Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Configuring static IPv6 just isn't working; what am I screwing up?

    IPv6
    2
    8
    1.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      Keith_Rettig
      last edited by

      My datacenter has given me aaaa:bbbb:1::1 /48

      I setup System/Routing/Gateways/Edit to 'address_type' of "IPv6" and the 'gateway IP address' as "aaaa:bbbb:1::1" and then set it as the default gateway for IPv6

      Under Interfaces/WAN; I set 'IPv6 Configuration Type' to "Static IPv6", the 'IPv6 address' to "aaaa:bbbb:1::2 /48" and selected the above gateway as the "IPv6 Upstream gateway"

      Under Interfaces/LAN; I have 'IPv6 Configuration Type' set to "Static IPv6", the 'IPv6 address' to "aaaa:bbbb:13::1 /64" and did not select anything for 'IPv6 Upstream gateway'. [If I try to set the address as "aaaa:bbbb:1::1 /64", the pfSense says that is overlapping with the "aaaa:bbbb:1::1 /48" and won't let me do it. So I thought I am supposed to pick one of the /64 spaces for the LAN side.]

      I manually set all of the machines to IPv6 addresses. For instance, the email server is set to "aaaa:bbbb:13::7" and one of the web servers is set to "aaaa:bbbb:13::14".

      In my DNS at Godaddy, I have mail.mydomain.com set to type = "AAAA" and the IP address as "aaaa:bbbb:13::7". a DNS query returns the correct answer.

      From my home I ping6 to "aaaa:bbbb:1::2" but I can't connect to it. From home I can not ping6 to "aaaa:bbbb:13::7" and I cannot connect to it. All of the machines can ping6 each other but can not ping6 google.com. If I use 'Diagnostics/Ping' to ping google using the WAN interface it works.
      PING6(56=40+8+8 bytes) aaaa:bbbb:1::2 --> 2607:f8b0:400a:80a::200e
      16 bytes from 2607:f8b0:400a:80a::200e, icmp_seq=0 hlim=118 time=1.348 ms
      If I use 'Diagnostics/Ping' to ping google using the LAN interface it fails.
      PING6(56=40+8+8 bytes) aaaa:bbbb:13::1 --> 2607:f8b0:400a:805::200e
      --- google.com ping6 statistics ---
      3 packets transmitted, 0 packets received, 100.0% packet loss

      I duplicated the "Default allow LAN to any rule" from IPv4 to IPv6 in 'Firewall/Rules/LAN'. So I am expecting IPv6 to at least get out, but alas it does not.

      So what am I doing wrong?
      I am so frustrated. When I started this, I thought to myself "you mostly understand this stuff, this shouldn't be too difficult". But now my ego is smashed and I am pretty sure I don't know jack about IPv6. I am sure it is something stupid.
      Some please enlighten me!

      Thank you in advance for any guidance.
      Keith.

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @Keith_Rettig
        last edited by

        @keith_rettig well you wouldn't put a /48 on an interface.. What is the transit network they gave you that routes that /48 to you? Do they expect you to use the first /64 prefix as the transit?

        But if you put a /48 on an interface, and then try to put a /64 out of that /48 on some other interface - sure pfsense is going to scream at you because of the overlap.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        K 1 Reply Last reply Reply Quote 0
        • K
          Keith_Rettig @johnpoz
          last edited by Keith_Rettig

          @johnpoz So what is the solution?
          Just pick one of the /64s under that /48 they gave me and set that as my WAN?
          Ask the data center some pointed question? "You said you gave me aaaa:bbbb1::1 /48 ; what are you expecting me to use?"
          I have tried to enlist their help already. They did traceroute6 and responded with "all packets are making it to aaaa:bbbb:1::1 so you must be doing something wrong with your firewall". So it would seem that they are comfortable with me using aaaa:bbbb1::1.

          Here is what I am hearing from you...
          do the following...
          Under Interfaces/WAN; I set 'IPv6 Configuration Type' to "Static IPv6", the 'IPv6 address' to "aaaa:bbbb:1::2 /64" and selected the above gateway as the "IPv6 Upstream gateway"

          I appreciate the help.

          K 1 Reply Last reply Reply Quote 0
          • K
            Keith_Rettig @Keith_Rettig
            last edited by

            I didn't think I should change the LAN side to aaaa:bbbb:1::2 with no upstream gateway but I figured I would try any ways. This is what I get...

            The following input errors were detected:
            IPv6 address aaaa:bbbb:1::2/64 is being used by or overlaps with: WAN (aaaa:bbbb:1::2/64)

            So I am leaving it as aaaa:bbbb:13::1/64 .

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @Keith_Rettig
              last edited by johnpoz

              If they assigned you a /48 just attached - they are MORONS!!

              You would never put a /48 on an interface.. A /48 would be routed to you.. Via a transit, that transit could be some other ipv6 /64, it could be link-local.. It could be some /128. It might be the first /64 out of the /48, the last, etc.. But a /48 is not a network you you would directly assign to an interface..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              K 1 Reply Last reply Reply Quote 0
              • K
                Keith_Rettig @johnpoz
                last edited by Keith_Rettig

                @johnpoz ; This is what I got from the data center network guy;

                I have made a few changes. Your connected ipv6 block is now aaaa:bbbb:0:1::/64
                Gateway IP: aaaa:bbbb:0:1::1/64
                Your WAN IP: aaaa:bbbb:0:1::2/64
                aaaa:bbbb:1::/48 has been routed to aaaa:bbbb:0:1::2
                Please let me know if this resolves your issue.

                So where do I put all of these values?
                System/Routing/Gateways has aaaa:bbbb:0:1::1
                Interfaces/WAN gets aaaa:bbbb:0:1::2 /64
                Interfaces/LAN to would be set to aaaa:bbbb:0:13::1 /64
                and each machine would get one of the addresses between aaaa:bbbb:0:13::2 through aaaa:bbbb:0:13::52
                I am assuming it was a typo in the second to last sentence and that he meant that "aaaa:bbbb:0:1::/48 has been routed to..."

                Thanks.
                I am so damn frustrated.

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @Keith_Rettig
                  last edited by johnpoz

                  @keith_rettig said in Configuring static IPv6 just isn't working; what am I screwing up?:

                  I am assuming it was a typo in the second to last sentence

                  Why would you assume that? You can not assume they typo'd the network they routed to you..

                  Its difficult to know what is what when your changing the info.. to aaaa"bbbb .

                  PM me exactly what they sent you.

                  But yes the /64 would be the transit and that would go on your wan.. Then the /64's out of the /48 they sent you that you want to use would go on your lan side interfaces.

                  edit: where did you come up with aaaa:bbbb:0:13::

                  if you wanted to use a 13 in your prefix from that /48 it would be.
                  aaaa:bbbb:1:13::/64

                  The transit network does not have to be part of the /48, normally it would NOT be.. So not sure why you think they typo'd anything..

                  example: My tunnel is
                  2001:470:aaaa:bbbb::/64

                  My routed /48 is
                  2001:470:caaa::/48

                  What they sent you as /48 looks normal to me, it is different then your transit. But with you obfuscating can not be sure. But if your not going to use what they sent - then yeah not going to work because the network you used isn't routed to you.

                  Can pfsense ping its ipv6 gateway via what they sent you.. That is step one, before you do anything on the lan side out of that /48

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  1 Reply Last reply Reply Quote 0
                  • K
                    Keith_Rettig
                    last edited by

                    Success!

                    Thanks so much for the help.
                    Very much appreciated.

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.