Verizon Fios and IPV6, Which Settings Work?

MikeV7896

I do, but only because I didn’t want the lack of an interface address to slow everything else down. It wasn’t giving me an address on WAN with that option unchecked.

MikeV7896

I've since gone back and unchecked the "Use IPv4 as parent interface" option and things still seem to work. I slogged through the whole DSLR thread and found someone else with pfSense and IPv6 on Fios, and they also had to check the "Request only an IPv6 Prefix"... so that appears to be necessary. No big deal really... if I want to ping from the outside, I just need to allow ICMP Echo Requests to my LAN (or set up an interface with a prefix ID and just use it for that purpose).

Hopefully it won't cause issues when my ACME cert comes up for renewal... but that's set to use DNS, so it shouldn't be a problem.

Paint

It does not seem like FiOS in NYC (Manhattan) has IPV6 yet.

However, I know IPV6 is supported by FiOS in other places in the Tri-State area.

Anyone in NYC have any luck getting IPV6 working with FiOS (besides with a HE.NET tunnel)?

MikeV7896

The only places I'm aware of it being available so far are select areas in Northern and Central VA (areas served by five different Verizon central offices have been confirmed) and Waltham MA (where a Verizon Technology Development Center is - or at least was - located).

But determining what areas it might be available in is kind-of off topic for here since that's not directly pfSense-related. The settings to make it work are above, and there's also a script you can set up to detect when Verizon is sending out IPv6 router advertisements in your area.
https://forum.netgate.com/topic/137478/fios-users-waiting-for-ipv6-script-to-let-you-know-when-it-s-ready

There's a topic over in the FiOS forum on DSLReports that might be a better place for tracking availability. Don't feel the need to read all 2 years worth of posts... the most current list is within the last two pages (and was just quoted by someone on the last page).
https://www.dslreports.com/forum/r32136440-Networking-IPv6-working

MikeV7896

Just wanted to note, for any Fios customers that might be following this... over on DSLR, a user with a business account in Maryland posted that on or after January 10 2022, they would have IPv6 available. So it looks like wider availability might be coming soon. It also appears that business service will be getting a /56, just as I've been getting with my residential service.

Edit to add: Another user in another state also received the email, but with a date in February, so this may be a regional rollout over a longer period of time.

jeremy.duncan

I am also in Northern Virginia (Lorton) waiting for FiOS to upgrade their nodes for IPv6. I have heard about Ashburn/Leesburg people getting it. I got notice for Jan 2022, then Feb, then March... still nothing. I have an HE.net tunnel in the meantime - funny thing is if you use the newest FIOS Router, it block 6in4 tunnel traffic. I just removed it totally and terminated FIOS directly on my opnsense firewall. Still not seeing any RAs or DHCPv6 responses. One day maybe...

mattlach

This post is deleted!

mattlach

@jknott said in Verizon Fios and IPV6, Which Settings Work?:

@virgiliomi

I saw the same thing when my ISP was getting ready to provide IPv6.
They also initially provided a single /64, but later a /56.

Honestly, I am a little ambivalent about moving to IPV6.

I started this thread as I want to be prepared when the time comes I have to make the transition, but honestly, I think the standard is awful.

IPV4 address exhaustion is a real problem, but they solved it in the worst possible way going totally overkill on the address space (we don't need enough IP addresses for every atom on planet earth to have its own) and making it not user friendly.

The IETF literally could not have done a worse job if they had tried.

We went from an easy to understand four block format with regular numbers, to a nasty 128bit hexadecimal system with odd colon based abbreviations which is not intuitive in the slightest and makes it very difficult to memorize IP addresses.

That, and the insistence on making the internet all 1:1 is annoying. I LIKE having a segregated local network behind a single IP address that NAT provides me. I may still try to use NAT66, even though I understand it is "not recommended".

They should have just added another 8bit block to IPV4 making it 40bit, and providing over 1 trillion addresses, and just called it a day. That would still have been ~140 addresses per person on the planet. If we taper off at about 11B people on earth as most scientists predict, that would be enough for ~100 addresses per person, way more than enough.

I'm not exactly excited about IPV6. If I could I'd send it back to the drawing board. It is amazing to me this nonsense ever got approved and adopted.

I'm not looking forward to having to rewrite all of my complicated firewall rules again.

Seriously, IPV6 makes me want to stab people.

JKnott

@mattlach

All these "fixes" on IPv4 are just hacks that often cause other problems. One reason for such a large address space is to ensure we don't run out for a VERY long time. There are other changes that enhance router performance and security. Given other issues with IPv4, a clean break was needed. Incidentally, that internet all 1:1 is the way IPv4 was supposed to work originally. NAT broke that, along with a few other things. You can still have private (ULA) addresses, in addition to global ones. Also, with IPv6, you only have one size local network, that is /64. IPv4 used to be the same originally, but classes were introduced to provide more networks and then CIDR to provide even more, but there still are nowhere near enough.

With the portion of IPv6 addresses allocated to global addresses, there are only enough to give each person on earth a bit over 4000 /48s.

SirSilentBob

May 2022 - Hampton Roads, Virginia has IPv6 connectivity with Verizon FIOS!

(I am not sure how long ago this became available, but I started messing with it after midnight on May 7th and by 1am had it working. I guess not TOO bad for my first time having native IPv6 and not a tunnel.)

I wanted to thank @MikeV7896 for the info summary, as well as others who contributed info to use for configuring pfSense to work with FIOS and get IPv6 connectivity. A friend of mine in the neighborhood is also in the process of configuring his freebsd firewall/router to get going on IPv6.

Just wondering, what additional firewall options (if any) are any of you using, who have IPv6 on Verizon FIOS? All I currently have is the "Default allow LAN IPv6 to any" rule.

I have not set up any of the stuff to let ICMP through to IPv6 hosts or anything like that. I have seen that supposedly you can have issues if you don't allow those, but so far I have not had any problems.

MikeV7896

@sirsilentbob said in Verizon Fios and IPV6, Which Settings Work?:

May 2022 - Hampton Roads, Virginia has IPv6 connectivity with Verizon FIOS!

(I am not sure how long ago this became available, but I started messing with it after midnight on May 7th and by 1am had it working. I guess not TOO bad for my first time having native IPv6 and not a tunnel.)

I wanted to thank @MikeV7896 for the info summary, as well as others who contributed info to use for configuring pfSense to work with FIOS and get IPv6 connectivity. A friend of mine in the neighborhood is also in the process of configuring his freebsd firewall/router to get going on IPv6.

Just wondering, what additional firewall options (if any) are any of you using, who have IPv6 on Verizon FIOS? All I currently have is the "Default allow LAN IPv6 to any" rule.

I have not set up any of the stuff to let ICMP through to IPv6 hosts or anything like that. I have seen that supposedly you can have issues if you don't allow those, but so far I have not had any problems.

I believe pfSense allows through the ICMP traffic that needs to be allowed through behind the scenes. It is very specific packet types, so not everything is allowed.

I actually use a single rule to allow both IPv4 and v6, rather than two separate rules. Nothing else special though.

Glad to hear another user in SE VA has it now... over on DSLR, there had been one report from Yorktown, but that was it. If you want to have your location added to the list I'm keeping, post over there with the info I ask for in my posts on page 48 of the thread. Anonymous posting is allowed there if you don't want to register.

jeremy.duncan

@sirsilentbob can you share your WAN configuration? that allows for this? I have a deployment in Chesapeake and have DHCPv6-PD configured for a /56 prefix but I am not seeing anything.

MikeV7896

@jeremy-duncan it should be noted that Verizon’s rollout of IPv6 is very limited at this point. They’ve only recently expanded it in parts of Maryland and Virginia, and the rollout is on a CO-by-CO basis. They seemed to pick a few CO’s around Baltimore and a couple in Newport News/Hampton area as their current wave. I think it’s a test of expansion, and we’ll see further ramping up of things in coming weeks. The current expansion happened about two weeks ago now, and there didn’t seem to be anything new last week so they may be just looking at things to make sure everything’s working properly before moving forward again.

SirSilentBob

@mikev7896 I will try to remember to do that soon!

SirSilentBob

@jeremy-duncan Sure! Basically exactly what Mike shared, let me know if there is anything else more specific you need (photos). I am honestly not fully understanding why the WAN interface is getting an IPv6 "link local" address (FE80) but the actual address is showing on the LAN interface. I have had an interest in IPv6 for probably 10, 12-ish years, and it just looked so... intimidating that I didn't start looking into and messing with it till now. Still much to learn, I am sure.

@MikeV7896 A weird thing I had happen since I got this working, I attempted to duplicate the IPv6 settings on additional LANs, not just my primary one, except of course under "Track IPv6 Interface" I put a different IPv6 prefix ID. My primary I used 0, on two more I used 1 and 2. Doing that, I appeared to get IPv6 IPs on those additional LAN segments, but I lost all IPv6 connectivity and everything fell back to IPv4. I saved my config files of course, and just rolled back to how it was with just one LAN configured for IPv6 and then IPv6 began working again. I would expect that there's plenty of IPv6 IPs to provide to other LAN segments, but something escapes me on that. I'm good with just the one LAN having IPv6, but I had hoped that I could allow my RIPE Atlas Probe (which is on an un-filtered network, it needs unrestricted internet access for the measurements it does) to get IPv6 access. Maybe some other time I can try to figure out why other lans kills all IPv6.

SirSilentBob

@MikeV7896 I've submitted as detailed info to you as I can over at DSLR. (I think it needed mod approval) I've done some searching on the subject of taking an isp /56 and being able to put a /64 on each LAN segment. There's tons of reddit posts on it, and like 1 or two here on the Netgate forums. Tracking interface to WAN on each LAN and changing the prefix ID does indeed seem to be the way to do it, but I am seeing posts from a lot of others who are having the same issue, where it just doesn't work, and no resolution. I DID notice that if I check Advanced Configuration that there is a prefix interface drop-down, and only a single LAN is selectable. Maybe only one LAN can get the prefix delegation? Idk, I'll dig into this more I guess.

I don't think this is an issue that is specific to Verizon FIOS, as I see many others failing to take a isp /56 and cut it down to multiple /64's on multiple LANs. So, I'll just settle with moving my Atlas Probe that you noticed show up near City Center on the map off it's own LAN onto the one which is getting IPv6 without issues.

@jeremy-duncan Have you had success with your Chesapeake FIOS deployment, or is it still just a tiny bit out of reach of IPv6 for the moment?

MikeV7896

@sirsilentbob Just wanted to note that I've had no problem taking my /56 and dividing into multiple /64's... I have addresses from four different /64's in use on my pfSense box... my primary LAN, a "test" LAN for a WiFi mesh product I've been testing, an "ATLAS" network for just my probe, and a virtual IP for my WAN interface, and all are working without issue. I don't allow much communication between the networks, (primary LAN can get to everything else, but test and atlas can't get to anything but internet) but everything is working fine on all three, both IPv4 and IPv6.

I'll try and grab some screenshots of my settings over the weekend, but it sounds like your settings are right, so not sure why it would work on one but not others.

jeremy.duncan

@sirsilentbob i'm still waiting to see some IPv6 router advertisements or them to respond to my DHCPv6 solicits. Either way, my IPv6 is limited to a hurricane electric tunnel until then...

JKnott

@jeremy-duncan

Router advertisements should happen frequently. Take a packet capture of the DHCPv6 sequence.

To do that:

Shutdown pfsense and unplug WAN cable.
Reboot pfsense and start Packet Capture, filtering on DHCPv6.
Reconnect WAN cable.
After a couple of minutes, download packet capture and examine with Wireshark.

jeremy.duncan

@jknott way ahead of you i am doing a tcpdump on the external interface... bupkiss. just my DHCPv6 solicits

tcpdump -ni lagg0_vlan2 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lagg0_vlan2, link-type EN10MB (Ethernet), capture size 262144 bytes

16:11:02.856512 IP6 fe80::eef4:bbff:fed3:a3e8.546 > ff02::1:2.547: dhcp6 solicit
16:11:59.768654 IP6 fe80::eef4:bbff:fec1:d2e8.546 > ff02::1:2.547: dhcp6 solicit
16:13:14.636935 IP6 fe80::eef4:bbff:fed3:a3e8.546 > ff02::1:2.547: dhcp6 solicit
16:14:02.094810 IP6 fe80::eef4:bbff:fec1:d2e8.546 > ff02::1:2.547: dhcp6 solicit

jeremy.duncan

@jknott i also force router solicitations..

16:17:57.834172 IP6 fe80::eef4:bbff:fed3:a3e8 > ff02::2: ICMP6, router solicitation, length 16
16:18:01.846522 IP6 fe80::eef4:bbff:fed3:a3e8 > ff02::2: ICMP6, router solicitation, length 16
16:18:05.848481 IP6 fe80::eef4:bbff:fed3:a3e8 > ff02::2: ICMP6, router solicitation, length 16

MikeV7896

@jeremy-duncan Guessing it's just not on in Chesapeake yet then... the only reports from other DSLR users have been Newport News and Yorktown so far... nothing from Norfolk/Chesapeake/VA Beach.

jeremy.duncan

@mikev7896 understood thanks

SirSilentBob

@MikeV7896 Thank you! I'd greatly appreciate it. From what you are saying, it sounds like you are maybe using an on-board NIC for one of your connections and you have four LANs, maybe with a four-port NIC? I am using a 4-port intel gigabit card, and disabled my on-board NIC so I've just got 1 WAN and three LANs. But I'm looking to do a similar setup, a primary lan, a "spare/experimentation" lan and a Atlas Probe lan.

@jeremy-duncan Sorry it isn't working yet for you. Maybe once Verizon finishes up with rolling it out in Newport News & Hampton then they'll migrate over to the southside and start deploying it there...

MikeV7896

@sirsilentbob

My pfSense box has a SuperMicro motherboard with five onboard NICs... one is OS-accessible but is also shared with the built-in out-of-band management firmware (which I don't use and have disabled in the BIOS), the other four are all dedicated Intel Gigabit NICs. One WAN, 3 LAN. Main LAN connects to a switch for everything else, LAN2 connects to the mesh router, and ATLAS connects directly to the device my Atlas probe is running on.

Our WAN settings vary a little, but I don't think the variances are significant to where your LANs would be affected.

LAN settings, well... there's not much there. I will admit that I'm not using prefix 0 though... LAN = 10, LAN2 = 20, ATLAS = 50...

I did look at the advanced DHCP6 config on my WAN interface (since I didn't see any advanced options on my LANs) and I did see this...

Though I don't have advanced configuration checked normally, and none of the other options in that section are enabled or filled out. WAN was selected by default.

SirSilentBob

@mikev7896 Hmm, thanks for sharing. Your drop-down prefix interface being set to WAN is quite interesting to me, I'll try duplicating that! I'll try changing some things when everyone is asleep and won't miss the internet. Also I'll try changing the LAN prefixes from single digit (0, 1 & 2) to double digit ones too.

Could you share how you have your Router Advertisements / Router Mode set, if you get a chance, please? Just wondering if that is a hang-up.

Thanks again!

MikeV7896

@sirsilentbob My RA router mode setting is Unmanaged. I let SLAAC and RDNSS do its thing, and I've had no issues with any device.

JKnott

@jeremy-duncan

Do they even support IPv6?

JKnott

@mikev7896

It doesn't matter which prefix ID you use, so long as they're unique for each interface. I don't use advanced IPv6 settings.

MikeV7896

@jknott they’re beginning to roll it out on a larger scale. Over the past couple of weeks, reports of IPv6 now being available have come in from five areas near Baltimore MD and three in VA. A business account in NY (don’t remember where in the state) received an email that it should be rolling out up there in June.

SirSilentBob

@MikeV7896 Thanks for your gracious help and sharing of config info.

Unfortunately I guess at this time I think all I can do is go back to my "wrong" configuration that is only allowing IPv6 on a single LAN. I've pretty much duplicated your setup exactly, but it isn't working, WAN_DHCP6 just stays in a Pending state. I checked the box to start DHCP6 client in debug mode, the only "hint" I have is this below log entry, and a search on that missing dhcp6cctlkey file has been fruitless, and even found posts saying that error is unimportant. It must have some sort of importance though, because my config that gives a single LAN IPv6 (when the prefix interface is set to that LAN and not WAN) does not generate that error. I'm just not sure why I can't get it to work on all LAN interfaces.

May 14 13:30:57	dhcp6c	29013	skip opening control port
May 14 13:30:57	dhcp6c	29013	failed initialize control message authentication
May 14 13:30:57	dhcp6c	29013	failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory

If anyone has any thoughts or things to try, I am open to suggestions...

Edit: Something else I am seeing, the Service Status for RADVD disappears from the dashboard too but according to the command line it is still running? I have a backup I can roll back to though that should get me back to a single LAN with IPv6. Just changing the settings back doesn't restore connectivity, so something is sticking somewhere... I might save another config file to compare differences between files and then restore to the working single-lan config.

SirSilentBob

Well after a few resets, and messing around with configurations, IPv6 just "started working" on a second LAN... I can't claim to understand what change allowed it, but it works now, so hopefully it will continue to do so.

Hopefully over time my knowledge of IPv6 and the process of setting up routers will improve and this will be easier for those who come to use it after us!

Thanks @MikeV7896 !

MikeV7896

Something of note that has been discovered...

It appears that the Alcatel-Lucent ONTs that Verizon provides have firmware that is mangling IPv6 packets by adding additional data after the packet checksum, and Intel wired NICs with hardware checksum offloading are being negatively affected by this (only Intel NICs have been identified as being affected by this issue so far). While the issue has been discovered with other routers (especially Verizon's own G1100 router) and Intel NICs on Windows PCs, it sounds like this could affect pfSense routers where an Intel NIC is used for your WAN connection AND you have hardware checksum offloading enabled.

I personally have always had it disabled... when I started using pfSense, I had seen some articles or posts about problems with it being enabled for some NICs, so I just never chanced it and kept it turned off (I don't remember exactly, but it might've been that I started using pfSense on a PC with Realtek NICs, and just left it disabled after moving my hardware over to Intel NICs). I have not tried enabling the setting to see if things break.

So if you have an Intel NIC for your WAN AND you're experiencing problems with IPv6 connectivity, you might want to try disabling the Hardware Checksum Offload setting in System > Advanced > Networking. My understanding is that it's only the checksum offloading that needs to be disabled... the other hardware offload settings should be fine.

As I've mentioned before also... IPv6 is still very much being rolled out throughout the Fios service areas (still currently only in DC/MD/VA). So you might want to leave your hardware checksum offloading enabled until you know IPv6 is available in your area, then see if it affects your ability to connect via IPv6 or not.

mattlach

@mikev7896 said in Verizon Fios and IPV6, Which Settings Work?:

Something of note that has been discovered...

It appears that the Alcatel-Lucent ONTs that Verizon provides have firmware that is mangling IPv6 packets by adding additional data after the packet checksum, and Intel wired NICs with hardware checksum offloading are being negatively affected by this (only Intel NICs have been identified as being affected by this issue so far). While the issue has been discovered with other routers (especially Verizon's own G1100 router) and Intel NICs on Windows PCs, it sounds like this could affect pfSense routers where an Intel NIC is used for your WAN connection AND you have hardware checksum offloading enabled.

I personally have always had it disabled... when I started using pfSense, I had seen some articles or posts about problems with it being enabled for some NICs, so I just never chanced it and kept it turned off (I don't remember exactly, but it might've been that I started using pfSense on a PC with Realtek NICs, and just left it disabled after moving my hardware over to Intel NICs). I have not tried enabling the setting to see if things break.

So if you have an Intel NIC for your WAN AND you're experiencing problems with IPv6 connectivity, you might want to try disabling the Hardware Checksum Offload setting in System > Advanced > Networking. My understanding is that it's only the checksum offloading that needs to be disabled... the other hardware offload settings should be fine.

As I've mentioned before also... IPv6 is still very much being rolled out throughout the Fios service areas (still currently only in DC/MD/VA). So you might want to leave your hardware checksum offloading enabled until you know IPv6 is available in your area, then see if it affects your ability to connect via IPv6 or not.

Sounds like Verizon is up to its evil non-removable fingerprinting of users again in order to data mine them.

At some point collection use of user data HAS TO be made illegal. It's an outright assault on peoples right to privacy.

MikeV7896

@mattlach It's not only a Verizon issue... The first item I read about the issue was in the Intel community and was from a user of a fiber service in Canada... no Verizon there. They have an Alcatel-Lucent ONT though.

SirSilentBob

@mikev7896 said in Verizon Fios and IPV6, Which Settings Work?:

@mattlach It's not only a Verizon issue... The first item I read about the issue was in the Intel community and was from a user of a fiber service in Canada... no Verizon there. They have an Alcatel-Lucent ONT though.

Mike, I'm curious, how are your other offloading settings configured?

I checked mine, and apparently I have hardware checksum offloading enabled. I checked what ONT I have, and I believe it was installed in mid-late 2011. Going by the ONT S/N, which the first 4 characters are T0211, I'm assuming that means it was made in February of 2011. The ONT I have is a Motorola DBBU-1238 Firmware rev. C (This might just be the model number of the in-door unit with battery and power supply though.) Assuming the outside guts are also Motorola, then I guess this old Motorola unit doesn't have the IPv6 bug. (Frankly I'm amazed that Motorola seems to have passed on an opportunity for a bug/deficiency!)

So I guess this can be a confirmation that this particular Motorola ONT doesn't have the same issue.

Here's my settings, just curious how they compare to what you are running:

SirSilentBob

I have sent a local friend of mine a message to check what ONT he has, he's on the same street and CO as me, so he should have IPv6 but it's just not working. If he's got an Alcatel/Lucent unit then he'll just have to figure out how to disable hardware checksum offloading in BSD and try again, as I'm 99% sure he's got a quad intel gigabit card like I'm running. If disabling that makes it work, I'll see if I can get him to provide the info on his ONT so it can be confirmed as a "bugged" one if anyone is keeping track.

MikeV7896

@sirsilentbob said in Verizon Fios and IPV6, Which Settings Work?:

Here's my settings, just curious how they compare to what you are running:

I have all of the hardware offloading settings disabled. I'm guessing my CPU is powerful enough to handle everything, because with gigabit service I can still get full 940 Mbps results on speed tests.

As far as the ONT tracking, I think that's a bit outside of the scope of this community. The original issue has only been mentioned as happening with the Alcatel-Lucent ONTs, and I don't believe there have been any reports of other ONTs having a similar issue.

kohenkatz

@sirsilentbob said in Verizon Fios and IPV6, Which Settings Work?:

this old Motorola unit

Since the beginning of FiOS rollouts, Verizon has used at least 24 different Motorola ONT models, 11 Tellabs models, and 14 Alcatel models. Of those, all the Tellabs models and 10 of the Motorola models were using a technology (BPON) that Verizon no longer uses. DSLReports has a list. As far as I can tell, the Motorola units have never exhibited this IPv6 issue.

nolaquen

For the folks that have had IPv6 up and running for a while, has anyone had the /56 prefix change on them? It just went active for me this week, and curious how much effort I need to put into insulating my configuration (to the extent I can) from WAN prefix changes.

For IPv4, the only time in recent memory that it changed was actually this week when it went down and the link came back up with IPv6. Prior to that, it was consistent through power outages, equipment poweroffs, etc.