Netgate Discussion Forum

    pfSense as IPv6 client

    • michaelpietzsch @JKnott

      @JKnott VLAN3000 is, in this case, a regular local network that has a port forwarding on an IPv4 basis to make the OpenVPN accessible

      • JKnott @michaelpietzsch

        @michaelpietzsch

        This has nothing to do with IPv4. It depends on what pfSense gets. If it receives the PD, then it can provide the prefix to the LAN. However, with that router in the way, it gets the prefix and will assign it only to its own interfaces and not pass it on to pfSense.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • michaelpietzsch

          So basically there is a "WAN" type interface with IPv6 that is expecting to receive PD... and LAN type interfaces aren't

          • JKnott @michaelpietzsch

            @michaelpietzsch

            The LAN type interfaces cannot PROVIDE it. About the only place the PD is used is for an ISP to provision a customer, without having to configure anything. Elsewhere either manual configuration or routing protocols, such as OSPF, would be used to manage this.

            • michaelpietzsch

              Okay, I understood? Any ideas on how to provide my client a dual stack VPN connection with this setup?

              • JKnott @michaelpietzsch

                @michaelpietzsch

                Well, do you need that main router? If you get rid of it, then pfSense receives the PD and can pass it on to the LAN side.

                • Hikari

                  IPv6 is much more complex than IPv4.

                  First, IPv6 has nothing to do with IPv4. They are completely independent. Forget about IPv4 when u're trying to make IPv6 work.

                  When connected to ISP link, a router receives 2 distinct things: its own IPv6 address, which is the address of its WAN port, and an IPv6 global prefix delegation. Its WAN's IPv6 address is outside PD range.

                  For example, on my router:
                  IPv6: 2804:xxxx:658b:1000:e019:13d5:a07b:d7ca/128
                  IPv6-PD: 2804:xxxx:658b:5b86::/64

                  With the global prefix, a router is capable of providing IPv6 addresses inside that prefix range for all devices on its LAN. Don't forget it, router's LAN port has an address inside PD's range, while its WAN's address is outside of it.

                  If the router receives a /64 global prefix, all it's capable of doing is to provide IPv6 addresses for all devices on its LAN, and u're unable to have another router below it or have multiple VLANs. For example, one of my PC addresses: 2804:xxxx:658b:5b86::17

                  If the router receives a global prefix bigger than /64, it will be able to do 2 things:

                  1. As before, provide IPv6 addresses for all devices on its LAN. IDK the details of how pfSense does it, but addresses it provides should be inside the first /64. In the example, that's 2804:xxxx:658b:5b86::0

                  2. Taking out this first /64 prefix, that it uses on its LAN, provide n-1 prefixes for any router below it that would request one. The router can either be configured for the size of the prefix it will delegate, or the below router can suggest a prefix size on its request, and the main router may follow that request or ignore it and follow its config.

                  Prefixes are also used to setup multiple VLANs, VPNs, etc.

                  If u have a router below another router, I guess u need them both or are forced to. You must first properly configure the main router's prefix delegation.

                  Usually, any router with proper support for IPv6, in its default config, will request a PD on its WAN's network. If that network's router has prefixes available and prefix delegation enabled, it will respond to the request, delegating some prefix.

                  The easiest way to test if your router is requesting and is capable of receiving one, is plug it on any ISP modem which has been connected to a router that is receiving a PD. If that router was receiving it properly and yours doesn't, then your router has some issue. If it receives, then you know that main router isn't providing a PD.

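The prefix split described in the post above, worked through with Python's `ipaddress` module. This is an added example, not code from any poster or from pfSense. The function name `plan_prefix` is hypothetical, the addresses are constructed from the 2001:db8::/32 documentation range, and the "first /64 goes to the LAN" rule follows the post rather than confirmed pfSense behaviour.

```python
import ipaddress
from itertools import islice


def plan_prefix(delegated, wan_addr, downstream_len=64, show=3):
    """Split a delegated prefix: first /64 for the LAN, the rest for routers below.

    delegated      -- prefix received via DHCPv6-PD, e.g. "2001:db8:1:100::/56"
    wan_addr       -- address on the WAN port, e.g. "2001:db8:0:1::5/128"
    downstream_len -- prefix length handed to a downstream router (assumed policy)
    """
    pd = ipaddress.IPv6Network(delegated)
    wan = ipaddress.IPv6Interface(wan_addr)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is longer than /64; no LAN can be numbered from it")
    if not pd.prefixlen <= downstream_len <= 64:
        raise ValueError("downstream length must lie between the PD length and 64")

    # The LAN takes the first /64 of the delegation.
    lan = next(pd.subnets(new_prefix=64))
    # Anything overlapping the LAN /64 cannot be delegated further down.
    free = (n for n in pd.subnets(new_prefix=downstream_len) if not n.overlaps(lan))
    return {
        "lan": str(lan),
        "wan_inside_pd": wan.ip in pd,
        "lan_sized_subnets": 2 ** (64 - pd.prefixlen),
        "downstream_available": 2 ** (downstream_len - pd.prefixlen) - 1,
        "downstream_sample": [str(n) for n in islice(free, show)],
    }


if __name__ == "__main__":
    # Constructed sample values (documentation prefix, not the poster's addresses).
    wan = "2001:db8:658b:1000:e019:13d5:a07b:d7ca/128"
    for pd, length in (("2001:db8:658b:5b86::/64", 64),
                       ("2001:db8:658b:5b00::/56", 60)):
        print(pd, plan_prefix(pd, wan, downstream_len=length))
```

With a /64 delegation the plan leaves nothing to hand to a router below, which is the situation the thread starts from.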
                  • JKnott @Hikari

                    @Hikari said in pfSense as IPv6 client:

                    IPv6: 2804:xxxx:658b:1000:e019:13d5:a07b:d7ca/128

                    That WAN address is not used for routing. A link-local address is often used. That /128 prefix indicates it cannot be used for routing as it allows only 1 address and routing requires at least 2. It can be used for things like testing, VPNs, ssh to pfSense, etc.

                    • Hikari

                      It's not a prefix, it's a full address. It's equivalent to the public IPv4 we receive from ISP and we're seen as on Internet.

                      I showed it to note that it's under prefix 2804:xxxx:658b:1000 while the /64 global prefix I receive is 2804:xxxx:658b:5b86::

                      IDK if that address has any relation to WAN's MAC.

                      As a comparison, my router as LAN default gateway is 192.168.xxx.1 on IPv4 and fe80::xxxx:a8ff:fe5d:79d on IPv6.

                      • JKnott @Hikari

                        @Hikari

                        The /x indicates the prefix length. Your LAN gets a /64 prefix, which means 64 bits for the network address, leaving 64 for the device within the LAN. A /128 means the entire 128 bits is prefix leaving no bits for more than 1 device. I doubt it would have anything to do with the MAC, as it's assigned by DHCP. If it was MAC based, it would be obvious. Your LAN gateway demonstrates the link local address is used, not a public address.
