Netgate Discussion Forum

    LAN devices can ping IPv6 site but pfSense itself cannot

    • left4apple

      Hi everyone. I'm seeing a weird problem. I'm using AT&T Fiber which provides IPv6 service. WAN is set to DHCP6 with the following setting:
      63a3a3f2-a1fa-4369-ac2a-f60a4bf32b5b-image.png

      LAN is set to track WAN interface with the following setting:
      24ea0525-9725-4bf4-bbec-299d85e1a6ac-image.png

      Since AT&T ISP by default hands out a /64 net, an "IP Alias" on "WAN" is created with proper address, e.g., 2600:xxxx:xxxx:e11::48/64 if I get 2600:xxxx:xxxx:e10::48/64 from ISP. (Tips got from a reddit post)

      With all of the above settings, the clients in the LAN network can get IPv6 addresses and can ping6 www.google.com. However, pfSense itself cannot ping such IPs.

      Can I get some advice on where to start looking? Thanks!
      Screenshot 2024-08-20 at 11.15.05.png

        • Bob.Dig LAYER 8 @left4apple

        @left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:

        Tips got from a [reddit post]

        Maybe those tips from reddit which then came from chatgpt aren't working? Maybe don't craft a WAN-address yourself. Just maybe you don't need an IPv6-WAN-address.

          • stephenw10 Netgate Administrator

          Hmm, I wouldn't expect that to work. If you set request only a prefix and it hands you a /64 you can use that on one interface only.
          Setting another interface in a different /64 isn't going to do anything, I would think.

            • left4apple @stephenw10

            @stephenw10 It's a little weird how AT&T hands out IPv6 addresses. Their own fiber modem is able to request a /60, but in pass-through mode the router (pfSense in my case) can only request a /64. The AT&T technician said that the subsequent IPv6 address can be manually set (aka the IP alias case).

              • johnpoz LAYER 8 Global Moderator @left4apple

              @left4apple well not sure why you would think you would ever get anything other than a /64 when that is what you're requesting, and also you have checked for pfsense to not get its own address on the wan.

              2024-08-20_142511.jpg

              Why would their modem get a /60, I don't think I have ever seen an ISP device that allows you to setup multiple networks or vlans.. Even when they create a guest network they still use the same network range, and just filter that network from talking to the wired network in the bridge, etc.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

                • stephenw10 Netgate Administrator

                Yeah, I'm pretty sure that is true because if you manage to remove the AT&T router entirely you can get a /60:
                https://github.com/MonkWho/pfatt?tab=readme-ov-file#ipv6-setup

                But if you don't do that you have to somehow know or set a route for other /64s. It might be using that /64 itself. Try a different one and hope!

                  • left4apple @johnpoz

                  @johnpoz said in LAN devices can ping IPv6 site but pfSense itself cannot:

                  well not sure why you would think you would ever get anything other than a /64 when that is what you're requesting

                  I requested a /60 before but always get a /64 in the DHCP6 response. And the technician told me that the next available address is reserved for me even if I don't request it. I think that's how the AT&T modem works.

                  Not an IPv6 expert, as most of my network knowledge is still from the IPv4 era (I'm too old), so if the question sounds stupid please forgive me.

                    • left4apple @stephenw10

                    @stephenw10 AT&T doesn't allow the customer devices to authenticate for Internet and forces us to use their own modem. The pass-through mode is what they provide that is similar to bridge mode but not entirely the same.

                    I guess they give their own modems some privileges.

                    Someone managed to crack the modem and get the identification, then camouflaged their own router to look like an authentic AT&T modem. Cost is like $120 to buy a modem factory key.

                      • Bob.Dig LAYER 8 @left4apple

                      @left4apple If your pfSense LAN has IPv6, then the pfSense LAN address has IPv6 too. And it can go out to the IPv6 internet. Maybe it does that automatically, try pinging something and leave source as auto.

                        • JKnott @left4apple

                        @left4apple

                        Why are you requesting only a prefix? You're telling them you don't want a global WAN address. Also, you can't just pick an address and expect it to work.

                        PfSense running on Qotom mini PC
                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                        UniFi AC-Lite access point

                        I haven't lost my mind. It's around here...somewhere...

                          • left4apple @JKnott

                          @JKnott said in LAN devices can ping IPv6 site but pfSense itself cannot:

                          Why are you requesting only a prefix?

                          Could you please elaborate on that? Does that mean requesting a /64 on WAN? I tried /60 but ISP still gave me /64.

                            • stephenw10 Netgate Administrator

                            Mmm, pretty sure the AT&T router will only pass a /64.

                            Did you try other /64s from the /60?

                            You can just use the LAN interface IP to connect, as suggested.

                              • left4apple @stephenw10

                              @stephenw10 Yes I did get a /64 back even if I request a /61.

                              Aug 20 23:47:44 dhcp6c 39181 <3>[prefix] (6)
                              Aug 20 23:47:44 dhcp6c 39181 <3>[::] (2)
                              Aug 20 23:47:44 dhcp6c 39181 <3>[/] (1)
                              Aug 20 23:47:44 dhcp6c 39181 <3>[61] (2)
                              Aug 20 23:47:44 dhcp6c 39181 <3>[infinity] (8)
                              
                              Aug 20 23:47:48 dhcp6c 39399	IA_PD prefix: 2600:xxxx:xxxx:xxx::/64 pltime=3600 vltime=3600
                              

                              Can I get some suggestions on the best way to assign IPv6 addresses to LAN devices while maintaining the IPv6 ability for the pfSense router itself? Thanks!

                              1 Reply Last reply Reply Quote 0
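
An added illustration, not part of any poster's message and not pfSense code: a check that parses `IA_PD prefix` lines in the dhcp6c debug format quoted above and reports whether each configured address lies inside the prefix that was actually delegated. The log line and interface addresses are constructed from the 2001:db8::/32 documentation range, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the dhcp6c debug-log format quoted in the thread,
# using the 2001:db8::/32 documentation range instead of real addresses.
SAMPLE_LOG = (
    "Aug 20 23:47:44 dhcp6c 39181 <3>[61] (2)\n"
    "Aug 20 23:47:48 dhcp6c 39399\tIA_PD prefix: "
    "2001:db8:aaaa:e10::/64 pltime=3600 vltime=3600\n"
)

# Hypothetical addresses: LAN tracks the delegated /64, while the WAN
# "IP Alias" was hand-picked from the neighbouring /64.
CONFIGURED = {
    "lan": "2001:db8:aaaa:e10::1/64",
    "wan_alias": "2001:db8:aaaa:e11::48/64",
    "wan_ll": "fe80::1:1/64",
}

IA_PD_RE = re.compile(r"IA_PD prefix: (\S+/\d+) pltime=(\d+) vltime=(\d+)")


def delegated_prefixes(log_text):
    """Return the IPv6 networks that dhcp6c logged as delegated (IA_PD)."""
    return [ipaddress.IPv6Network(m.group(1), strict=False)
            for m in IA_PD_RE.finditer(log_text)]


def usable_lan_subnets(prefix):
    """Count the /64 subnets a delegation can carry (0 if longer than /64)."""
    return 0 if prefix.prefixlen > 64 else 2 ** (64 - prefix.prefixlen)


def audit_addresses(log_text, configured):
    """Classify each address as link-local, delegated, or outside the PD."""
    prefixes = delegated_prefixes(log_text)
    verdicts = {}
    for name, addr in configured.items():
        ip = ipaddress.IPv6Interface(addr).ip
        if ip.is_link_local:
            verdicts[name] = "link-local"
        elif any(ip in p for p in prefixes):
            verdicts[name] = "delegated"
        else:
            verdicts[name] = "outside"  # upstream has no route back to this
    return verdicts


if __name__ == "__main__":
    for p in delegated_prefixes(SAMPLE_LOG):
        print(p, "carries", usable_lan_subnets(p), "x /64")
    for name, verdict in audit_addresses(SAMPLE_LOG, CONFIGURED).items():
        print(f"{name:10s} {verdict}")
```
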
                                • stephenw10 Netgate Administrator

                                You can use a single /64 on the LAN and have devices within that. pfSense will use the LAN IP address for IPv6 connectivity if that's the only IPv6 address it has.

                                  • JKnott @left4apple

                                  @left4apple

                                  I'm on Rogers and I request an address as well as a prefix. I get a global WAN address and a /56 prefix. I don't know how big of a prefix AT&T provides, but if they only give a /64, then you can have only 1 LAN. With a /56, I can have up to 256, but am currently using only 5 /64s.

                                  Try running without requesting only a prefix and see if you get a global WAN address. Also, you don't really need one, as routing to your router/firewall is generally by link local addresses (fe80:...)

                                    • left4apple @stephenw10

                                    @stephenw10 said in LAN devices can ping IPv6 site but pfSense itself cannot:

                                    You can use a single /64 on the LAN and have devices within that

                                    I'm trying to understand how to assign the /64 to LAN, since it's already tracking WAN interface but LAN doesn't have IPv6 address.

                                    @JKnott Sure, I'm fine with only one LAN having an IPv6 address. Just don't know how to let the LAN use it instead of giving everything to just WAN.

                                      • stephenw10 Netgate Administrator

                                      The AT&T may not supply a prefix at all. Check the dhcp logs to see what's happening. You may need to enable DHCP6 Debug in Sys > Adv > Networking.

                                        • left4apple @stephenw10

                                        @stephenw10 Yes verbose log for DHCP is enabled, and from the following line I think AT&T does give me a /64 prefix plus a WAN address 2600:xxxx:xxxx:xxx::. But again my understanding could be wrong.

                                        Aug 20 23:47:48 dhcp6c 39399	IA_PD prefix: 2600:xxxx:xxxx:xxx::/64 pltime=3600 vltime=3600
                                        
                                          • johnpoz LAYER 8 Global Moderator @left4apple

                                          @left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:

                                          AT&T does give me a /64 prefix plus a WAN address

                                          Did you uncheck that box that says don't give your WAN an IP, and select something other than a /64, say a /60?

                                          So you tried asking for /61? Never ever heard of any isp giving out that.. would be /60 or /56 are normally what isps hand out

                                          You could also just go get a /64 from hurricane electric for free, which your wan will have its own IPv6 with, or you could even get a /48 as well.

                                            • left4apple @johnpoz

                                            @johnpoz Checking "Only request an IPv6 prefix, do not request an IPv6 address" is what I found to make my current setup work for LAN devices (but not pfSense). Might be a coincidence, or multiple errors cancelling each other out.

                                            As to /61, it's just one of my tests from /60 to /64, all of which get me a /64 from the ISP.

                                            I guess a seemingly possible solution is to assign the only, precious /64 to the LAN interface and find a way to let the WAN interface use it (for whatever purpose). Reading the doc now.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.