Netgate Discussion Forum

Static IPv6 setup

  • V
    voigon
    last edited by Dec 25, 2023, 9:56 AM

    Hi,
    I am running a Proxmox server on a DC with a pfSense vm, some other vms and a static IPv6 address. The pfSense vm is connected on the WAN interface and the LAN interface, and the other vms connect to the internet on IPv4 through pfSense.
    I have received an IPv6 subnet and a gateway (on that subnet) from my provider and I want to route IPv6 traffic for my vms through my pfSense router vm into my provider gw.
    I would like to configure each VM with its own static IPv6 manually, so DHCP is not needed.
    I tried to google the problem but had no luck finding the solution.

    Can someone explain how the setup should work / point me in the right direction?

    • S
      SteveITS Galactic Empire @voigon
      last edited by Dec 25, 2023, 3:58 PM

      @voigon Typically you’d get two, one IPv6 address for WAN and a /64 block to use on LAN.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      • J
        JKnott @voigon
        last edited by Dec 25, 2023, 3:59 PM

        @voigon

        Are you referring to the WAN interface or LAN? If WAN, it's simple, just select static configuration. If the LAN, you can follow my directions for Unique Local Addresses.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • V
          voigon @SteveITS
          last edited by Dec 26, 2023, 8:50 AM

          @SteveITS said in Static IPv6 setup:

          @voigon Typically you’d get two, one IPv6 address for WAN and a /64 block to use on LAN.

          I got just one /64, can I split it into /80 subnets and use one for WAN and another for LAN?
          Can you explain why an additional address is needed?

          @JKnott said in Static IPv6 setup:

          @voigon

          Are you referring to the WAN interface or LAN? If WAN, it's simple, just select static configuration. If the LAN, you can follow my directions for Unique Local Addresses.

          IPv6 is working on the WAN interface on pfSense itself, but I want to connect clients through the LAN interface so they will get their own IPv6 address as well.
          If I understand correctly, your guide shows how to use ULA addresses for inside the network, but my end goal is that each device on LAN will have a GUA (I don't mind implementing ULA as well to achieve that goal but it's not needed by itself).
          If I follow your guide, should I be able to map the ULA to GUA using NPt?

          • J
            JKnott @voigon
            last edited by Dec 26, 2023, 3:46 PM

            @voigon

            It's the same with ULA and GUA addresses. I have never used NPT.

            I have never run pfSense in a VM, just on bare metal. However, splitting a /64 is a bad idea as it will break SLAAC and probably DHCPv6, as both expect the suffix to be 64 bits.

            I get a /56 prefix from my ISP.

            • V
              voigon @JKnott
              last edited by Jan 7, 2024, 9:16 PM

              What I am not clear on is what makes these addresses publicly reachable, can you explain?

              • J
                JKnott @voigon
                last edited by Jan 7, 2024, 9:25 PM

                @voigon

                The Global Unique Address range is what's allowed to be public. Any other address, such as ULA, is not allowed on the Internet. So, routers, such as pfSense, are supposed to allow only GUA addresses on the net. Beyond that, GUA and ULA work the same.

                In my case, I get a /56 prefix from my ISP, which provides a gazillion public addresses for me to use.

                • V
                  voigon @JKnott
                  last edited by Jan 16, 2024, 12:26 PM

                  @JKnott I get that, what I meant is that I don't understand what exactly routes traffic originating from my VM guests through pfSense to the internet?
                  Does pfSense just carry the packets from LAN to WAN since their IP address doesn't need to be rewritten? (seeing as it is a GUA)

                  • J
                    JKnott @voigon
                    last edited by Jan 16, 2024, 1:44 PM

                    @voigon

                    This goes back to basic networking and applies equally to IPv4. A device, such as your VM, looks at the address and decides whether the destination is on the local LAN or elsewhere. If on the local LAN, it determines the MAC address of the destination, using ARP on IPv4 or neighbor solicitation on IPv6, and then sends it to the destination directly. For this, pfSense does nothing with the traffic. If elsewhere, the device forwards the packet to pfSense, using the MAC address to do so. PfSense, like any other router, looks at the destination address to determine how to reach the next hop. On small networks, the next hop is usually the default route. However, there may be some other route instead.

                    • V
                      voigon @JKnott
                      last edited by Jan 16, 2024, 2:38 PM

                      @JKnott As it stands right now, when selecting the LAN IPv6 address on pfSense (which is part of the GUA prefix assigned by my ISP) on the ping menu, it does not reach the destination. When selecting the WAN address everything works as expected.
                      I face a similar issue from my VMs, where they can ping pfSense itself but when trying to use it as next hop for internet traffic it just times out, with no related firewall logs.
                      Accessing other VLANs through pfSense does work though, which leads me to believe something in the routes inside pfSense is not configured correctly.

                      • J
                        johnpoz LAYER 8 Global Moderator @voigon
                        last edited by Jan 16, 2024, 3:33 PM

                        @voigon said in Static IPv6 setup:

                        I got just one /64, can i split it into /80 subnets and use one for WAN and another for LAN?

                        That is a horrible plan and rife with problems and configuration..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        • V
                          voigon @johnpoz
                          last edited by Jan 16, 2024, 3:39 PM

                          From what I understood it will break DHCPv6 and SLAAC, which I am not using anyway.
                          I need to explain to my host why I need more, can you specifically outline some of these problems?

                          • J
                            johnpoz LAYER 8 Global Moderator @voigon
                            last edited by Jan 16, 2024, 3:43 PM

                            @voigon Well, for one.. you have a /64 on your WAN.. And then you're going to have overlapping networks on LAN side interfaces with /80.. That by itself, even with IPv4, would/could be problematic..

                            Now if they routed you a prefix, and you broke it up on your end, not a big issue. But they are not routing this /64 to you.. You are directly attached to it.

                            Have them delegate a prefix to you, a /60 or a /56.. Or actually route a /prefix to you that you can break up.

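The forwarding decision JKnott describes and the "directly attached" versus "routed" distinction johnpoz draws, modelled as an added example that is not part of any post in this thread. All addresses are constructed from the 2001:db8::/32 documentation prefix, and the provider gateway's tables are assumptions, not the poster's real configuration.

```python
import ipaddress as ip

# Constructed addresses from the 2001:db8::/32 documentation prefix.
WAN64 = "2001:db8:0:1::/64"          # the single /64, on-link at the provider
PFSENSE_WAN = "2001:db8:0:1::2"
LAN80 = "2001:db8:0:1:1::/80"        # /80 carved out of that same /64
VM_SPLIT = "2001:db8:0:1:1::10"
ROUTED56 = "2001:db8:100::/56"       # hypothetical prefix routed to pfSense
LAN64 = "2001:db8:100:1::/64"        # one /64 of it, used on LAN
PFSENSE_LAN = "2001:db8:100:1::1"
VM_ROUTED = "2001:db8:100:1::10"

def next_step(dst, connected, routes):
    """Longest-prefix match over on-link prefixes and static routes.

    ("on-link", dst): resolve dst with neighbor solicitation and send direct.
    ("forward", hop): hand the packet to the router at hop.
    """
    dst = ip.ip_address(dst)
    table = [(ip.ip_network(p), ("on-link", str(dst))) for p in connected]
    table += [(ip.ip_network(p), ("forward", hop)) for p, hop in routes.items()]
    hits = [(net.prefixlen, action) for net, action in table if dst in net]
    return max(hits, key=lambda h: h[0])[1] if hits else ("unreachable", None)

def vm_view(dst):
    # A VM on the LAN /64 with pfSense as its default gateway.
    return next_step(dst, [LAN64], {"::/0": PFSENSE_LAN})

def gateway_view_split(dst):
    # Assumed provider gateway: directly attached to the /64, no route to pfSense.
    return next_step(dst, [WAN64], {})

def gateway_view_routed(dst):
    # Assumed provider gateway after it routes a /56 to pfSense's WAN address.
    return next_step(dst, [WAN64], {ROUTED56: PFSENSE_WAN})

def lan_overlaps_wan():
    return ip.ip_network(LAN80).subnet_of(ip.ip_network(WAN64))

if __name__ == "__main__":
    print("VM -> LAN neighbour :", vm_view("2001:db8:100:1::20"))
    print("VM -> elsewhere     :", vm_view("2001:db8:ffff::1"))
    print("/80 inside WAN /64  :", lan_overlaps_wan())
    print("gateway, split /64  :", gateway_view_split(VM_SPLIT))
    print("gateway, routed /56 :", gateway_view_routed(VM_ROUTED))
```

In the split case the gateway treats the VM's address as a neighbor on the WAN segment and solicits for it there, where the VM is not attached. With a routed prefix the same gateway hands the packet to pfSense's WAN address instead.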
                            • J
                              JKnott @voigon
                              last edited by Jan 16, 2024, 7:38 PM

                              @voigon

                              I don't waste my time with that ping "menu". I just use ssh to pfSense and go from the command line. However, when resolving this sort of problem, packet capture is your friend, either the built-in Packet Capture or Wireshark. You can then see if the ping is appearing where it's supposed to and with the correct addresses, etc.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.