Netgate Discussion Forum

    IPv6 unable to access internet on LAN interface

      JKnott @Derelict

      @Derelict said in IPv6 unable to access internet on LAN interface:

      Glad it's working.

      Note: Even though the ULA space is assigned as fc00::/7, only fd00::/8 should be used. And specifically in /48 prefixes.

      https://en.wikipedia.org/wiki/Unique_local_address#Definition

      I thought fd00 was for when you picked your own prefix and fc00 was when you got it from some central server. The idea for the server was to avoid the possibility of a collision, though it would be hard to collide, when you can choose a random number with 32 bits. I created my prefix by using the command "ps aux|md5sum" on a Linux box and taking enough of it to fill out the prefix.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

        xayumi

        @Derelict Thanks! I do the re-addressing,

        with OpenVPN as fd00::2:0:0:0:0:1/64
        With LAN as fd00:0:1::/48, and DHCPv6 with allow PD on fd00:0:1:ffff::/64

        Now all works finally like a charm!! Cheers!!

        @JKnott Thanks for your tips too !!

          Derelict LAYER 8 Netgate

          OK. That is not right either, unfortunately.

          You should ALWAYS set an interface network to /64. Always.

          You should generate 40 random bits and append them to fd so you have `fd(forty-random-bits)::/48` to use at THAT SITE.

          There are 65536 /64 networks to use out of that prefix, 256 /56 prefixes.

          For instance, generate a random prefix using a site such as this:

          https://cd34.com/rfc4193/

          Plug in any MAC address from your network (pretty much guaranteed to be globally-unique) and get the result. That is your /48.

          I got this:

          Your Private IPv6 network is:
          fda9:e2c2:07be::/48
          
          giving you access to the to the following /64s:
          fda9:e2c2:07be:0::/64 through fda9:e2c2:07be:ffff::/64
          
          This page uses the first method suggested by IETF using the current
          timestamp plus the mac address, sha1 hashed, and the lower 40 bits to
          generate your random ULA. Consequently, if two organizations hit this page
          within the same second, with the same mac address to generate a ULA, they
          could have identical ULAs.
          

          So you use address bits 49-63 from 0 to ffff as the subnet identifier to place on interfaces.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)
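
Added example (not code from this thread or from the cd34.com page): a Python sketch of the plan described in the post above, covering the fd + 40-bit /48 site prefix, the 16-bit subnet ID that selects each /64, and a check of proposed interface prefixes. The function names and the packed-double timestamp encoding in `hashed_ula` are assumptions made for illustration.

```python
import hashlib
import ipaddress
import secrets
import struct

ULA_USABLE = ipaddress.IPv6Network("fd00::/8")

def ula_from_global_id(global_id: bytes) -> ipaddress.IPv6Network:
    """Build the site prefix: 0xfd, then a 40-bit Global ID, as a /48."""
    if len(global_id) != 5:
        raise ValueError("Global ID must be exactly 40 bits (5 bytes)")
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))

def random_ula() -> ipaddress.IPv6Network:
    """Take the 40 bits from the OS CSPRNG."""
    return ula_from_global_id(secrets.token_bytes(5))

def hashed_ula(mac: str, timestamp: float) -> ipaddress.IPv6Network:
    """Timestamp plus MAC, SHA-1 hashed, lower 40 bits kept.
    Assumed encoding: timestamp packed as a big-endian double."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    digest = hashlib.sha1(struct.pack(">d", timestamp) + mac_bytes).digest()
    return ula_from_global_id(digest[-5:])  # same inputs -> same prefix

def subnet_count(site: ipaddress.IPv6Network, new_prefix: int) -> int:
    """How many prefixes of length new_prefix fit in the site prefix."""
    return 2 ** (new_prefix - site.prefixlen)

def interface_subnet(site: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Select one /64 of the /48 by its 16-bit subnet ID (0 to 0xffff)."""
    if site.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 site prefix and a 16-bit subnet ID")
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))

def check_interface(prefix: str, site: ipaddress.IPv6Network) -> list:
    """List the problems with a proposed interface prefix; empty means OK."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    problems = []
    if not net.subnet_of(ULA_USABLE):
        problems.append("not inside fd00::/8")
    if net.prefixlen != 64:
        problems.append("interface prefix is not /64")
    if not net.subnet_of(site):
        problems.append("outside the site /48")
    return problems

if __name__ == "__main__":
    site = ipaddress.IPv6Network("fda9:e2c2:07be::/48")  # prefix quoted in the post
    print(interface_subnet(site, 0xFFFF), subnet_count(site, 64), subnet_count(site, 56))
    print(check_interface("fd00:0:1::/48", site))  # LAN prefix from the earlier post
```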

            JKnott @Derelict

            @Derelict said in IPv6 unable to access internet on LAN interface:

            You should ALWAYS set an interface network to /64. Always.

            I read some discussion a while ago, about how that doesn't apply to point to point links, where a /126 or /127 should be used, for security reasons. However, it certainly applies on LANs so that SLAAC can work properly.

              Derelict LAYER 8 Netgate

              We're not talking about point-to-point links, bro.

              I don't have time to make every forum response cover every possible caveat.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.