IPv6 address allocated but not working



  • Hi,

    I am new to pfSense and trying to make IPv6 work on my AT&T fiber optic network. In the pfSense console I see that all three interfaces (WAN, LAN1 & LAN2) get an IPv6 address (see attached).
    ipv6.jpg

    Also I am able to use ping6 to reach ipv6.google.com and a few other sites, but when I try to reach any IPv6 website I am unable to do so. In fact I cannot even see the IPv6 address when I access the website http://testmyipv6.com.

    Any idea what I need to be reviewing or potential source of this problem?
    Thanks,

    Pankaj



  • @pankaj13

    We can't tell if your WAN is within the same prefix as your LAN, as you blocked out too much. Also, the ifconfig command tells a lot more than what you've shown from the interfaces.



  • @JKnott thanks for the pointer, I ran ifconfig on the pfSense box and got the following information:

    WAN - prefixlen 64 autoconf
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
    Also noticed that there is another IPv6 address (starting with 2600) assigned on WAN with prefixlen 128

    LAN1 - prefixlen 64
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

    LAN2 - prefixlen 64
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

    PS: I read someone recommend on another thread not to post global IP addresses in forums here so blanked out the details in my earlier post.



  • I also see on the AT&T 5268 AC modem the following additional settings:

    ipv6-modem.png

    The modem also has the following DHCP6 settings enabled
    modem-dhcp6.png

    Also I used "prefix ID = 1" on LAN1 and "prefix ID = 2" for LAN2 on pfSense; if I do not use these settings then LAN1 and LAN2 do not get any IPv6 assigned



  • @pankaj13 said in IPv6 address allocated but not working:

    PS: I read someone recommend on another thread not to post global IP addresses in forums here so blanked out the details in my earlier post.

    Is the WAN prefix the same as the LAN? The prefix is the first 64 bits. Normally, the WAN address is in a different prefix from the LAN and in some cases may be a /128. A router can't work if the 2 interfaces are in the same prefix. Also, things are a bit different with IPv6. For example, the link local address is often used for routing and the WAN address is simply another address on the box that does not take part in routing.

    Also, even if someone does know your prefix, they'd still have a heck of a time finding a computer with the 2^64 addresses on your LAN. That's the entire IPv4 address space squared!



  • @pankaj13 said in IPv6 address allocated but not working:

    I also see on the AT&T 5268 AC modem the following additional settings:

    That looks like your modem is in gateway mode, which means pfSense can't pass on a prefix to devices behind it. Can you put that modem into bridge mode?



  • @JKnott

    Yes, you are correct that WAN and LAN 1&2 have the same prefix and that might be the root cause of this problem.

    • Also read on another thread in another forum that the AT&T modem does not work in bridge mode and has caused heartburn for several other pfSense members :-(

    Ok, so assuming that AT&T is not going to change its ways for my needs, I have a few questions for you and will appreciate it if you can give me some guidance on the following:

    1. Is it possible to just use local link address for routing LAN1 & LAN2 machines to WAN? If not then ignore rest of the questions below.
    2. If yes to 1) then do I need to set up routing individually for each machine?
    3. If yes to 2) how do I configure routing to WAN using link local on each machine for following machines:
      a) pfSense (LAN 1 and LAN 2)
      b) Ubuntu machine on LAN1
      c) Windows machine on LAN2

    Thanks, and I appreciate your insights, which saved me a lot of heartburn trying to configure dumb AT&T hardware.

    PS: Also had a good laugh reading your comment about my paranoia about exposing 2^64 x 2 combinations :-) I am finding IPv6 somewhat confusing yet fascinating at the same time.



  • @pankaj13 said in IPv6 address allocated but not working:

    Is it possible to just use local link address for routing LAN1 & LAN2 machines to WAN?

    Sure, you could use the link local addresses for routing, but that's not the problem. You have only a single /64 and you'd need another for each local network. You can't just pick prefixes on your own. Then, your ISP has to know to route to those prefixes and there's no way for that to happen, without them running a routing protocol, such as OSPF, to subscribers.



  • @pankaj13 ,

    I've been playing with my BGW210-700 to test and learn IPv6 on my home network. My service has IPv4 static subnet, but IPv6 is dynamic.

    When looking at your screenshot, without seeing the subnet on your v6 address, I don't know if you were receiving different /64 subnets or not.

    In my case, when looking at the RG, I see a /64 address, so I configured my pf WAN to DHCP6 and left the delegation at /64. Tracking my LAN IPv6 to the WAN, I get an IPv6 address and all my devices behind the LAN are also getting their IPs and able to surf no problem.

    The WAN is getting an IPv6 address of xxx:xxx:xxx:2d80:xxx:xxx:xxx:xxx and the LAN a xxx:xxx:xxx:2d8f:xxx:xxx:xxx:xxx, the last subnet on that /60 range. I've tried to request different delegations from the ISP, but always get the same subnet and the LAN IPv6 breaks (no IPv6 IP is obtained).

    To stop playing with my production pf, I just created a VM, connected its WAN to the RG, and the LAN was assigned to another switch. When looking at the assignments, I see the WAN on the same subnet, 2d80, but the LAN now is on 2dge.

    That 2d80 is the RG Global Unicast: Global Unicast IPv6 Address XXX:XXX:XXX:2d80::1
    IPv6 Addressing Subnet (including length) XXX:XXX:XXX:2d80::/64
    And now I see:

    IPv6 Delegated Prefix Subnet (including length) XXX:XXX:XXX:2d8e::/64 , XXX:XXX:XXX:2d8f::/64, listed in the RG network status.

    All working fine, by the way. Just trying to find out how to force the ISP to delegate the multiple /64 that I think are available ... at least 16 of them :)

    Just as info.



  • @amello said in IPv6 address allocated but not working:

    All working fine, by the way. Just trying to find out how to force the ISP to delegate the multiple /64 that I think are available ... at least 16 of them :)

    On the WAN page, you can select the number of /64s in the DHCPv6 Prefix Delegation size box. Also, you probably also want to enable Do not allow PD/Address release, so that your prefix doesn't change.



  • Hi @JKnott

    On my WAN configuration I see, under DHCP6 configuration: DHCPv6 Prefix Delegation size, set to /64. Do you mean change it to /60 or something like that? I've tried that to no avail, if that's what you mean.

    Enabling Do not allow PD/Address release so it won't change IPs, thanks for the tip.



  • @amello

    That Prefix Delegation size refers to the size of the address block you get from the ISP. I get a /56, so I select 56. If your ISP provides 16 /64s, you'd select 60 for the prefix size. Then, on the LAN side, for each interface, you use IPv6 Prefix ID to select which of the /64s you want to use for that interface. If only /64 works for Prefix Delegation, then that's all you're getting from the ISP. By "no avail" do you mean you see no difference? Or it stops working? As I mentioned, you need to use both those settings to make use of multiple /64s.



  • @JKnott

    Yes, I've tried setting my prefix delegation size to /60. The WAN gets an IPv6, but the tracking LAN won't.

    I don't know what the ISP provides. With two pf connected to the same ISP router, I get the same IPv6 on the WAN and two different IPv6 on the tracking LANs. They seem to be on different /64 subnets, as the WANs get a 2d80 and the LANs get 2d8e and 2d8f, on the 4th quibble.

    Looking at this I think those three subnets are part of a /60 (xxx:xxx:xxx:2d8::/60).

    I might need to play a little, setting some interfaces for opt1 and opt2 to a static IPv6 using 2d8d and 2d8c subnets, with the clients on matching IPv6 subnets, and see what would happen.
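
Added example (not part of any post in this thread): the Prefix Delegation size and IPv6 Prefix ID arithmetic JKnott describes, and the /60 check amello does by eye above, worked with Python's standard `ipaddress` module. The 2001:db8 documentation prefix and the interface addresses are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations

def lan_prefix(delegated, prefix_id):
    """Return the /64 that a Prefix ID selects inside a delegated prefix."""
    block = ipaddress.IPv6Network(delegated)
    if block.prefixlen > 64:
        raise ValueError("delegation is longer than /64")
    count = 1 << (64 - block.prefixlen)   # /60 -> 16, /56 -> 256, /64 -> 1
    if not 0 <= prefix_id < count:
        raise ValueError(f"Prefix ID {prefix_id} not in 0..{count - 1}")
    base = int(block.network_address)
    return ipaddress.IPv6Network((base + (prefix_id << 64), 64))

def prefix_id_of(delegated, address):
    """Return the Prefix ID an address falls under, or None if outside."""
    block = ipaddress.IPv6Network(delegated)
    addr = ipaddress.IPv6Address(address)
    if addr not in block or block.prefixlen > 64:
        return None
    return (int(addr) >> 64) & ((1 << (64 - block.prefixlen)) - 1)

def same_slash64(interfaces):
    """Return pairs of interface names whose addresses share one /64."""
    nets = {name: int(ipaddress.IPv6Address(a)) >> 64
            for name, a in interfaces.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a] == nets[b]]

# Constructed sample values (2001:db8::/32 is the documentation range),
# laid out like the 2d80 / 2d8e / 2d8f subnets discussed in the thread.
DELEGATED = "2001:db8:0:2d80::/60"
OBSERVED = {"WAN": "2001:db8:0:2d80::10",
            "LAN1": "2001:db8:0:2d8e::1",
            "LAN2": "2001:db8:0:2d8f::1"}

if __name__ == "__main__":
    for name, addr in OBSERVED.items():
        print(name, addr, "Prefix ID", prefix_id_of(DELEGATED, addr))
    print("Prefix ID 15 ->", lan_prefix(DELEGATED, 15))
    print("interfaces sharing a /64:", same_slash64(OBSERVED))
```

With a /64 delegation only Prefix ID 0 is valid, so `lan_prefix` raises `ValueError` for any other ID; a non-empty result from `same_slash64` flags the WAN/LAN overlap raised earlier in the thread.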



  • @amello

    With two pf connected to the same ISP router

    Do you have another router between you and the ISP? I asked about this earlier. If so, you won't get any IPv6 addresses on the LAN side of pfSense. For pfSense to work properly, the modem MUST be in bridge mode.

    Once you've done that, you should be getting a prefix on the LAN side.

    Post the prefixes for the LAN side here, so we can see what you're getting.

    Have you asked on the AT&T forums to find out what's provided?



  • @JKnott

    @JKnott said in IPv6 address allocated but not working:

    Do you have another router between you and the ISP?

    Yes, as stated in my first post above, a BGW210-700.

    @JKnott said in IPv6 address allocated but not working:

    For pfSense to work properly, the modem MUST be in bridge mode.

    I don't know of any way to bridge that device and could lose my IPv4 static subnet with that.

    @JKnott said in IPv6 address allocated but not working:

    Have you asked on the AT&T forums to find out what's provided?

    In fact, just got the information. The device has 16 LAN /64 subnets available:

    The first used for LAN-device IP address assignment using SLAAC and DHCPv6
    and the others for cascade routers using Prefix Delegation.

    The only way to do what I want is, to your point, let pf handle everything, from authentication to delegation, and that's not possible with the type of service I get. Maybe with fiber ...

    Thanks again for your replies.



  • @amello said in IPv6 address allocated but not working:

    The only way to do what I want is, to your point, let pf handle everything, from authentication to delegation, and that's not possible with the type of service I get. Maybe with fiber ...

    Maybe you should be asking in the AT&T forums about this. I don't know what sort of service you have, but I'm on a cable modem. In gateway mode, my modem provides a single /64. In bridge mode, with pfSense, I get up to 256 /64s. I suspect what you want is available. You just have to find out how. For example, why do you think your modem can't be placed in bridge mode?



  • @JKnott

    Again thanks for your reply.

    @JKnott said in IPv6 address allocated but not working:

    Maybe you should be asking in the AT&T forums about this.

    I was talking with some AT&T guys about it today, but will expand to the forum.

    @JKnott said in IPv6 address allocated but not working:

    I don't know what sort of service you have

    It is u-verse, so DSL on dry line.

    @JKnott said in IPv6 address allocated but not working:

    I suspect what you want is available.

    It is, but not with that router.

    @JKnott said in IPv6 address allocated but not working:

    why do you think your modem can't be placed in bridge mode?

    From what I read so far, it seems that that Arris can handle IP Passthrough and Default Server, and as I understood the latter is like putting a host in DMZ.

    For now I'm keeping my LAN on IPv6 and the other interfaces on IPv4.

    Thanks again for all your help!



  • @amello said in IPv6 address allocated but not working:

    It is u-verse, so DSL on dry line.

    A couple of my friends have ADSL and get IPv6. I don't know the details though.

    From what I read so far, it seems that that Arris can handle IP Passthrough and Default Server, and as I understood the latter is like putting a host in DMZ.

    Perhaps the people in the forums can help with that.

