Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Static IPv6 setup

    Scheduled Pinned Locked Moved IPv6
    14 Posts 4 Posters 2.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      voigon
      last edited by

      Hi,
      I am running a Proxmox server on a DC with a pfSense vm, some other vms and a static IPv6 address. The pfSense vm is connected on the WAN interface and the LAN interface, and the other vms connect to the internet on IPv4 through pfSense.
      I have received an IPv6 subnet and a gateway (on that subnet) from my provider and I want to route IPv6 traffic for my vms through my pfsense router vm into my provider gw.
      I would like to configure each VM with its own static IPv6 manually, so DHCP is not needed.
      I tried to google the problem but had no luck finding the solution.

      Can someone explain how the setup should work / point me in the right direction?

      S JKnottJ 2 Replies Last reply Reply Quote 0
      • S
        SteveITS Galactic Empire @voigon
        last edited by

        @voigon Typically you’d get two, one IPv6 address for WAN and a /64 block to use on LAN.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        V 1 Reply Last reply Reply Quote 0
        • JKnottJ
          JKnott @voigon
          last edited by

          @voigon

          Are you referring to the WAN interface or LAN? If WAN, it's simple, just select static configuration. If the LAN, you can follow my directions for Unique Local Addresses.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          1 Reply Last reply Reply Quote 0
          • V
            voigon @SteveITS
            last edited by

            @SteveITS said in Static IPv6 setup:

            @voigon Typically you’d get two, one IPv6 address for WAN and a /64 block to use on LAN.

            I got just one /64, can i split it into /80 subnets and use one for WAN and another for LAN?
            Can you explain why an additional address is needed?

            @JKnott said in Static IPv6 setup:

            @voigon

            Are you referring to the WAN interface or LAN? If WAN, it's simple, just select static configuration. If the LAN, you can follow my directions for Unique Local Addresses.

            IPv6 is working on the WAN interface on pfSense itself, but I want to connect clients through the LAN interface so they will get their own IPv6 address as well
            If I understand correctly, your guide shows how to use ULA addresses for inside the network, but my end goal is that each device on LAN will have a GUA (I don't mind implementing ULA as well to achieve that goal but its not needed by itself)
            If I follow your guide, should I be able to map the ULA to GUA using NPt?

            JKnottJ johnpozJ 2 Replies Last reply Reply Quote 0
            • JKnottJ
              JKnott @voigon
              last edited by

              @voigon

              It's the same with ULA and GUA addresses. I have never used NPT.

              I have never run pfSense in a VM, just on bare metal. However, splitting a /64 is a bad idea as it will break SLAAC and probably DHCPv6, as both expect the suffix to be 64 bits.

              I get a /56 prefix from my ISP.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              V 1 Reply Last reply Reply Quote 0
              • V
                voigon @JKnott
                last edited by

                What I am not clear on is what makes these addresses publicly reachable, can you explain?

                JKnottJ 1 Reply Last reply Reply Quote 0
                • JKnottJ
                  JKnott @voigon
                  last edited by

                  @voigon

                  The Global Unique Address range is what's allowed to be public. Any other address, such as ULA are not allowed on the Internet. So, routers, such as pfSense, are supposed to allow only GUA addresses on the net. Beyond that, GUA and ULA work the same.

                  In my case, I get a /56 prefix from my ISP, which provides a gazillion public addresses for me to use.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  V 1 Reply Last reply Reply Quote 0
                  • V
                    voigon @JKnott
                    last edited by

                    @JKnott I get that, what I meant is that I don't understand what exactly routes traffic originating from my vm guests through pfsense to the internet?
                    Does pfsense just carry the packets from LAN to WAN since their ip address doesn't need to be rewritten? (seeing as it is a GUA)

                    JKnottJ 1 Reply Last reply Reply Quote 0
                    • JKnottJ
                      JKnott @voigon
                      last edited by

                      @voigon

                      This goes back to basic networking and applies equally to IPv4. A device, such as your VM looks at the address and decides whether the destination is on the local LAN or elsewhere. If on the local LAN, it determines the MAC address of the destination, using ARP on IPv4 or neighbor solicitation on IPv6 and then sends it to the destination directly. For this, pfSense does nothing with the traffic. If elsewhere, the device forwards the packet to pfSense, using the MAC address to do so. PfSense, like any other router, looks at the destination address to determine how to reach the next hop. On small networks, the next hop is usually the default route. However, there may be some other route instead.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      V 1 Reply Last reply Reply Quote 0
                      • V
                        voigon @JKnott
                        last edited by

                        @JKnott As it stands right now, when selecting the LAN ipv6 address on pfsense (which is part of the GUA prefix assigned by my ISP) on the ping menu it does not reach the destination. When selecting the WAN address everything works as expected.
                        I face a similar from my VMs where they can ping pfSense itself but when trying to use it as next hop for internet traffic it just time outs, with no related firewall logs
                        Accessing other vlans through pfSense does work though, which leads me to believe something in the routes inside pfSense are not configured correctly

                        JKnottJ 1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @voigon
                          last edited by

                          @voigon said in Static IPv6 setup:

                          I got just one /64, can i split it into /80 subnets and use one for WAN and another for LAN?

                          that is a horrible plan and rife with problems and configuration..

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          V 1 Reply Last reply Reply Quote 0
                          • V
                            voigon @johnpoz
                            last edited by

                            From what I understood it will break DHCPv6 and SLAAC, which I am not using anyway.
                            I need to explain to my host why I need more, can you specifically outline some of these problems?

                            johnpozJ 1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @voigon
                              last edited by

                              @voigon well for one.. you have a /64 on your wan.. And then your going to have overlapping networks on lan side interfaces with /80.. That by itself if even with IPv4 would/could be problematic..

                              Now if they routed you a prefix, and you broke it up on your end, not a big issue. But they are not routing this /64 to you.. You are directly attached to it.

                              Have them delegate a prefix to you a /60 a /56.. Or actually route a /prefix to you that you can break up.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 0
                              • JKnottJ
                                JKnott @voigon
                                last edited by

                                @voigon

                                I don't waste my time with that ping "menu". I just use ssh to pfSense and go from the command line. However, when resolving this sort of problem, packet capture is your friend, either the built in Packet Capture or Wireshark. You can then see if the ping is appearing where it's supposed to and with the correct addresses, etc..

                                PfSense running on Qotom mini PC
                                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                UniFi AC-Lite access point

                                I haven't lost my mind. It's around here...somewhere...

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.