ipv6 router behind router (static)
-
Hi all. I'm trying to solve an ipv6 connectivity problem and would appreciate opinions from those who know.
Outer router (residential moto mg7540) has all wireless traffic running on guest networks, significantly reducing trash traffic on the wired link.
For this reason, bridge mode is not preferable.
Inner router (pfsense on qotom 6 port i5) has 3 lans. ipv4 is static configured, double natted, works fine, no problem.
So now, ipv6.
Outer router reports a prefix delegation of /60. This should mean that I have 16 subnets at my disposal, yes? The ipv6 gateway address is set by isp (not configurable) in the first /64 of the /60. pfsense wan is static set to same:subnet::2/64. I can ping6 from wan interface to outer router gateway and the outside world. Great, we used a whole subnet for that link, but we should have 15 left, eh?
Each pfsense lan ip is static set to next:adjacent:subnet::1/64. I can ping from any lan interface to wan interface, but not to gateway or world. At first I thought it was a routing problem even though routing table shows correct default iface and address. Then I tried ping6 -v -S from lan to gateway and got:
64 bytes from <gateway address>: Destination Unreachable, Bad Code: 5
...Irony, gateway says it can't be reached. Anyway, code 5 translates to 'Bad source address'. Am I wrong in thinking I should be able to route my subnets out through the gateway? I thought about the DMZ, but it is ipv4-only and it doesn't have its own port, so that's out.
As a backup, I could split the one functioning /64 into /80s. Anybody know how to do that? Or nat? I know some folks get hives at the thought of it.
Thoughts? Opinions?
Thanks for reading.
-
By having another router ahead of pfsense, you're creating your problem. ISPs typically use DHCPv6-PD to pass the prefix on to the subscriber. That first router blocks that. This means you have to route the prefix to pfsense and I don't know that the first router is capable of that.
BTW, one of the reasons for a firewall/router such as pfsense is to keep the trash out.
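An added example, not part of the thread: a small Python model of the addressing described above, showing why LAN-sourced packets draw ICMPv6 Destination Unreachable code 5 (RFC 4443: "source address failed ingress/egress policy") while the pfsense WAN address does not. The prefix is a constructed value from the 2001:db8::/32 documentation range, and the outer router's behaviour (forward only when it holds a route covering the source) is an assumption, as are all function names.

```python
import ipaddress

# Constructed values: 2001:db8::/32 is the documentation prefix, not the poster's.
DELEGATED = ipaddress.ip_network("2001:db8:0:10::/60")
SUBNETS = list(DELEGATED.subnets(new_prefix=64))   # the 16 /64s inside the /60
WAN_LINK = SUBNETS[0]                               # /64 holding the ISP-set gateway
PFSENSE_WAN = WAN_LINK[2]                           # same:subnet::2
LANS = {"lan1": SUBNETS[1], "lan2": SUBNETS[2], "lan3": SUBNETS[3]}


def outer_router_verdict(src, routes):
    """Model the outer router's handling of a packet arriving from its LAN side.

    Assumption: it forwards only when it holds a route (connected or static)
    covering the source address; otherwise it answers ICMPv6 type 1 code 5.
    """
    src = ipaddress.ip_address(src)
    if src not in DELEGATED:
        return "drop: outside delegated prefix"
    if any(src in net for net in routes):
        return "forward"
    return "icmp6 unreachable code 5"


def routes_needed(lans, next_hop):
    """Static routes the outer router would need: one per inner LAN /64."""
    return [(net, next_hop) for net in lans.values()]


if __name__ == "__main__":
    connected = [WAN_LINK]  # all the outer router knows without extra routes
    print(len(SUBNETS), "subnets in", DELEGATED)
    print("pfsense wan", PFSENSE_WAN, "->",
          outer_router_verdict(PFSENSE_WAN, connected))
    for name, net in LANS.items():
        print(name, net, "->", outer_router_verdict(net[1], connected))
    # Same sources once each LAN /64 is routed to the pfsense WAN address.
    routed = connected + [net for net, _ in routes_needed(LANS, PFSENSE_WAN)]
    for name, net in LANS.items():
        print(name, net, "->", outer_router_verdict(net[1], routed))
```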