they are not supposed to do that.



  • That is what I mean. You ignore the reality in Germany. A few changes and it is out of this world. A changing IPv6 prefix is nothing forbidden, but you want me to change my provider. AVM can work with it. Why won't you?


  • LAYER 8 Netgate

    If you need a firewall that will automatically track a changing prefix delegation and adjust firewall rules, etc, pfSense is not for you. A lot of effort has been put into working with ISPs that do the right thing - and it works well. Ultimately the ISP controls the user experience here. Yours apparently doesn't care and wants to treat IPv6 like IPv4+NAT.

    You can probably ease the pain somewhat using firewall aliases but it will still require manual intervention.

    You can see if someone has opened a similar feature request on redmine.pfsense.org and, if not, do so. I am not going to do it since I do not know all of the specifics of your situation.



  • @derelict said in Dynamic IPv6 Prefix assignment issue in xDSL users:

    Get a new ISP. They are probably not properly honoring the DUID. pfSense can only work with what it is given.

    Many German ISPs actually enforce a regular IP change for IPv4 and prefix change for IPv6. That is intended by the ISPs because a fixed IP is a premium option for their business offerings. You cannot change this with any option on pfSense, but for IPv6 you can switch to using a tunnel broker like He.net.


  • LAYER 8 Netgate

    @grimson said in Dynamic IPv6 Prefix assignment issue in xDSL users:

    Many German ISPs actually enforce a regular IP change for IPv4 and prefix change for IPv6.

    Criminal.



  • @grimson said in Dynamic IPv6 Prefix assignment issue in xDSL users:

    @derelict said in Dynamic IPv6 Prefix assignment issue in xDSL users:

    Get a new ISP. They are probably not properly honoring the DUID. pfSense can only work with what it is given.

    Many German ISPs actually enforce a regular IP change for IPv4 and prefix change for IPv6. That is intended by the ISPs because a fixed IP is a premium option for their business offerings. You cannot change this with any option on pfSense, but for IPv6 you can switch to using a tunnel broker like He.net.

    That's nuts! I can understand static addresses being considered premium on IPv4, where there is a severe shortage of addresses, but that doesn't hold with IPv6, with its incredibly huge address space. That's just blatant greed.

    There is a possible work around for this, assuming you're only using host name lookup for the local LAN and not from outside. It's possible to assign Unique Local Addresses, in addition to the global addresses. Just configure your DNS so that it points to the ULA rather than global addresses.
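The ULA workaround in the post above is RFC 4193. The 40-bit Global ID of an fd00::/8 prefix is meant to be pseudo-random (the RFC's suggested method is SHA-1 over an NTP timestamp and an EUI-64, keeping the low-order 40 bits) so that two sites that later get connected are unlikely to collide, which is also why fd00::/48 or a hand-picked vanity prefix defeats the purpose. Each host then carries a ULA in a /64 with the same subnet id alongside the ISP's GUA, keeping the same interface identifier, and the internal resolver hands out the ULA. The example below is added here for this thread and is not pfSense code; the MAC address and timestamp are constructed.

```python
"""RFC 4193 Unique Local Address generation and GUA/ULA pairing.
Added example for this thread; not pfSense code.
The MAC address and timestamp passed in are constructed values."""
import hashlib
import ipaddress
import struct
from typing import Union

Addr = Union[str, ipaddress.IPv6Address]
Net = Union[str, ipaddress.IPv6Network]

NTP_UNIX_OFFSET = 2208988800                    # 1900-01-01 to 1970-01-01, in seconds
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")   # fc00::/7 with the L bit set: locally assigned


def mac_to_eui64(mac: bytes) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle, flip the U/L bit."""
    if len(mac) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp (seconds since 1900, 32.32 fixed point), as RFC 4193 asks for."""
    secs = int(unix_time)
    frac = int((unix_time - secs) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", (secs + NTP_UNIX_OFFSET) & 0xFFFFFFFF, frac)


def ula_global_id(eui64: bytes, unix_time: float) -> bytes:
    """RFC 4193 section 3.2.2: SHA-1 over (NTP time || EUI-64), keep the low-order 40 bits."""
    return hashlib.sha1(ntp_timestamp(unix_time) + eui64).digest()[-5:]


def ula_prefix(mac: bytes, unix_time: float) -> ipaddress.IPv6Network:
    """fd | 40-bit Global ID | 16-bit subnet id | 64-bit IID  ->  the site's /48."""
    gid = ula_global_id(mac_to_eui64(mac), unix_time)
    return ipaddress.IPv6Network((b"\xfd" + gid + bytes(10), 48))


def ula_subnet(prefix: Net, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve one /64 out of the /48; use the same subnet id you use in the delegated prefix."""
    prefix = ipaddress.IPv6Network(prefix)
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 ULA prefix and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def ula_twin(gua: Addr, ula_net: Net) -> ipaddress.IPv6Address:
    """The same host's ULA: identical interface identifier, ULA /64 instead of the ISP's."""
    ula_net = ipaddress.IPv6Network(ula_net)
    if ula_net.prefixlen != 64:
        raise ValueError("ULA subnet must be a /64")
    iid = int(ipaddress.IPv6Address(gua)) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(ula_net.network_address) | iid)


def is_locally_assigned_ula(addr: Addr) -> bool:
    return ipaddress.IPv6Address(addr) in ULA_LOCAL
```

Assign the /64 from `ula_subnet()` as a second, static prefix on the LAN next to the tracked delegated one, and publish `ula_twin()` addresses in the local resolver only: a ULA record in public DNS is unreachable from outside and just leaks the site layout. The ULA does nothing for inbound access over the GUA either, so firewall rules for exposed services still have to follow the delegated prefix.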


  • LAYER 8 Netgate

    There is no equivalent in the IPv4 world. If you are provisioned such that you have routed IPv4 space and use that space on inside subnets, the ISP simply cannot change them on you. Everything would break.

    It is ludicrous to think IPv6 would be different.

    The only reason they have gotten away with dynamic IPv4 addressing for so long is we all use NAT and set our own static inside addresses.

    The answer is not to work around their nonsense but to stop paying them until they do it right. Penalize the stupid ones and reward those who do it correctly.



  • I can stop paying by stopping being a part of the internet. That's what you want from me if you say this. Maybe you are right, but it doesn't help anything here. There is a feature request from someone else, I will look for it and paste it here.


  • LAYER 8 Netgate

    As has been stated, if your ISP has broken IPv6 (and it sounds like that is the case), I would bug them about it. The S in ISP is for Service.

    In the meantime, as has been mentioned, you can get a static /48 - free - from www.tunnelbroker.net.



  • I'm sorry but "change of ISP" or "stop paying" is not an answer...

    I live in Belgium and I have the exact same problem, ALL the ISPs give dynamic prefixes and they don't give a shit about my complaints.

    There is a feature request for this problem on the tracker

    https://redmine.pfsense.org/issues/4881

    With this feature, we could use ULA on the LAN and NAT the prefix... But it has been dead for 2-3 years :(

    pfSense already has static NPT, just make it dynamic please

    English is not my first language, sorry



  • "Yeah, just use a tunnel broker and add 10-15ms of latency for each IPv6 connection, it's fine"

    No, it's not. I really don't understand your attitude... pfSense is already capable of doing static NPT, you know it's a thing and there is a feature request for dynamic NPT... You can implement it and solve this stupid issue...



  • @chaispaquichui said in Dynamic IPv6 Prefix assignment issue in xDSL users:

    "Yeah, just use a tunnel broker and add 10-15ms of latency for each IPv6 connection, it's fine"

    So what? Those few ms won't kill you.

    NAT is ugly and has to die as fast as possible, reviving it for IPv6 would be more than stupid.


  • LAYER 8 Global Moderator

    There is a HE PoP in Amsterdam, NL - I doubt that is going to add 10-15ms to your path.. Maybe 2 or 3 tops.. It's only, what, 200 miles from one side of Belgium to the other side of NL.. So yeah let's at worst call it 3 ms..

    Also one in Frankfurt - about the same distance.. Paris as well isn't far from any point in Belgium... So you have like 3 that I know of that are, what, 3ms from anywhere you could be in Belgium.. I could see your point if the closest PoP was 3000 miles away from you... But the EU is pretty freaking tiny when it comes to total latency anywhere.. Adding 3ms is not going to be any sort of issue.

    Added bonus is the /48 you get.. You can use that on ANY ISP you move to.. I have had the same /48 since 2013.. My current ISP doesn't even have any IPv6.. Same addressing...

    That is going to be way better than doing some nonsense NAT on IPv6 because your ISP is stupid.


  • LAYER 8 Netgate

    @chaispaquichui said in Dynamic IPv6 Prefix assignment issue in xDSL users:

    "Yeah, just use a tunnel broker and add 10-15ms of latency for each IPv6 connection, it's fine"

    No, it's not. I really don't understand your attitude... pfSense is already capable of doing static NPT, you know it's a thing and there is a feature request for dynamic NPT... You can implement it and solve this stupid issue...

    Your ISP can deploy IPv6 correctly and solve this stupid issue.



  • I understood you are not going to implement dynamic NPT but I will stand my case until the end!

    Thx for your answer johnpoz but ironically, I know this PoP in Amsterdam... I used it for 2 years, before my ISP started giving me native IPv6 addresses. I know for a fact that it gives me 10 or 15 ms of extra latency, I experienced it :(

    "NAT is ugly and has to die as fast as possible, reviving it for IPv6 would be more than stupid."

    There is no such thing as an "evil" protocol. The NAT you are referring to is "PAT", NPT is not the same.

    I'm not saying you should always do NAT with IPv6, far from it! But NPT has some use cases

    • You want to do IPv6 multihoming without BGP? You can use NPT
    • You want to be able to leave your ISP without having to renumber your LAN? You can use NPT
    • You want to give the middle finger to greedy ISPs who give you a dynamic prefix? You can use NPT

    "That is going to be way better than doing some nonsense NAT on IPv6 because your ISP is stupid."

    It's not "nonsense", it's a solution to a real problem :( My ISP is not stupid, it is greedy. If I want a static prefix, I can... I just need to pay 2 or 3 times the actual price of my connection. And this ISP is not the first to do that and it is not going to be the last.

    You know what is truly ironic? I just discovered that pfSense is able to do PAT for IPv6!


    My problem is solved !

    But it's ugly and I don't want to do that... pfSense can do static NPT and PAT for IPv6, please add dynamic NPT, it's less ugly
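The NPT asked for in this post and in the earlier ones (the redmine ticket, "make static NPT dynamic") is RFC 6296 NPTv6: a stateless, 1:1 prefix rewrite that swaps the ULA prefix for the delegated prefix on the way out and reverses it on the way in, leaving the interface identifier alone. What separates it from NAT44/PAT is that it is checksum-neutral: one 16-bit word just below the prefix is adjusted in one's complement arithmetic so that TCP, UDP and ICMPv6 checksums computed over the inner address still verify after translation, so no payload is touched and no per-flow state is kept. The example below is added here for this thread and is not pfSense or pf code; the ULA and 2001:db8::/32 documentation prefixes are constructed. The `renumber()` helper is the part a "dynamic NPT" would have to do on a PD change: keep the internal side, recompute the adjustment for the new external prefix.

```python
"""Checksum-neutral IPv6 prefix translation (NPTv6, RFC 6296).
Added example for this thread; not pfSense or pf code. Prefixes used with it are constructed."""
import ipaddress
import struct
from typing import List, Union

Addr = Union[str, ipaddress.IPv6Address]
Net = Union[str, ipaddress.IPv6Network]


def ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(words) -> int:
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def words_of(addr: Addr) -> List[int]:
    return list(struct.unpack("!8H", ipaddress.IPv6Address(addr).packed))


def addr_of(words: List[int]) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(struct.pack("!8H", *words))


def checksum_sum(addr: Addr) -> int:
    """One's complement sum over the address, as a transport checksum sees it.
    0x0000 and 0xFFFF both mean zero, so fold them together for comparison."""
    s = ones_sum(words_of(addr))
    return 0 if s == 0xFFFF else s


class Nptv6:
    """Stateless 1:1 mapping between an internal (ULA) and an external (delegated) prefix."""

    def __init__(self, internal: Net, external: Net):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if self.internal.prefixlen != self.external.prefixlen or self.internal.prefixlen > 64:
            raise ValueError("NPTv6 needs two prefixes of the same length, at most /64")
        self.plen = self.internal.prefixlen
        # The first 16-bit word lying entirely outside the prefix absorbs the
        # adjustment (word 3, the subnet id, for a /48).
        self.adj_word = -(-self.plen // 16)
        # adjustment = sum(internal prefix) - sum(external prefix) in one's complement;
        # adding it to that word keeps the sum over the whole address unchanged.
        ext_neg = (~ones_sum(words_of(self.external.network_address))) & 0xFFFF
        self.adjustment = ones_add(ones_sum(words_of(self.internal.network_address)), ext_neg)

    def _rewrite(self, addr: Addr, src: ipaddress.IPv6Network,
                 dst: ipaddress.IPv6Network, adj: int) -> ipaddress.IPv6Address:
        addr = ipaddress.IPv6Address(addr)
        if addr not in src:
            raise ValueError(f"{addr} is not inside {src}")
        host_mask = (1 << (128 - self.plen)) - 1
        words = words_of(ipaddress.IPv6Address(int(dst.network_address) | (int(addr) & host_mask)))
        w = ones_add(words[self.adj_word], adj)
        # RFC 6296: a result of 0xFFFF is written as 0x0000 (both are one's complement zero).
        words[self.adj_word] = 0 if w == 0xFFFF else w
        return addr_of(words)

    def to_external(self, addr: Addr) -> ipaddress.IPv6Address:
        """Outbound: internal prefix -> external prefix, interface id untouched."""
        return self._rewrite(addr, self.internal, self.external, self.adjustment)

    def to_internal(self, addr: Addr) -> ipaddress.IPv6Address:
        """Inbound: subtract the adjustment, i.e. add its one's complement."""
        return self._rewrite(addr, self.external, self.internal, (~self.adjustment) & 0xFFFF)


def renumber(npt: Nptv6, new_external: Net) -> Nptv6:
    """What a 'dynamic NPT' would do on a prefix-delegation change: keep the ULA
    side, replace the external prefix, recompute the adjustment. Established
    flows still break, but rules and DNS written against the ULA do not."""
    return Nptv6(npt.internal, new_external)
```

Two caveats a practitioner would want: because 0x0000 and 0xFFFF are both zero in one's complement, an internal subnet whose adjusted word comes out as 0xFFFF cannot round-trip (the translator writes 0x0000), so do not number a subnet with the word that maps there; and NPTv6 is not a security boundary, the filter still needs its default-deny rules, the gain is only that those rules can now be written against a prefix that never changes.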



  • Are you kidding me?

    Edit: okay, thx for the clarification!


  • Galactic Empire

    It could be the forum seeing you post from a different IP address, it's not people disliking your post.

    https://forum.netgate.com/topic/137638/posts-being-marked-as-spam-on-my-lan


  • LAYER 8 Global Moderator

    Well it's possible your ISP doesn't peer with HE and you're taking a long path to get to that PoP, try one of the other PoPs in the EU that are also only about 200-some miles from anywhere in Belgium.



  • If you need a firewall that will automatically track a changing prefix delegation and adjust firewall rules, etc, pfSense is not for you.

    You should maybe put that on the SG-1100 product page. I bet tens of millions of residential users in the US can't get static IPv6.

    @chaispaquichui Thank you for pointing out that NAT (or PAT, whatever) works fine with IPv6. Though ugly it solves a real problem, and perhaps allows Multi-WAN without static IPv6 from either provider.


  • LAYER 8 Global Moderator

    Rules are dynamically adjusted when the tracked prefix changes on the LAN-side interfaces, that is the whole point of using the built-in "network" aliases... They allow you to create rules so even if the interface's network changes, the rules would still allow clients in this new network through, etc.

    If you hard code a cidr and that network changes - that would be on you.


  • LAYER 8 Netgate

    @dem said in Dynamic IPv6 Prefix assignment issue in xDSL users:

    If you need a firewall that will automatically track a changing prefix delegation and adjust firewall rules, etc, pfSense is not for you.

    You should maybe put that on the SG-1100 product page. I bet tens of millions of residential users in the US can't get static IPv6.

    Right, but many providers understand how IPv6 works and honor the DUID and very, very rarely change the prefix delegation. A change in PD is nearly always due to mitigating circumstances, such as you changing the DUID you send.

    I personally have dynamic IPv6 from Cox and get the same PD every time. This is because Cox "gets it."

    Dynamic IPv6 works fine when properly-implemented at the ISP side. Have you complained to them? If they want to do something nonstandard, you might be relegated to using their "residential gateway" hardware if you choose to use them for ISP service.

    @grimson said in Dynamic IPv6 Prefix assignment issue in xDSL users:

    Many German ISPs actually enforce a regular IP change for IPv4 and prefix change for IPv6. That is intended by the ISPs because a fixed IP is a premium option for their business offerings.

    This, if factual, is the problem. Not lack of documentation on the pfSense site. And this is nothing specific to the SG-1100.


  • LAYER 8 Netgate

    @johnpoz said in Dynamic IPv6 Prefix assignment issue in xDSL users:

    Rules are dynamically adjusted for when the tracked prefix changes on the lan side interfaces, that is the whole point of using the built in "network" aliases... They allow you to create rules so even if the interfaces network changes the rules would allow clients in this new network to still be allowed through the rules, etc.

    If you hard code a cidr and that network changes - that would be on you.

    Right but that is only part of the problem.

    Making things like DMZs you would have to take great care when blocking access to other local subnets. Since we can't just use the Block Everything RFC1918 hammer any more.

    For instance you could get a /56 PD and route a /60 or whatever to a downstream switch. That would not be contained in any interface subnet auto-alias. So there's another place that would need to be changed when a PD was maliciously changed by the ISP. I'm sure there are hundreds of places.

    The whole point is to put public addresses everywhere on the inside. This type of behavior is unheard of in the IPv4 space. Why should it be tolerated in IPv6?

    ISPs should not change PDs willy-nilly or should be killed by customer dissatisfaction and churn.


  • LAYER 8 Global Moderator

    @derelict said in Dynamic IPv6 Prefix assignment issue in xDSL users:

    ISPs should not change PDs willy-nilly or should be killed by customer dissatisfaction and churn.

    Yup completely agree!!! Once they give me my /48 it should be mine until I am no longer a customer.. It should never change.. If they only want to give a /56 or even a /60 ok... But once given to me, it should never change..



  • With the DUID Telekom changes the IPv6 prefix rarely, but it changes. That's reality, a fact we cannot change. So ignore the users, it's OK. Or do a little bit of coding! Give us an alias which I can add to my rules. I can build my rules with this alias and do not have to look and change manually. And give this alias to the DNS Resolver where I can build the server IP with the alias and a known interface identifier. We can discuss what one of the biggest telcos should do or not, or we can just solve the problems/wishes of potentially millions of users in Europe.

    thanks


  • LAYER 8 Netgate

    @pfadmin Pull requests are always appreciated.




  • LAYER 8 Netgate

    A feature request is not a pull request.

    A pull request is "here's proposed code to implement/fix this."



  • I really don't understand... You could solve this problem and use it for marketing purpose...

    Something like "Yep, we know some ISPs give you a dynamic prefix but don't worry, pfSense has a solution for that!"

    Instead, you completely ignore the users and tell them to complain to the ISP (who doesn't care because it's their business model)

    Anyway, it's not important anymore. I switched to OPNsense. They have a ticket for this problem and are working on it.

    https://github.com/opnsense/core/issues/2544



  • @chaispaquichui said in Dynamic IPv6 Prefix assignment issue in xDSL users:

    Instead, you completely ignore the users and tell them to complain to the ISP (who doesn't care because it's their business model)

    How is pfSense supposed to fix something that's been broken by the ISP? If they change your prefix, you can't keep using the old one. This means any existing connections will break. As for more than one address, the normal operation with SLAAC is to use privacy addresses for outgoing connections. These will change daily, but remain within the prefix. There is also a fixed address that does not change daily and can be used for incoming connections. It does not matter if the privacy address changes daily, as a new connection will always use the newest. Older ones remain for a week, to support any existing connection. So, the problem is not that you have multiple addresses, but that the addresses are in different prefixes. That is entirely the ISP's doing. They are the ones that are breaking how IPv6 is supposed to work.


  • LAYER 8 Global Moderator

    And to be honest - any sort of work around on the part of pfsense or any router distro doesn't do anyone any favors at all.. Since it just allows the ISP to remain broken..

    Broken or half assed deployments doesn't help promote the movement to IPv6... it just slows it down even more..



  • It's kind of funny seeing comments such as "the ISP has a broken implementation of IPv6" or "you should change your ISP". I wonder what world you guys who suggest these things are living in. Most people have few choices for ISP. For example, my ISP is Telus, which has a somewhat interesting implementation of IPv6. I have a contact in the engineering department who is surprisingly candid about their design decisions. He doesn't necessarily agree with them, but at least he is open to discuss things such as prefixes. If I don't like Telus, there is Shaw which doesn't support IPv6 at all.

    As was said, many ISPs force prefix changes, in order to extract extra $$ from the customers who want stable prefixes. Most ISPs have no f*cks to give if you say you will switch unless they "fix" things that their subscribers consider to be broken. For most people, the first and only point of contact is telephone support, which might be outsourced to a third-world country. Does anyone seriously think complaining to Rajinder will change anything?

    As for using a tunnel, Hurricane Electric is maybe the only ISP in the world that listens to feedback. I wish they offered full internet service. If they did, I would pay more to use them. A tunnel is a good way to get IPv6 if you have no other choice, but it has limitations. For one, Netflix doesn't work over it. For another, unless HE's server is in the same city where you live, it tends to mess up location specific websites.

    ISPs are widely known for providing terrible service and that's not going to change because they are listening to their subscribers. This is why people ask for pfSense to help "fix" things that the ISP got wrong.


  • LAYER 8 Netgate

    Nobody would tolerate that sort of change with routable IPv4 addresses for all of the same reasons it sucks for IPv6. Why should IPv6 be any different? IPv6 is supposed to be "better."

    ISPs need to get a clue. The only thing that will change their mind is 💵 or 💶 .

    If you use a broken ISP you are probably limited to using their (probably crappy) residential gateways.

    I guess if you want IPv6 you could always pay the tax to get it for real if your ISP sucks.

    sonic.net also seems to listen, but has a limited footprint (Bay area mostly)



  • @derelict said in Dynamic IPv6 Prefix assignment issue in xDSL users:

    Nobody would tolerate that sort of change with routable IPv4 addresses for all of the same reasons it sucks for IPv6. Why should IPv6 be any different? IPv6 is supposed to be "better."

    ISPs need to get a clue. The only thing that will change their mind is 💵 or 💶 .

    If you use a broken ISP you are probably limited to using their (probably crappy) residential gateways.

    I guess if you want IPv6 you could always pay the tax to get it for real if your ISP sucks.

    sonic.net also seems to listen, but has a limited footprint (Bay area mostly)

    I don't think it's a matter of people tolerating bad behaviour from clueless ISPs. For many, there simply is no choice. ISPs behave badly because they know many people have no choice.

    My ISP has native dual-stack IPv4/IPv6. That's more than some other ISPs offer. Also, fortunately, they chose to allow subscribers to bridge the port on the modem/router so they can use their own router. I have a main pfSense router, plus other routers that I run just to keep on top of them working as they are developed. I haven't encountered any limits such as the number of leases or prefixes. It could be better but it could also be worse.

    The benefit that pfsense can offer is a way to help subscribers with broken IPv6 implementations. I think that's why there are repeated requests for some help with dynamic prefixes. Some of the ideas are unworkable, but that's not to say improvements could not be made.


  • LAYER 8 Global Moderator

    @bimmerdriver said in Dynamic IPv6 Prefix assignment issue in xDSL users:

    Netflix doesn't work over it.

    So what - use IPv4 for that... While I am all for IPv6 and would love to see it move more mainstream... In the BIG picture it's not here yet.. There is ZERO reason for you to have to use it, especially as a home user. Sure, if you are hosting services to the public you should make sure your services are available on IPv6..

    I have been playing with IPv6 for years and years and years.. Way before the root servers for DNS were even on IPv6.. Was one of the first few hundred to get my Sage cert from HE..

    Sorry but there are ZERO reasons to deal with nonsense ISPs that don't get it... Use a freaking tunnel if you are forced to use the ISP you have.. My current ISP doesn't even provide IPv6 - I don't give 2 shits because I have 5X the speed for 1/2 the price of Comcast..

    Multiple threads around here about blocking AAAA for Netflix if that is your only concern.. Here is the thing: I have IPv6 on my network, I even host public NTP on IPv6... Through a tunnel - my devices that I use to watch Netflix.. I just don't enable IPv6 on them, it's that freaking easy.

    It's great that you want to learn and play and participate in the future, which for sure is IPv6.. But there is nothing forcing you to use it... Please name 1 actual public resource that you HAVE to have IPv6 to access... Just 1... Other than some odd ball p0rn fetish site (which there are 100,000 others to choose from)... Or maybe a few sites on the darkweb. How fast do you think ISPs would get their shit in order if users actually complained about IPv6 issues? Problem is the only ones that give 2 shits about it are people like you.. 1 in 1000, maybe 10000 of their users..

    I would love nothing more than to just use IPv6.. Sorry, not here yet - I am pretty freaking sure I will be retired from the biz well before that happens.. So while I understand your grief - you're ranting to the wrong place... It's not the router distro you're using's problem to fix a BORKED deployment from your ISP..

    And to be honest, the few developers have way more important things to worry about than some odd ball IPv6 hack to help some users on some borked ISP setup ;) As already mentioned, if you want a fix or hack or whatever you want to call it to handle your ISP nonsense... Then submit your pull request :)

    Or just do the simple thing and use a HE tunnel to get your IPv6 fix...

    Or get your own IPv6 space from your local RIR, and get an ISP that will route it to you.. Your typical residential ISP, that has Billy wanting to download porn and stream internet, really doesn't give 2 shits about proper IPv6 deployment, nor does it hire the appropriately skilled engineers to deploy it correctly..