How to setup IPv6 on PFsense behind ER-X (ISP modem)
-
That is not best practice. Best practice is a /64, as anything else will break things such a SLAAC. I know you have only 65536 /64s to work with, but you still shouldn't need a /80.
-
@jknott I will keep that in mind, thank you for the tip :) As I am not that experienced with IPv6. So looking at my main post what would be the first thing to do for me to get my setup to work?
-
Yep. BTW, I have been using IPv6 on my network for almost 11 years.
One piece of advice I often give is to keep things simple. Get it working first. Since you apparently have multiple LANs, get one going first, then add the others, repeating what you did with the first, but using a unique prefix ID.
Just last week, I built a new pfsense firewall, as the computer I had previously run it on died. My first goal was to get it working with just the WAN & LAN. Then I imported my previous config and made sure my VLAN and test LAN worked. And this morning, I redid my OpenVPN config. When you do things in a step by step manner, instead of Trying to do everything at once, you can see what might be causing the problems.
Also, get in the habit of downloading config backups. It just takes a few seconds, but make it easy to back out of a bad config.
-
@jknott What do you mean by Unique Prefix ID? The /subnet notation or this part:
-
In the "IPv6 Prefix ID" box, you put a unique ID for each interface. Typically, you'd use 0 for the main LAN, but you could choose whatever you want within the range of 0 - ffff. I have a /56 and use 0 for main, 3 for my guest WiFi VLAN, 4 for my test LAN and ff for my OpenVPN tunnel. As I mentioned, the subnet should always be /64 for LANs.
-
@jknott Ahh, but when I do that I get this error and I don't know why, couldnt find anything about it which I could understand...
The specified IPv6 Prefix ID is out of range. (wan) - (0) - (0)
-
Are you getting a /48? And what values are you selecting?
-
@jknott Yeah I am getting a /48 on the ER-X, which delegates a /64 to my HomeLAN, where my PFsense is connected to.
I have selected these values on the WAN interface and DHCP6 configuration:
-
Any reason you're using DHCPv6? Generally, SLAAC is used. Also, Android devices won't work with DHCPv6, as for some unfathomable reason it's not supported.
-
@jknott Yeah when I do that I don't see any IPv6 addresses assigned to my WAN interface. It just has a Link Local address now
-
Actually, that's entirely normal. Link local addresses are often used for routing. If there is a public WAN address, it's likely not used for routing. Did you have one before?
-
@jknott yeah when I configured the WAN interface as DHCP6. But this means that I should see a Ipv6 Address on the LAN interface?
-
No, one has nothing to do with the other. I have DHCPv6-PD on the WAN side and SLAAC on the LAN side. The nice thing about SLAAC is it works without any configuration needed. The router advertises the 64 bit LAN prefix and the client provides the lower 64 bits, based on either the MAC address or a random number.
-
@appollonius333 said in How to setup IPv6 on PFsense behind ER-X (ISP modem):
eah when I do that I don't see any IPv6 addresses assigned to my WAN interface. It just has a Link Local address now
Here's my configuration. You should have 48, instead of 56 for the prefix size.
-
@jknott Would the /48 still apply when the PFsense machine gets a /64 address from the /64 LAN subnet on the ER-X? Also where do you use the DHCP6 Client Configuration on? The LAN interface?
-
This is how my Network looks:
-
Is that ER-X in bridge or gateway mode? You want bridge mode for pfsense to provide multiple /64s. Otherwise, you're only getting a single /64 from your ISP, not a /48.
-
@jknott the Er-X is a gateway, so it receives and has all the settings for TV, phones etc. KPN in the Netherlands is giving us a /48 subnet on residential connections
-
If you're in gateway mode, you do not have a /48. I have a similar setup, with Rogers in Canada. I have a box that provides Internet, IPTV and phone. I put it into bridge mode, as in gateway mode it would provide only a single /64. In bridge mode I get a /56. Also, in bridge mode you'll get a public IPv4 address, unless your ISP uses carrier grade NAT.
Bridge vs gateway mode should have no effect on the other services. In my case, the home phone plugs into the modem. The IPTV works on the same network as my LAN.
-
@jknott Yeah the ISP gives us a /48. But from that /48 a /64 is assigned to my LAN environment.
I don't think it is in either mode to be honest.
The bridge mode I know, but gateway mode well we don't use that here in NL I think. -
I noticed your IPv4 address, which is within the RFC1918 range and indicates NAT is used. You don't want that. Put it in bridge mode or you will not be able to use most of the /48. There's no two ways about it.
-
@jknott I think I need to get things a bit more straight. As I think the information that is giving or interpreted by you is not applicable to me. Of course thanks for that :)
My Network works as follows:
From KPN in the Netherlands I get a Public IPv4 address and a IPv6 /48 subnet assigned to my ER-X. Which is a replacement of the 'standard' ExperiaBox v10 which is provided by KPN.
On the ER-X are all the VLANS created for Telephone, TV and the LAN network itself, so all the information that would be standard on the ExperiaBox v10 are configured on the ER-X.From here on the LAN side on the ER-X is assigned a IPv4 192.168.2.x/24 and a IPv6 2a02:a44c:xxxx:1::1/64 network. So all my home devices are connected to that (Of course there is a switch connected to the ER-X, so we can use more ports).
On the ER-X I also connected my physical PFsense (Dell R210 II) machine directly to port 3. so this also gets a 192.168.2.x/24 IP-address on the WAN side.
The WAN side also gets an IPv6 address (When configured with DHCP6) 2a02:a44c:xxxx:1::xxxx/64 so it gets an IPv6 address from the ER-X. Now I also want to have IPv6 address on the LAN side of PFsense.
So I need to divide the IPv6 /64 subnet on the LAN side of PFsense to be able to have IPv6 addresses assigned to my VM's in VMware ESXi.
I don't want the PFsense to hold onto the whole home network, I only want to use it for my HomeLAB network.
I hope this makes it a bit clearer :)
-
Perhaps you should call your tech support and ask about this. As I mentioned, I had no problem putting a similar device in to bridge mode. You cannot split a /64 on a LAN and expect things to work properly, as the entire IPv6 address is based on a 64 bit network portion and 64 bit host portion. If you try to use a /80 or whatever, fundamental parts of IPv6, such as SLAAC, will fail.
-
@jknott Haha well to be honest 'calling tech support' at KPN is not the thing I would prefer to do. They just refer you to the 'forums' of KPN. Have had my 2 cents with them in the past, they do not know that 'much' about IPv6... unfortunately. Otherwise I wouldn't have bother this forum and especially not you :)
-
Please see what you can do about getting into bridge mode. I've tried to explain the facts to you as best I can. If you will not accept them, then I can't help you.
-
@appollonius333 The only way I could get IPv6 traffic from LAN to the Internet, was adding a Outbound NAT (SNAT) rule as follows:
Interface: WAN
Protocol: any
Source: Any
Destination: Any
Translation/Address: Interface Address
Port or Range: (blank)This is to force all the packets going out from LAN to have the WAN Interface Address.
Remember that the WAN interface on pfSense is the DMZ IP in the configuration of the ISP router/modem in the LAN interface of the router/modem. -
@tadao I forgot to mention that the WAN Interface Address of the pfSense must be set to DMZ IP on the ISP router/modem.
