Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    WAN with /64 Delegation

    Scheduled Pinned Locked Moved IPv6
    33 Posts 4 Posters 1.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      meluvalli
      last edited by

      Hello. My ISP only offers /64 delegation on WAN side.

      From pfSense, I can ping out the WAN side IPv6 addresses because it has an IPv6 address from the ISP.

      But I cannot get LAN IPv6 working, I tried assigning my local LAN side fc00::/7 addresses. All my clients now have an IPv6 address within this subnet and can ping pfSense via IPv6 however, I don't know how to get them to get out on the WAN side.

      I assumed I needed to setup NPt. So, I created an NPt rule as follows:
      Interface: WAN
      Source IPv6 Prefix: fc00:: / 7
      Destination IPv6: NOT Prefix fc00:: / 7

      However this didn't get my clients online. Any thoughts on how I would go about doing this?

      Bob.DigB 1 Reply Last reply Reply Quote 0
      • Bob.DigB
        Bob.Dig LAYER 8 @meluvalli
        last edited by Bob.Dig

        @meluvalli For a start, set your WAN IPv6 to DHCP, set one LAN IPv6 to Track Interface WAN and 0. See if this works.

        M 1 Reply Last reply Reply Quote 0
        • M
          meluvalli @Bob.Dig
          last edited by

          @Bob-Dig It doesn't. The ISP is only providing /64. LAN side never gets IP with that setup because of this.

          That's why I was trying to set fc00 internal IP addresses and having it NPt out.

          Bob.DigB 1 Reply Last reply Reply Quote 0
          • Bob.DigB
            Bob.Dig LAYER 8 @meluvalli
            last edited by Bob.Dig

            @meluvalli said in WAN with /64 Delegation:

            It doesn't.

            Have you rebooted pfSense with this settings?
            If it doesn't work, there is nothing you can do about it.

            M 1 Reply Last reply Reply Quote 0
            • M
              meluvalli @Bob.Dig
              last edited by

              @Bob-Dig
              Yes. And it still didn't. The WAN get's an IPv6 address, but it's a /64 Delegation. So with providers that only supply a /64 delegation, you just can't use IPv6 with pfSense?

              Bob.DigB 1 Reply Last reply Reply Quote 0
              • Bob.DigB
                Bob.Dig LAYER 8 @meluvalli
                last edited by

                @meluvalli What ISP, what country?
                Usually you get one IPv6-Address for your WAN via DHCP and a Prefix for your LAN. If your Prefix is only /64, it is only enough for one LAN. But if even this isn't working, then there is nothing pfSense can do for you.

                M 1 Reply Last reply Reply Quote 0
                • M
                  meluvalli @Bob.Dig
                  last edited by

                  @Bob-Dig
                  But the WAN and LAN can't both use the same Prefix can they? They would have to be different. So how would one ever get a /64 prefix to work if that's all that's provided by the provider?
                  The prefix range is big enough for sextillion IP addresses and I can't get it to work? That seems strange!

                  Bob.DigB GertjanG 2 Replies Last reply Reply Quote 0
                  • Bob.DigB
                    Bob.Dig LAYER 8 @meluvalli
                    last edited by

                    @meluvalli said in WAN with /64 Delegation:

                    That seems strange

                    Strange to me is that you don't provide meaningful information about your setup, ISP, country etc. So we will never find what is wrong with your IPv6.

                    M 1 Reply Last reply Reply Quote 0
                    • M
                      meluvalli @Bob.Dig
                      last edited by

                      @Bob-Dig
                      Sorry, I can give more details...

                      I am using Verizon 5G Home Internet here in the United States. I have a XCI55AX modem/gateway that is setup in Bridge mode. IPv4 works fine and obtains and outside IP address.

                      Unfortunately, IPv6 has very limited configuration in the gateway itself. It can only hand out Stateless and Stateful IP addresses with a LAN Prefix already defined in the gateway. It doesn't appear to "bridge".

                      Bob.DigB JKnottJ 2 Replies Last reply Reply Quote 0
                      • Bob.DigB
                        Bob.Dig LAYER 8 @meluvalli
                        last edited by Bob.Dig

                        @meluvalli said in WAN with /64 Delegation:

                        It can only hand out Stateless and Stateful IP addresses with a LAN Prefix already defined in the gateway. It doesn't appear to "bridge".

                        My guess is, that thing isn't in bridge-mode, maybe doesn't have it at all.

                        Anyways, if it uses the /64 for its LAN, then you can not use that /64 a second time. You only have IPv6 on your pfSense WAN-Address.

                        So the only thing you could do is to NAT that one IPv6-Address on your WAN the same way you already do with the IPv4-Address on WAN.
                        With that you will not gain any benefits you usually get with using IPv6. But if you really really want to use IPv6, you can do it like that. ๐Ÿ˜‰
                        For this to work, go to FirewallNATOutbound (not NPt), select Hybrid Outbound NAT and then mimic all the Automatic Rules for IPv4 with IPv6 yourself. You have to use ULAs on all your LANs.

                        M 1 Reply Last reply Reply Quote 1
                        • M
                          meluvalli @Bob.Dig
                          last edited by

                          @Bob-Dig
                          Ok. That's what I was thinking. And I also attempted that once and couldn't get it to work. But, I will try that route again. I understand I wouldn't get all the benefits of IPv6, but at least my clients would be able to access a website that is strictly only IPv6 this way...

                          So, to NAT it, I would just assign a static IP address then on the LAN side just as I would with IPv4 correct?

                          So for example, If I chose a prefix of fd00:0000:0000:0001, I would use Static IP of fd00:0000:0000:0001::1/64 with no gateway in pfSense on the LAN side and then all clients would have to have an IP of fd00:0000:0000:00001::/64 subnet with the gateway set as fd00:0000:0000:0001::1.

                          Then, as you stated, in Outbound Nat, I would create a rule on WAN interface with Source: fd00:0000:0000:0001::/64 NAT Wan Address.

                          Does this sound correct to you?

                          Bob.DigB 1 Reply Last reply Reply Quote 0
                          • GertjanG
                            Gertjan @meluvalli
                            last edited by

                            @meluvalli said in WAN with /64 Delegation:

                            But the WAN and LAN can't both use the same Prefix can they?

                            See it like this, using some twisted IPv4 analogy :
                            No, you can't have a LAN using 192.168.1.1 and a WAN using 192.1568.1.2 - that will break routing entirely.

                            @meluvalli said in WAN with /64 Delegation:

                            So how would one ever get a /64 prefix to work if that's all that's provided by the provider?

                            That's the good question.
                            If an ISP providing just one /64 then that is actually completely wrong.

                            @meluvalli said in WAN with /64 Delegation:

                            That seems strange!

                            Not really, its more like the same story all over again.
                            Like the early IPv4 days, when it became clear that "there might be not enough IPv4 for everybody".
                            NAT didn't existed yet. It was patched together later on by a simple guy who didn't realize that he just saved the Internet so it could serve the planet for a couple of decades more.
                            IPv6 was build from the ground up with a lot of knowledge already known. It's somewhat a written rule that every ISP end user should have a /56 or even a /48 (he.net does so).
                            Just offering a /64 is lie,; saying : just one 'LAN' network for you. This LAN network is the LAN of your ISP device, so, as usual, a user @home can now add 18446744073709551616 devices to its LAN.
                            If one of these devices is a router, it will need a IPv6 from this LAN and another block (prefix) of /64 of each LAN network (there can be more the one).
                            The thing is : this isn't implement well (understatement) by many ISP/their equipment.
                            Dono why ...
                            Maybe a simple /64 is for "home user", and if you want more, you have to sign up for a pro (?) subscription ? Something like that.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                            Bob.DigB 1 Reply Last reply Reply Quote 0
                            • Bob.DigB
                              Bob.Dig LAYER 8 @meluvalli
                              last edited by Bob.Dig

                              @meluvalli They are called ULA for a reason. But technically you are not wrong.

                              Do it something like this:
                              LAN1= fd42:1966:a4fc:5941 : f866:8ab8:5f3b:1a61 /64
                              LAN2= fd42:1966:a4fc:5942 : f866:8ab8:5f3b:1a62 /64
                              LAN3= fd42:1966:a4fc:5943 : f866:8ab8:5f3b:1a63 /64
                              LAN4= fd42:1966:a4fc:5944 : f866:8ab8:5f3b:1a64 /64

                              M 1 Reply Last reply Reply Quote 0
                              • M
                                meluvalli @Bob.Dig
                                last edited by

                                @Bob-Dig
                                Perfect. I was able to get it up and running using NAT! All my clients can get out on the one single IPv6 address my pfSense has on the WAN side.

                                Now for my next project... Incoming port forwarding.... I expected it to work the exact same way as IPv4 does using Firewall/NAT/Port Forwarding, but for some reason, it isn't that simple.... I guess back to the drawing board for that part :)

                                Either way, thank you so much @Bob-Dig for your help! I at least got my outbound IPv6 up and running!

                                Bob.DigB GertjanG 2 Replies Last reply Reply Quote 0
                                • Bob.DigB
                                  Bob.Dig LAYER 8 @meluvalli
                                  last edited by Bob.Dig

                                  @meluvalli said in WAN with /64 Delegation:

                                  Now for my next project... Incoming port forwarding.... I expected it to work the exact same way as IPv4 does using Firewall/NAT/Port Forwarding

                                  Actually it is. If it is not working it may be a problem with your ISP? It has been some days (years) when I ran pfSense like this though. ๐Ÿ˜‰

                                  M 1 Reply Last reply Reply Quote 0
                                  • M
                                    meluvalli @Bob.Dig
                                    last edited by

                                    @Bob-Dig
                                    I did a packet capture in pfSense for port 443 (It's a website) and it sees it coming in, but never gets to my server... So I know the ISP isn't blocking it... It's got to be something I have screwed up :(. I'll keep looking into it! Again, I really appreciate your help! Thanks again!

                                    Bob.DigB 1 Reply Last reply Reply Quote 0
                                    • GertjanG
                                      Gertjan @meluvalli
                                      last edited by

                                      @meluvalli said in WAN with /64 Delegation:

                                      I expected it to work the exact same way as IPv4 does using Firewall/NAT/Port Forwarding, but for some reason

                                      IPv6 - if implemented correctly, doesn't need NAT anymore.

                                      Just a firewall rule on the WAN that says :

                                      abb0633e-57b6-45ad-8167-97e672d405c0-image.png

                                      As the WAN interface will be "all the prefixes" so, a /56 or whatever
                                      and

                                      • example here -the alias DiskSaton2IPv6 is the GUA IPv6 (an IPv6 in one of my prefixes used on one of my LANs)

                                      this is all it needs to make it accessible.

                                      There is no more Network Address Translation. You can of course still use Port Address Translation, like port "443" to "8443"
                                      After all, the IPv6 my Diskstation2 is using is an IP address that is usable (addressable) world wide.

                                      No "help me" PM's please. Use the forum, the community will thank you.
                                      Edit : and where are the logs ??

                                      1 Reply Last reply Reply Quote 0
                                      • Bob.DigB
                                        Bob.Dig LAYER 8 @meluvalli
                                        last edited by

                                        @meluvalli said in WAN with /64 Delegation:

                                        I did a packet capture in pfSense

                                        I did too and it is working. Now I don't run anything on that IP, will have to look if I find something to test easily.
                                        Screenshot 2024-08-15 112048.png

                                        M 1 Reply Last reply Reply Quote 0
                                        • M
                                          meluvalli @Bob.Dig
                                          last edited by

                                          @Bob-Dig
                                          I got it working! It was my Linux server didn't have the gateway set :) Once I inputted the gateway for IPv6 all is well!

                                          Thanks again!!!!

                                          JKnottJ 1 Reply Last reply Reply Quote 1
                                          • Bob.DigB
                                            Bob.Dig LAYER 8 @Gertjan
                                            last edited by Bob.Dig

                                            @Gertjan said in WAN with /64 Delegation:

                                            If an ISP providing just one /64 then that is actually completely wrong.

                                            Not completely. ๐Ÿ˜‰

                                            If you have only one /64, it is still good for some NPtv6. Because with that there is some end-to-end reachability for outgoing.
                                            The firewall has not to "change ports" for outbound traffic, as long as real ULAs are used.

                                            Example: Lets say we have 3 interfaces with ULAs:
                                            fd1::123
                                            fd2::456
                                            fd3::789

                                            fd2::456 gets translated to 2001::456 and goes out to google.
                                            Now the firewall has a firewall state for google and fd2::456.
                                            When traffic comes back in from google to 2001::456 it will be translated to all three ULAs. Two will be dropped but one will pass because there is a state.

                                            At least that is how I think this works. ๐Ÿ˜‰

                                            For unsolicited incoming traffic this is not done, maybe it is to dangerous? It will be translated only to the first ULA-Prefix in the list.

                                            Maybe I made this up and there is a NAT-Table for NPT, although it is said that NPT is stateless.

                                            @stephenw10 can slap me if I am wrong. But I do think that you can use one GUA-/64 and use it with several ULA-/64 in pfSense for outgoing. Would be interesting to know how that is actually working.

                                            1 Reply Last reply Reply Quote 1
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.