Understanding routing IPv6 through pfSense
-
Hi.
I am a newbie in IPv6 and would like to play with a newly given aaaa:bbbb:cccc::/48
subnet from my ISP. Because the first subnet is a transfer subnet, configured by my ISP, I have to statically set my WAN interface to aaaa:bbbb:cccc::2 with a given gateway aaaa:bbbb:cccc::1. I'd like to use pfSense as a router only, not as a firewall. My goal is using static
IPv6 in a way I can handle. No SLAAC or DHCP6, no VPN or firewalling. Simply routing :-)
My current setup is a box with 8 physical interfaces and pfSense 2.4.5:
- em0 -> "LAN" - IPv4/LAN (for web management only)
- em1 -> "WAN" - aaaa:bbbb:cccc::2/64 (with GW aaaa:bbbb:cccc::1)
- em2 -> aaaa:bbbb:cccc:2::1/64 (no GW defined)
- em3 -> aaaa:bbbb:cccc:3::1/64 (no GW defined)
- em4 -> aaaa:bbbb:cccc:4::1/64 (no GW defined)
- em5 -> aaaa:bbbb:cccc:5::1/64 (no GW defined)
- em6 -> aaaa:bbbb:cccc:6::1/64 (no GW defined)
- em7 -> aaaa:bbbb:cccc:7::1/64 (no GW defined)
System / General Setup / "Disable DNS Forwarder" is checked
System / Advanced / Firewall & NAT > "Disable Firewall" is checked
System / Advanced / Firewall & NAT > "IP Random id generation" is checked
System / Advanced / Firewall & NAT > "Static route filtering" is checked
System / Advanced / Networking > "Allow IPv6" is checked
System / Advanced / Networking > "IPv6 DNS entry" is checked
System / Routing / Gateways > Default gateway IPv6: aaaa:bbbb:cccc::1
NO fw rules defined
em4 is connected to a Switch and on this Switch is a
Windows PC:
- IPv6 aaaa:bbbb:cccc:4::55/64
- GW is aaaa:bbbb:cccc:4::1
- DNS1 Quad9 IPv6 DNS
- DNS2 Google IPv6 DNS
- no active AV or firewall on Windows (yep, I know ;-))
What works:
- Ping6 from Windows to em4
- Ping6 from Windows to em1
- Ping6 from pfSense to ISP GW (aaaa:bbbb:cccc::1)
- Ping6 from pfSense to google . com (2a00:1450:4001:81d::200e)
- DNS from pfSense to IPv6 Quad9 + IPv6 Google
- HTTP(s) from pfSense to Package repository, can download packages.
What should work (but currently does not):
- Ping6 from Windows to ISP GW (aaaa:bbbb:cccc::1)
- DNS from Windows to Google/Quad9/my ISP
What I did:
Set up the Windows box to:
- ping6 the "Windows GW" (aaaa:bbbb:cccc:4::1)
- ping6 the em1 interface (aaaa:bbbb:cccc::2)
- ping6 the ISP GW (aaaa:bbbb:cccc::1) and
- an external IPv6 from heise . de (2a02:2e0:3fe:1001:302::) - that responds if doing a ping6 from the pfSense web interface.
1 + 2 did, 3 + 4 don't.
Then I did a Wireshark session on a port (via mirror port) that goes to my ISP and I
saw PING requests from my Windows Box (aaaa:bbbb:cccc:4::55) to the ISP Gateway
(aaaa:bbbb:cccc::1). Wireshark saw an "Echo (ping) request id=x, seq=y, hop limit=127 (no response found!)".
Hm, now I am lost. What am I doing wrong?
Regards,
cwo
-
@cwo said in Understanding routing IPv6 through pfSense:
an external IPv6 from heise . de (2a02:2e0:3fe:1001:302::) - that responds if doing a ping6 from the pfSense web interface.
Your clients need to know a gateway. This is via router advertising. Is it there on LAN?
https://docs.netgate.com/pfsense/en/latest/book/services/ipv6-dhcp-server-and-router-advertisements.html
-
Hi pfadmin
Your clients need to know a gateway. This is via router advertising. Is it there on LAN?
https://docs.netgate.com/pfsense/en/latest/book/services/ipv6-dhcp-server-and-router-advertisements.html
Hm... just to make sure I understand this correctly:
I do need to configure DHCPv6 even if I don't want to use DHCP or any auto config thing like SLAAC on any interface? I want to use statically configured interfaces only. I heard about RA, but as you can read above I have a statically configured GW on my "client" Windows box:
(Windows) --|--> switch --|--> pfSense (em4) --|--> pfSense (em1/WAN) --|--> ISP "GW"
IPv6 :4::55/64 --|--> switch --|--> :4::1/64 --|--> ::2/64 --|--> ::1
GW :4::1 --|--> switch --|--> ................. --|--> ::1
And when I read Wireshark correctly, I can see a ping request going from my Windows Box to the ISP GW (::1) on the ethernet port that goes to my ISP.
To clarify this, I try to print a picture of this and add it later.
Regards,
cwo
-
Here is an image of the setup. All IPs and GWs are statically configured.
-
@cwo if it is a router then it must send router announcements. You don’t need dhcpv6.
Configure the RA to “unmanaged” for each interface.
-
If you are a newbie to IPv6 I would look through the RFCs starting with:
RFC 8504 IPv6 Node Requirements Best Current Practice 220
This points to the lower-level RFCs and guides to what is mandatory (MUST in their lingo). Support for SLAAC is a must, so you must accommodate it. You can still statically assign addresses if you want, but it isn't needed.
Also, routing is almost always done via Link Local Addresses (fe80::). You can do it by static global addresses, but you are getting into advanced IPv6 and at newbie level I would stick with the default. In other words, at my Windows host, ipconfig /all shows that my default gateway is:
Default Gateway . . . . . . . . . : fe80::1:1%11
It really is different enough at the lower level from ipv4 that you have to study on it first.
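To make the two points in the replies above concrete (a host takes its default gateway from the link-local source address of a Router Advertisement, and SLAAC is controlled by the A flag of the RA's prefix option, so an RA can hand out a default route without enabling SLAAC), here is an added Python example that builds and parses a minimal RA per RFC 4861. It is not code from this thread or from pfSense; the fe80::1:1 router address and the RA bytes are constructed assumptions.

```python
import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement (RFC 4861 s4.2)
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861 s4.6.2)

def build_ra(router_lifetime, prefix, plen, autonomous, managed=False, other=False):
    """Construct an RA's ICMPv6 payload (checksum left 0; this is constructed test input)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0)       # L=on-link always, A=SLAAC
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pflags, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

def parse_ra(icmp, src):
    """Parse an RA like a host does. `src` is the packet's IPv6 source address: RFC 4861
    s6.1.2 requires it to be link-local, and it (not a global address) becomes the gateway."""
    if len(icmp) < 16 or icmp[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    if not ipaddress.IPv6Address(src).is_link_local:
        raise ValueError("RA source must be link-local; discarding")
    flags, lifetime = struct.unpack("!BH", icmp[5:8])
    ra = {"gateway": src if lifetime else None,  # lifetime 0: not a default router
          "managed": bool(flags & 0x80),        # M: addresses via DHCPv6
          "other": bool(flags & 0x40),          # O: DNS etc. via DHCPv6
          "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8   # length in 8-octet units
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed option")
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags = icmp[off + 2], icmp[off + 3]
            pfx = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{pfx}/{plen}",
                                   "on_link": bool(pflags & 0x80),
                                   "slaac": bool(pflags & 0x40)})
        off += olen
    return ra

def client_view(ra):
    """Summarise what the receiving host will do with this RA."""
    route = f"default route via {ra['gateway']}" if ra["gateway"] else "no default route"
    slaac = [p["prefix"] for p in ra["prefixes"] if p["slaac"]]
    return route, "SLAAC on " + ", ".join(slaac) if slaac else "no SLAAC (addresses stay static)"

if __name__ == "__main__":
    # Constructed sample: the thread's em4 prefix, A flag cleared so no SLAAC.
    ra = parse_ra(build_ra(1800, "aaaa:bbbb:cccc:4::", 64, autonomous=False), "fe80::1:1")
    print(ra, client_view(ra))
```

Run against a capture, the parser makes the hop limit=127 symptom in the thread easy to interpret: a Windows box that never received an RA from fe80::1:1 has no default router to send off-link traffic to, however its static address and gateway are typed in.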
-
@cwo said in Understanding routing IPv6 through pfSense:
I do need to configure DHCPv6 even if I don't want to use DHCP or any auto config thing like SLAAC on any interface? I want to use staticly configured interfaces only.
No, you don't need to configure DHCPv6. However, you may want to configure RAs anyway, even when using a static config.
-
IPv6 Essentials is a good reference.
-