Static IPv6 setup
-
Hi,
I am running a Proxmox server on a DC with a pfSense vm, some other vms and a static IPv6 address. The pfSense vm is connected on the WAN interface and the LAN interface, and the other vms connect to the internet on IPv4 through pfSense.
I have received an IPv6 subnet and a gateway (on that subnet) from my provider and I want to route IPv6 traffic for my vms through my pfsense router vm into my provider gw.
I would like to configure each VM with its own static IPv6 manually, so DHCP is not needed.
I tried to google the problem but had no luck finding the solution.Can someone explain how the setup should work / point me in the right direction?
-
@voigon Typically you’d get two, one IPv6 address for WAN and a /64 block to use on LAN.
-
Are you referring to the WAN interface or LAN? If WAN, it's simple, just select static configuration. If the LAN, you can follow my directions for Unique Local Addresses.
-
@SteveITS said in Static IPv6 setup:
@voigon Typically you’d get two, one IPv6 address for WAN and a /64 block to use on LAN.
I got just one /64, can i split it into /80 subnets and use one for WAN and another for LAN?
Can you explain why an additional address is needed?@JKnott said in Static IPv6 setup:
Are you referring to the WAN interface or LAN? If WAN, it's simple, just select static configuration. If the LAN, you can follow my directions for Unique Local Addresses.
IPv6 is working on the WAN interface on pfSense itself, but I want to connect clients through the LAN interface so they will get their own IPv6 address as well
If I understand correctly, your guide shows how to use ULA addresses for inside the network, but my end goal is that each device on LAN will have a GUA (I don't mind implementing ULA as well to achieve that goal but its not needed by itself)
If I follow your guide, should I be able to map the ULA to GUA using NPt? -
It's the same with ULA and GUA addresses. I have never used NPT.
I have never run pfSense in a VM, just on bare metal. However, splitting a /64 is a bad idea as it will break SLAAC and probably DHCPv6, as both expect the suffix to be 64 bits.
I get a /56 prefix from my ISP.
-
What I am not clear on is what makes these addresses publicly reachable, can you explain?
-
The Global Unique Address range is what's allowed to be public. Any other address, such as ULA are not allowed on the Internet. So, routers, such as pfSense, are supposed to allow only GUA addresses on the net. Beyond that, GUA and ULA work the same.
In my case, I get a /56 prefix from my ISP, which provides a gazillion public addresses for me to use.
-
@JKnott I get that, what I meant is that I don't understand what exactly routes traffic originating from my vm guests through pfsense to the internet?
Does pfsense just carry the packets from LAN to WAN since their ip address doesn't need to be rewritten? (seeing as it is a GUA) -
This goes back to basic networking and applies equally to IPv4. A device, such as your VM looks at the address and decides whether the destination is on the local LAN or elsewhere. If on the local LAN, it determines the MAC address of the destination, using ARP on IPv4 or neighbor solicitation on IPv6 and then sends it to the destination directly. For this, pfSense does nothing with the traffic. If elsewhere, the device forwards the packet to pfSense, using the MAC address to do so. PfSense, like any other router, looks at the destination address to determine how to reach the next hop. On small networks, the next hop is usually the default route. However, there may be some other route instead.
-
@JKnott As it stands right now, when selecting the LAN ipv6 address on pfsense (which is part of the GUA prefix assigned by my ISP) on the ping menu it does not reach the destination. When selecting the WAN address everything works as expected.
I face a similar from my VMs where they can ping pfSense itself but when trying to use it as next hop for internet traffic it just time outs, with no related firewall logs
Accessing other vlans through pfSense does work though, which leads me to believe something in the routes inside pfSense are not configured correctly -
@voigon said in Static IPv6 setup:
I got just one /64, can i split it into /80 subnets and use one for WAN and another for LAN?
that is a horrible plan and rife with problems and configuration..
-
From what I understood it will break DHCPv6 and SLAAC, which I am not using anyway.
I need to explain to my host why I need more, can you specifically outline some of these problems? -
@voigon well for one.. you have a /64 on your wan.. And then your going to have overlapping networks on lan side interfaces with /80.. That by itself if even with IPv4 would/could be problematic..
Now if they routed you a prefix, and you broke it up on your end, not a big issue. But they are not routing this /64 to you.. You are directly attached to it.
Have them delegate a prefix to you a /60 a /56.. Or actually route a /prefix to you that you can break up.
-
I don't waste my time with that ping "menu". I just use ssh to pfSense and go from the command line. However, when resolving this sort of problem, packet capture is your friend, either the built in Packet Capture or Wireshark. You can then see if the ping is appearing where it's supposed to and with the correct addresses, etc..