Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Switched to AT&T fiber, IPv6 tunnel broken

    Scheduled Pinned Locked Moved General pfSense Questions
    44 Posts 6 Posters 2.9k Views 5 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M Offline
      marcg @JKnott
      last edited by marcg

      @JKnott said in Switched to AT&T fiber, IPv6 tunnel broken:

      -p is port, not protocol.

      6in4 is protocol 41. It is not UDP (17) or TCP (6). You'd use the port number as part of a UDP or TCP packet, not 6in4.

      For nmap with -sO, -p specifies protocol.

      This surprised me at first, too.

      BiloxiGeekB 1 Reply Last reply Reply Quote 0
      • BiloxiGeekB Offline
        BiloxiGeek @marcg
        last edited by

        I do not have a static IP. I just connected my linux system directly to one of the 1G ports on the BGW320. I get a 192.168 address. That’s to be expected I figure since I’ve set the passthrough mode to DHCPS-Fixed and given it the pfSense mac address.

        I do get two IPv6 addresses on eth0, one is a prefix::49/128 and another the same /64 prefix with the last half of the address defined based on my mac address. I can ping over IPv6 to tunnelbroker.net so it looks like IPv6 native is okay.

        With those two addresses on my linux system should I be able to get pfSense to request a /64 and then use that prefix to set up static IPv6 addresses on my LAN systems? I think I tried that a few days ago and it never worked, but I may have made various changes between then and now. That’s the end result I’d like to get to. I’d prefer to use the addresses I got from he.net if possible but if I have to use this native stack it wouldn’t be too bad. I’d have to keep track of the delegation they give me cause if it changes I’d have to go back to he.net’s free DNS and update everything there.

        M 1 Reply Last reply Reply Quote 0
        • M Offline
          marcg @BiloxiGeek
          last edited by marcg

          @BiloxiGeek said in Switched to AT&T fiber, IPv6 tunnel broken:

          I do get two IPv6 addresses on eth0, one is a prefix::49/128 and another the same /64 prefix with the last half of the address defined based on my mac address. I can ping over IPv6 to tunnelbroker.net so it looks like IPv6 native is okay.

          With those two addresses on my linux system should I be able to get pfSense to request a /64 and then use that prefix to set up static IPv6 addresses on my LAN systems? I think I tried that a few days ago and it never worked, but I may have made various changes between then and now. That’s the end result I’d like to get to. I’d prefer to use the addresses I got from he.net if possible but if I have to use this native stack it wouldn’t be too bad. I’d have to keep track of the delegation they give me cause if it changes I’d have to go back to he.net’s free DNS and update everything there.

          Sounds like the pfSense WAN interface has both routeable DHCPv6 and SLAAC addresses on the segment connecting it to the BGW. Mine does, too, even though the interface is configured for DHCPv6. If you use DDNS, one or the other will get registered. Either one will work.

          To get a delegated /64 prefix to use on one LAN-side interface, use Track Interface. If you need prefixes for multiple LAN-side interfaces -- the BGW can hand out up to eight -- this thread explains how to request multiple /64s. There's another explanation of the steps here.

          To enable inbound access from the Internet with dynamic prefixes/addresses, I run parallel ULAs and GUAs on my LAN networks. I have static ULAs for key machines internally. On the WAN interface, there are port forwards/NATs that direct incoming traffic on the pfSense WAN address to the ULA of the appropriate internal host. Since the ULAs are fixed, inbound traffic for a particular service always lands on the correct internal host regardless of what the WAN address is at that time. Works well for my simple network.

          I don't pay attention to the GUAs of internal hosts other than making sure firewall rules are correctly configured, and that v6 is working for them.

          Also worth noting that my ATT prefixes haven't changed in several years -- across reboots, etc. -- even though they're dynamic.

          BiloxiGeekB 1 Reply Last reply Reply Quote 0
          • BiloxiGeekB Offline
            BiloxiGeek @marcg
            last edited by

            @marcg

            I finally got the PD on the pfSense and I'm working through the reservations I had set to the tunnel so they get an reserved address within the PD. I had wanted to keep the tunnel from he.net but I never could get that working.

            If the BGW320 ever gets a different prefix I'll have to change any AAAA records at he.net's free DNS services. Won't be too difficult and I could script it through their API if it starts to happen often enough.

            I've had the same prefix for about a week now. Same IPv4 since I put the SG4200 online. I don't expect any changes but since I'm on the gulf coast it's somewhat likely that I could lose power and/or network for multiple days if a hurricane rolls through town. That could cause a change in the leases.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.