How to setup IPv6 on PFsense behind ER-X (ISP modem)
-
Actually, that's entirely normal. Link local addresses are often used for routing. If there is a public WAN address, it's likely not used for routing. Did you have one before?
-
@jknott yeah when I configured the WAN interface as DHCP6. But this means that I should see a Ipv6 Address on the LAN interface?
-
No, one has nothing to do with the other. I have DHCPv6-PD on the WAN side and SLAAC on the LAN side. The nice thing about SLAAC is it works without any configuration needed. The router advertises the 64 bit LAN prefix and the client provides the lower 64 bits, based on either the MAC address or a random number.
-
@appollonius333 said in How to setup IPv6 on PFsense behind ER-X (ISP modem):
eah when I do that I don't see any IPv6 addresses assigned to my WAN interface. It just has a Link Local address now
Here's my configuration. You should have 48, instead of 56 for the prefix size.
-
@jknott Would the /48 still apply when the PFsense machine gets a /64 address from the /64 LAN subnet on the ER-X? Also where do you use the DHCP6 Client Configuration on? The LAN interface?
-
This is how my Network looks:
-
Is that ER-X in bridge or gateway mode? You want bridge mode for pfsense to provide multiple /64s. Otherwise, you're only getting a single /64 from your ISP, not a /48.
-
@jknott the Er-X is a gateway, so it receives and has all the settings for TV, phones etc. KPN in the Netherlands is giving us a /48 subnet on residential connections
-
If you're in gateway mode, you do not have a /48. I have a similar setup, with Rogers in Canada. I have a box that provides Internet, IPTV and phone. I put it into bridge mode, as in gateway mode it would provide only a single /64. In bridge mode I get a /56. Also, in bridge mode you'll get a public IPv4 address, unless your ISP uses carrier grade NAT.
Bridge vs gateway mode should have no effect on the other services. In my case, the home phone plugs into the modem. The IPTV works on the same network as my LAN.
-
@jknott Yeah the ISP gives us a /48. But from that /48 a /64 is assigned to my LAN environment.
I don't think it is in either mode to be honest.
The bridge mode I know, but gateway mode well we don't use that here in NL I think. -
I noticed your IPv4 address, which is within the RFC1918 range and indicates NAT is used. You don't want that. Put it in bridge mode or you will not be able to use most of the /48. There's no two ways about it.
-
@jknott I think I need to get things a bit more straight. As I think the information that is giving or interpreted by you is not applicable to me. Of course thanks for that :)
My Network works as follows:
From KPN in the Netherlands I get a Public IPv4 address and a IPv6 /48 subnet assigned to my ER-X. Which is a replacement of the 'standard' ExperiaBox v10 which is provided by KPN.
On the ER-X are all the VLANS created for Telephone, TV and the LAN network itself, so all the information that would be standard on the ExperiaBox v10 are configured on the ER-X.From here on the LAN side on the ER-X is assigned a IPv4 192.168.2.x/24 and a IPv6 2a02:a44c:xxxx:1::1/64 network. So all my home devices are connected to that (Of course there is a switch connected to the ER-X, so we can use more ports).
On the ER-X I also connected my physical PFsense (Dell R210 II) machine directly to port 3. so this also gets a 192.168.2.x/24 IP-address on the WAN side.
The WAN side also gets an IPv6 address (When configured with DHCP6) 2a02:a44c:xxxx:1::xxxx/64 so it gets an IPv6 address from the ER-X. Now I also want to have IPv6 address on the LAN side of PFsense.
So I need to divide the IPv6 /64 subnet on the LAN side of PFsense to be able to have IPv6 addresses assigned to my VM's in VMware ESXi.
I don't want the PFsense to hold onto the whole home network, I only want to use it for my HomeLAB network.
I hope this makes it a bit clearer :)
-
Perhaps you should call your tech support and ask about this. As I mentioned, I had no problem putting a similar device in to bridge mode. You cannot split a /64 on a LAN and expect things to work properly, as the entire IPv6 address is based on a 64 bit network portion and 64 bit host portion. If you try to use a /80 or whatever, fundamental parts of IPv6, such as SLAAC, will fail.
-
@jknott Haha well to be honest 'calling tech support' at KPN is not the thing I would prefer to do. They just refer you to the 'forums' of KPN. Have had my 2 cents with them in the past, they do not know that 'much' about IPv6... unfortunately. Otherwise I wouldn't have bother this forum and especially not you :)
-
Please see what you can do about getting into bridge mode. I've tried to explain the facts to you as best I can. If you will not accept them, then I can't help you.
-
@appollonius333 The only way I could get IPv6 traffic from LAN to the Internet, was adding a Outbound NAT (SNAT) rule as follows:
Interface: WAN
Protocol: any
Source: Any
Destination: Any
Translation/Address: Interface Address
Port or Range: (blank)This is to force all the packets going out from LAN to have the WAN Interface Address.
Remember that the WAN interface on pfSense is the DMZ IP in the configuration of the ISP router/modem in the LAN interface of the router/modem. -
@tadao I forgot to mention that the WAN Interface Address of the pfSense must be set to DMZ IP on the ISP router/modem.
