Coming back to PFsense but IPv6 doesn't appear to work
-
Coming back to Pfsense with the release of 2.7 so made note of my port forwards on the ISP router and booted up an old Dell USFF machine running 2.7 and pfBlocker.
My ISP offers up my connection via DHCP and DHCPv6 to which I have bought a static address due to CG-Nat, this static appears to be tied to the MAC of their Router so I "spoofed" it into pfsense, both the WAN_DHCP and WAN_DHCP6 show up and the gateways are the same as the old router yet all IPv6 tests say no IPv6 service.
I fear that I've stared at this for several hours and am just overlooking a simple setting but as always the more you look the less you see.
The machine I'm testing this from has an IPv6 address.
-
@F022Y It was working here. Maybe show some screens.
-
That would help wouldn't it......
-
@F022Y That is looking good, what do your LAN rules look like?
-
This might be where it's gone pear shaped.
-
@F022Y Have you tried Track Interface?
Anyways you can not set the prefix to /128, it has to be /64.
And your firewall rules on LAN look like what?
-
@Bob-Dig said in Coming back to PFsense but IPv6 doesn't appear to work:
@F022Y That is looking good,
I take this back, it looks like you did everything manually, which could be wrong entirely.
-
Just running back through the setup wizard again to "default" it and in doing so the IPv6 Gateway shows as down.
From the LAN firewall point of view very vanilla at the moment just defaults.
-
@F022Y Try DHCP on WAN and Track Interface on LAN. I see no reason why your WAN is "offline" now, "save" it again, to trigger it.
-
Tried I assume you mean this?
However track get the hump in LAN
-
So trying to get some help from ISP (LitFibre here in the UK), connection is fairly simple.
Fibre into the property, ONT with an RJ45 running to their router or my PFsense box.
Addressing is via DHCP and DHCPv6 according to what I got out of their router.
If I don't spoof the WAN MAC in PFsense I don't get my static IP which I presume is down to DHCP reservation but I'm now stumped, I have reached out to ISP in case there is a setting I need which clearly I've missed or if PFsense can't be used with them.
-
@F022Y said in Coming back to PFsense but IPv6 doesn't appear to work:
However track get the hump in LAN
No, you have to scroll down a bit...
-
Sorry for the delay, work got in the way so couldn't down the connection then I think the little USFF pc I was using died so back to my good old ESXI host.
I tried the following configurations:-

WAN interface IPv4 DHCP (this stays the same throughout)
WAN interface IPv6 DHCP
LAN interface IPv4 Static IP (this stays the same throughout)
LAN interface IPv6 DHCP

WAN interface IPv4 DHCP (this stays the same throughout)
WAN interface IPv6 Track interface WAN
LAN interface IPv4 Static IP (this stays the same throughout)
LAN interface IPv6 None

WAN interface IPv4 DHCP (this stays the same throughout)
WAN interface IPv6 Track Interface LAN
LAN interface IPv4 Static IP (this stays the same throughout)
LAN interface IPv6 None

WAN interface IPv4 DHCP (this stays the same throughout)
WAN interface IPv6 WAN
LAN interface IPv4 Static IP (this stays the same throughout)
LAN interface IPv6 None

WAN interface IPv4 DHCP (this stays the same throughout)
WAN interface IPv6 DHCP
LAN interface IPv4 Static IP (this stays the same throughout)
LAN interface IPv6 Track Interface WAN

I'm afraid I'm not familiar with DHCP from an ISP as I've always been a PPPoE user so still working it out.
I have left it in the following state:-

WAN interface IPv4 DHCP (this stays the same throughout)
WAN interface IPv6 DHCP
LAN interface IPv4 Static IP (this stays the same throughout)
LAN interface IPv6 Track Interface WAN

This isn't showing me a DHCPv6 address in the interfaces and IPv6 tests at the likes of https://test-ipv6.com/ are still failing.
-
@F022Y There are, unfortunately, a bunch of ways to configure IPv6, instead of just one. You need to figure out what your ISP wants you to use. Your ISP will delegate you a /64 block to use on your LAN.
https://docs.netgate.com/pfsense/en/latest/interfaces/configure-ipv6.html
"The Track Interface choice works in concert with another IPv6 interface using DHCPv6 Prefix Delegation. When a delegation is received from the ISP, this option designates which interface will be assigned the IPv6 addresses delegated by the ISP and in cases where a larger delegation is obtained, which prefix inside the delegation is used."
Your recent photo above shows WAN tracking LAN which is backwards. (and the opposite of your text in the post)
-
You don't track LAN, but the WAN
Also : tip of the day : never presume that things are working : check it.
The 'thing' that gets an 'IPv6' for the WAN interface is called "dhcp6c".
The same process also asks for 'prefix(es)' so your LAN (or more LANs) can have their own dedicated /64.
First, go to System > Advanced > Networking and check
Next : go to Status > System Logs > DHCP
You're looking for a known process : dhcp6c (and not dhcpd which is the dhcp server process for your LAN interfaces).
You should see something like this (read from bottom to top) :
2023-10-03 18:54:04.265573+02:00 dhcp6c 6769 got an expected reply, sleeping.
2023-10-03 18:54:04.265548+02:00 dhcp6c 6769 removing an event on ix3, state=RENEW
2023-10-03 18:54:04.265503+02:00 dhcp6c 6769 script "/var/etc/dhcp6c_wan_script.sh" terminated
2023-10-03 18:54:04.265076+02:00 dhcp6c 21146 dhcp6c renew, no change - bypassing update on ix3
2023-10-03 18:54:04.261992+02:00 dhcp6c 6769 executes /var/etc/dhcp6c_wan_script.sh
2023-10-03 18:54:04.261982+02:00 dhcp6c 6769 update a prefix 2a01:cbbb:beef:a6dc::/64 pltime=600, vltime=1800
2023-10-03 18:54:04.261970+02:00 dhcp6c 6769 update an IA: PD-0
2023-10-03 18:54:04.261957+02:00 dhcp6c 6769 Domain search list[0] home.
2023-10-03 18:54:04.261947+02:00 dhcp6c 6769 nameserver[0] 2a01:cbaa:dead:beef:46d4:54ff:fe2a:3600
2023-10-03 18:54:04.261930+02:00 dhcp6c 6769 dhcp6c Received INFO
2023-10-03 18:54:04.261919+02:00 dhcp6c 6769 get DHCP option domain search list, len 6
2023-10-03 18:54:04.261910+02:00 dhcp6c 6769 get DHCP option DNS, len 16
2023-10-03 18:54:04.261902+02:00 dhcp6c 6769 preference: 255
2023-10-03 18:54:04.261894+02:00 dhcp6c 6769 get DHCP option preference, len 1
2023-10-03 18:54:04.261881+02:00 dhcp6c 6769 IA_PD prefix: 2a01:cb19:907:a6dc::/64 pltime=600 vltime=1800
2023-10-03 18:54:04.261862+02:00 dhcp6c 6769 get DHCP option IA_PD prefix, len 25
2023-10-03 18:54:04.261853+02:00 dhcp6c 6769 IA_PD: ID=0, T1=300, T2=480
2023-10-03 18:54:04.261845+02:00 dhcp6c 6769 get DHCP option IA_PD, len 41
2023-10-03 18:54:04.261836+02:00 dhcp6c 6769 DUID: 00:03:00:01:44:d4:54:2a:36:00
2023-10-03 18:54:04.261825+02:00 dhcp6c 6769 get DHCP option server ID, len 10
2023-10-03 18:54:04.261816+02:00 dhcp6c 6769 DUID: 00:01:00:01:2b:5a:d7:6b:90:ec:77:29:39:2c
2023-10-03 18:54:04.261801+02:00 dhcp6c 6769 get DHCP option client ID, len 14
2023-10-03 18:54:04.261776+02:00 dhcp6c 6769 receive reply from fe80::46d4:54ff:fe2a:3600%ix3 on ix3
2023-10-03 18:54:04.250458+02:00 dhcp6c 6769 send renew to ff02::1:2%ix3
2023-10-03 18:54:04.250277+02:00 dhcp6c 6769 set IA_PD
2023-10-03 18:54:04.250269+02:00 dhcp6c 6769 set IA_PD prefix
2023-10-03 18:54:04.250258+02:00 dhcp6c 6769 set option request (len 4)
2023-10-03 18:54:04.250248+02:00 dhcp6c 6769 set elapsed time (len 2)
2023-10-03 18:54:04.250240+02:00 dhcp6c 6769 set server ID (len 10)
2023-10-03 18:54:04.250232+02:00 dhcp6c 6769 set client ID (len 14)
2023-10-03 18:54:04.250219+02:00 dhcp6c 6769 a new XID (ff0494) is generated
2023-10-03 18:54:04.250208+02:00 dhcp6c 6769 Sending Renew
2023-10-03 18:54:04.250174+02:00 dhcp6c 6769 reset a timer on ix3, state=RENEW, timeo=0, retrans=10439
2023-10-03 18:54:04.250064+02:00 dhcp6c 6769 IA timeout for PD-0, state=ACTIVE
This pure rocket science language shows that my upstream ISP router gave me one prefix :
IA_PD prefix: 2a01:cbaa:beef:a6dc::/64 and that one is 'mapped' (by the tracking) on my LAN interface as its static IPv6
The rest of the 2a01:cbaa:beef:a6dc::/64 is used by the dhcp6 SERVER so it can hand out IPv6 out of this /64 pool :
My dhcp6 server setup on LAN :
and now my IPv6 capable devices on my LAN are all getting an IPv6.
Most of them have "DUID static" IPv6 leases, so my printers, NAS, servers etc always get the same IPv6.
My interfaces :
as you can (can't see actually - I've barred it) see, the WAN IPv6 which is the 'range' of the LAN of my ISP router.
Btw : My ISP says in its GUI that it has a /56 for me, that is 256 prefixes of /64.
But it only gives me one !!
That's why I have this :
I can choose only 0 of 0 - actually 1 out of the 1 available prefixes obtained (see logs above).
But "0" is a hex index here, as these indexes go from 00 hex to FF hex = 255.
So "0" is the first valid one.
Also : the fe80:xxxxx addresses are like RFC1918 : so just like 192.168.1.1 - we all have the same addresses.
A 'real' routable IPv6 starts with 2xxx:xx:xx:xx:xx:xx:xx:xx:x
-
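Added example, not written by any poster in this thread: a small Python check that reads dhcp6c log text for "IA_PD prefix:" lines like the ones quoted above, reports how many /64s each delegation holds and the highest valid Track Interface prefix ID in hex, and tells a link-local address apart from a routable one. It generalises from the single /64 in the log to larger delegations such as the /56 mentioned; the function names are hypothetical and the sample log lines are constructed with documentation prefixes.

```python
import ipaddress
import re

# Format of the dhcp6c line that reports a delegated prefix, as quoted in the thread.
IA_PD_RE = re.compile(
    r"dhcp6c \d+ IA_PD prefix: (?P<prefix>\S+) pltime=(?P<pl>\d+) vltime=(?P<vl>\d+)"
)

def delegations(log_text):
    """One dict per distinct delegated prefix; max_prefix_id is the top hex ID."""
    found = {}
    for m in IA_PD_RE.finditer(log_text):
        net = ipaddress.IPv6Network(m["prefix"], strict=False)
        # A delegation longer than /64 cannot give a LAN its own /64.
        usable = 2 ** (64 - net.prefixlen) if net.prefixlen <= 64 else 0
        found[net] = {
            "prefix": str(net),
            "pltime": int(m["pl"]),
            "vltime": int(m["vl"]),
            "lan_64s": usable,
            "max_prefix_id": format(max(usable - 1, 0), "x"),
        }
    return list(found.values())

def lan_prefix(delegated, prefix_id_hex):
    """Return the /64 that a given hex prefix ID selects inside a delegation."""
    net = ipaddress.IPv6Network(delegated)
    idx = int(prefix_id_hex, 16)
    if net.prefixlen > 64 or idx >= 2 ** (64 - net.prefixlen):
        raise ValueError("prefix ID outside the delegation")
    base = int(net.network_address) + (idx << 64)
    return str(ipaddress.IPv6Network((base, 64)))

def scope(address):
    """Classify an address; a host with only link-local fails IPv6 test sites."""
    ip = ipaddress.IPv6Address(address.split("%")[0])
    if ip in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if ip in ipaddress.IPv6Network("2000::/3"):
        return "global"
    return "other"

# Constructed sample lines in the dhcp6c format, using documentation prefixes.
SAMPLE = """\
2023-10-03 18:54:04.261881+02:00 dhcp6c 6769 IA_PD prefix: 2001:db8:ab00::/56 pltime=600 vltime=1800
2023-10-03 18:54:04.261862+02:00 dhcp6c 6769 get DHCP option IA_PD prefix, len 25
"""

if __name__ == "__main__":
    print(delegations(SAMPLE) or "no IA_PD prefix in log: nothing for LAN to track")
```

An empty result from `delegations()` means the log holds no delegated prefix, so a LAN set to Track Interface has nothing to take a /64 from.
-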
@SteveITS Sorry I did notice that it was backwards but by that point I had clicked submit and the work phone rang so apologies for the wrong info.
-
@Gertjan Yeah I clicked submit then noticed my screenshot error (took it while testing) and then had a server issue at work so had to stop "playing".
That's really helpful info and gives me something to work on, I'm a simple man of PPPoE so this is a new config type for me so it's all weird and wonderful.