IPv6 Router behind router
-
Don't confuse the end point address with transit addresses. While the end point has to be GUA, the transit networks can be anything.
-
Ok, maybe back to the drawing board...
The WAN /56 Prefix:
IPv6 Address
fe80::2222:4444:ffff:dddd%em0
Gateway IPv6
fe80::bbbb:7777:ffff:7777
The LAN Track IP is:
IPv6 Address
2001:579:8144:1111:9999:bbbb:ffff:fxxx
Subnet mask IPv6
64
The DHCPv6 Delegation From:
2001:579:8144:1111::
To:
2001:579:8144:2222::
The USG WAN is getting:
2001:579:8144:1111::771 (obviously anonymized)
So,
What I need to do is add a static route (in pfSense) for the LAN, which won't distribute v6 addresses, to the GW address 2001:579:8144:1111::771... However, that is getting ahead of myself because the USG LAN won't dole out a single address on a stateless RA.
Any guesses of what I am obviously doing wrong here? Because ping6 on the usg wan doesn't have internet.
-
You have to plan how you want your network. Start with your /56 prefix and all the /64s. What I did was use 172.16.0.0 /16 for my IPv4 addresses. I then match the 3rd octet with the prefix ID for each local interface. So, my main LAN has 0 for the prefix ID and also the 3rd IPv4 octet. Then decide what you want on the downstream router. For example, how many /64s? Next you have to consider how that router is connected to pfsense. I used a separate transit network, with its own IPv4 and IPv6 prefixes, though you should also be able to just connect it to the main LAN or other interface. My transit network was on my 3rd Ethernet port. Once you have all the addresses figured out, you then have to specify the routes. This means for any address on the downstream router you have to provide a route from pfsense.
Here is what I have just set up on IPv4:
CISCO is the 4th Ethernet port on my Qotom computer. The two lines show the route to two networks on the Cisco router are reachable via gateway 192.168.37.0. Since this is a point to point connection, it has a /31 mask and the Cisco end is 192.168.37.1. This is my transit network to the Cisco router. I also have routing back from the Cisco to pfsense. However, I'm not familiar with your USG router, so I can't help with it. With this, I can ping from a computer (172.16.2.7) on the LAN side of my Cisco router to pfsense on 192.168.37.0.
Once you have IPv4 working, you can do IPv6 (I haven't yet this time, though I had done previously) using the same principles as with IPv4. Since I used 37 for my IPv4 transit network, I'd pick prefix ID 25 on IPv6 to be consistent with my pattern, though any other unused prefix could have been used. I could have also used ULA or link local addresses.
This is something I tossed together to demonstrate what you have to do to get started. I still have to do IPv6 and check the routing fully for IPv4.
Here's what routing looks like from the Cisco end:
Router>en
Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.2.0 is directly connected, FastEthernet0/0
192.168.37.0/31 is subnetted, 1 subnets
C 192.168.37.0 is directly connected, FastEthernet1/0
BTW, I have no idea why that 172.16.0.0 line is highlighted. It's not in the terminal app. I'm using Minicom on Linux.
-
@jknott IPv4 never has been a problem. It's just IPv6
-
If you have a /56, configuring the interfaces and routing is exactly the same process. The only difference is the address length. So, get what you want going with IPv4 and duplicate with IPv6, allowing for differences such as SLAAC instead of configuring addresses. As I mentioned, you may want to have the prefix ID match up with the IPv4 subnet to keep things consistent. Another example where I do that is with my guest WiFi/VLAN, where I use prefix ID 3, 3 in the 3rd octet, on VLAN 3. As you work through this and get stuck, I or someone else can offer advice. One other area to watch is in filter rules. Some you can use the same rule for both IPv4 and IPv6. Others, you need separate rules for each. So, plan your networks, do what you need in IPv4 and replicate in IPv6. That should get you started.
Here are some examples. Your /56 is aaaa:bbbb:cccc:1300:: to aaaa:bbbb:cccc:13ff:ffff:ffff:ffff:ffff (Not 1400 since you have 256 prefixes, not 257. Also, the :: represents all 0s.). You could match that up with 172.16.0.0 - 172.16.255.255. Then when you set up your networks, you could have 172.16.4.0 /24 and aaaa:bbbb:cccc:1304:eeee::/64 on one interface. It's as simple as that when working with IPv4 & IPv6.
-
My tips for figuring out your IPv6 setup.
- Figure out how much is delegated to you by your ISP in my case a /48 (LAB) (ignore the other checked boxes as that only applies to my system)
make sure "start DHCP client in debug mode" is checked - go to status > system logs > DHCP
find this entry
Mar 24 12:04:02 dhcp6c 22277 update a prefix 2001:db8:1::/48 pltime=3600, vltime=3600
- I use this website to split my address and I don't fully understand how to do so myself
- Divide it into something bigger than /64 as a /64 only allows for one subnet, if that applies to you (if you want more than one IPv6 network behind the USG)
- So something like this
then spin up a dhcpv6 server with two of those addresses in the "Prefix Delegation Range" section - make sure your router mode is properly set!
and this is unchecked - leases should show up here:
Maybe @JKnott can assist if my tutorial had any errors?
-
He has a /56, so no need for a calculator. The only variable is the last 8 bits of the prefix, which range from 0 to ff. Very simple. In fact far simpler than IPv4, where the divider can move according to subnet mask.
As I mentioned earlier, the best way to learn is to do. If he has problems, he can ask more questions.
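An added example, not from the thread, of the address plan jknott describes above: the 3rd IPv4 octet of each /24 is reused as the prefix ID of the matching /64 inside the delegated prefix, and a /56 leaves exactly the last 8 bits of the prefix free (0 to ff). It also covers the /48 case from the earlier post, where 16 bits are free. The delegated prefix and the 172.16.0.0/16 block are the placeholder values from the posts; everything uses only the standard ipaddress module.

```python
import ipaddress

def subnet_count(delegated: str) -> int:
    """Number of /64s inside a delegated prefix (/56 -> 256, /48 -> 65536)."""
    deleg = ipaddress.IPv6Network(delegated, strict=True)
    if deleg.prefixlen > 64:
        raise ValueError("delegation shorter than a /64 cannot be split into /64s")
    return 2 ** (64 - deleg.prefixlen)

def prefix_id_for(ipv4_subnet: str) -> int:
    """The 3rd octet of a /24 LAN, used as the IPv6 prefix ID for that LAN."""
    net = ipaddress.IPv4Network(ipv4_subnet, strict=True)
    if net.prefixlen != 24:
        raise ValueError("expected a /24 LAN subnet")
    return net.network_address.packed[2]

def ipv4_lan_for(block: str, prefix_id: int) -> ipaddress.IPv4Network:
    """The /24 inside a /16 block (e.g. 172.16.0.0/16) whose 3rd octet is prefix_id."""
    blk = ipaddress.IPv4Network(block, strict=True)
    if blk.prefixlen != 16 or not 0 <= prefix_id <= 255:
        raise ValueError("expected a /16 block and a prefix ID in 0..255")
    return ipaddress.IPv4Network((int(blk.network_address) + (prefix_id << 8), 24))

def ipv6_lan_for(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 inside the delegation whose free prefix bits equal prefix_id.

    For a /56 the free bits are the last 8 of the prefix, so prefix_id 4 on
    aaaa:bbbb:cccc:1300::/56 yields aaaa:bbbb:cccc:1304::/64.  The ID is
    written into the address as a hex value, so IPv4 octet 37 becomes :1325::.
    """
    deleg = ipaddress.IPv6Network(delegated, strict=True)
    max_id = subnet_count(delegated) - 1
    if not 0 <= prefix_id <= max_id:
        raise ValueError(f"prefix ID must be in 0..{max_id} for a /{deleg.prefixlen}")
    # Bits 64..127 of the network address are zero, so the ID slots in at bit 64.
    return ipaddress.IPv6Network((int(deleg.network_address) | (prefix_id << 64), 64))

def plan(delegated: str, block: str, prefix_ids) -> dict:
    """Map each prefix ID to its (IPv4 /24, IPv6 /64) pair, as strings."""
    return {pid: (str(ipv4_lan_for(block, pid)), str(ipv6_lan_for(delegated, pid)))
            for pid in prefix_ids}

if __name__ == "__main__":
    # Placeholder /56 from the post; IDs 0 (main LAN), 3 (guest VLAN), 37 (transit).
    for pid, pair in plan("aaaa:bbbb:cccc:1300::/56", "172.16.0.0/16", [0, 3, 37]).items():
        print(pid, *pair)
```

Each IPv6 /64 the plan returns is what has to be routed from pfSense to the downstream router over the transit network, exactly as the IPv4 /24 beside it is.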
-
@jknott Just saw that now, hadn't been keeping up with the thread.
-
@matthewgcampbell The problem is not really pfSense, like I said very early on, it's getting Unifi WAN and LAN to work.
The Unifi WAN gets the IP address and that address won't reach the internet and then the RA from pfSense isn't getting to the LAN.
The LAN IPv6 setup on Unifi is asking the WAN to give the RA. This should be coming from pfSense.
The network topology is:
Modem to pfSense to USG (Unifi)
So, my real question is, why do I even need the pfSense DHCPV6 server? Why won't it issue IPv6 to the Unifi WAN?
-
@abuttino said in IPv6 Router behind router:
So, my real question is, why do I even need the pfSense DHCPV6 server?
You don't. SLAAC is normally used. Some packet captures may be useful in this area. However, as I have said, pfsense will not provide the prefix to the USG, unless you configure that somehow. You can configure routing, as I have described, or you can configure pfsense to provide DHCPv6-PD, which is something I haven't tried.
-
@matthewgcampbell Your thoughts about getting the Unifi WAN and LAN an IP? You say you've done it, I've been hoping to see how :)
-
In place of your USG, I used a Cisco router. I manually configured the routing so that the IPv6 prefix was routed to the Cisco. You have to do the same thing with the USG and I have been trying to show you how to do that. As I said, the easiest way is to do it on IPv4 and then replicate on IPv6.
-
Network??
What is the network if the USG WAN isn't giving me an IP address?
Gateway??
What would be the gateway for this if it hasn't given me any IP addresses?
I am trying to use RA mode only and it's not giving any IP addresses at all. That means I have nothing to fill out in a static route.
-
Wellll!!!
I rebooted pfSense and it started to give the USG WAN IP and subnet /64 plus internet access.
Pretty sure that my /56 address hasn't changed since the last time I fooled with this, and that could mean my ticket to get off of tunnelbroker.
I guess the next step is to get the USG LAN set up with the static routes for pfSense and play around a little more.
Rebooting for every little thing when it comes to pfSense gets a little annoying.
-
As I have said several times now, get it working with IPv4, as you said you know how to do that. Then do the same with IPv6, using IPv4 as your guide. Once again, you will have to manually configure routing IPv6 to the USG, unless you're prepared to enable DHCPv6-PD on the LAN side of pfsense or use something like OSPF. There is no other way to get IPv6 to that USG. Get your networks set up. Have you even selected the IPv6 prefix and IPv4 subnet to use on the USG? If so, manually configure both. Then go back to pfsense and configure IPv4 routing to the USG. Once you've done that, you can do the same on IPv6, using the IPv6 addresses instead of IPv4. This is why I mentioned using the same prefix ID as the 3rd octet on IPv4. It makes it easy to keep track of what you're doing. Perhaps you should start with a sketch to show where you want what. Mark on that sketch what subnet & prefix you want on the LAN side of that USG. Then determine what addresses you have to route through to get there. I can't do that for you, as I don't know what your requirements are.
-
@jknott
As mentioned, I have IPv4 connected and properly routed for the USG WAN and LAN.
pfSense uses the LAN v4 /16 address of 172.16.1.1 and the USG uses 172.16.1.2
USG LAN is a /24 at 10.2.0.1 and it is the DHCP server for the network.
As far as IPv6, pfSense has the RA server set up and is giving the USG WAN a /64 address.
This is as far as I've gotten and want to plan the network out for the rest of the USG LAN side first, such as what VLANs I'm going to give IPv6 to and not.
A major concern of mine at this point is that these addresses do not change. Such as addresses for the web services. I have a static IPv4 but Cox doesn't offer static IPv6.
-
So, configure IPv6 on the LAN side of the USG, just as you did with IPv4. Then configure routing for IPv6, just as you did for IPv4. Pfsense providing an IPv6 address for the WAN side of the USG will not provide addresses on the LAN side of it. You have to configure that using one of the methods I described above. You apparently routed for IPv4. You should be able to route a /64 to the USG using the same method.
-
@jknott will do. I'll check back to this thread for reference and questions should I have any.
The difference was all in the reboot of pfsense, it was not giving me IPv6 addresses until I did the reboot, and changing any ipv6 settings also requires more reboots.. Lots and lots of reboots..... Senseless to me. Other routers don't have the issue where it needs a reboot after changing a simple setting, just restarting the service/daemon should help (Apply settings).
-
That's not been my experience. The only thing I recall that required a reboot was a system update.
-
@jknott
Not to get on a tangent here, but just last night I was fixing another pfSense for UPnP and it also required reboots for all things NAT. Resetting firewall states was not enough. Unless I'm doing work with HAProxy, I pretty much know it's going to have to be rebooted.