Netgate Discussion Forum

    ipv6 router behind router (static)

      xyz

      Hi all. I'm trying to solve an ipv6 connectivity problem and would appreciate opinions from those who know.

      Outer router (residential moto mg7540) has all wireless traffic running on guest networks, significantly reducing trash traffic on the wired link.
      For this reason, bridge mode is not preferable.

      Inner router (pfsense on qotom 6 port i5) has 3 lans. ipv4 is static configured, double natted, works fine, no problem.

      So now, ipv6.

      Outer router reports a prefix delegation of /60. This should mean that I have 16 subnets at my disposal, yes? The ipv6 gateway address is set by isp (not configurable) in the first /64 of the /60. pfsense wan is static set to same:subnet::2/64. I can ping6 from wan interface to outer router gateway and the outside world. Great, we used a whole subnet for that link, but we should have 15 left, eh?

      Each pfsense lan ip is static set to next:adjacent:subnet::1/64. I can ping from any lan interface to wan interface, but not to gateway or world. At first I thought it was a routing problem even though routing table shows correct default iface and address. Then I tried ping6 -v -S from lan to gateway and got:
      64 bytes from <gateway address>: Destination Unreachable, Bad Code: 5

      ...Irony, gateway says it can't be reached. Anyway, code 5 translates to 'Bad source address'. Am I wrong in thinking I should be able to route my subnets out through the gateway? I thought about the DMZ, but it is ipv4-only and it doesn't have its own port, so that's out.

      As a backup, I could split the one functioning /64 into /80's. Anybody know how to do that? Or nat? I know some folks get hives at the thought of it.

      Thoughts? Opinions?
      Thanks for reading..

        JKnott @xyz

        @xyz

        By having another router ahead of pfsense, you're creating your problem. ISPs typically use DHCPv6-PD to pass the prefix on to the subscriber. That first router blocks that. This means you have to route the prefix to pfsense and I don't know that the first router is capable of that.

        BTW, one of the reasons for a firewall/router such as pfsense is to keep the trash out.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

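The addressing plan and the failure discussed in this thread, as an added example that is not part of either post or of pfSense itself. It carves a /60 into /64s as the first post describes, models the outer router's source-address check, and lists the routes the outer router would need. Assumptions: the prefix is a constructed documentation prefix, the function names are hypothetical, the forwarding model is a simplification consistent with the reported ICMPv6 error, and whether the outer router can hold such routes is not established on this page.

```python
import ipaddress

# Constructed sample delegation (documentation prefix, not from the thread).
DELEGATED = ipaddress.ip_network("2001:db8:0:10::/60")
# ICMPv6 type 1 (Destination Unreachable), code 5, named in RFC 4443 as
# "Source address failed ingress/egress policy".
CODE5 = "icmp6 type 1 code 5"

def plan(delegated, lan_count):
    """First /64 is the link between the routers; the next ones are inner LANs."""
    subnets = list(delegated.subnets(new_prefix=64))
    if lan_count + 1 > len(subnets):
        raise ValueError("delegation has too few /64s for this many LANs")
    wan_link = subnets[0]
    return {
        "total_64s": len(subnets),
        "wan_link": wan_link,
        "inner_wan": wan_link[2],            # same:subnet::2, as in the post
        "lans": subnets[1:1 + lan_count],    # next adjacent /64s
    }

def outer_router_verdict(src, on_link, static_routes):
    """Assumed model: the outer router forwards only sources it can reach,
    either on its own link or through a configured route."""
    addr = ipaddress.ip_address(src)
    if addr in on_link or any(addr in net for net in static_routes):
        return "forward"
    return CODE5

def routes_needed(p):
    """(destination prefix, next hop) pairs the outer router would need."""
    return [(str(lan), str(p["inner_wan"])) for lan in p["lans"]]

if __name__ == "__main__":
    p = plan(DELEGATED, 3)
    print("usable /64s:", p["total_64s"])
    for lan in p["lans"]:
        src = str(lan[1])                    # the LAN interface, subnet::1
        print(src, "->", outer_router_verdict(src, p["wan_link"], []))
    for dest, hop in routes_needed(p):
        print("route", dest, "via", hop)
```

With no routes on the outer router, only the inner router's WAN address passes the check; the LAN sources get the same code 5 response the first post reports.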
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.