IPV6 - pfsense behind BT Hub



  • @stephenw10 said in IPV6 - pfsense behind BT Hub:

    It doesn't really matter what IP it's routed via, if you don't pull a PD from the upstream router how does it know where that is?

    In this example traffic has no way to reach 2a0X:xxxx:xxxx:xx02::/64 because it's not on a subnet connected to the BTHub directly.

    Steve

    @stephenw10 said in IPV6 - pfsense behind BT Hub:

    It doesn't really matter what IP it's routed via, if you don't pull a PD from the upstream router how does it know where that is?

    In this example traffic has no way to reach 2a0X:xxxx:xxxx:xx02::/64 because it's not on a subnet connected to the BTHub directly.

    Steve

    The ISP should know how to route the assigned prefix to his network, just like any other routing. Routers only need to know how to reach the next hop. With IPv6, that is often the link local address of the firewall/router. So, if 2a0X:xxxx:xxxx:xx02::/64 is part of the prefix assigned to the OP, then it should work.

    Again, on my network, pfSense has been assigned a WAN address, but it play no part in routing. The default gateway, both on the LAN and on the WAN is the appropriate link local address. So, when my ISP has a packet to send to my network, it is sent to the pfSense link local address on the WAN interface. Of course, all IP addresses resolve to a MAC address, which is what is actually used to carry the frame from the ISP router to mine. However, if the OP just assigned a static address when the ISP is expecting DHCPv6-PD to be used, then there will be problems.


  • Netgate Administrator

    Exactly the problem here is that the ISP routes the /56 PD to the BT Hub but since pfSense is not pullling a PD from the BT Hub it does not get the required route. So the BT Hub has no way to know the /64 on the pfSense LAN is behind a downstream router.
    Unfortunately I doubt the BT business hub has any static routing, additional gateway type ability. I could be wrong...

    Steve



  • @stephenw10 said in IPV6 - pfsense behind BT Hub:

    Exactly the problem here is that the ISP routes the /56 PD to the BT Hub but since pfSense is not pullling a PD from the BT Hub it does not get the required route. So the BT Hub has no way to know the /64 on the pfSense LAN is behind a downstream router.
    Unfortunately I doubt the BT business hub has any static routing, additional gateway type ability. I could be wrong...

    Steve

    That's not the impression I got from the OP. He said:

    "Thanks.
    The BT Hub gets ipv6 via DHCPv6-PD on its WAN(2a0X:xxxx:xxxx:xx00:86a1:d1ff:fea1:f0df) BUT gave Pfsense WAN a
    fe80:: range ,WHICH i then changed to(2a0X:xxxx:xxxx:xx00:86a1:d1ff:fea1:f0ff /64 - STATIC) and used the Other /64 on the pfsense LAN side.
    The Default routes on the LAN clients is showing as fe80::,(EXpecting the LAN v6 gateway?) but ipv6 client is in the right range ,also DNS is Pfsense LAN ipv6 gateway and Google v6 dns."

    Based on that, it appears that he is being assigned a prefix, but not a WAN address. That is entirely normal, as the link local address will be used for routing and a WAN address is not necessary. He has the same thing on the LAN, with the link local address being used for the gateway. This is entirely normal. Based on what I've read in this thread is he can't reach the Internet from his LAN, which indicates a routing problem or perhaps a misconfigured firewall.


  • Netgate Administrator

    Indeed, BT don't usually give you a WAN IP just a Prefix. That's exactly what I see on my BT connection.

    But unlike the OP I am using pfSense to get that prefix, he is using the BT Hub router. I am setting up a PD in that edge pfSense device to pass a /60 to my inner pfSense device. He is just configuring it statically on pfSense with no way to tell the BT Hub about that route.

    Steve



  • @JKnott
    Will try the Capture and see what i find
    Regards


  • Netgate Administrator

    Is there any ability to add routes and gateways in the BT Business hub?



  • @stephenw10

    Yes exactly ,but i was expecting the BT hub to give Pfsence an ip in the 2a0X:xxxx:xxxx:xx00:: /64 but it wasnt but gave it a fe80:: ?? will try to keep this as fe80:: and then use the /64 from the BT wan range in the LAN ,BUT that will still pose the issue of the BT box knowing how to get to this /64.



  • @stephenw10
    Will look into this by weekend,so set a static route(BT hUB) for the /64 to the pfsense WAN (fe80::)??


  • Netgate Administrator

    Yes I would expect that to work. Odd that it doesn't assign the pfSense WAN a routable v6 IP though, it's set to DHCPv6? I assume other devices connected to the hub do get a v6 IP in that /64?



  • @stephenw10 said in IPV6 - pfsense behind BT Hub:

    he is using the BT Hub router

    I didn't see that. In that case prefix delegation won't work. He wants to put the modem in bridge mode. With it in gateway mode, only devices connected directly to it will get an address.



  • @Jid said in IPV6 - pfsense behind BT Hub:

    @stephenw10

    Yes exactly ,but i was expecting the BT hub to give Pfsence an ip in the 2a0X:xxxx:xxxx:xx00:: /64 but it wasnt but gave it a fe80:: ?? will try to keep this as fe80:: and then use the /64 from the BT wan range in the LAN ,BUT that will still pose the issue of the BT box knowing how to get to this /64.

    If that modem is in gateway mode, you can't put pfSense behind it and expect it to work properly. The pfSense WAN interface should get an address, but no prefix for the LAN. Every IPv6 capable device will have a link local fe80 address, no matter what it's connected to. That does not come from the ISP. It's often derived from the MAC address.



  • @JKnott
    "With it in gateway mode, only devices connected directly to it will get an address". That is the case here .
    The Probem is HOW do I get Devices on LAN side of Pfsense(connected directly to BT hub) to be able to route out in ipv6.



  • @stephenw10

    Yes they do in the 2a0X:xxxx:xxxx:xx00:: range, however in the pfsense WAN(directly connected to LAN of BT Hub) its showing in the fe80:: range.


  • Netgate Administrator

    Some sort of route on the BT Hub, static or added via a PD.

    Or put the hub in modem mode and just use pfSense directly.

    I know the Business hub used to do something funky with static IPv4 subnets though that caused problems with that.


  • Netgate Administrator

    What is the pfSense WAN set to for IPv6? Or what was it set to before you set it statically?

    If dhcpv6 doesn't work try SLAAC.

    Steve



  • @stephenw10
    DHCPV6 it gets fe80:: range , Static applied 2a0X:xxxx:xxxx:xx00:: /64 to match the 2a0X:xxxx:xxxx:xx00:: on the BT hub.



  • @stephenw10
    Just tried SLAAC and getting this fdaa:bbcc:ddee:0:215: is that good.
    But i cant access any Node to test now .


  • Netgate Administrator

    If other clients connected to the Hub do get an IPv6 IP as expected, what are they set to?

    That address with SLACC is not any better really.



  • @stephenw10

    Thanks ,Stv unfortunateley no device is currently connected to LANof BT hub ,apart from Pfsense.



  • @Jid
    Tried DHCPv6 now getting this fdaa:bbcc:ddee: ?
    For the LAN side what should it ? Statics? with DHCPv6 active?


  • Netgate Administrator

    I expect dhcpv6 to pull an routable v6 IP from a /64 withing the /56 BT are delegating to you.

    I think you probably need to confirm a laptop connected to the Hub is getting that before going further here.

    Steve



  • @stephenw10

    BT Hub IPv6 status:
    Enabled

    IPv6 network status:
    Enabled

    IPv6 WAN details
    Global unicast address:
    2a00:xxxx:xxxx:x801:86a1:d1ff:fea1:f0dd

    Global unicast prefix/length:
    2a00:xxxx:xxxx:x801::/64

    Link local address:
    fe80::86a1:d1ff:fea1:f0dd

    Remote link local address:
    fe80::1e6a:7aff:fe68:f00

    DNS:
    Not available

    IPv6 LAN details
    Global unicast address:
    2a00:xxxx:xxxx:x800:86a1:d1ff:fea1:f0df

    ULA prefix / length:
    fdaa:bbcc:ddee::/64

    Link local address:
    fe80::86a1:d1ff:fea1:f0df

    Pfsense Status:
    WAN : fdaa:bbcc:ddee:0:215:5dff:feb8:ea10 9 (DhcpV6)
    LAN: 2a00:xxxx:xxxx:x802:87a1:d1ff:fea1:1000 /64 (Static)
    Dhcpv6 server (enabled)
    Range: 2a00:xxxx:xxxx:x802::100 to 2a00:xxxx:xxxx:x802::250 (PC are getting this range)
    RA: RouterMOde Assisted.
    Priority Normal
    DNS Config. : 2001:4860:4860::8888

    Is any thing unusual here?



  • @stephenw10

    Thanks will try this later as its remote site .



  • @Jid
    Just looked further on the BT Hub(under connected devices) and saw this :

    GUA (Permanent)
    2a00:xxxx:xxxx:x800:215:5dff:feb8:ea10
    DHCP
    ULA
    fdaa:bbcc:ddee:0:215:5dff:feb8:ea10
    Assigned by device
    Link local address
    fe80::215:5dff:feb8:ea10
    Assigned by device
    SO the Pfsense is Actually getting ipv6 in the Right Prefix via Dhcp from HUb ,HOWEVER its prefers the link-local on the WAN interface.



  • @Jid said in IPV6 - pfsense behind BT Hub:

    @JKnott
    "With it in gateway mode, only devices connected directly to it will get an address". That is the case here .
    The Probem is HOW do I get Devices on LAN side of Pfsense(connected directly to BT hub) to be able to route out in ipv6.

    You don't. You're likely only getting a singe /64 from the modem. You can't take it further. You have to get the modem in bridge mode to do what you want.



  • @Jid said in IPV6 - pfsense behind BT Hub:

    fdaa:bbcc:ddee:0:215: is that good.

    That would be a Unique Local Address, the IPv6 equivalent of IPv4 RFC 1918 addresses. It is not usable for accessing the Internet.



  • @JKnott said in IPV6 - pfsense behind BT Hub:

    @Jid said in IPV6 - pfsense behind BT Hub:

    @JKnott
    "With it in gateway mode, only devices connected directly to it will get an address". That is the case here .
    The Probem is HOW do I get Devices on LAN side of Pfsense(connected directly to BT hub) to be able to route out in ipv6.

    You don't. You're likely only getting a singe /64 from the modem. You can't take it further. You have to get the modem in bridge mode to do what you want.

    I just did a quick search and came across this about putting your modem into bridge mode. This is what you have to do.


  • Netgate Administrator

    If you don't have reason not to have it in bridge mode then just do that and win. But there were some odd static v4 issues you may hit of you have a number of IPv4 addresses in a subnet they route to you.



  • @JKnott
    Thanks
    But got a /56 from BT ,i thought i could break this down into further /64 ,use one on the WAN to (same subnet as BT Lan range ,and use another in the Pfsense LAN?



  • @Jid said in IPV6 - pfsense behind BT Hub:

    @JKnott
    Thanks
    But got a /56 from BT ,i thought i could break this down into further /64 ,use one on the WAN to (same subnet as BT Lan range ,and use another in the Pfsense LAN?

    That would required configuring that hub in a way that wasn't intended, so you're not likely to have much luck. while BTprovides up to a /56, in gateway mode, you only get a single /64 and there's nothing pfSense can do with that, other than act as a straigth through firewall. It's the same situation as I have hear. I have a modem from my ISP, which I have in bridge mode. It passes the full /56 to pfSense, which I can then split into 256 /64s. If my modem was in gateway mode, I would only get a singe /64. In gateway mode, it won't even provide IPv6 on the guest WiFi.

    Bottom line, put it into bridge mode and pfSense will do what you want.



  • @stephenw10 said in IPV6 - pfsense behind BT Hub:

    If you don't have reason not to have it in bridge mode then just do that and win. But there were some odd static v4 issues you may hit of you have a number of IPv4 addresses in a subnet they route to you.

    In gateway mode, it's likely providing NAT to a single address.


  • Netgate Administrator

    It's been a while but the Business Hub was BTs device they gave you if you ordered a subnet of static IPv4s as well as some other "business" features. But I think it used a numberless PPP connection or something similar to give you the entire subnet on the LAN which pfSense cannot replicate.
    That may have changed, it was a few years ago I hit that.

    Steve


Log in to reply