IPv6 on SoCal Spectrum
-
@JKnott said in IPv6 on SoCal Spectrum:
On the LAN page, change IPv6 configuration to track interface and further down enter WAN for IPv6 interface. I am assuming they provide IPv6 via DHCPv6-PD.
When selecting Track Interface, the IPv6 Interface drop down is empty and won't allow me to select WAN for some reason.
-
LAN interface. Your looking at WAN.
-
Okay that sort of seems to work. WAN is now on DHCP6 (64prefix) and LAN set to Track Interface. I now have an IPv6 address on the WAN and LAN interfaces as well as my internal machines.
Also, when I run test-ipv6.com I get failures still.
Also, if i'm running through Track Interface, isn't that assigning public IPs to all my internal machines? Does that not expose my devices directly to the Internet?
-
@caskater4 said in IPv6 on SoCal Spectrum:
Also, if i'm running through Track Interface, isn't that assigning public IPs to all my internal machines? Does that not expose my devices directly to the Internet?
Yep, you should have 18.4 billion, billion addresses available, which makes it a tad difficult for attackers to find you. Also, that's why you're running a firewall. It will block unauthorized access. As for not getting to the Internet, I'd look at routing issues. You can use Packet Capture to see what's happening, though you'd probably want to download the captures and use Wireshark to analyze them.
Also, you can try different prefix delegation sizes to see what you can get.
-
@JKnott Okay new problem. IPv6 works great but now IPv4 is broken somehow.
I can verify that I can ping/tracert external IPv6 addresses no problem. I can ping/tracert local IPv4 addresses but any external addresses fail to make contact.
Am I going to have to make IPv4 traffic track interface as well? Can I not have a IPv4 NAT and public IPv6 setup? Surely this is common.
Here are my LAN firewall rules. The last two are for opening traffic to the outside world and look correct to me.
And my outbound NAT rules
-
The router can reach IPv4 external addresses no problem.
-
Alright I figured it out. I had some bad rules defined in the WAN interface firewall. Everything is resolved now. Thanks for all your help!
-
Were you able to determine what your available prefix size is?
Also, on the WAN page, there's a setting "Do not allow PD/Address release". Make sure that's checked.
-
I don't see anything that would tell me the prefix size. The subnet mask on the router is 128.
I have a new problem unfortunately. I use AdvancedTomato on a Asus R7000 for WiFi. This is hooked up to the pfsense box and offers multiple SSID bridging to different VLANs.
The problem I am seeing now is that any device connected over WiFi cannot access the internet. None have an IPv6 address but have an IPv4 address. For some reason these devices are also getting an IPv6 DNS server. I assume they are unable to access the Internet because they are trying to use the IPv6 DNS address and can't because they don't have an IPv6 address itself.
I've tried enabling IPv6 support on the Tomato box but it doesn't seem to work. Do any of you have a similar setup with IPv6 working on WiFi?
-
Correction, this appears to only affect IPv6 capable devices. Any device using WiFi that can only do IPv4 works fine without issue.
-
@caskater4 said in IPv6 on SoCal Spectrum:
I don't see anything that would tell me the prefix size. The subnet mask on the router is 128.
As I mentioned earlier, if you look at the text below the prefix ID box on the LAN page, it may say. For example, mine says the available range is 0-ff, which is correct for my /56.
The /128 means that address is only to identify the WAN interface. It is not used for routing and has nothing to do with the prefix size.
BTW, custom on IPv6 is to call that a prefix, not subnet mask. Same function, different name.
-
@caskater4 said in IPv6 on SoCal Spectrum:
I use AdvancedTomato on a Asus R7000 for WiFi.
Are you using that as a router or AP? If router, then it would have to be able to be configured for IPv6. If just as an AP, it would be transparent and any devices connected to it should behave as if directly on the LAN.
-
It's setup as an AP, not a router.
The text below Prefix ID reads: "(hexadecimal from 0 to 0) The value in this field is the (Delegated) IPv6 prefix ID. This determines the configurable network ID based on the dynamic IPv6 connection. The default value is 0."
I also tried adding my guest network as a track interface with Prefix set to 1 and it wouldn't let me.
-
So I enabled IPv6 DHCP6-PD on the Tomato AP and now most of my devices are getting IPv6 addresses. My laptops, tablets, TVs and alexa's are all connected now. However, for some reason our phones (Pixel 2XL and iPhone) are not getting internet access. They still don't show an IPv6 address. This is rather odd. I've tried restarting the phone and deleting the WiFi profile but nothing seems to fix it.
-
@caskater4 said in IPv6 on SoCal Spectrum:
So I enabled IPv6 DHCP6-PD on the Tomato AP
So, you were using it as a router. If it were just an AP, you wouldn't be able to do that. Also, where are you getting that DHCPv6-PD from? You certainly wouldn't get it from pfSense. Is that Tomato AP connected directly to the ISP?
-
No the Tomato is connected directly to pfsense on a port thats setup for VLAN trunking. The IPv4 DHCP server is disabled on it. In the basic settings theres a section on IPv6. It seems as though its a general IPv6 support, not enabling the DHCP server on the Tomato itself.
-
Charter will allow you a /56 if you select that on the "DHCPv6 Prefix Delegation size" config on the WAN interface. Then as stated you can use a 0-ff for the prefix ID on your internal interfaces to assign a /64 to that network.
