Netgate Discussion Forum

    ISP-assigned static IPv6 /48 issues

    Category: IPv6
    21 Posts 4 Posters 2.1k Views
    • peter-fyri

      Hello,

      I am struggling to set up IPv6 on my pfSense box.

      So the ISP gave me this:

      • a /48 to use (2a02:xxxx:aaaa:: /48)
      • a link local address for the wan interface - not the gateway (fe80::2a02:xxxx:aaaa::)
      • an upstream gateway (fe80::xxxx/64)
      • IPv6 DNS servers

      What I tried:

      • I started adding DNS servers to the setup (in /system.php)
      • For the WAN interface, I set a static IPv6, with 2a02:xxxx:aaaa:1::1 /64, with the upstream gateway they sent me
      • For the LAN interface, I set a static IPv6, with 2a02:xxxx:aaaa:2::1 /64
      • Enabled DHCPv6 on LAN, with the full pool (2a02:xxxx:aaaa:2:: - 2a02:xxxx:aaaa:2::ffff)
      • Set RA to Managed
      • tried other settings/combinations in the DHCPv6/RA as well, but since none of them worked, and since I have tried for over 18 hours, I won't write them all down unless somebody needs me to

      What's actually happening:

      • Pinging from WAN to the internet works... for a while, then it just stops working after a few minutes (while it works, it does so because I have set up a firewall rule to allow ping on both IPv4 and IPv6)
      • While WAN-to-internet ping works, pinging the WAN IPv6 address from the internet also works
      • Pinging the IPv6 address of LAN from WAN works, and pinging the IPv6 address of WAN from LAN also works
      • LAN clients receive IPv6 addresses, but pinging the world doesn't work

      I ran out of ideas. I contacted the ISP and their exact words were:

      • to set that link local address on the WAN interface (so not about the gateway)
      • to set the gateway they sent me
      • to set 2a02:xxxx:aaaa::1/48 on the LAN interface
      • to manually set IPv6 addresses on the LAN clients (IP: 2a02:xxxx:aaaa::2/48, GW: 2a02:xxxx:aaaa::1, and those 2 DNS servers)

      I do not want to manually set up IPv6 addresses on the clients. Their suggestion seems strange to me.
      I would like to be able to set up IPv6 on WAN, LAN and the VLANs I have, using DHCPv6 on LAN and the other VLANs.
      I greatly appreciate any feedback. Thank you all.

      • JKnott @peter-fyri

        @peter-fyri said in ISP-assigned static IPv6 /48 issues:

        to manually set IPv6 addresses on the LAN clients (IP: 2a02:xxxx:aaaa::2/48, GW: 2a02:xxxx:aaaa::1, and those 2 DNS servers)

        I do not want to manually set up IPv6 addresses on the clients. Their suggestion seems strange to me.
        I would like to be able to set up IPv6 on WAN, LAN and the VLANs I have, using DHCPv6 on LAN and the other VLANs.
        I greatly appreciate any feedback. Thank you all.

        You shouldn't have to do that. You should be using SLAAC or DHCPv6 to provide local addresses.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • peter-fyri @JKnott

          @jknott
          Yep, this is what I think as well.
          In my setup, did I do something wrong? Normally, if the entire /48 is routed to me, my setup should work, right?
          Also, what do you think about the link-local address for the WAN interface that they keep referring to? I have never heard of setting custom link-local addresses on interfaces. But, not being much of an expert in IPv6, I'm not sure.

          Thank you for your answer.

          • JKnott @peter-fyri

            @peter-fyri

            I also don't know why they need a specific link local address, but it shouldn't make any difference. The /48 is assigned to pfsense, which can then distribute the individual /64s. However, I have no experience with an ISP that provides a static prefix. Mine uses DHCPv6-PD. Regardless, you have to configure the LAN interface for DHCPv6 or SLAAC. You will also have to provide a prefix ID, to select one /64 for an interface.

            • MikeV7896

              On pfSense, your LAN interfaces should be set to "Static IPv6". Put in the IPv6 address within your prefix that you want for each interface on pfSense (maybe something like aaaa:bbbb:cccc:dddd::1) and set the subnet size (the drop-down to the right of the address) to /64. Then you would set up DHCPv6/RA for each interface to use SLAAC or DHCPv6 to configure all your other devices.

              The setting for whether to use DHCPv6 or not is actually the "Router Mode" setting in the RA settings. If you want to use it (i.e. Assisted, Managed, or Stateless DHCP mode), make sure to also set up DHCPv6 then. If you want more info on the router modes, the documentation covers them all: IPv6 Router Advertisements

              The S in IOT stands for Security

              • peter-fyri

                Thank you guys for your answers.

                Well.. I did all this even before posting. Unfortunately, the next time I will be able to do some tests is this weekend, because it is a production server and I'm breaking things while doing all these tests.
                Anyway, I'll return once I have some results.

                Thank you again.

                • peter-fyri

                  Right, it won't work. According to the ISP, I absolutely need to configure the link-local address of the WAN.
                  Is there any way to do it in pfSense?

                  • JKnott @peter-fyri

                    @peter-fyri

                    I don't have pfsense running at the moment, as the computer it was running on died recently. However, if you can't set a MAC address in pfsense, you should be able to do it in the underlying FreeBSD with the ifconfig command.

                    • peter-fyri @JKnott

                      @jknott
                      And adding the ifconfig command to /conf/config.xml will make it persistent across reboots.
                      Brilliant! It works!!

                      Thanks a lot @JKnott !!

                      • peter-fyri

                        Now I got a different issue.
                        So IPv6 works. But, I can't ping anything from one subnet to another.

                        For example I have my LAN with a /64, ping works across the LAN clients, and internet, and from the internet.
                        Then I have a VLAN, with its own /64, of course different from the LAN; ping also works across clients in the VLAN and the internet.

                        But if I try to ping from LAN to VLAN, it doesn't work. If I try to ping from VLAN to LAN, it doesn't work.

                        I have firewall rules set up on pfSense to allow ping from any to any on both LAN and VLAN interfaces, firewalls on the clients allow ping from any network (ICMPv4 and v6).

                        It simply should work.. I'm running out of ideas. What am I missing?

                        • JKnott @peter-fyri

                          @peter-fyri

                          If you can't communicate between LAN and VLANs, it's either a routing or a firewall rule issue. One thing, though, is to get routing working before adding rules that may block traffic. As I mentioned, I can't check my system at the moment but, IIRC, you have to specifically allow traffic between (V)LANs. When I set up a VLAN recently for my guest WiFi, I had the opposite issue: I wanted to prevent guests, on the VLAN, from accessing anything on the LAN.

                          • peter-fyri @JKnott

                            @jknott said in ISP-assigned static IPv6 /48 issues:

                            @peter-fyri

                            If you can't communicate between LAN and VLANs, it's either a routing or a firewall rule issue. One thing, though, is to get routing working before adding rules that may block traffic. As I mentioned, I can't check my system at the moment but, IIRC, you have to specifically allow traffic between (V)LANs. When I set up a VLAN recently for my guest WiFi, I had the opposite issue: I wanted to prevent guests, on the VLAN, from accessing anything on the LAN.

                            Between those particular interfaces, the LAN and VLAN, I must allow traffic, so there is a firewall rule in place on both which allows any kind of traffic, both IPv4 and IPv6, between the two. From pfSense, I can ping both interfaces' IP addresses in any direction (from the LAN interface to the IPv6 of VLAN and vice versa), but not the clients behind the interfaces (e.g. from VLAN to a static client on LAN). The client responds (or should) to ping from anywhere, as its local firewall is set to respond. The LAN client responds to ping coming from the internet, from another network.

                            • JKnott @peter-fyri

                              @peter-fyri

                              Perhaps you can post your rules, so we're not guessing.

                              • peter-fyri @JKnott

                                @jknott
                                Sure thing, here they are (well, the relevant ones, from top to bottom). The two interfaces I am talking about are LAN and WIFI (WIFI being a VLAN). These two should communicate with each other. And they do on IPv4, but they don't on IPv6.

                                [screenshot of the firewall rules]

                                Thank you!

                                • JKnott @peter-fyri

                                  @peter-fyri said in ISP-assigned static IPv6 /48 issues:

                                  And they do on IPv4, but they don't on IPv6

                                  Well, the first thing to do is find out what the differences are between IPv4 & IPv6. The only IPv4 rule I see is for ICMP and also IPv6. I expect you're using NAT on IPv4, which can also affect this. As I mentioned, I can't check my system to see what's what. My rule is to start simple, get it working before getting fancy, so you could try a single allow everything rule initially.

                                  • peter-fyri @JKnott

                                    @jknott
                                    Yes, unfortunately I cannot share the rules below, as it exposes sensitive data.
                                    However, for testing purposes, I only need ping to work; from that point forward, I will surely manage to work out any other issues. But, also for testing purposes, the rules that limit IPv6 connectivity to/from these two subnets were (until a few hours ago) set to any (so any IPv6 source was allowed). But ping or any other connectivity still failed. And these rules were at the top of the rules, before any other limiting ones... and.. it still didn't work :(

                                    • JKnott @peter-fyri

                                      @peter-fyri said in ISP-assigned static IPv6 /48 issues:

                                      as it exposes sensitive data

                                      I assume you mean addresses, as there's no need to hide ports. If that's a concern, one way around that is to use an alias, such as the way you used "LAN net" or "WIFI net". Still, start simple to get it working then add rules as needed. That way, you have some idea what breaks it.

                                      • peter-fyri @JKnott

                                        @jknott
                                        Well, it doesn't work. I can't communicate between subnets no matter what I do. I'm 99% sure it is not about firewall rules (not excluding the possibility, of course). Maybe it has to do with that link-local address I added for the WAN from the CLI, and things are not properly routed because of it. I don't know.
                                        In the worst case, I'll move the WiFi clients in the same subnet as the LAN, for both IPv4 and 6.

                                        • JKnott @peter-fyri

                                          @peter-fyri

                                          Link local addresses are never routed. With IPv6, they're used for things like router advertisements, neighbour discovery, etc.. As I mentioned, I had to add rules to prevent my guest WiFi/VLAN from reaching my main LAN. I can't tell you what my rules are, though they have been posted on some other thread, until I get pfsense up & running again.


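                                          A small longest-prefix-match route lookup, added here as an example (it is not pfSense or FreeBSD code and was not posted in the thread), to separate the two failure classes JKnott names above, routing versus firewall rules, and to show why a link-local destination is never forwarded. The routing table is constructed to mirror this thread's setup: one /64 on LAN, one on the WIFI VLAN, and a default route to the ISP's link-local gateway. The interface names igb0, igb1 and igb1.20, the gateway fe80::1 and the documentation prefix 2001:db8:aaaa::/48 are assumptions standing in for the redacted values.

```python
"""Longest-prefix-match route lookup over a constructed IPv6 routing table.
Added example, not pfSense/FreeBSD code. Interface names, the gateway address
and the 2001:db8:aaaa::/48 prefix are assumptions for the redacted values."""
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Constructed table modelled on the thread: (destination, next hop or None if
# directly connected, egress interface).
ROUTES = [
    (ipaddress.IPv6Network("::/0"),
     ipaddress.IPv6Address("fe80::1"), "igb0"),                        # default via ISP gateway (assumed)
    (ipaddress.IPv6Network("2001:db8:aaaa:1::/64"), None, "igb1"),     # LAN, directly connected
    (ipaddress.IPv6Network("2001:db8:aaaa:2::/64"), None, "igb1.20"),  # WIFI VLAN, directly connected
]


def lookup(dst, routes=ROUTES):
    """Return (matching_route, reason); the route is (network, next_hop, ifname)
    or None. Link-local destinations are rejected before the table is consulted:
    fe80::/10 is only meaningful on the link it belongs to and is never forwarded."""
    dst = ipaddress.IPv6Address(dst)
    if dst in LINK_LOCAL:
        return None, "link-local, not routable"
    best = None
    for route in routes:
        net = route[0]
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    if best is None:
        return None, "no route"
    return best, "connected" if best[1] is None else "via gateway"


def forwards_between(src, dst, routes=ROUTES):
    """True when the router knows both src's and dst's links and they are different
    interfaces, i.e. routing alone would carry the packet. If this is True and the
    hosts still cannot reach each other, look at pf rules and the hosts' own
    firewalls rather than at the routing table."""
    s, _ = lookup(src, routes)
    d, _ = lookup(dst, routes)
    return s is not None and d is not None and s[2] != d[2]


if __name__ == "__main__":
    lan_host, wifi_host = "2001:db8:aaaa:1::50", "2001:db8:aaaa:2::10"
    print(lookup(wifi_host))                       # connected, out igb1.20
    print(lookup("2001:db8:1::1"))                 # via the ISP gateway, out igb0
    print(lookup("fe80::1234"))                    # (None, 'link-local, not routable')
    print(forwards_between(lan_host, wifi_host))   # True: routing is not what blocks LAN -> WIFI
```

                                          With two directly connected /64s out of the same /48 the lookup always succeeds in both directions, so a LAN-to-VLAN failure like the one in this thread has to be looked for in the pf rules, the client firewalls, or neighbour discovery on the links, not in the route table; and the WAN link-local address is never a candidate destination at all.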
                                          • Derelict LAYER 8 Netgate @peter-fyri

                                            @peter-fyri said in ISP-assigned static IPv6 /48 issues:

                                            to set 2a02:xxxx:aaaa::1/48 on the LAN interface

                                            If you are not past it yet, this advice is absolutely incorrect.

                                            You have 65536 /64 networks to use out of your /48:

                                            2a02:xxxx:aaaa:0::/64
                                            2a02:xxxx:aaaa:1::/64
                                            2a02:xxxx:aaaa:2::/64
                                            2a02:xxxx:aaaa:3::/64
                                            2a02:xxxx:aaaa:4::/64
                                            2a02:xxxx:aaaa:5::/64
                                            ...
                                            2a02:xxxx:aaaa:fffb::/64
                                            2a02:xxxx:aaaa:fffc::/64
                                            2a02:xxxx:aaaa:fffd::/64
                                            2a02:xxxx:aaaa:fffe::/64
                                            2a02:xxxx:aaaa:ffff::/64

                                            LAN should be numbered with something like:

                                            2a02:xxxx:aaaa:1::/64

                                            WIFI with something like:

                                            2a02:xxxx:aaaa:2::/64

                                            Chattanooga, Tennessee, USA
                                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                            Do Not Chat For Help! NO_WAN_EGRESS(TM)
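
                                            The addressing plan Derelict describes, together with the per-interface address and DHCPv6 range from the first post, carried through in code. This is an added example, not pfSense code and not something posted in the thread; 2001:db8:aaaa::/48 is a documentation prefix standing in for the redacted 2a02:xxxx:aaaa::/48, and the interface names, prefix IDs and pool bounds are assumptions. It carves the /48 into /64s, gives pfSense ::1 in each, and checks that a DHCPv6 range stays inside its /64 and does not hand out the interface's own address.

```python
"""Carve per-interface /64s out of an ISP-routed /48 and derive the router
address and DHCPv6 pool for each. Added example, not pfSense code.
2001:db8:aaaa::/48 is a documentation prefix standing in for the redacted /48."""
import ipaddress

ISP_PREFIX = ipaddress.IPv6Network("2001:db8:aaaa::/48")  # placeholder for the redacted /48


def subnet_count(prefix, new_prefix=64):
    """Number of /new_prefix networks inside prefix: 2**(64-48) == 65536 for a /48."""
    return 2 ** (new_prefix - prefix.prefixlen)


def nth_subnet(prefix, n, new_prefix=64):
    """The n-th /64 of the prefix, e.g. n=1 -> 2001:db8:aaaa:1::/64 (n is the prefix ID).
    Computed arithmetically rather than by iterating over all 65536 subnets."""
    if not 0 <= n < subnet_count(prefix, new_prefix):
        raise ValueError(f"subnet index {n:#x} outside {prefix}")
    base = int(prefix.network_address) + n * 2 ** (128 - new_prefix)
    return ipaddress.IPv6Network((base, new_prefix))


def plan(prefix, interfaces):
    """Assign one /64 per interface (prefix ID = 1-based position, so :0::/64 stays
    free), give the router ::1 in each, and start the DHCPv6 pool well above the
    low addresses so statics and the router address never collide with leases."""
    result = {}
    for idx, name in enumerate(interfaces, start=1):
        net = nth_subnet(prefix, idx)
        router = net[1]              # <prefix>:<idx>::1 on the pfSense interface
        pool = (net[0x1000], net[0xffff])
        result[name] = {"network": net, "router": router, "pool": pool}
    return result


def check_pool(net, router, pool):
    """Sanity checks a DHCPv6 range: it must lie inside the interface /64, be
    ordered, and must not contain the router's own address. Returns the problems."""
    start, end = pool
    problems = []
    if start not in net or end not in net:
        problems.append("pool leaves the interface /64")
    if start > end:
        problems.append("pool start is after pool end")
    if start <= router <= end:
        problems.append("pool contains the interface address")
    return problems


if __name__ == "__main__":
    print(subnet_count(ISP_PREFIX))                                  # 65536
    for name, p in plan(ISP_PREFIX, ["LAN", "WIFI"]).items():
        print(name, p["network"], p["router"], p["pool"],
              check_pool(p["network"], p["router"], p["pool"]))
    # A range running from :: to ::ffff on a /64 whose router is ::1 overlaps the
    # router address; the check reports it.
    lan = nth_subnet(ISP_PREFIX, 2)
    print(check_pool(lan, lan[1], (lan[0], lan[0xffff])))
```

                                            The prefix ID is just the fourth hextet, so LAN at :1::/64 and WIFI at :2::/64 are the first two of the 65536 /64s listed above; nothing in the plan touches the /48 itself, which stays a routed aggregate rather than an interface subnet.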

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.