    IPv6 Multi-LAN Problem

    7 Posts 4 Posters 853 Views 4 Watching
    pwmaloney:

      I am having trouble getting IPv6 working with multiple LANs.

      • The WAN is set to DHCP6 with a prefix delegation size of 59.
      • There are 4 LAN interfaces (LAN, Guest, TestLAN, and TestWAN) set to track the WAN interface with prefix IDs set to 0, 1, 2, and 3, respectively.
      • Devices connected to each of the LAN interfaces are getting global and link-local IPv6 addresses.
      • From the GUI, Diagnostics / Ping, I can IPv6 ping hosts on the Internet from any of the 4 LAN interfaces.
      • I can IPv6 ping the corresponding pfSense interface from devices connected to any of the 4 LAN interfaces.
      • The pfSense version is 2.7.2 (amd64)

      The problem is that I can only access hosts on the Internet from devices connected to the "LAN" interface, not from the other three. Hosts connected to the "LAN" interface can IPv6 ping the WAN interface, but hosts connected to the other 3 interfaces cannot. There are no rules blocking IPv6 WAN access from the Guest, TestLAN, or TestWAN interfaces.

      Screenshot from 2024-09-23 12-55-55.png

      The routing table appears correct.

      Screenshot from 2024-09-23 15-27-31.png

      Any suggestions as to what I have misconfigured or how to troubleshoot this would be much appreciated.

    JKnott (replying to pwmaloney):

        @pwmaloney said in IPv6 Multi-LAN Problem:

        The WAN is set to DHCP6 with a prefix delegation size of 59

        Is that the largest prefix your ISP provides?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

    pwmaloney (replying to JKnott):

          @JKnott - Well, I didn't know, so I called them (Comcast) just now. The max is 56. So I set that in pfSense, and the problem is resolved. Thank you!

    bmeeks (replying to pwmaloney):

            @pwmaloney said in IPv6 Multi-LAN Problem:

            Well, I didn't know, so I called them (Comcast) just now. The max is 56.

            Most ISPs handing out IPv6 prefix delegations are going to issue one of three prefix sizes:

            1. if they are generous, you get a /56;
            2. if they are thrifty, you get a /60;
            3. if they are a total Scrooge, you get a single /64;

            An IPv6 prefix smaller than /64 is both atypical and non-standard. Also, an odd-numbered prefix would be atypical.

    Gertjan (replying to bmeeks):
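The original post describes four LANs set to track the WAN delegation with prefix IDs 0 to 3, and the reply above lists the delegation sizes ISPs typically hand out. The following is an added example, not code from the thread or from pfSense: it derives the /64 each tracking LAN would get from a delegation (the prefix ID is written into the bits between the delegation length and bit 64, which is how pfSense's Track Interface numbers a LAN), counts how many /64s a /56, /60 or /64 yields, and flags any LAN whose prefix ID no longer fits the delegation actually received. The delegation prefix is a constructed documentation-range value; `tracked_subnet`, `check_plan` and the other helper names are this example's own.

```python
import ipaddress

# Constructed delegation in the documentation range, standing in for the ISP's real one.
EXAMPLE_PD_56 = "2001:db8:abcd:ff00::/56"

# The four tracked interfaces and prefix IDs from the original post.
LAN_PLAN = {"LAN": 0x0, "Guest": 0x1, "TestLAN": 0x2, "TestWAN": 0x3}


def lan_count(delegated: str) -> int:
    """Number of /64 LAN subnets a delegation can be split into (/56 -> 256, /60 -> 16, /64 -> 1)."""
    pd = ipaddress.IPv6Network(delegated, strict=False)
    if pd.prefixlen > 64:
        return 0
    return 1 << (64 - pd.prefixlen)


def tracked_subnet(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 a tracking LAN receives: the delegated prefix with prefix_id written into the
    bits between the delegation length and bit 64. Hypothetical helper mirroring pfSense's
    Track Interface behaviour; it is not pfSense's own code."""
    pd = ipaddress.IPv6Network(delegated, strict=False)
    id_bits = 64 - pd.prefixlen
    if id_bits < 0:
        raise ValueError(f"/{pd.prefixlen} is longer than /64 and cannot be split into LAN subnets")
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(
            f"prefix ID {prefix_id:#x} needs more than the {id_bits} bits a /{pd.prefixlen} leaves"
        )
    network = int(pd.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((network, 64))


def plan_subnets(delegated: str, plan: dict[str, int]) -> dict[str, str]:
    """Map every LAN in the plan to the /64 it would track from the given delegation."""
    return {name: str(tracked_subnet(delegated, pid)) for name, pid in plan.items()}


def check_plan(actual_delegated: str, plan: dict[str, int]) -> dict[str, str]:
    """Return {LAN: problem} for each LAN whose prefix ID does not fit the delegation that
    was actually received. Such a LAN would number itself from space the ISP never routed
    to you, so its outbound packets carry a source address that replies cannot return to."""
    problems = {}
    for name, pid in plan.items():
        try:
            tracked_subnet(actual_delegated, pid)
        except ValueError as err:
            problems[name] = str(err)
    return problems


def address_in_delegation(addr: str, delegated: str) -> bool:
    """Sanity check for a host's global address: does it fall inside the delegated prefix?"""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(delegated, strict=False)


if __name__ == "__main__":
    for size in (56, 60, 64):
        print(f"/{size}: {lan_count(f'2001:db8::/{size}')} x /64")
    print(plan_subnets(EXAMPLE_PD_56, LAN_PLAN))
    # Same plan against a single /64: only prefix ID 0 fits.
    print(check_plan("2001:db8:abcd:ff00::/64", LAN_PLAN))
```

Run it against the delegation shown in the WAN interface status (or the DHCP6 client log) rather than the size you requested; if `check_plan` flags a LAN, the requested size and the delivered size disagree, which is the first thing to confirm before looking at rules or routes.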

              @bmeeks said in IPv6 Multi-LAN Problem:

              if they are generous, you get a /56;

              And then there is Hurricane Electric Free IPv6 Tunnel Broker


              that gives you a /64 to warm up with, and a /48 to create your own "Fortune 500".
              /48 means 65536 prefixes of /64 each, so 65536 LANs ..... or 65536 x 2^64 = 65536 x 18 446 744 073 709 551 616 = 1 208 925 819 614 629 174 706 176 (static !) IPv6 addresses.

              I'm not sure about the bandwidth, and as it is a free service, and sometimes their PoPs are treated as VPN endpoints, it's not perfect, but a good plan B and perfect for learning about IPv6.
              Pass the certification test and get a free T-shirt.
              I used it for years, had IPv6 everywhere using the set-it-and-forget-it-mode.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

                bmeeks (replying to Gertjan):

                @Gertjan said in IPv6 Multi-LAN Problem:

                And then there is Hurricane Electric Free IPv6 Tunnel Broker

                Yep, HE is a good thing. I still have an account and an assigned /48 delegation, but two things made me give up using that for now:

                1. My ISP moved me behind CGNAT. Currently both providers in my small town do CGNAT with their IPv4 space and offer no IPv6. Can't do the HE tunnel with CGNAT. My current provider promises IPv6 soon, but "soon" is now more than one year late 😞.
                2. The major streaming providers started automatically blocking Hurricane Electric IPv6 space. That's a major pain. I know there are tricks to be done to get around that with unbound and blocking IPv6 returns for certain domain DNS lookups, but that's a hassle to maintain.

                So, I've decided for now to just exist in IPv4 space only and keep hoping that the "soon" promise of IPv6 from my ISP eventually materializes.

                  Gertjan (replying to bmeeks):

                  @bmeeks said in IPv6 Multi-LAN Problem:

                  My ISP moved me behind CGNAT

                  That, NAT, shouldn't break the tunnel to the HE PoP, but he.net has a condition: your 'WAN IPv4' as seen by them must answer to ICMP (ping). And yours doesn't .... so it's game over for you.
                  For me, he.net isn't possible anymore for another reason: my new "state of the art newest ISP router", which has an ONT integrated for the fiber access, can't handle the '6in4' protocol (41), so pfSense can't connect to the he.net PoP server 😰

                  6in4 isn't ICMP (1), isn't TCP (6), isn't UDP (17), nor GRE (4), but something else.
                  So, I contacted them. It took me weeks to get in contact with someone who could actually understand my question.
                  They: We've dropped protocol 41 support on our newest models because ... here it comes .... we, Orange, in France (10+ million subscribers), are now offering IPv4 and IPv6.
                  Me: Yeah, right, but your IPv6 is broken for my usage!?
                  They: You have a static IPv4 and your IPv6 works, I can see that from here.
                  Me: Yeah, sure, but as my subscription implies (I'm on the Pro subscription, as I'm a company), I would like to actually use the /56 as advertised. Your router, needed to connect to the Orange fiber, only has one (1) LAN, and I have a company with several LANs, not just one.
                  They: Wow, what? Multiple LANs? But that's not supported.
                  Me: I have that covered: I chained on a pfSense router, and it wants prefixes, your (my) prefixes.
                  They [10+ minutes on hold, listening to Cherry FM]: Right, there is an issue where only one prefix gets announced by our router.
                  Me: Then why advertise a /56 when only one /64 works?

                  Then they told me to do what others already do: "ditch our ISP router, use an FTP RJ45 to Fiber plug", as my 4100 supports such a connection, set up some serious DHCP 4 and 6 options, and behold, now I can tap into the full IPv6 /56 advertised. Champagne!

                  Of course, I'll lose all the ISP "TV" facilities and/or phone support (one phone line, but who cares, we have 6 lines on a PABX); I don't need these.

                  So, I, and many, many others, are waiting for the router update that delivers us the needed IPv6 support.

                  edit: let it be known: in France, at ISP Orange, fewer people than you have fingers on your hand know that there is more than "UDP" and "TCP" ....

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

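The point in the post above is that a 6in4 tunnel is its own IP protocol, number 41, rather than TCP or UDP traffic, so a CPE router or firewall that only forwards TCP/UDP, or that matches on ports, cannot carry it. The following is an added example and not code from the post, from pfSense, or from Hurricane Electric: it builds a constructed 6in4 packet (an IPv4 header with protocol 41 wrapping a bare IPv6 header, addresses from the documentation ranges) and classifies packets by the outer IP protocol number, decoding the inner IPv6 header only when the protocol is 41. The protocol-number table uses the IANA assignments (1 ICMP, 4 IP-in-IP, 6 TCP, 17 UDP, 41 6in4, 47 GRE, 58 ICMPv6); the helper names are this example's own.

```python
import ipaddress
import struct

# IANA IP protocol numbers that matter for this discussion.
IP_PROTO_NAMES = {
    1: "ICMP", 4: "IP-in-IP", 6: "TCP", 17: "UDP",
    41: "6in4 (IPv6 in IPv4)", 47: "GRE", 58: "ICMPv6",
}
PROTO_6IN4 = 41
NO_NEXT_HEADER = 59  # IPv6 'No Next Header': the inner packet is complete with no payload


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum over an IPv4 header (even length assumed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src4: str, dst4: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet with a minimal 20-byte header, DF set, TTL 64, valid checksum."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
        ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed,
    )
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def build_6in4(src4: str, dst4: str, src6: str, dst6: str,
               payload: bytes = b"", next_header: int = NO_NEXT_HEADER) -> bytes:
    """Constructed 6in4 packet: outer IPv4 with protocol 41 carrying an IPv6 header."""
    inner = (
        struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)  # version 6, no class/flow
        + ipaddress.IPv6Address(src6).packed
        + ipaddress.IPv6Address(dst6).packed
        + payload
    )
    return build_ipv4(src4, dst4, PROTO_6IN4, inner)


def classify(packet: bytes) -> dict:
    """Decode the outer IPv4 header and name its protocol; for protocol 41 also decode the
    inner IPv6 header. Returns a dict so the result can be checked rather than printed."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20]
    )
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "outer_src": str(ipaddress.IPv4Address(src)),
        "outer_dst": str(ipaddress.IPv4Address(dst)),
        "protocol": proto,
        "protocol_name": IP_PROTO_NAMES.get(proto, "other"),
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,  # a valid header sums to zero
        "is_6in4": proto == PROTO_6IN4,
    }
    if proto == PROTO_6IN4:
        inner = packet[ihl:total_len]
        if len(inner) < 40:
            raise ValueError("truncated inner IPv6 header")
        vtf, _plen, next_header, _hlim = struct.unpack("!IHBB", inner[:8])
        info["inner_version"] = vtf >> 28
        info["inner_src"] = str(ipaddress.IPv6Address(inner[8:24]))
        info["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
        info["inner_next_header"] = next_header
    return info


if __name__ == "__main__":
    tunnel = build_6in4("192.0.2.10", "198.51.100.1", "2001:db8:1::1", "2001:db8:2::1")
    print(classify(tunnel))
    print(classify(build_ipv4("192.0.2.10", "198.51.100.1", 17, b"\x00" * 8)))
```

A firewall rule that passes the tunnel must therefore match on the IP protocol (pfSense's "IPv6" protocol choice in an IPv4 rule, or `proto ipv6` in pf terms) and not on a port; a device that silently drops anything other than protocols 1, 6 and 17 will break the tunnel while every ordinary IPv4 service keeps working, which is exactly the symptom described above.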
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.