No LAN IPv6 address with Track Interface on WAN
-
I've the same problem as a few other posters on this forum with my LAN interface not getting an IPv6 address when it's set to track the WAN interface.
My ISP provided modem is allocating IPv6 addresses via DHCP and my WAN interface is correctly acquiring one as is any other machine directly connected to the modem. The LAN interface did also acquire a public IPv6 address up until yesterday at which point it disappeared and hours of trial and error have not managed to get it back (including a restore of the pfsense configuration I took once I had it working correctly 11 days ago).
My pfSense version is: 2.4.5-RELEASE-p1 (amd64)
I've seen some tips about doing a packet capture on the link between the modem and the WAN to check the DHCPv6 packets. What sort of things would I look for? When the LAN gets set to track the WAN interface does that mean it's DHCPv6 request gets "passed through" to the modem? I did read the docs but wasn't able to grasp what the "Track Interface" mechanism does.
I don't know how relevant it is but here is the Interface section from my config:
<wan> <enable></enable> <if>em0</if> <descr><![CDATA[WAN]]></descr> <spoofmac></spoofmac> <ipaddr>192.168.0.2</ipaddr> <subnet>24</subnet> <gateway>WANGW</gateway> <ipaddrv6>dhcp6</ipaddrv6> <dhcp6-duid></dhcp6-duid> <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len> <adv_dhcp6_prefix_selected_interface>wan</adv_dhcp6_prefix_selected_interface> </wan> <lan> <enable></enable> <if>em1</if> <descr><![CDATA[LAN]]></descr> <spoofmac></spoofmac> <ipaddr>192.168.11.2</ipaddr> <subnet>24</subnet> <ipaddrv6>track6</ipaddrv6> <track6-interface>wan</track6-interface> <track6-prefix-id>0</track6-prefix-id> </lan> ... </interface> -
A couple of points. First off, if it was working and then stopped, with nothing else changed, then it could be a problem with the ISP, as I had last year. Also, you don't even need a WAN IPv6 address, other than link local. With DHCPv6-PD, it provides a LAN prefix that's completely unrelated to the WAN.
What I did is I used a managed switch as a data tap and captured the DHCPv6 packets as pfSense booted up. With that, I was able to spot a problem with my ISP, though it took a lot of effort to prove it to them, as described in other threads. If you want, I can provide a capture of the full DHCPv6 sequence.
-
Thx for the tips!
Also, you don't even need a WAN IPv6 address, other than link local. With DHCPv6-PD, it provides a LAN prefix that's completely unrelated to the WAN.
But in order to have the LAN interface track the WAN interface the WAN has to have an IPv6 address option set. If I change the WAN IPv6 to "None" it can't be tracked. Or do you mean I should change it to "Static" and assign an arbitrary link local address?
If you want, I can provide a capture of the full DHCPv6 sequence.
If it's not too much trouble that would be very handy.
As an alternative to a the kind of data tap you mention couldn't I just run the capture from the pfSense unit itself and change the IPv6 DHCP settings to kick off the negotiation?
-
It's possible/likely I'm doing my IPv6 addressing completely wrong.
My modem has a DHCPv6 server with an address range of:
2a02:8084:xxxx:xxxx:/64
My pfSense WAN interface connects to my modem and I want the clients connected to the LAN interface to get IPv6 addresses in that range.
Is the correct approach?
-
Enable DHCPv6 on the WAN interface,
-
Enable IPv6 Track Interface - WAN on the LAN interface (this step is currently failing to get an IPv6 address assigned on the LAN interface),
-
Enable DHCPv6 relay on the WAN interface and set the "Destination Server" as the link local IPv6 address of my modem.
-
-
@azaclauson said in No LAN IPv6 address with Track Interface on WAN:
Thx for the tips!
Also, you don't even need a WAN IPv6 address, other than link local. With DHCPv6-PD, it provides a LAN prefix that's completely unrelated to the WAN.
But in order to have the LAN interface track the WAN interface the WAN has to have an IPv6 address option set. If I change the WAN IPv6 to "None" it can't be tracked. Or do you mean I should change it to "Static" and assign an arbitrary link local address?
Perhaps "track" is not the best choice of words there, as the WAN prefix has absolutely nothing to do with the LAN prefix. The WAN prefix is determined entirely by the DHCPv6-PD process. When you examine the sequence, you can read the assigned prefix.
If you want, I can provide a capture of the full DHCPv6 sequence.
If it's not too much trouble that would be very handy.
Attached.
As an alternative to a the kind of data tap you mention couldn't I just run the capture from the pfSense unit itself and change the IPv6 DHCP settings to kick off the negotiation?
It's a bit difficult to use Packet Capture, when you're rebooting pfSense. Those switches are cheap and there's no reason you couldn't use them for something else later.
-
Thx for the trace.
I did a packet capture from the pfSense diagnostics option and by comparing it to yours I think I found the problem. It looks like my ISP/modem doesn't support prefix delegation.
My next question is whether it's possible for pfSense to relay DHCPv6 requests to my modem but then still be able to route the traffic. I'll ask that as a separate question after I do a bit of research.
Update: This question https://forum.netgate.com/topic/154835/ipv6-dhcpv6-leases-not-being-assigned-on-pfsense-lan-network seems to be my exact problem. That means the answer is no, there is no way to have a IPv6 on my LAN without my modem supporting IPv6 prefix delegation...
The strange thing is that it did work at one point. I think what I did was set a static IPv6 on my LAN interface and enabled a DHCPv6 server on the LAN. I guess I just got lucky that the routing worked for a little while.
-
@azaclauson said in No LAN IPv6 address with Track Interface on WAN:
My modem has a DHCPv6 server with an address range of:
Perhaps you can clarify on this. Is your modem in gateway or bridge mode? You want bridge mode to work with pfSense (or any other router). With my modem, I get a single /64 in gateway mode, which cannot provide a prefix for the LAN. In bridge mode, I get a /56 prefix, which can be split into 256 /64s on the LAN side.
-
@azaclauson said in No LAN IPv6 address with Track Interface on WAN:
I did a packet capture from the pfSense diagnostics option and by comparing it to yours I think I found the problem. It looks like my ISP/modem doesn't support prefix delegation.
See my previous post. If you're getting address from the modem, and not from the ISP, then you're in gateway mode. You need bridge mode.
-
@JKnott said in No LAN IPv6 address with Track Interface on WAN:
See my previous post. If you're getting address from the modem, and not from the ISP, then you're in gateway mode. You need bridge mode.
It's in gateway mode as far as I can tell.
It's a pretty simple residential cable modem and there is no bridge option.
It does have a DHCPv6 server that is allocating addresses on a /64 prefix. Any machine that connects to the same LAN as the modem gets a public IPv6 address. But because the modem doesn't do prefix delegation then my understanding is there's no way to allocate public IPv6 addresses on the pfSense LAN.
-
@azaclauson said in No LAN IPv6 address with Track Interface on WAN:
It's in gateway mode as far as I can tell.
It's a pretty simple residential cable modem and there is no bridge option.If you post your ISP and modem model, someone may be able to advise on this. Or you could call support at your ISP. Also, DHCPv6 is normally not used on the LAN side. IPv6 generally uses SLAAC, where the router provides the prefix and the client adds the suffix. The suffix can be based on the MAC address or a random number. In addition, you will get a new privacy address every day, which lasts for a week.
-
If you post your ISP and modem model,
Virgin Media, Ireland (https://www.virginmedia.ie/)
Virgin Media Hub 3.0 device information
The information below shows current status of this Virgin Media Hub 3.0.
Standard specification compliant : DOCSIS 3.0
Hardware version : 5.01
Software version : CH7465LG-NCIP-6.12.18.26-3p7-1-NOSHI am going to contact my ISP and see if I can get a /56 IPv6 prefix.
IPv6 generally uses SLAAC, where the router provides the prefix and the client adds the suffix. T
After further experimentation and reading answers like this one, https://networkengineering.stackexchange.com/questions/30136/ipv6-is-it-possible-to-use-a-64-block-when-you-have-multiple-routers, it still seems like it's not possible to have pfSense further subnet a /64 address on the WAN such that clients on the LAN interface can use IPv6, whether they get an address from DHCPv6 or SLAAC.
What I found confusing on the pfSense GUI is when entering a static IPv6 address (and a few other places such as routing advertisements) the prefix can be set all the way down to /128. Almost everything I've read states that /64 is smallest the interface ID should be set.
I guess the ability to go smaller than /64 is for Unique Local Addresses (fc00::/7) rather than Global Unicast addresses.
-
@azaclauson said in No LAN IPv6 address with Track Interface on WAN:
it still seems like it's not possible to have pfSense further subnet a /64 address on the WAN such that clients on the LAN interface can use IPv6
You should be able to, but you can't use DHCPv6-PD to provide it. You have to manually configure routing to do it.
-
You should be able to, but you can't use DHCPv6-PD to provide it. You have to manually configure routing to do it.
I realise the manual set up would break as soon as my ISP assigned my modem a different IPv6 address but as an exercise I tried to set up the manual routing. I failed to get a usable IPv6 address on my machine. The steps I took were:
-
The DHCP range allocated to my cable modem from my ISP is:
2a02:8084:6981:7880::/64 -
On the pfSense WAN interface that's connected to the modem I set a static IPv6 of:
2a02:8084:6981:7880:2e0:67ff:fe09:9b10/80. I'm able to ping a public Internet address.
: ping6 -S 2a02:8084:6981:7880:2e0:67ff:fe09:9b10 2606:db00:0:62b::2 PING6(56=40+8+8 bytes) 2a02:8084:6981:7880:2e0:67ff:fe09:9b10 --> 2606:db00:0:62b::2 16 bytes from 2606:db00:0:62b::2, icmp_seq=0 hlim=116 time=137.717 ms- On the pfSense LAN interface I set a static IPv6 of
2a02:8084:6981:7880:2e1:67ff:fe09:9b11/80. I set the WAN interface link local address offe80::2e0:67ff:fe09:9b10as the LAN gateway address. I'm not able to ping a public Internet address.
: ping6 -S 2a02:8084:6981:7880:2e1:67ff:fe09:9b11 2606:db00:0:62b::2 PING6(56=40+8+8 bytes) 2a02:8084:6981:7880:2e1:67ff:fe09:9b11 --> 2606:db00:0:62b::2 ^C: netstat -rWn Routing tables Internet6: Destination Gateway Flags Use Mtu Netif Expire default fe80::362c:c4ff:febf:b8cb%em0 UG 642 1500 em0 ::1 link#5 UH 0 16384 lo0 2a02:8084:6981:7880::/64 link#1 U 6 1500 em0 2a02:8084:6981:7880:2e0::/80 link#1 U 0 1500 em0 2a02:8084:6981:7880:2e0:67ff:fe09:9b10 link#1 UHS 0 16384 lo0 2a02:8084:6981:7880:2e1::/80 link#2 U 0 1500 em1 2a02:8084:6981:7880:2e1:67ff:fe09:9b11 link#2 UHS 0 16384 lo0 fe80::2e0:67ff:fe09:9b10 fe80::2e0:67ff:fe09:9b10%em1 UGHS 0 1500 em1 fe80::362c:c4ff:febf:b8cb fe80::362c:c4ff:febf:b8cb%em0 UGHS 0 1500 em0 fe80::%em0/64 link#1 U 4870 1500 em0 fe80::2e0:67ff:fe09:9b10%em0 link#1 UHS 244 16384 lo0 fe80::%em1/64 link#2 U 4938 1500 em1 fe80::2e0:67ff:fe09:9b11%em1 link#2 UHS 793 16384 lo0 fe80::%lo0/64 link#5 U 0 16384 lo0 fe80::1%lo0 link#5 UHS 0 16384 lo0My thinking was that because the static IPv6 LAN address I've used is still within the modem's DHCPv6 range it should be routable but it doesn't seem to get past the modem.
-
-
@azaclauson said in No LAN IPv6 address with Track Interface on WAN:
I realise the manual set up would break as soon as my ISP assigned my modem a different IPv6 address but as an exercise I tried to set up the manual routing. I failed to get a usable IPv6 address on my machine. The steps I took were:
Have you got your modem in bridge mode yet? If not, you're wasting your time. It is possible to route /64s out of whatever prefix you get. I have done that here.
Once you're in bridge mode, you can choose 1 /64 for each interface. You can then route any size prefix through one of those interfaces to another router. In this respect, it's little different than IPv4.
-
Have you got your modem in bridge mode yet?
No and I doubt I ever will. The modem is extremely minimal and unless there's some hidden back door there is no option to switch to bridge mode.
If not, you're wasting your time. It is possible to route /64s out of whatever prefix you get.
Yes I understand that. No matter what I do on pfSense the routing table on the modem will always assume it's the last hop and will never be able to reach the pfSense LAN interface.
This also corresponds to my observations of setting a static IP address on the LAN interface and then on a my PC connected to it. Both within the same /64 the modem's DHCP range is using.
With this hacked together configuration, ICMP6 packets from my PC do get routed successfully to public hosts on the Internet BUT on the return journey they only get as far as the modem which rejects them.
I tried my luck with my ISP but as soon as I mentioned IPv6 prefixes in the chat that was the last I ever heard of them.
It's been a good exercise and thanks for all your pointers!
-
@azaclauson said in No LAN IPv6 address with Track Interface on WAN:
This also corresponds to my observations of setting a static IP address on the LAN interface and then on a my PC connected to it. Both within the same /64 the modem's DHCP range is using.
You can't do that. With IPv6, the LAN is supposed to be a /64 only. If you split it, you will break some things.
Why not call your ISP and see if they can put the modem into bridge mode or provide one that will. That's what I had to do years ago, with an earlier modem. These days I can switch it into bridge mode and restore gateway mode on my own. Are you allowed to buy your own? If all else fails, you can get a /48 over a tunnel from he.net.
-
You can't do that. With IPv6, the LAN is supposed to be a /64 only. If you split it, you will break some things.
That's what I'd read as well but a few posts above you mentioned it was possible to further subnet /64 with manually configured routing.
it still seems like it's not possible to have pfSense further subnet a /64 address on the WAN such that clients on the LAN interface can use IPv6
You should be able to, but you can't use DHCPv6-PD to provide it. You have to manually configure routing to do it.
The pfSense documentation also has an IPv6 Subnet Table which has prefix lengths > 64 bits.
Chasing my ISP will be fruitless. They are essentially a cable TV company who do everything they can to avoid support. I did take a look at the tunnel option and it should work but my goal was to have a seamless IPv6 experience. No extra dyndns etc.
I actually had another idea. The only reason I have separate WAN and LAN networks is for a firewall. If I switch to an Internal/External Bridge I should be able to use my modem's IPv6 DHCP server (which works well) and still keep my firewall.
-
https://www.boards.ie/ttfpost/108440018
Virgin Hub 3 has modem mode which is same as thing as bridge mode Modem only To have modem mode as an option you must be on a IPv4 address If you don't see modem mode listed your hub is using a Dslite IPv6 address You won't see modem mode when you are on a Dslite IPv6 address You can request virgin media to put your Hub on a IPv4 address to have access to modem mode Modem Mode you connect a Cat 5e or Cat 6 ethernet cable from a lan port on the hub to wan port on a different router All routing and wifi will be controlled by your own router -
@Bob-Dig thx. Any idea if getting Virgin to switch the modem back to IPv4 removes IPv6? It's IPv6 connectivity that I'd like to have working.
-
You can have other sizes for routing etc., but LANs require a /64. SLAAC depends on it.
