Wan uses wrong IPv6 address
-
Hello,
I have the problem that I don't get an IPv6 internet connection from the WAN interface; the LAN works fine. I have now traced the problem back to the fact that I get four IPv6 subnets on the WAN interface, but only one of them is routable. Subnets on WAN:
The /128 address is the only address I get a connection with.
Is there a way I can force pfSense to use the /128 address as the WAN interface address? Currently it is always using the top address from the list, which isn't routable.
-
I can't speak about your ISP, whoever that is, but link local addresses are often used for routing.
Maybe if you mentioned your ISP, someone here can provide more info.
-
My ISP is Vodafone and I don't think it has anything to do with the link-local address, because the /128 address works, which means I can communicate with my upstream gateway.
I tried a ping and traceroute from an external server to my pfSense; in the case of the /128 address it works fine.
In the case of the 2a02:3::/64 address I get a destination not reachable. I also found out, by checking the whois records, that the 2a02:3::/64 address doesn't even belong to my provider. I think that's the reason it doesn't work.
For the 2a02:80/64 address I can see the incoming packets in pfSense with a packet capture, which means that the path from the server to pfSense works fine and the return path (from pfSense to server) is the part which doesn't work.
-
@vsey Vodafone where? What is in front of pfSense?
-
@bob-dig Vodafone Germany, and in front of pfSense is the Vodafone connect box in bridge mode.
-
I believe that the problem is that pfSense continues to accept Router Advertisements on WAN, even though it uses DHCPv6.
This is also the reason why all IP addresses that do not work have the addition autoconf, which means they were configured with SLAAC. Is there a way to turn off SLAAC on WAN when DHCP is in use, or can I edit the hidden firewall rules on WAN to block the RAs?
-
@vsey DHCPv6 doesn't provide gateway information like it does in IPv4. Just an IP address, DNS servers, and other DHCP options (NTP servers, PXE boot options, etc.). It's a way to formally manage IPv6 addresses, unlike SLAAC which takes everything from the router advertisement and leaves it up to the host to determine an IPv6 address to use.
The router advertisement that pfSense receives from your ISP's router tells pfSense where to route packets to. Most ISPs send RAs automatically every few minutes. Even your pfSense box sends them out over your LAN/OPT interfaces, so all your devices know how to route their data.
-
@mikev7896 My problem is that my ISP sends multiple /64 IP prefixes with its RAs although DHCPv6 is used.
pfSense then takes these prefixes and configures multiple WAN addresses. The problem is now that not all of these addresses work.
My idea was then to switch off the address autoconfiguration on WAN, but I don't know exactly how I can do that.
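-
Added example (not part of the original thread and not pfSense code): a small parser for the Router Advertisements discussed above, showing that an RA can set the M flag (addresses via DHCPv6) and still carry Prefix Information options with the autonomous flag, which is what produces the extra `autoconf` addresses. The function names and the sample RA bytes, built from the 2001:db8::/32 documentation range, are constructed for illustration.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type, RFC 4861 section 4.2
OPT_PREFIX_INFO = 3      # Prefix Information option, RFC 4861 section 4.6.2


def parse_ra(icmp6: bytes) -> dict:
    """Parse the ICMPv6 payload of a Router Advertisement."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(icmp6[5] & 0x80),   # M flag: addresses via DHCPv6
          "other": bool(icmp6[5] & 0x40),     # O flag: other config via DHCPv6
          "prefixes": []}
    off = 16                                  # options follow the fixed header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option at offset %d" % off)
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, flags, valid, preferred = struct.unpack_from("!BBII", icmp6, off + 2)
            net = ipaddress.IPv6Network((icmp6[off + 16:off + 32], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "on_link": bool(flags & 0x80),
                                   "autonomous": bool(flags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off += opt_len
    return ra


def slaac_prefixes(ra: dict) -> list:
    """Prefixes a host forms SLAAC addresses from: A flag set, valid lifetime > 0."""
    return [p["prefix"] for p in ra["prefixes"] if p["autonomous"] and p["valid"] > 0]


def build_sample_ra() -> bytes:
    """Constructed RA: M flag set, two /64 prefixes from the documentation range."""
    def pio(prefix, flags):
        fixed = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, flags, 86400, 14400, 0)
        return fixed + ipaddress.IPv6Address(prefix).packed
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x80, 1800, 0, 0)
    return header + pio("2001:db8:1::", 0xC0) + pio("2001:db8:2::", 0x80)  # L+A, L only


if __name__ == "__main__":
    ra = parse_ra(build_sample_ra())
    print("M flag (addresses via DHCPv6):", ra["managed"])
    print("Prefixes SLAAC will still use:", slaac_prefixes(ra))
```

Feeding it the ICMPv6 payload of an RA taken from a WAN packet capture shows which advertised prefixes have the autonomous flag set alongside DHCPv6.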