[solved] WAN gets IPv6 but LAN can't
-
@eagle61
Alright. I finally got my IPv6 back.
First I updated it to 2.7.2 from 2.7.0. When I installed pF I thought I installed the version 2.7.2 because even on updates page 2.7.2 was selected. I used the command "certctl rehash" and it finally got fixed, let me update to 2.7.2.
When the update was done, it was all the same. Later I updated it to 2.8.0 from the update page again, which made the link-local IPs disappear from the Interfaces widget after the update.
I went back to WAN interface settings and selected the checkmark to request IPv6 prefix thru IPv4 connectivity. And finally it got the prefix, both LAN and WAN had IPs, and all my devices connected to the internet.
So it was pF itself since the beginning. Thank you everyone!
-
@crazypotato142
May I ask what DHCPv6 Prefix Delegation size you are now requesting? If in any case possible and supported by your ISP it shall not be /64, but /62 /60 or even better /56.
With a DHCPv6 Prefix Delegation size of only /64 your pfSense can't delegate prefixes for LAN and other local networks.
-
@eagle61
My ISP provides only /64. Made sure of it; it doesn't work with other prefixes selected.
-
@crazypotato142
This means that your ISP is unfortunately very stingy.
With a /60 prefix you would be able to provide 16 /64 subnets, my ISP provides a /56 prefix so I am able to create 256 /64 subnets with my pfSense.
-
This means that your ISP is unfortunately very stingy.
I know. Tho my ISP provides symmetric gigabit internet & static IP for only €15 so I'll ignore that. :D Also they are the only ISP that provides IPv6 for home users right now.
With a /60 prefix you would be able to provide 16 /64 subnets, my ISP provides a /56 prefix so I am able to create 256 /64 subnets with my pfSense.
Sounds good. I'm not planning to have any subnets for home yet so it doesn't seem like a problem for now. Thank you anyway.
-
@eagle61 said in WAN gets IPv6 but LAN can't:
No, first step is WAN-Interface needs an IPv6-Address.
Technically it doesn't. There are some ISPs around the globe which will give you only a prefix and not a WAN address. In the other sense, you can configure your WAN to use one /64 of that prefix, don't know how this is done in pfSense.
@crazypotato142 You could use NPt to give many interfaces the capability to have IPv6 outbound. You would use ULAs in your LANs and then NAT everything with that one /64 you got.
-
@Bob-Dig said in WAN gets IPv6 but LAN can't:
You could use NPt to give many interfaces the capability to have IPv6 outbound. You would use ULAs in your LANs and then NAT everything with that one /64 you got.
Useful info. Can I create an OpenVPN tunnel with that? For example, I wanted my phone to work with IPv6 even if the network I'm connected to (mainly my cellular) has no IPv6. Is there a workaround for that? I set my OpenVPN server as IPv4 + IPv6 and my phone seems to have a local IP right now.
-
@crazypotato142 said in [solved] WAN gets IPv6 but LAN can't:
I wanted my phone to work with IPv6 even if the network I'm connected to (mainly my cellular) has no IPv6. Is there a workaround for that? I set my OpenVPN server as IPv4 + IPv6 and my phone seems to have a local IP right now
An OpenVPN server (pfSense side) and the OpenVPN client (the phone side) will be using a tunnel that can only be IPv4. After all, your phone service provider doesn't do IPv6.
So, the tunnel uses an IPv4. You can see this tunnel as a virtual wire. What goes into this tunnel, IPv4 packets or IPv6, that's up to you to decide.
Typically, if your phone supports IPv6 and you have a prefix for your OpenServer, then the OpenVPN server can assign to your phone an IPv4 and an IPv6 out of this prefix.
Normally, you would be using a dedicated prefix for your LAN and another dedicated prefix for your, for example, DMZ, and yet another one for your OpenVPN server.
ISPs most often have available for you a /56 or 256 prefixes. So, in theory, your pfSense could have 256 LANs with a usable IPv6 connectivity ^^
If you have only one prefix, and want to share that over several local pfSense networks ("LANs") like LAN, DMZ, OPT, and OpenVPN then things get a bit ... not sure .... messy.
@crazypotato142 said in [solved] WAN gets IPv6 but LAN can't:
(mainly my cellular) has no IPv6
Then no need to make the OpenVPN answer the line over IPv4 and IPv6. IPv4 will be the only one being used for the tunnel.
That's a bit strange, more and more phone carriers are created, and the recent ones don't have any IPv4 for their clients. Only IPv6 - as there are no more IPv4 left. If they offer your phone an IPv4, then that will be a CGNAT or DS-Lite type of IPv4. This would work just fine for OpenVPN, though.
-
@crazypotato142 said in [solved] WAN gets IPv6 but LAN can't:
Tho my ISP provides symmetric gigabit internet & static IP for only €15 so I'll ignore that
This is really very affordable. Here we have to pay at least three times as much for a fiber and not less than € 30 for a simple old DSL copper cable.
-
@Gertjan
But the device gets IPv6 over OpenVPN tunnel. Wouldn't that mean it has the connectivity and with a prefix translation I could use IPv6? Like Teredo or HE.
This is really very affordable. Here we have to pay at least three times as much for a fiber and not less than € 30 for a simple old DSL copper cable.
That's unfortunate. I'm just lucky because they offer that only over their own infrastructure and it's not very wide. The carrier and the other 2 popular ISPs have way more expensive prices but still not as much as yours.
-
@crazypotato142 said in [solved] WAN gets IPv6 but LAN can't:
Wouldn't that mean it has the connectivity and with a prefix translation I could use IPv6? Like Teredo or HE.
Imho: don't invest any time in using Teredo. That's a dying concept.
HE (tunnel broker) is something else. I've been using it for years, as they implement a clean and close to perfect, one of the best IPv6 implementations. Their services are not free! That is, it won't cost you any money, and they even send you a free (yes) T-Shirt when you finish their IPv6 certification process. It's back to school-time-again, and do their multiple choice exam.
They offer a /64 to start with, but don't bother, go for the whopping /48 right away: 65535 prefixes.
Your WAN will have an IPv6 GUA.
Downsides:
The POP needs to be close to you.
The connection can be interpreted by the site you visit as some sort of VPN connection (there is a workaround available if you use pfBlockerNG).
The POPs can be crowded, so the speed won't be stellar.
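
Added example, not part of any post in this thread and not pfSense code: a Python sketch of the two ideas discussed above, carving one /64 per local network (LAN, DMZ, OpenVPN) out of a delegated prefix, and the ULA-to-GUA prefix swap that NPt performs when only a single /64 is delegated. The addresses are constructed from the 2001:db8::/32 documentation range and a made-up ULA prefix, the function names are hypothetical, and `swap_prefix` is a plain prefix substitution that omits the checksum-neutral adjustment of RFC 6296.

```python
import ipaddress


def plan_subnets(delegated, names):
    """Give each local network its own /64 out of the delegated prefix."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is longer than /64")
    capacity = 2 ** (64 - pd.prefixlen)  # number of /64s inside the delegation
    if len(names) > capacity:
        raise ValueError(f"{pd} holds {capacity} /64(s), {len(names)} requested")
    # subnets() is lazy, so this stays cheap even for a /48
    return dict(zip(names, pd.subnets(new_prefix=64)))


def swap_prefix(address, internal, external):
    """Replace the internal prefix with the external one, keeping the host bits."""
    addr = ipaddress.IPv6Address(address)
    inside = ipaddress.IPv6Network(internal)
    outside = ipaddress.IPv6Network(external)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("prefixes must have the same length")
    if addr not in inside:
        raise ValueError(f"{addr} is not inside {inside}")
    host_bits = int(addr) & int(inside.hostmask)
    return ipaddress.IPv6Address(int(outside.network_address) | host_bits)


if __name__ == "__main__":
    networks = ["LAN", "DMZ", "OPENVPN"]

    # Constructed /56 delegation: every network gets a dedicated /64.
    for name, net in plan_subnets("2001:db8:0:ab00::/56", networks).items():
        print(f"{name:8} {net}")

    # Constructed /64 delegation: only one network fits.
    try:
        plan_subnets("2001:db8:0:ab00::/64", networks)
    except ValueError as err:
        print("cannot plan:", err)

    # Fallback from the thread: number the LAN from a ULA /64 and translate
    # its prefix to the single delegated /64 on the way out.
    print(swap_prefix("fd12:3456:789a:1::25",
                      "fd12:3456:789a:1::/64",
                      "2001:db8:0:ab00::/64"))
```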