LAN devices can ping IPv6 site but pfSense itself cannot

left4apple

Hi everyone. I'm seeing a weird problem. I'm using AT&T Fiber which provides IPv6 service. WAN is set to DHCP6 with the following setting:

LAN is set to track WAN interface with the following setting:

Since AT&T ISP by default hands out a /64 net, an "IP Alias" on "WAN" is created with proper address, e.g., 2600:xxxx:xxxx:e11::48/64 if I get 2600:xxxx:xxxx:e10::48/64 from ISP. (Tips got from a reddit post )

With all of the above setting, the clients in the LAN network can get IPv6 address and can pping6 www.google.com. However, pfSense itself cannot ping such IPs.

Can I get some advice where to start look into? Thanks!
Screenshot 2024-08-20 at 11.15.05.png

Bob.Dig

@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:

Tips got from a [reddit post]

Maybe those tips from reddit which then came from chatgpt aren't working? Maybe don't craft a WAN-address yourself. Just maybe you don't need a IPv6-WAN-address.

stephenw10

Hmm, I wouldn't expect that to work. If you set request only a prefix and it hands you a /64 you can use that on one interface only.
Setting another interface in a different /64 isn't going to do anything. I would think.

left4apple

@stephenw10 It's a little weird how AT&T hands out IPv6 addresses. Their own fiber modem is able to request a /60, but in pass-through mode the router(PFSENSE in my case) can only request a /64. The AT&T technician said that the subsequent IPv6 address can be manually set, aka the IP alias case)

johnpoz

@left4apple well not sure why you would think you would ever get anything other than a /64 when that is what your requesting, and also you have checked for pfsense to not get its own address on the wan.

Why would their modem get a /60, I don't think I have ever seen an ISP device that allows you to setup multiple networks or vlans.. Even when they create a guest network they still use the same network range, and just filter that network from talking to the wired network in the bridge, etc.

stephenw10

Yeah, I'm pretty sure that is true because if you manage to remove the AT&T router entirely you can get a /60:
https://github.com/MonkWho/pfatt?tab=readme-ov-file#ipv6-setup

But if you don't do that you have to somehow know or set a route for other /64s. If might be using that /64 itself. Try a different one and hope!

left4apple

@johnpoz said in LAN devices can ping IPv6 site but pfSense itself cannot:

well not sure why you would think you would ever get anything other than a /64 when that is what your requesting

I requested a /60 before but always get a /64 in the DHCP6 response. And the technician told me that the next available address is reserved for me even if I don't request it. I think that's how the AT&T modem works.

Not an IPv6 expert as most of my network knowledge are still on IPv4 era(I'm too old) so if the question sounds stupid please forgive.

left4apple

@stephenw10 AT&T doesn't allow the customer devices to authenticate for Internet and force us to use their own modem. The pass-through mode is what they provide that is similar to bridge mode but not entirely the same.

I guess they give their own modems some privileges.

Someone managed to crack the modem and get the identification, then camouflage their own router to look like an authentic AT&T modem. Costs is like $120 to buy a modem factory key.

Bob.Dig

@left4apple If your pfSense LAN has IPv6, than pfSense LAN-address has IPv6 too. And it can go out to the ipv6-internet. Maybe it does that automatically, try pinging something and leave source as auto.

JKnott

@left4apple

Why are you requesting only a prefix? You're telling them you don't want a global WAN address. Also, you can't just pick an address and expect it to work.

left4apple

@JKnott said in LAN devices can ping IPv6 site but pfSense itself cannot:

Why are you requesting only a prefix?

Could you please elaborate on that? Does that mean requesting a /64 on WAN? I tried /60 but ISP still gave me /64.

stephenw10

Mmm, pretty sure the AT&T router ill only pass a /64.

Did you try other /64s from the /60?

You can just use the LAN interface IP to connect, as suggested.

left4apple

@stephenw10 Yes I did get a /64 back even if I request a /61.

Aug 20 23:47:44 dhcp6c 39181 <3>[prefix] (6)
Aug 20 23:47:44 dhcp6c 39181 <3>[::] (2)
Aug 20 23:47:44 dhcp6c 39181 <3>[/] (1)
Aug 20 23:47:44 dhcp6c 39181 <3>[61] (2)
Aug 20 23:47:44 dhcp6c 39181 <3>[infinity] (8)

Aug 20 23:47:48 dhcp6c 39399	IA_PD prefix: 2600:xxxx:xxxx:xxx::/64 pltime=3600 vltime=3600

Can I get some suggestion on what's the best way to assign IPv6 addresses to LAN devices while maintaining the IPv6 ability for pfSense router itself? Thanks!

stephenw10

You can use a single /64 on the LAN and have devices within that. pfSense will use the LAN IP address for IPv6 connectivity if that's the only Pv6 address it has.

JKnott

@left4apple

I'm on Rogers and I request an address as well as a prefix. I get a global WAN address and a /56 prefix. I don't know how big of a prefix AT&T provides, but if they only give a /64, then you can have only 1 LAN. With a /56, I can have up to 256, but am currently using only 5 /64s.

Try running without requesting only a prefix and see if you get a global WAN address. Also, you don't really need one, as routing to your router/firewall is generally by link local addresses (fe80:...)

left4apple

@stephenw10 said in LAN devices can ping IPv6 site but pfSense itself cannot:

You can use a single /64 on the LAN and have devices within that

I'm trying to understand how to assign the /64 to LAN, since it's already tracking WAN interface but LAN doesn't have IPv6 address.

@JKnott Sure I'm fine with only one LAN has IPv6 address. Just don't know how to let the LAN use it instead of giving everything to just WAN.

stephenw10

The AT&T may not supply a prefix at all. Check the dhcp logs to see what's happening. You may need to enable DHCP6 Debug in Sys > Adv > Networking.

left4apple

@stephenw10 Yes verbose log for DHCP is enabled, and from the following line I think AT&T does give me a /64 prefix plus a WAN address 2600:xxxx:xxxx:xxx::. But again my understanding could be wrong.

Aug 20 23:47:48 dhcp6c 39399	IA_PD prefix: 2600:xxxx:xxxx:xxx::/64 pltime=3600 vltime=3600

johnpoz

@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:

AT&T does give me a /64 prefix plus a WAN address

did you uncheck that box that says don't give your wan an IP, and select something other than a /64 say a /60

So you tried asking for /61? Never ever heard of any isp giving out that.. would be /60 or /56 are normally what isps hand out

You could also just go get a /64 from hurricane electric for free, which your wan will have its own IPv6 with, or you could even get a /48 as well.

left4apple

@johnpoz Checking Only request an IPv6 prefix, do not request an IPv6 address is what I found to make my current setup work for LAN devices(but not pfSense). Might be a coincidence, or multiple error cancelling each other out.

As to /61, it's just one of my testing from /60 to /64, all of which gets me a /64 from the ISP.

I guess a seemingly possible solution is to assign the only, precious /64 to the LAN interface and find a way to let the WAN interface use it(for whatever purpose). Reading the doc now