pfSense as IPv6 client

  • I am trying to get addresses via IPv6 DHCP on my pfSense. And it doesn't work. I've attached an overview containing the details. Other clients on my VLAN 1001 are able to get IPv6 addresses.

  • @michaelpietzsch

    Does that main router provide DHCPv6-PD? If not, it will only provide a single /64 on the LAN. Can you put it into bridge mode?

  • The main router provides each VLAN I chose with a dedicated /64 network.

  • @michaelpietzsch said in pfSense as IPv6 client:

    The main router provides each VLAN I chose with a dedicated /64 network.

    @JKnott I attached a screen with the upstream router settings for VLAN 1001

  • @michaelpietzsch

    There are 2 parts to DHCPv6-PD. The DHCPv6 part is similar to IPv4 DHCP in that it provides address info to the connected device. The PD part provides the prefix for a router to pass on to its LANs. I get a /56 from my ISP with the modem in bridge mode. This means pfSense gets the entire /56. If the modem was in gateway mode, it would only pass a single /64 address space to a LAN. Routers this side of an ISP generally don't provide the PD. On Cisco routers, it's an extra cost option. Without PD, there is no way to get the prefix to pfSense.

  • @JKnott So basically there is no way to get an interface from the pfSense to behave like an IPv6 Windows client, for example...

  • @michaelpietzsch

    The WAN side interface should behave the same way, in that an address is assigned. However, you will not have a prefix to use on the LAN side. You have to connect to the modem, without that main router in the way. However, if that router is a proper router and not SOHO level, then you may be able to manually configure it.

  • @JKnott VLAN3000 is, in this case, a regular local network that has a port forwarding on an IPv4 basis to make the OpenVPN accessible

  • @michaelpietzsch

    This has nothing to do with IPv4. It depends on what pfSense gets. If it receives the PD, then it can provide the prefix to the LAN. However, with that router in the way, it gets the prefix and will assign it only to its own interfaces and not pass it on to pfSense.

  • So basically there is a "WAN" type interface with IPv6 that is expecting to receive PD... and LAN type interfaces aren't

  • @michaelpietzsch

    The LAN type interfaces cannot PROVIDE it. About the only place the PD is used is for an ISP to provision a customer, without having to configure anything. Elsewhere either manual configuration or routing protocols, such as OSPF, would be used to manage this.

  • Okay, I understood? Any ideas on how to provide my client a dual-stack VPN connection with this setup?

  • @michaelpietzsch

    Well, do you need that main router? If you get rid of it, then pfSense receives the PD and can pass it on to the LAN side.

  • IPv6 is much more complex than IPv4.

    First, IPv6 has nothing to do with IPv4. They are completely independent. Forget about IPv4 when you're trying to make IPv6 work.

    When connected to an ISP link, a router receives 2 distinct things: its own IPv6 address, which is the address of its WAN port, and an IPv6 global prefix delegation. Its WAN's IPv6 address is outside the PD range.

    For example, on my router:
    IPv6: 2804:xxxx:658b:1000:e019:13d5:a07b:d7ca/128
    IPv6-PD: 2804:xxxx:658b:5b86::/64

    With the global prefix, a router is capable of providing IPv6 addresses inside that prefix range for all devices on its LAN. Don't forget it: the router's LAN port has an address inside the PD's range, while its WAN's address is outside of it.

    If the router receives a /64 global prefix, all it's capable of doing is to provide IPv6 addresses for all devices on its LAN, and you're unable to have another router below it or have multiple VLANs. For example, one of my PC addresses: 2804:xxxx:658b:5b86::17

    If the router receives a global prefix bigger than /64, it will be able to do 2 things:

    1. As before, provide IPv6 addresses for all devices on its LAN. IDK the details of how pfSense does it, but the addresses it provides should be inside the first /64. In the example, that's 2804:xxxx:658b:5b86::0

    2. Taking out this first /64 prefix, that it uses on its LAN, provide n-1 prefixes for any router below it that would request one. The router can either be configured for the size of the prefix it will delegate, or the router below can suggest a prefix size in its request, and the main router may follow that request or ignore it and follow its config.

    Prefixes are also used to set up multiple VLANs, VPNs, etc.

    If you have a router below another router, I guess you need them both or are forced to. You must first properly configure the main router's prefix delegation.

    Usually, any router with proper support for IPv6, in its default config, will request a PD on its WAN's network. If that network's router has prefixes available and prefix delegation enabled, it will respond to the request by delegating some prefix.

    The easiest way to test if your router is requesting and is capable of receiving one is to plug it into any ISP modem which has been connected to a router that is receiving a PD. If that router was receiving it properly and yours doesn't, then your router has some issue. If it receives one, then you know that main router isn't providing a PD.

  • @Hikari said in pfSense as IPv6 client:

    IPv6: 2804:xxxx:658b:1000:e019:13d5:a07b:d7ca/128

    That WAN address is not used for routing. A link-local address is often used. That /128 prefix indicates it cannot be used for routing as it allows only 1 address and routing requires at least 2. It can be used for things like testing, VPNs, ssh to pfSense, etc.

  • It's not a prefix, it's a full address. It's equivalent to the public IPv4 we receive from ISP and we're seen as on Internet.

    I showed it to note that it's under prefix 2804:xxxx:658b:1000 while the /64 global prefix I receive is 2804:xxxx:658b:5b86::

    IDK if that address has any relation to WAN's MAC.

    As a comparison, my router as LAN default gateway is on IPv4 and fe80::xxxx:a8ff:fe5d:79d on IPv6.

  • @Hikari

    The /x indicates the prefix length. Your LAN gets a /64 prefix, which means 64 bits for the network address, leaving 64 for the device within the LAN. A /128 means the entire 128 bits is prefix leaving no bits for more than 1 device. I doubt it would have anything to do with the MAC, as it's assigned by DHCP. If it was MAC based, it would be obvious. Your LAN gateway demonstrates the link local address is used, not a public address.
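The prefix arithmetic behind this thread (carving a delegated prefix into the first /64 for the local LAN plus n-1 /64s for VLANs or downstream routers, checking that the WAN address sits outside the PD range, and why a /128 holds exactly one address) can be worked through with Python's standard `ipaddress` module. This is an added example, not code from the thread or from pfSense; the addresses are constructed from the 2001:db8::/32 documentation range rather than the real ones quoted above.

```python
import ipaddress

# Constructed sample values (documentation prefix 2001:db8::/32), not the
# thread's real addresses. WAN_ADDRESS stands for the /128 DHCPv6 assigns to
# the WAN interface; DELEGATED_PREFIX stands for what DHCPv6-PD hands over.
WAN_ADDRESS = "2001:db8:1000::e019:13d5:a07b:d7ca/128"
DELEGATED_PREFIX = "2001:db8:5b86::/56"


def address_count(prefix_len: int) -> int:
    """Number of addresses a prefix of this length can hold.

    /64 leaves 64 host bits; /128 leaves none, so it holds exactly one
    address, which is why a /128 cannot be used as a routed subnet.
    """
    if not 0 <= prefix_len <= 128:
        raise ValueError("IPv6 prefix length must be between 0 and 128")
    return 2 ** (128 - prefix_len)


def plan_delegation(delegated: str, sub_len: int = 64) -> dict:
    """Split a delegated prefix into sub_len networks.

    The first sub-network is what the router keeps for its own LAN; the rest
    are what it can assign to further VLANs or delegate to routers below it.
    A bare /64 yields one LAN prefix and nothing left to delegate.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if sub_len < pd.prefixlen:
        raise ValueError(f"cannot carve /{sub_len} networks out of /{pd.prefixlen}")
    subnets = list(pd.subnets(new_prefix=sub_len))
    return {"lan": subnets[0], "delegatable": subnets[1:]}


def inside_delegation(address: str, delegated: str) -> bool:
    """True if an interface address (with or without /len) lies inside the delegated prefix.

    The WAN address handed out by DHCPv6 is expected to be outside the PD
    range; LAN hosts are expected to be inside it.
    """
    iface = ipaddress.IPv6Interface(address)
    return iface.ip in ipaddress.IPv6Network(delegated, strict=True)


if __name__ == "__main__":
    plan = plan_delegation(DELEGATED_PREFIX)
    print(f"LAN prefix: {plan['lan']}; "
          f"{len(plan['delegatable'])} /64s left for VLANs or downstream routers")
    only64 = plan_delegation("2001:db8:5b86::/64")
    print(f"With only a /64: {len(only64['delegatable'])} prefixes left to delegate")
    print("WAN address inside the PD range:",
          inside_delegation(WAN_ADDRESS, DELEGATED_PREFIX))
    print("Addresses a /128 can hold:", address_count(128))
```

Running it with the constructed /56 shows one /64 kept for the LAN and 255 left over, while the /64 case leaves zero, which is the situation the thread describes when the main router only hands pfSense a single /64.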
