How to correctly setup static IPv6?
-
Good afternoon,
I have some odd, odd problems getting IPv6 to work for the LAN devices/clients here and even though I think I have set it up correctly, reality is, I have not and things aren't working. Given that remote-debugging/finding the error might be a bit complicated, I was wondering what the correct way would be to set things up.
The goal is to have a very basic ISP > pfSense > LAN devices/clients. No further downstream routers etc.
So what I have received from my ISP is:
- A static 2001:XXX:YYYY:ZZZZ::88b4/126 network for the WAN interface, so basically I got the ::88b6/126 for the pfSense WAN interface and the ISP's gateway/router is ::88b5/126.
- A 2001:XXX:VVVV::/48 for my side of things beyond the pfSense
At the most basic setup I did what I said above - assign the WAN interface the ::88b6/126 and the GW for it to ::88b5/126. I did/do nothing on LAN interface side of things, yet at this stage. Neither FW rules wise.
So what works:
- IPv6 monitoring on the WAN GW to the ::88b5/126
- traceroute6 out on the pfSense works perfectly fine to wherever I choose (google.com, any akamai host etc)
- If I (temporarily and generously) allow all IPv6 traffic in on the WAN interface / rules to the ::88b6/126 as destination, I can use i.e. http://www.traceroute6.net/ to traceroute6 also back to the pfSense's WAN interface just fine.
Good, so far it seems to work & I removed said wide-open FW rule again.
As the goal is to have LAN side's devices IPv6 access, I would be wondering/asking, what's the correct way to proceed:
- Assign the LAN interface an IPv6 address out of the /48 .. i.e. a /56's ::1 with the intent then to take at least one /64 for the actual devices/client behind it
... well or what would be the correct approach? There will be only clients/devices, no further downstream routers/gateways...?
I don't want to overcomplicate things (just yet?), so what address + network out of said /48 would/should I assign where now?
Thanks!
-JB
-
@jbattermann Split up your /48 into /64's i.e:-
2a02:1234:1234::/48 split :-

2a02:1234:1234::/64
Start Range: 2a02:1234:1234:0:0:0:0:0
End Range: 2a02:1234:1234:0:ffff:ffff:ffff:ffff
No. of host: 18446744073709551616

2a02:1234:1234:1::/64 LAN
Start Range: 2a02:1234:1234:1:0:0:0:0
End Range: 2a02:1234:1234:1:ffff:ffff:ffff:ffff
No. of host: 18446744073709551616

2a02:1234:1234:2::/64 USER
Start Range: 2a02:1234:1234:2:0:0:0:0
End Range: 2a02:1234:1234:2:ffff:ffff:ffff:ffff
No. of host: 18446744073709551616

2a02:1234:1234:3::/64 GUEST
Start Range: 2a02:1234:1234:3:0:0:0:0
End Range: 2a02:1234:1234:3:ffff:ffff:ffff:ffff
No. of host: 18446744073709551616

2a02:1234:1234:4::/64 IOT
Start Range: 2a02:1234:1234:4:0:0:0:0
End Range: 2a02:1234:1234:4:ffff:ffff:ffff:ffff
No. of host: 18446744073709551616

2a02:1234:1234:5::/64 DMZ
Start Range: 2a02:1234:1234:5:0:0:0:0
End Range: 2a02:1234:1234:5:ffff:ffff:ffff:ffff
No. of host: 18446744073709551616

2a02:1234:1234:6::/64 VOICE
Start Range: 2a02:1234:1234:6:0:0:0:0
End Range: 2a02:1234:1234:6:ffff:ffff:ffff:ffff
No. of host: 18446744073709551616
I use the last quartet as the vlan number and the ::1 as the gateway, makes things easy to remember.
Go here to test afterwards https://ipv6-test.com
-
@jbattermann said in How to correctly setup static IPv6?:
As the goal is to have LAN side's devices IPv6 access, I would be wondering/asking, what's the correct way to proceed:
Assign the LAN interface an IPv6 address out of the /48 .. i.e. a /56's ::1 with the intent then to take at least one /64 for the actual devices/client behind it
With a /48 you have 65536 possible prefix IDs, ranging 0-ffff. You pick one of those for each interface or VLAN as you wish. You can use them to match VLAN ID, as I do, or whatever you wish, so long as the ID is unique.
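
The addressing scheme from the two replies above (one /64 per VLAN, prefix ID matching the VLAN number, ::1 as the gateway), as an added example that is not code from either poster. The function name `plan_subnets`, the documentation prefix 2001:db8:1234::/48, the sample WAN link and the digit-for-digit reading of "VLAN number" (VLAN 20 becomes `:20::/64`) are assumptions for illustration.

```python
import ipaddress


def plan_subnets(routed_prefix, vlans, wan_link=None):
    """Return {name: {"network": /64, "gateway": ::1/64}} for each VLAN.

    vlans maps a name to its VLAN number. The number is written
    digit-for-digit into the prefix ID (assumed convention), so it is
    parsed as hex: VLAN 20 -> prefix ID 0x20 -> ...:20::/64.
    """
    net = ipaddress.IPv6Network(routed_prefix)
    if net.prefixlen > 64:
        raise ValueError("routed prefix must be /64 or shorter")
    id_bits = 64 - net.prefixlen  # a /48 leaves 16 bits: 65536 prefix IDs
    if wan_link is not None:
        wan = ipaddress.IPv6Network(wan_link, strict=False)
        # The WAN transit net must sit outside the prefix routed to the LAN.
        if net.overlaps(wan):
            raise ValueError("WAN link overlaps the routed prefix")
    plan, used = {}, {}
    for name, vlan in vlans.items():
        prefix_id = int(str(vlan), 16)
        if prefix_id >= 1 << id_bits:
            raise ValueError(f"{name}: prefix ID {prefix_id:x} does not fit")
        if prefix_id in used:
            raise ValueError(f"{name}: prefix ID reused by {used[prefix_id]}")
        used[prefix_id] = name
        base = int(net.network_address) + (prefix_id << 64)
        plan[name] = {
            "network": ipaddress.IPv6Network((base, 64)),
            "gateway": ipaddress.IPv6Interface((base + 1, 64)),
        }
    return plan


if __name__ == "__main__":
    # Constructed sample values, not the poster's real prefixes.
    sample = plan_subnets(
        "2001:db8:1234::/48",
        {"LAN": 1, "IOT": 4, "GUEST": 20},
        wan_link="2001:db8:ffff:1::88b4/126",
    )
    for name, entry in sample.items():
        print(f"{name:6} {entry['network']}  gateway {entry['gateway']}")
```

The gateway value is what goes on the pfSense interface as a static IPv6 address with a /64 prefix length.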
-
Thanks @NogBadTheBad & @JKnott .. that's exactly what I did last time.. or at least I think I did.
In the easiest picture with just one non-VLAN-separated LAN (again, keeping VLAN out for simplicity) and assuming @NogBadTheBad's LAN example:
- What would you assign the pfSense's LAN interface as address - i.e. 2001:XXX:VVVV:1::1/64 out of the 2001:XXX:VVVV:1::/64 LAN net taken as an example?
- And further on after that, what would you use/configure DHCPv6/RA wise on the LAN interface... both, just one.. neither?
- And finally, would you add/have any WAN or LAN IPv6 rules?
It may sound like a trivial setup and questions.. my problem basically ended up being that everything worked on the pfSense box but while LAN clients could traceroute6/ping6 out just fine, i.e. no IPv6 websites could be reached without timing out and browsers/applications etc behaving the way they do in that case (if at all).. falling back to IPv4 after a while (some very quickly, some in very odd ways/extremely long timeouts etc).
So if you would ignore that last paragraph and what I am trying to not run into again (and again.. not wanting to make things too complicated and more as a step-by-step and going/re-configuring along kind of approach), how would you go about the three bullet points above?
Thanks!
-
@jbattermann said in How to correctly setup static IPv6?:
Thanks @NogBadTheBad & @JKnott .. that's exactly what I did last time.. or at least I think I did.
In the easiest picture with just one non-VLAN-separated LAN (again, keeping VLAN out for simplicity) and assuming @NogBadTheBad's LAN example:
What would you assign the pfSense's LAN interface as address - i.e. 2001:XXX:VVVV:1::1/64 out of the 2001:XXX:VVVV:1::/64 LAN net taken as an example?
And further on after that, what would you use/configure DHCPv6/RA wise on the LAN interface... both, just one.. neither?
And finally, would you add/have any WAN or LAN IPv6 rules?
I haven't set up static IPv6 for GUA addresses. I've always used track interface, where pfSense provides the base address for my /56 and then set up each interface and prefix ID. Looking at the config for static, it appears you select each /64 address from within your /48 and assign it to the interface. You also have to select /64 for the network size.
You normally don't use DHCPv6 on the LAN side, unless you have a specific need to. Just use SLAAC. Also, Android devices don't work with DHCPv6. You can thank some genius at Google for that one.
-
@jbattermann I used :1::1/64 as the gateway address and the following in the RA section as I have Apple devices :-