Setting up IPv6 on my Netgate
-
Re: How to setup IPv6 for Comcast or similar ISP?
I have a Netgate firewall and followed the steps in the above post with a re-annotation below. One of the options is on a different page than the post mentions. I can see that my WAN port now has an IPv6 address. However, my WAN_DHCP6 address that is showing up in my gateway is still my link local address. I reset my router and tried to delete and create a new gateway and it won't let me. How do I clear this error?
Is there any issue with my configuration below?
I checked all the following options…
System → Advanced → Networking
- Allow IPv6
- IPv6 DNS entry
- Do not allow PD/Address (the post mentions this is in WAN.)
- Hardware Large Receive Offloading
Interfaces → WAN
- IPv6 Config Type DHCP6
- DHCPv6 Prefix Delegation size 64
- Do not wait for RA
- Block private networks and loopback addresses
- Block bogon networks
Services → DHCPv6 SERVER
- Enable DHCPv6 server on LAN interface
- Prefix was already set
- Address range ::1000 to ::2000
- Enable DNS Provide DNS servers to DHCPv6 clients
- Cloudflare DNS:
- 2606:4700:4700::64 AND 2606:4700:4700::6400
Services → Router Advertisements
- Router Mode: Managed - RA Flags [Managed, other stateful], prefix flags [online, router]
- priority: normal
- DNS Server 1: 2606:4700:4700::64
Firewall → Rules → Lan
- IPv6 rule automatically created and mirrors the IPv4 rule
System → Routing → Gateways
- WAN_DHCP6 gateway automatically created
Interfaces → Lan
- IPv6 Configuration type = track interface
- Under the Track IPv6 interface section select WAN as the IPv6 Interface
-
What you've shown above looks good.
For myself, I never had to visit "System → Advanced → Networking" and check or uncheck things.
On the Interfaces → WAN interface, I don't have
- Block private networks and loopback addresses
- Block bogon networks
as my ISP does what it should do: it can't and won't route RFC1918, and I never saw 'bogon' IPs either.
Services → DHCPv6 SERVER
Cloudflare DNS: 2606:4700:4700::64 AND 2606:4700:4700::6400
Not needed.
You've invested your time, efforts, blood and tears to put in place a pfSense that can handle just fine.
And then you tell your LAN clients to do their DNS 'elsewhere'.
Why?
Firewall → Rules → Lan
Like this:
You could also group these two rules together.
To do :
Check 'basic' IPv6 of your ISP and ISP router first.
On pfSense, what does Status > Interfaces show? Did the WAN get an 'IPv6 Address'?
Like this:
Access the ISP router GUI.
Is any info about IPv6 shown over there?
-
@CatSpecial202 said in Setting up IPv6 on my Netgate:
Interfaces → WAN
DHCPv6 Prefix Delegation size 64
With Prefix Delegation size 64 you can't get any valid smaller prefix for the LAN or other local networks.
What is the prefix size your ISP offers you? Usually they offer /56 (at least here in Germany), sometimes /48 or /60 and seldom just /64.
If your ISP offers you a /56 you shall also ask for a /56 if you are directly connected to the ISP. If you have a router in between (e.g. ISP -> router -> pfSense) you shall then ask for a /57 prefix, since the router will use the /56 prefix.
Here you will find more helpful information:
https://docs.opnsense.org/manual/how-tos/ipv6_dsl.html
https://docs.opnsense.org/manual/how-tos/ipv6_fb.html
And this seems to be Comcast specific:
https://forum.netgate.com/topic/165929/comcast-residential-64-delegation
-
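Added worked example (not from any poster in this thread, and not pfSense's own code) showing the prefix-delegation arithmetic the posts above are about: how many /64 LAN networks a delegated /56, /60 or /64 can be cut into, which /64 a tracking interface ends up with for a given subnet number (the role pfSense's "IPv6 Prefix ID" field plays on a Track Interface LAN), and the check that a LAN address sits inside the delegated block while the WAN address does not have to. All prefixes and addresses are constructed documentation values (2001:db8::/32), not a real ISP assignment.

```python
import ipaddress

# Constructed sample values (documentation prefixes, not a real ISP assignment):
# the block the ISP delegates via DHCPv6-PD, and a WAN address that sits in a
# separate /64 belonging to the ISP rather than inside the delegated block.
SAMPLE_DELEGATED_PREFIX = "2001:db8:abcd:1200::/56"
SAMPLE_WAN_ADDRESS = "2001:db8:ffff:1::5d33:c499:69b5"


def lan_networks_available(delegated_prefix: str, lan_prefix_len: int = 64) -> int:
    """How many distinct LAN networks (default /64) fit inside a delegated prefix.

    A /56 yields 256 of them, a /60 yields 16, and a /64 yields exactly one,
    which is why requesting only a /64 leaves nothing for a second LAN or VLAN.
    """
    pd = ipaddress.IPv6Network(delegated_prefix, strict=False)
    if lan_prefix_len < pd.prefixlen:
        raise ValueError(f"/{lan_prefix_len} does not fit inside /{pd.prefixlen}")
    return 2 ** (lan_prefix_len - pd.prefixlen)


def nth_lan_network(delegated_prefix: str, index: int, lan_prefix_len: int = 64) -> str:
    """The index-th /64 carved out of the delegated prefix.

    This mirrors what a 'Track Interface' LAN receives: the delegated block with
    a per-interface subnet number filled in (index plays the role of the
    hexadecimal 'IPv6 Prefix ID' on the tracking interface).
    """
    pd = ipaddress.IPv6Network(delegated_prefix, strict=False)
    count = lan_networks_available(delegated_prefix, lan_prefix_len)
    if not 0 <= index < count:
        raise ValueError(f"index {index} out of range, only {count} networks available")
    base = int(pd.network_address) + (index << (128 - lan_prefix_len))
    return str(ipaddress.IPv6Network((base, lan_prefix_len)))


def inside_delegation(address: str, delegated_prefix: str) -> bool:
    """True if an address lies within the delegated prefix.

    LAN addresses of a tracking interface must; the WAN address itself need not,
    because it belongs to the ISP's own link prefix, not the customer's block.
    """
    pd = ipaddress.IPv6Network(delegated_prefix, strict=False)
    return ipaddress.IPv6Address(address) in pd


if __name__ == "__main__":
    for size in (56, 60, 64):
        prefix = f"2001:db8:abcd:1200::/{size}"
        print(f"/{size} delegation -> {lan_networks_available(prefix)} LAN /64 network(s)")
    print("LAN #1 under the /56:", nth_lan_network(SAMPLE_DELEGATED_PREFIX, 1))
    lan_host = "2001:db8:abcd:1201::1"
    print("LAN host inside delegation:", inside_delegation(lan_host, SAMPLE_DELEGATED_PREFIX))
    print("WAN address inside delegation:", inside_delegation(SAMPLE_WAN_ADDRESS, SAMPLE_DELEGATED_PREFIX))
```

Run it with `python3 pd_math.py`; the /64 line prints 1, which is the situation discussed above where a single delegated /64 leaves no room for a second local network, while the /56 and /60 lines print 256 and 16.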
@CatSpecial202 said in Setting up IPv6 on my Netgate:
However, my WAN_DHCP6 address that is showing up in my gateway is still my link local address
Are you sure it's your link local address? Or the gateway? Go to a command prompt and run ifconfig to see what yours is. I suspect that it's different from the gateway address shown in your example. Also, it's entirely normal to have a public IPv6 address on the WAN interface, but use a link local address for the gateway.
-
@JKnott said in Setting up IPv6 on my Netgate:
Are you sure it's your link local address? Or the gateway?
You are right, it's his gateway address, which is usually a link-local address.
The point I think makes his problems is visible in the first screenshot he posted. His WAN address starts with 2001: but his LAN IPv6 address starts with 2601:
That's false. If the LAN tracks the WAN, it shall be the same.
In my case right now
WAN is starting 2a01:c23:
LAN is starting 2a01:c23:
OPT1 is starting 2a01:c23:
OPT2 is starting 2a01:c23:
All track the WAN to create their own prefix and IP addresses.
-
@eagle61 said in Setting up IPv6 on my Netgate:
His WAN Address starts with 2001: but his LAN IPv6 Address starts with 2601:
That's false. If the LAN tracks the WAN, it shall be the same.
One has nothing to do with the other, beyond being within the ISP's overall address block. The WAN is in a /64 prefix used by the ISP. The LAN is in the block belonging to the customer. What "track" means is the LAN prefix follows whatever is assigned with DHCPv6-PD. You can see what's assigned by capturing the full DHCPv6 sequence and examining the capture with Wireshark.
-
Not sure I can explain correctly in English what I see as his problem. But it seems he got just a /64 prefix from his ISP.
Now he wants to create a subnet with his own prefix. This subnet prefix is smaller than the /64 prefix he got or requested on the WAN interface.
So it shall be a /65 prefix. But that is not supported by pfSense because (as far as I know) then there is not enough space anymore for the 48 bits for the site prefix, in addition to the 16 bits for the subnet ID. But correct me if I am wrong.
In my case I don't have this problem, since my ISP provides me a /56 prefix on my WAN interface and so I never ran into this problem.
-
@eagle61 said in Setting up IPv6 on my Netgate:
But it seems he got by his ISP just an /64-Prefix.
Where are you seeing that? If on the WAN status, that's normal, as the link local address is within a /64. What I don't see is what prefix size he's requesting or getting.
The point I think what makes his problems is visible in his first scree shot he posted. His WAN Address starts with 2001: but his LAN IPv6 Address starts with 2601:
That's false. If the LAN tracks the WAN, it shall be the same.
No, that's incorrect. I have the same thing here and it's been working fine for years. As I mentioned, the WAN address is part of the ISP's /64, not his assigned prefix.
My WAN public address starts with 2607:f798:804:90 but my LAN prefix starts with 2607:fea8:4c82:5900.
-
@JKnott said in Setting up IPv6 on my Netgate:
But it seems he got by his ISP just an /64-Prefix.
Where are you seeing that? If on the WAN status
@CatSpecial202 said in Setting up IPv6 on my Netgate:
Interfaces → WAN
IPv6 Config Type DHCP6 **DHCPv6 Prefix Delegation size 64**
In my case, since I know my ISP delivers /56 prefixes, I chose there
- DHCPv6 Prefix Delegation size 56
Second, I read this:
- https://forum.netgate.com/topic/165929/comcast-residential-64-delegation
and it seems from that post Comcast delivers, depending on the type of contract, /60 or /64 prefixes. From the headline "Re: How to setup IPv6 for Comcast or similar ISP?" I suspect Comcast is the ISP of CatSpecial202.
-
@eagle61 said in Setting up IPv6 on my Netgate:
DHCPv6 Prefix Delegation size 64
That's the size he's requesting. Mine's set to 56, as you show in your own example. I don't know what Comcast offers, but /60 sounds right. He should try that. If he requests a /64, then that's all he'll get.
-
@Gertjan I actually plan to do a separate post about my DNS setup. I was working on troubleshooting and testing that a bit before I responded here.
Thank you to everyone for all the responses. Just to be clear I am passing all the tests on https://test-ipv6.com/ with a 10/10. Oh, and my modems only option is bridge mode it's a very basic Netgear CM600.
Maybe I should have initially requested a 60 block? I just attempted to get a new one. I only changed the below options. I then went to my WAN interface and released my wan interface and asked to renew it but it looks like I got a response with the same configuration. I wasn't expecting it to work.
ChatGPT gave me two options for potentially getting a new WAN.
#1: I could turn off my modem and firewall for a few hours and then maybe my existing WAN IP will get reassigned to someone else and when I come back and turn it on I'll get a new assignment.
#2: I could change my MAC address in the spoof MAC address section and my ISP will think I have a new device and assign me a new WAN.
What do you think about these options?
Should I be unselecting this option? What exactly does this do?
Do not allow PD/Address release
dhcp6c will send a release to the ISP on exit, some ISPs then release the allocated address or prefix. This option prevents that signal ever being sent
Here are all the options I have selected. I also removed the blocking portion.
Interfaces -> WAN
- IPv6 Config Type DHCP6
- Use IPv4 connectivity as parent interface
- DHCPv6 Prefix Delegation size 60
- Send IPv6 prefix Hint
- Do not wait for RA
The result of my wan interface being released. I also included the LAN
@eagle61 here is my ifconfig output
Why is my gateway interface that link local address? How can i get that to go away and actually monitor my IPv6 wan?
-
@CatSpecial202 said in Setting up IPv6 on my Netgate:
Why is my gateway interface that link local address? How can i get that to go away and actually monitor my IPv6 wan?
Using the link local address is entirely normal with IPv6. It's the same with mine. You use the global address for stuff like VPNs, etc. The link local address should be the address for your gateway, not your own router.
-
@JKnott Why is it normal to have IPv6 and then link local on the gateway? What exactly is the difference between the gateway and the WAN? Is this just weird looking because of IPv6?
Ohhhh, I think I just realized.
Is this the default gateway for my network? We won't be able to visibly distinguish gateways like we do with IPv4?
With IPv4 if I have the IP address 10.10.10.14. My default gateway is 10.10.10.1?
fe80::21c:73ff:fe00:99%mvneta0 <--- this is the gateway for my IPv6 WAN address?
2001:xxx:xxx:xx:5d33:xxx:c499:69b5 <--- Address on WAN
2601:xx:xxxx:xxxx:92ec:77ff:fe5b:35db <--- this is the address on my LAN
What is the gateway for this LAN address?
I went into my gateway settings and updated it with a different monitoring IP. I forgot I did this with my IPv4 gateway when I set everything up.
and now I have
-
@CatSpecial202 said in Setting up IPv6 on my Netgate:
I went into my gateway settings and updated it with a different monitoring IP. I forgot I did this with my IPv4 gateway when i set everything up.
I don't think that was the reason for the 100% Packetloss of the Gateway "WAN_DHCP6 (default)"
Actually today mine shows also a 100% Packetloss
But at same time all ipv6-connections runs fine
as you can see above
ping6 works as well as traceroute (IPv6), like I would expect.
I am not sure why it is, but I suspect it's related to historical reasons. IPv6 is much younger than IPv4. In your as well as in my configuration that is taken into account here:
We both select Use IPv4 connectivity as parent interface (Request a IPv6 prefix/information through the IPv4 connectivity link)
As far as I understand this, it means the initial setup of IPv6 uses the IPv4 connectivity.
If that is correct, at this time pfSense can't have any IPv6 gateway with a non-link-local address.
And it seems also this link-local gateway address is not used anymore after IPv6 connectivity is fully established. Why else would everything work fine even if the link-local gateway address is not reachable anymore after a while?
Finally I checked this:
It's the log output of a Fritz!Box, which is very popular in Germany. It does not even show the IPv6 gateway, just the IPv4 one, in its log. Since the Fritz!Box is what most ISPs here deliver to their customers if they order the ONT, cable modem or DSL modem in a router device directly from the ISP, I suspect the link-local IPv6 gateway address is of no value after you have running IPv6 connectivity.
Oh, and when I checked my WAN_DHCP6 status last time (two or three days ago) it was online, but now it's offline. No clue why that changed over time.
-
@eagle61 I did a bit of googling and like you stated earlier yes this is the intended configuration.
The below article was helpful in my understanding. The confusion is in the difference between the two protocols, IPv4 and IPv6. There is no equivalent to link-local in IPv4, and in IPv6 the link-local address is used in the Neighbor Discovery Protocol, which is the upgraded implementation meant to replace ARP. So, the gateway should ALWAYS have some fe80::1 address, and this is by design of the IPv6 protocol. The article mentions that it's possible to use something else but it's not recommended.
https://blogs.infoblox.com/ipv6-coe/fe80-1-is-a-perfectly-valid-ipv6-default-gateway-address/
Also, an old post in the forums that discusses a similar topic.
https://forum.netgate.com/topic/131599/how-to-retrieve-my-ipv6-default-gateway/6
-
@CatSpecial202 said in Setting up IPv6 on my Netgate:
Is this the default gateway for my network? We wont be able to visibly distinguish gateways like we do with IPv4?
Link local addresses are normal for IPv6 routing, though in some circumstances a global or unique local address can also be used. Remember, routing is normally to the next hop and a link local address is fine for that. In fact, with point to point links, you only need the interface. Check the router for computers on your LAN and you'll find it's a link local address.
As for gateway or router, the terms are more or less interchangeable, with gateway generally referring to your connection to the rest of the world rather than internal routing.
When you look at what a device says is the route, it will likely be a link local address, with the interface appended.
Here's the route or gateway from the computer I'm using:
fe80::4262:31ff:fe12:b66c dev em1
It lists the link local address of the LAN interface of pfSense and the interface ID on this computer.
And here's the default route or gateway from my pfSense box:
default fe80::217:10ff:fe9 UGS igb0
Again, it lists the gateway link local address and the pfSense interface.
As for the monitor address, it has to be one that responds to pings. On IPv6, I found I had to do a traceroute to Google and picked the 2nd hop address, as the first one, which is my gateway address, didn't respond.
Incidentally, there is a security benefit to using the link local address for routers. It's not reachable from outside.
-
Not important right now, but beware: problems are on the horizon.
The day you install and use pfBlockerng, the pfSense package, you have a LAN problem.
Because :
is also used by pfBlockerng as a virtual IP :
And yes, you can change that 10.10.10.1 in pfBlockerng, but as it conflicts with your LAN, the pfSense GUI probably won't work...
-
Thanks to both of you for the helpful explanations and the additional links.
I have used firewalls for more than 10 years now, but I used IPFire and it does not support IPv6 at all. They have promised to bring a new IPFire 3.0 supporting IPv6 for some years now, but there is still no final release visible on the horizon. So I switched in June from IPFire to pfSense and therefore I still have to learn much about IPv6.
I now understand the only problem if the gateway IPv6 with its fe80:: is shown as Offline, Packetloss: 100% is that it does not respond to a ping6. This can be fixed by using a Monitor IP.
That sounds easy to solve.
But what I still do not understand is why my pfSense fe80:: link-local default gateway sometimes seems to answer pings and sometimes not, and what that depends on.
Some days in the past I checked my Status / Gateways every early morning. The status of the pfSense fe80:: link-local default gateway was shown as online every early morning. But now in the afternoon it is offline. I did not change my pfSense config at all in the meantime. What happens in my case is my ISP forces a reconnect every night. With this reconnect I get a new IPv4 and IPv6 address as well as a new IPv6 prefix every night.
But I would also think a reconnect shall not affect the link-local addresses, and for sure not whether they answer a ping or not.
@JKnott said in Setting up IPv6 on my Netgate:
As for the monitor address, it has to be one that responds to pings. On IPv6, I found I had to do a traceroute to Google and picked the 2nd hop address, as the first one, which is my gateway address, didn't respond.
This is my traceroute to google from pfsense shell:
traceroute6 google.com
traceroute6 to google.com (2a00:1450:4001:812::200e) from 2a02:3100:XXXX:XXXX:XXXX:ff:XXXX:XXXX, 64 hops max, 28 byte packets
1 2a02:3001::208 7.840 ms 7.976 ms 7.793 ms
2 2a02:3001::13c 6.973 ms 7.041 ms 7.519 ms
Both No. 1 and No. 2 answer pings. But those are not link-local and might change after the reconnect every night. So that seems not to be a good solution.
Additionally I also checked Status / Interfaces -> WAN Interface:
What I see there are two IPv6 link-local addresses:
- IPv6 Link Local: fe80::XXXX:ff:XXXX:XXXX%pppoe0
- Gateway IPv6: fe80::ae99:29ff:fe6e:30e2%pppoe0
in my case (since I use PPPoE) with the %pppoe0 at the end.
Also, the IPv6 Link Local does answer a ping6, and it is fixed: since the "Interface-ID" (e.g. ::6743:12::f9aa::44a1) or "EUI-64 MAC" (e.g. 3C:49:37:12:26:B3) is used to create the part after fe80::, it's a fixed IPv6 address that will never change, unless I change the NIC itself.
So I suspect using the IPv6 Link Local address would be best to use as Monitor IP in System / Routing / Gateways for the WAN_DHCP6.
-
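Added example (written for this page, not code from any poster or from pfSense) covering two things discussed above: JKnott's point that a default route normally points at a link-local gateway with the interface appended, and the question in the post above of which addresses from a traceroute6 are link-local versus global candidates for a Monitor IP. It parses both a FreeBSD `netstat -rn` style line and a Linux `ip -6 route` style line, strips the `%zone` suffix, classifies each address by scope, and lists the traceroute6 hops with their scope. The route lines and hop addresses are constructed samples shaped like the output quoted in this thread; the 'from' address in the traceroute header is a documentation placeholder.

```python
import ipaddress
import re

# Constructed sample lines, shaped like the outputs quoted in the thread
# (a Linux 'ip -6 route' line, a FreeBSD 'netstat -rn' line, and traceroute6 hops).
SAMPLE_LINUX_ROUTE = "default via fe80::4262:31ff:fe12:b66c dev em1 proto ra metric 100"
SAMPLE_BSD_ROUTE = "default fe80::217:10ff:fe9 UGS igb0"
SAMPLE_TRACEROUTE6 = """\
traceroute6 to google.com (2a00:1450:4001:812::200e) from 2001:db8::1, 64 hops max, 28 byte packets
 1  2a02:3001::208  7.840 ms  7.976 ms  7.793 ms
 2  2a02:3001::13c  6.973 ms  7.041 ms  7.519 ms
 3  *  *  *
"""

ULA = ipaddress.IPv6Network("fc00::/7")      # unique local (RFC 4193)
GLOBAL = ipaddress.IPv6Network("2000::/3")   # global unicast


def split_zone(text: str):
    """Separate 'fe80::1%igb0' into ('fe80::1', 'igb0'); zone is None when absent."""
    addr, sep, zone = text.partition("%")
    return addr, (zone if sep else None)


def scope(text: str) -> str:
    """Classify an IPv6 address by scope, ignoring any %zone suffix."""
    ip = ipaddress.IPv6Address(split_zone(text)[0])
    if ip.is_link_local:
        return "link-local"
    if ip in ULA:
        return "unique-local"
    if ip in GLOBAL:
        return "global"
    return "other"


def routable_from_internet(text: str) -> bool:
    """Only global-scope addresses can be reached from outside; a link-local
    gateway address is confined to its own link."""
    return scope(text) == "global"


def parse_default_route(line: str):
    """Extract (gateway, interface) from a default-route line.

    Handles the FreeBSD form 'default <gw> UGS <if>' and the Linux form
    'default via <gw> dev <if> ...'. The interface comes from 'dev', from a
    %zone suffix on the gateway, or as the last token of a BSD line.
    """
    tokens = line.split()
    gateway = None
    for tok in tokens:
        try:
            ipaddress.IPv6Address(split_zone(tok)[0])
        except ValueError:
            continue
        gateway = tok
        break
    if gateway is None:
        return None, None
    if "dev" in tokens and tokens.index("dev") + 1 < len(tokens):
        iface = tokens[tokens.index("dev") + 1]
    else:
        iface = split_zone(gateway)[1] or tokens[-1]
    return split_zone(gateway)[0], iface


HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def traceroute6_hops(output: str):
    """Return [(hop_number, address, scope)] for each numbered traceroute6 line;
    hops that did not reply ('*') are reported with address None."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, addr = int(m.group(1)), m.group(2)
        if addr == "*":
            hops.append((hop, None, "no-reply"))
        else:
            hops.append((hop, addr, scope(addr)))
    return hops


if __name__ == "__main__":
    for line in (SAMPLE_BSD_ROUTE, SAMPLE_LINUX_ROUTE):
        gw, iface = parse_default_route(line)
        print(f"gateway {gw} on {iface}: {scope(gw)}, "
              f"reachable from the internet: {routable_from_internet(gw)}")
    for hop, addr, sc in traceroute6_hops(SAMPLE_TRACEROUTE6):
        print(f"hop {hop}: {addr} ({sc})")
```

Both sample default routes come out as link-local gateways, which is the normal picture JKnott describes, and the two replying traceroute hops come out as global; whether any of them is a usable Monitor IP still depends on it actually answering pings, which this offline example does not test.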
@eagle61 said in Setting up IPv6 on my Netgate:
Both the No 1 and No 2 answer pings. But those are not link local and maybe might change after the reconnect every night. So that seems not to be a good solution.
Only the gateway link local address can be used. Any other will be unreachable, as you can't route to them. This means you have to use a routeable public address.
So is suspect using the IPv6 Link Local address would be best to use as Monitor IP in System / Routing / Gateways for the WAN_DHCP6.
The one to use is the one that responds.
-
@JKnott said in Setting up IPv6 on my Netgate:
The one to use is the one that responds.
Yes, as I thought too, and I did it on my pfSense in the meantime and now all looks fine.
The IPv6 address marked with the red dot answers pings; the one with the black dot does not answer pings, but was used by default by pfSense in the default configuration and is still used in the next screenshot as Gateway IP,
but the Monitor IP is now the one with the red dot. Before, both were the same (the one marked with the black dot).