Understanding routing IPv6 through pfSense

cwo

Hi.

I am a newbie in IPv6 and likes to play with a newly given aaaa:bbbb:cccc::/48
subnet from my ISP. Because the first subnet is a transfer subnet, configured by my ISP, I have to staticly set my WAN interface to aaaa:bbbb:cccc::2 with a given gateway aaaa:bbbb:cccc::1 .

I'd like to use pfSense as a router only, not as a firewall. My goal is, using static
IPv6 in a way I can handle. No SLAAC or DHCP6, no VPN or firewalling. Simply routing :-)

My current setup is a box with 8 physical interfaces and pfSense 2.4.5:

• em0 -> "LAN" - IPv4/LAN (for webmanagement only
• em1 -> "WAN" - aaaa:bbbb:cccc::2/64 (with GW aaaa:bbbb:cccc::1)
• em2 -> aaaa:bbbb:cccc:2::1/64 (no GW defined)
• em3 -> aaaa:bbbb:cccc:3::1/64 (no GW defined)
• em4 -> aaaa:bbbb:cccc:4::1/64 (no GW defined)
• em5 -> aaaa:bbbb:cccc:5::1/64 (no GW defined)
• em6 -> aaaa:bbbb:cccc:6::1/64 (no GW defined)
• em7 -> aaaa:bbbb:cccc:7::1/64 (no GW defined)

System / General Setup / "Disable DNS Forwarder" is checked
System / Advanced / Firewall & NAT > "Disable Firewall" is checked
System / Advanced / Firewall & NAT > "IP Random id generation" is checked
System / Advanced / Firewall & NAT > "Static route filtering" is checked
System / Advanced / Networking > "Allow IPv6" is checked
System / Advanced / Networking > "IPv6 DNS entry" is checked
System / Routing / Gateways > Default gateway IPv6: aaaa:bbbb:cccc::1

NO fw rules defined

---

em4 is connected to a Switch and on this Switch is a

Windows PC:

• IPv6 aaaa:bbbb:cccc:4::55/64
• GW is aaaa:bbbb:cccc:4::1
• DNS1 Quad9 IPv6 DNS
• DNS2 Google IPv6 DNS
• no active AV or firewall on Windows (yep, I know ;-))

What works:

• Ping6 from Windows to em4
• Ping6 from Windows to em1
• Ping6 from pfSense to ISP GW (aaaa:bbbb:cccc::1)
• Ping6 from pfSense to google . com (2a00:1450:4001:81d::200e)
• DNS from pfSense to IPv6 Quad9 + IPv6 Google
• HTTP(s) from pfSense to Package repository, can download packages.

What should work (but currently does not):

• Ping6 from Windows to ISP GW (aaaa:bbbb:cccc::1)
• DNS from Windows to Google/Quad9/my ISP

What I did:
Setup the Windows-Box to

1. ping6 the "Windows GW" (aaaa:bbbb:cccc:4::1)
2. ping6 the em1 interface (aaaa:bbbb:cccc::2)
3. ping6 the ISP GW (aaaa:bbbb:cccc::1) and
4. a external IPv6 from heise . de (2a02:2e0:3fe:1001:302::) - that responds if doing a ping6 from the pfSense webinterface.

1 + 2 did, 3+4 dont.

Then I did a Wireshark session on a port (via mirror port) that goes to my ISP and I
saw PING requests from my Windows Box (aaaa:bbbb:cccc:4::55) to the ISP Gateway
(aaaa:bbbb:cccc::1). Wireshark saw a

"Echo (ping) request id=x, seq=y, hop limit=127 (no response found!)".

Hm, now I am lost. What I am doing wrong?

Regards,

cwo

pfadmin

@cwo said in Understanding routing IPv6 through pfSense:

a external IPv6 from heise . de (2a02:2e0:3fe:1001:302::) - that responds if doing a ping6 from the pfSense webinterface.

Your clients need to know a gateway. This is via router advertising. Is it there on LAN)

https://docs.netgate.com/pfsense/en/latest/book/services/ipv6-dhcp-server-and-router-advertisements.html

cwo

Hi pfadmin

Your clients need to know a gateway. This is via router advertising. Is it there on LAN)

https://docs.netgate.com/pfsense/en/latest/book/services/ipv6-dhcp-server-and-router-advertisements.html

Hm... just to make sure I understand this correctly:

I do need to configure DHCPv6 even if I don't want to use DHCP or any auto config thing like SLAAC on any interface? I want to use staticly configured interfaces only. I heard about RA but as you can read above I have a static configured GW on my "client" Windows box:

(Windows) --|--> switch --|--> pfSense (em4) --|--> pfSense (em1/WAN) --|--> ISP "GW"
IPv6 :4::55/64 --|--> switch --|--> :4::1/64 --|--> ::2/64 --|--> ::1
GW :4::1 --|--> switch --|--> ................. --|--> ::1

And when I read Wireshark correctly, I can see a ping request going from my Windows Box to the ISP GW (::1) on the ethernet port that goes to my ISP.

To clarify this, I try to print a picture of this and add it later.

Regards,

cwo

cwo

Here is a image of the setup. All IPs and GWs are statically configured.

IsaacFL

@cwo if it is a router then it must send router announcements. You don’t need dhcpv6.

Configure the RA to “unmanaged” for each interface.

IsaacFL

If you are newbie to ipv6 I would look thru the RFC's starting with:

RFC 8504 IPv6 Node Requirements Best Current Practice 220

This points to the lower level RFCs and guides to what is mandatory (MUST in their lingo). Support for SLAAC is a must, so you must accommodate it. You can still statically assign addresses if you want but it isn't needed.

Also, routing is almost always done via Link Local Addresses (fe80::). You can a do it by static global addresses, but you are getting into advanced ipv6 and at newbie level I would stick with default. In other words, at my windows host, ipconfig /all shows that my default gateway is:

Default Gateway . . . . . . . . . : fe80::1:1%11

It really is different enough at the lower level from ipv4 that you have to study on it first.

JKnott

@cwo said in Understanding routing IPv6 through pfSense:

I do need to configure DHCPv6 even if I don't want to use DHCP or any auto config thing like SLAAC on any interface? I want to use staticly configured interfaces only.

No, you don't need to configure DHCPv6. However, you may want to config RAs anyway, even when using a static config.

cwo

@JKnott
@IsaacFL

Thank you both :-) I have some IPv6 homework to do and will take a deeper look at RA and SLAAC.

Regards,

cwo

JKnott

@cwo

IPv6 Essentials is a good reference.

cwo

@JKnott

Good advice, thank you :-)

I bought a copy today.