Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPv6 WAN configuration for static IP address range but gateway from RA message?

    Scheduled Pinned Locked Moved IPv6
    27 Posts 4 Posters 3.8k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DerelictD Offline
      Derelict LAYER 8 Netgate @JKnott
      last edited by

      @jknott But in this case the ISP would need a mechanism to discover the correct link-local address to route the /48 to. There is no defined method for doing that.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      JKnottJ 1 Reply Last reply Reply Quote 0
      • JKnottJ Offline
        JKnott @Derelict
        last edited by

        @derelict

        That would depend on the connection method. With DHCPv6-DP, that's part of the process. There was also another thread recently, where the ISP assigned a link local address to be used.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        DerelictD 1 Reply Last reply Reply Quote 0
        • DerelictD Offline
          Derelict LAYER 8 Netgate @JKnott
          last edited by

          @jknott This particular user does not have DHCP6. Nor have they stated that they were assigned anything specific to use on WAN.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          JKnottJ 1 Reply Last reply Reply Quote 0
          • JKnottJ Offline
            JKnott @Derelict
            last edited by

            @derelict

            Part of the problem is we have no idea what that ISP is doing (and maybe they don't either).

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            1 Reply Last reply Reply Quote 0
            • J Offline
              JesperTreetop
              last edited by JesperTreetop

              There's been a lot of small events here, but something happened that was so confounding as to make me think it was worth asking here.

              Our ISP has set up a DHCPv6 server now, and when they attach a virtual machine running pfSense to the same subnet as us, everything works fine for them. But when we try to use DCHPv6 from our pfSense, it doesn't. Turning on client logging in both places, their log sees an RA message and ours doesn't.

              Here's their log:
              Mar 24 15:03:03 dhcp6c 46241 Sending Solicit
              Mar 24 15:03:03 dhcp6c 46241 set client ID (len 14)
              Mar 24 15:03:03 dhcp6c 46241 set identity association
              Mar 24 15:03:03 dhcp6c 46241 set elapsed time (len 2)
              Mar 24 15:03:03 dhcp6c 46241 set option request (len 4)
              Mar 24 15:03:03 dhcp6c 46241 send solicit to ff02::1:2%vtnet0
              Mar 24 15:03:03 dhcp6c 46241 reset a timer on vtnet0, state=SOLICIT, timeo=15, retrans=118860
              Mar 24 15:03:03 dhcp6c 46241 receive advertise from fe80::xxxx:xxxx:xxxx:2e00%vtnet0 on vtnet0
              Mar 24 15:03:03 dhcp6c 46241 get DHCP option identity association, len 60
              Mar 24 15:03:03 dhcp6c 46241 IA_NA: ID=0, T1=0, T2=0
              Mar 24 15:03:03 dhcp6c 46241 get DHCP option status code, len 44
              Mar 24 15:03:03 dhcp6c 46241 status code: no addresses
              Mar 24 15:03:03 dhcp6c 46241 get DHCP option client ID, len 14
              Mar 24 15:03:03 dhcp6c 46241 DUID: 00:01:00:01:27:ed:xx:xx:xx:xx:xx:xx:xx:xx
              Mar 24 15:03:03 dhcp6c 46241 get DHCP option server ID, len 14
              Mar 24 15:03:03 dhcp6c 46241 DUID: 00:01:00:01:26:ad:xx:xx:xx:xx:xx:xx:xx:xx
              Mar 24 15:03:03 dhcp6c 46241 get DHCP option DNS, len 32
              Mar 24 15:03:03 dhcp6c 46241 get DHCP option domain search list, len 19
              Mar 24 15:03:03 dhcp6c 46241 server ID: 00:01:00:01:26:ad:xx:xx:xx:xx:xx:xx:xx:xx, pref=-1
              Mar 24 15:03:03 dhcp6c 46241 advertise contains no address/prefix

              And here's ours:
              Mar 24 16:24:49 dhcp6c 68621 Sending Solicit
              Mar 24 16:24:49 dhcp6c 68621 a new XID (561ccc) is generated
              Mar 24 16:24:49 dhcp6c 68621 set client ID (len 14)
              Mar 24 16:24:49 dhcp6c 68621 set elapsed time (len 2)
              Mar 24 16:24:49 dhcp6c 68621 send solicit to ff02::1:2%igb0
              Mar 24 16:24:49 dhcp6c 68621 reset a timer on igb0, state=SOLICIT, timeo=0, retrans=1006
              Mar 24 16:24:50 dhcp6c 68621 Sending Solicit
              Mar 24 16:24:50 dhcp6c 68621 set client ID (len 14)
              Mar 24 16:24:50 dhcp6c 68621 set elapsed time (len 2)
              Mar 24 16:24:50 dhcp6c 68621 send solicit to ff02::1:2%igb0
              Mar 24 16:24:50 dhcp6c 68621 reset a timer on igb0, state=SOLICIT, timeo=1, retrans=2004
              Mar 24 16:24:52 dhcp6c 68621 Sending Solicit

              But here's the really strange thing. Doing a packet capture on our pfSense (only ICMPv6, only on the WAN interface), we see that a router advertisement message is being sent, the same type as warrants a "receive advertise" line in their log. Adding a firewall rule to WAN which allows all ICMPv6 and logs it does not result in any logs nor any built-up state.

              Are there any good leads as to what could cause this?

              DerelictD 1 Reply Last reply Reply Quote 0
              • DerelictD Offline
                Derelict LAYER 8 Netgate @JesperTreetop
                last edited by

                @jespertreetop Where do you see RAs there?

                RAs really have nothing to do with DHCP6. Unlike IPv4 the addressing from DHCP6 and acquiring the router/gateway settings are two distinct processes.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                J 1 Reply Last reply Reply Quote 0
                • J Offline
                  JesperTreetop @Derelict
                  last edited by

                  @derelict Of course, it was one of the DHCPv6 messages. That makes a lot of sense. (I thought this was RA-related since as discussed before, the DHCPv6 mode is the only way aside from SLAAC to make pfSense pick the gateway from the RA message.) So we're back to not receiving the DHCPv6 messages at all. I added similar rules for DHCPv6 messages, and we just don't see them at all. But that's not an issue for this thread.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.