IPv6 on Telekom Business Line
I have problems getting IPv6 to work on a Telekom Fibre Business Line.
What I get from the ISP:
I already called them - I need to configure the pfSense WAN side static - the 2003:foo:bar::1 (ISP router) will be the gateway for the WAN side.
All docs that I find refer to the WAN side being DHCPv6 and using tracking for the LAN side. But in my case this will not work.
What I tried:
WAN: Set up IPv6 static as requested by the ISP. I used 2003:foo:bar::3/64 as WAN IP. I set the 2003:foo:bar::1 (ISP router) as gateway. I can ping "foreign" IPv6 addresses, e.g. the DNSv6 of Google, with the Ping tool in the pfsense GUI and from SSH-command-line. So the pfSense itself is fine with IPv6.
LAN: I set up 2003:foo:bar:10::1/64 as static IPv6, because this is what I want to propagate in my LAN as IPv6 address subnet. I also turned on DHCPv6 on LAN and activated RA. Clients in the LAN get the desired subnet.
Problem: No client can ping/access "external"/"foreign" IP addresses. They can ping the LAN IPv6 address 2003:foo:bar:10::1, but NEITHER the WAN IPv6 2003:foo:bar::3 NOR any other internet IPv6. It seems like the routing is f*cked.
So maybe someone can help me - how to setup one /64 subnet of the large /48 range for my LAN with IPv6? I'm really stuck.
Best from Berlin
You can't have the same prefix on both sides of a router. Are they actually telling you to do that? Normally, when used with a router, you need a transit network to carry your prefix to you. With IPv6, this is often a link local address, but it doesn't have to be. The reason clients can't ping beyond the router is that pfSense can't route with the same prefix on both sides.
On my system, I use DHCPv6-PD, which provides my prefix, but the WAN side address is not within my prefix. In fact, it's not even used in routing, as link local addresses are used on both the WAN and LAN sides for that.
About all you can do with your prefix is set up pfSense for pass through, rather than routing. However, I have never done that and don't know if it's even possible with pfsense. There are some firewalls available that will filter without routing. Even then, I don't see how you could properly use a /48, as LANs are supposed to be only /64s.
Yeah, I had a call today when they told me to configure the WAN IPv6 like my WAN IPv4 with using the network they told me, staic, with a gateway specified.
So I will give them another call tomorrow. They told me an additional phone line for "technical questions". Seems like I have one... :-D
On IPv4, do you set up their default gateway on the router? Or on the devices without a router? If you have a router, then your WAN address would not be within your network. The same principle applies with IPv6, although link local addresses are often used for routing.
On IPv4, I get a a.b.c.128/28, with a.b.c.129 being the ISP gateway/router (a "black" box in my data center). I used this values in the configuration of the WANv4 in the pfSense and used a.b.c.142 as WANv4 address.
The same I did after the phone call with IPv6, as specified above in my start posting.
Maybe the Deutsche Telekom does no Prefix Delegation? So the traffic from my LANv6 does not know where to go?
And I always thought it will be easier with IPv6... it's a mess!
A /28 on IPv4 gives 16 addresses of which 14 are usable and 1 of those goes to the gateway, leaving 13 for your use. On IPv6, you could do similar with a /64, but there's no way to do that with a /48. IPv6 is built on the concept of /64s on LANs and nothing else. To properly use that /48, it has to be routed to you over a transit network and then your router would split the /48 into up to 65536 /64s. I do the same here with my /56 providing 256 /64s.
Well, had my phone call today.
The Telekom will change the setup - 2003:foo:bar::/64 will be the transfer net, with 2003:foo:bar::a and 2003:foo:bar::b my two pfsense firewalls and 2003:foo:bar::1 the ISP gateway.
They will then route 2003:foo:bar:a000::/52 to the IPv6 2003:foo:bar::a and accordingly with a b-prefix. I asked several times what they mean with "we will do static routes from these subnets to the IP addresses of your firewalls"... as far as I understood they will advertise the /52 prefixes to the firewall IPs.
Nevertheless - the WAN configuration of the pfsense will remain static in any case. They absolutely do not offer DHCPv6 in business lines. So how will I have to configure the LAN side in the pfsense? I cannot use "track" cause the WAN is static IPv6. Will pfsense automatically (by IPv6 magic) find out that these /52 are routed to it?
I hope the transit network is not within your /52 prefix. My ISP avoids the issue entirely by using link local addresses for the transit network.
As for the LAN side, you configure the Router Adverisements for whatever /64 within your /52 that you want to use on your LAN. I have only done this with Unique Local Addresses, so someone else may be able to help you with your static config.
No, as far as I understand IPv6 2003:foo:bar:0000::/64 is not within 2003:foo:bar:a000::/52 or vice-versa... please correct me if I'm wrong... :-D
To your second comment - the problem that I see is that the routed /52 end at the WAN side of the pfsense. And how do they go now "within" the pfsense towards the LAN that I can split them up? The "how to split them up" with DHCPv6/RA on the LAN side is known by me, but the "internal routing" within the pfsense from LAN to WAN and vice-versa is a mystery in that case to me.
JKnott last edited by JKnott
On each (V)LAN configuration, you select the prefix ID you want to use for it. On my system, prefix ID 0 is my main LAN, 4 a test LAN and ff for an OpenVPN tunnel. You can only use each ID once. Of course, with a /52, you have only 4096 prefixes to choose from.
As I mentioned, you may have to specify the LAN network address on the Router Advertisements page for each interface. The address has to match the prefix. However, I have no experience setting up pfSense with a static WAN configuration, so someone else might have better advice.