Netgate Discussion Forum

    IPv6 with HE Issues

      wiz561

      Hi!

      I've been fighting with IPv6 for a few days now.  My ISP assigned me just one /64 address range, and I've been trying to get it working.  I got it working on my pfsense box, but can't get it to my local LAN.  After fighting with this for a few days, I thought I would sign up with HE.net and see if I can get it working through there first, then once I understand the basics, attempt to get it to work with the /64 my ISP assigned.  I figured that lots of people have it working with HE.net, so maybe try that first and see what happens.

      Now I am having issues with getting HE.net to work with my pfsense box.  I've followed the directions here…

      http://iserv.nl/files/pfsense/ipv6/

      and went through all the pages of the ipv6 thread here as well.  I've triple checked everything, but for some reason, I can't get it to work.  I've configured everything through the GUI, and it all exists there.  Upon reboot though, it seems like it doesn't exist all the way.  Here is my configuration...

      --
      $ ifconfig gif0
      gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
      tunnel inet 192.x.x.x --> 209.51.181.2
      inet6 fe80::219:bbff:fe2e:3ebc%gif0 prefixlen 64 scopeid 0xb
      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
      options=1<ACCEPT_REV_ETHIP_VER>
      --
      $ netstat -anr (just ipv6 stuff)

      Internet6:
      Destination                      Gateway                      Flags      Netif Expire
      ::1                              ::1                          UH          lo0
      2001:470:<foo>:c57::/64            link#7                        U      bge1_vla
      2001:470:<foo>:c57::1              link#7                        UHS        lo0
      fe80::%bge0/64                    link#1                        U          bge0
      fe80::219:bbff:fe2e:3ebc%bge0    link#1                        UHS        lo0
      fe80::%bge1/64                    link#2                        U          bge1
      fe80::219:bbff:fe2e:3ebb%bge1    link#2                        UHS        lo0
      fe80::%lo0/64                    link#3                        U          lo0
      fe80::1%lo0                      link#3                        UHS        lo0
      fe80::%bge1_vlan101/64            link#7                        U      bge1_vla
      fe80::219:bbff:fe2e:3ebc%bge1_vlan101 link#7                        UHS        lo0
      fe80::%bge1_vlan140/64            link#8                        U      bge1_vla
      fe80::219:bbff:fe2e:3ebc%bge1_vlan140 link#8                        UHS        lo0
      fe80::%bge1_vlan130/64            link#9                        U      bge1_vla
      fe80::219:bbff:fe2e:3ebc%bge1_vlan130 link#9                        UHS        lo0
      fe80::%bge1_vlan120/64            link#10                      U      bge1_vla
      fe80::219:bbff:fe2e:3ebc%bge1_vlan120 link#10                      UHS        lo0
      fe80::%gif0/64                    link#11                      U          gif0
      fe80::219:bbff:fe2e:3ebc%gif0    link#11                      UHS        lo0
      ff01:1::/32                      fe80::219:bbff:fe2e:3ebc%bge0 U          bge0
      ff01:2::/32                      fe80::219:bbff:fe2e:3ebb%bge1 U          bge1
      ff01:3::/32                      ::1                          U          lo0
      ff01:7::/32                      fe80::219:bbff:fe2e:3ebc%bge1_vlan101 U      bge1_vla
      ff01:8::/32                      fe80::219:bbff:fe2e:3ebc%bge1_vlan140 U      bge1_vla
      ff01:9::/32                      fe80::219:bbff:fe2e:3ebc%bge1_vlan130 U      bge1_vla
      ff01:a::/32                      fe80::219:bbff:fe2e:3ebc%bge1_vlan120 U      bge1_vla
      ff01:b::/32                      fe80::219:bbff:fe2e:3ebc%gif0 U          gif0
      ff02::%bge0/32                    fe80::219:bbff:fe2e:3ebc%bge0 U          bge0
      ff02::%bge1/32                    fe80::219:bbff:fe2e:3ebb%bge1 U          bge1
      ff02::%lo0/32                    ::1                          U          lo0
      ff02::%bge1_vlan101/32            fe80::219:bbff:fe2e:3ebc%bge1_vlan101 U      bge1_vla
      ff02::%bge1_vlan140/32            fe80::219:bbff:fe2e:3ebc%bge1_vlan140 U      bge1_vla
      ff02::%bge1_vlan130/32            fe80::219:bbff:fe2e:3ebc%bge1_vlan130 U      bge1_vla
      ff02::%bge1_vlan120/32            fe80::219:bbff:fe2e:3ebc%bge1_vlan120 U      bge1_vla
      ff02::%gif0/32                    fe80::219:bbff:fe2e:3ebc%gif0 U          gif0

      --
      $ ping6 2001:470:c116:4f20:216:3eff:fe1d:4a1a
      ping6: UDP connect: No route to host
      $

      OK, it looks like all the addresses and routes aren't being filled in properly.  Again, all my info exists in the GUI, but for whatever reason, it's not working.  With that aside, I've attempted to put the information in by hand...

      $ ifconfig gif0 inet6 2001:470:<foo>:c57::2 2001:470:<foo>:c57::1 prefixlen 128
      $ route -n add -inet6 default 2001:470:<foo>:c57::1
      add net default: gateway 2001:470:<foo>:c57::1
      $ ifconfig gif0 down
      $ ifconfig gif0 up
      $ ifconfig gif0
      gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
      tunnel inet 192.x.x.x --> 209.51.181.2
      inet6 fe80::219:bbff:fe2e:3ebc%gif0 prefixlen 64 scopeid 0xb
      inet 192.x.x.x --> 209.51.181.2 netmask 0xffffff00
      inet6 2001:470:<foo>:c57::2 --> 2001:470:<foo>:c57::1 prefixlen 128
      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
      options=1<ACCEPT_REV_ETHIP_VER>
      $


      But now when I do a ping on the pfsense box, I get the following....

      $ ping6 2001:470:c116:4f20:216:3eff:fe1d:4a1a
      PING6(56=40+8+8 bytes) 2001:470:1f10:c57::2 --> 2001:470:c116:4f20:216:3eff:fe1d:4a1a
      ping6: sendmsg: Network is unreachable
      ping6: wrote 2001:470:c116:4f20:216:3eff:fe1d:4a1a 16 chars, ret=-1
      ping6: sendmsg: Network is unreachable
      ping6: wrote 2001:470:c116:4f20:216:3eff:fe1d:4a1a 16 chars, ret=-1
      ping6: sendmsg: Network is unreachable
      ping6: wrote 2001:470:c116:4f20:216:3eff:fe1d:4a1a 16 chars, ret=-1
      ping6: sendmsg: Network is unreachable
      ping6: wrote 2001:470:c116:4f20:216:3eff:fe1d:4a1a 16 chars, ret=-1
      ping6: sendmsg: Network is unreachable
      ping6: wrote 2001:470:c116:4f20:216:3eff:fe1d:4a1a 16 chars, ret=-1
      ^C
      --- 2001:470:c116:4f20:216:3eff:fe1d:4a1a ping6 statistics ---
      13 packets transmitted, 0 packets received, 100.0% packet loss

      $


      Does anybody happen to have any ideas of what to look for or diagnose?

      Thanks in advance...

        databeestje

        @wiz561:

        Hi!

        I've been fighting with IPv6 for a few days now.  My ISP assigned me just one /64 address range, and I've been trying to get it working.  I got it working on my pfsense box, but can't get it to my local LAN.  After fighting with this for a few days, I thought I would sign up with HE.net and see if I can get it working through there first, then once I understand the basics, attempt to get it to work with the /64 my ISP assigned.  I figured that lots of people have it working with HE.net, so maybe try that first and see what happens.

        So you have a WAN from your ISP with a native /64 network on it and a gateway. That's good. If you can't ping ipv6.google.com you can stop here.

        If this works and the ISP doesn't send you another network to use behind the router, you can use this 1:1 NAT hack below.

        boo hiss

        Go to the tab on the NAT page that says "network prefix translation (NPT)".
        Generate a random /64 network from the fc00::/10 range at sixxs.net here http://www.sixxs.net/tools/grh/ula/

        Use a generated /64 network from that range on the LAN, then add a network mapping for the WAN interface that would translate the fc something network to your public /64 something. Try that.

          wiz561

          interesting….thank you for the tips.  I will definitely try this out.  One question.  You mention about generating a random /64 net from the fc00 range at sixxs.  I plugged my mac in and got...

          Generated ULA= fdbc:0c93:<foo>::/48

          Is that what I want to plug into the "random /64 NPT" page?

          Thanks again for the help!

            wiz561

            I attempted to create a NPt rule, but that did not work.  I used…

            Int: LAN
            Internal IPv6 Prefix: fd9a.....  (one I got from the sixxs web page after I put my MAC in)
            Destination IPv6 Prefix: 2001...  (one of the addresses from the space allocated to me)

            It seems like my machine never receives an IPv6 IP when doing it this way.  I don't know if I have to configure rtadvd in order for my machine to see an IPv6, but it didn't work...

            thanks

              databeestje

              You have to enable dhcpv6 on the lan to enable radvd on the lan so that it will autoconfigure.

                wiz561

                Yup, I've enabled dhcpv6 on the lan and rtadvd, and still nothing.

                After being frustrated, I ended up reinstalling and then everything (Hurricane Electric-wise) worked fine.  I had a pretty complicated config with multiple internal vlans and fw rules between them.  Who knows, maybe something was blocking something else.  Nonetheless, with a fresh install and a single internal vlan, everything worked fine.

                I would still like to get the /64 single space working.  I still have a hard time believing that every vlan internally would require its own routable block.  I've been reading that comcast will assign every user a /64 ipv6 space, so I would imagine people would run into the same situation I am.

                In addition to all my problems, it turns out that my ISP is upgrading their ipv6 infrastructure to better support something or other.  This might be another reason why I had so many issues.

                Just so I understand things correctly. 
                    - Configure the pfsense box with ipv6 and get that working
                    - Generate a network space from sixxs.  This is equivalent to a 'private ipv6 network'. 
                          - Generated number is fdbc:0c93:<foo>::/48
                    - Enable ipv6 forwarding through sysctl. 
                    - Assign that sixxs private subnet to the "LAN" interface in the GUI.  Choose "ipv4 + ipv6".
                          - Number to assign to LAN IP would be fdbc:0c93:<foo>::1/48 (Add '1' to the sixxs address?)
                    - Configure rtadvd.
                          - Listen on bge1/internal LAN NIC
                          - Address in config would be "fdbc:0c93:<foo>::/48"
                    - Configure dhcpv6
                          - Just fill in the 'range' section and leave the 'gateway' blank.

                Are these pretty much how you would configure everything, without going through hurricane electric?  I'm still going to try to get it working without going through it, but I'm sure I'll run into additional problems.  Any comments on the above numbers and configuration will help me troubleshoot things easier.

                Thanks

                  databeestje

                  @wiz561:

                  I would still like to get the /64 single space working.  I still have a hard time believing that every vlan internally would require its own routable block.  I've been reading that comcast will assign every user a /64 ipv6 space, so I would imagine people would run into the same situation I am.

                  Yes, you will need a routable block for each internal vlan. Comcast is deploying with 1 /64 now, in the hopefully near future they will start sending networks your way through dhcp-pd. You will get a /56 or larger. Comcast was not really considering a /60 but is not ruling it out either.

                  In addition to all my problems, it turns out that my ISP is upgrading their ipv6 infrastructure to better support something or other.  This might be another reason why I had so many issues.

                  Just so I understand things correctly. 
                      - Configure the pfsense box with ipv6 and get that working
                      - Generate a network space from sixxs.  This is equivalent to a 'private ipv6 network'. 
                            - Generated number is fdbc:0c93:<foo>::/48

                  This prefix holds 65k possible prefixes. Pick one by filling in the 4th octet. E.g. fdbc:0c93:<foo>:1010::/64

                  • Enable ipv6 forwarding through sysctl.

                  This is enabled on boot with pfSense 2.0 + v6 branch.

                  • Assign that sixxs private subnet to the "LAN" interface in the GUI.  Choose "ipv4 + ipv6".
                              - Number to assign to LAN IP would be fdbc:0c93:<foo>::1/48 (Add '1' to the sixxs address?)

                  If you want stateless configuration to work the lan network needs to be a /64 range.

                  • Configure rtadvd.
                              - Listen on bge1/internal LAN NIC
                              - Address in config would be "fdbc:0c93:<foo>::/48"
                        - Configure dhcpv6
                              - Just fill in the 'range' section and leave the 'gateway' blank.

                  Are these pretty much how you would configure everything, without going through hurricane electric?  I'm still going to try to get it working without going through it, but I'm sure I'll run into additional problems.  Any comments on the above numbers and configuration will help me troubleshoot things easier.

                  Thanks

                  Because you split /64 networks out of the /48 provided, you can assign those to the different vlans. Something to keep note of though. Because using network prefix translation maps one or more private ranges over the outside public /64, you must be careful not to hit duplicate addresses. So if your gateway on the WAN is ::1, don't use that address on the internal network.

                  The rule is that you must not use any static address more than once on any interface right from the network prefix.

                  The network mapping would look like this
                  Interface WAN, source network fdbc:0c93:<foo>:1010::/64, destination network 2001:<foo>::/64

                  The stateless autoconfig uses the mac address plus another 16 bits, the chances of collision on that are near nil. Although not mathematically impossible depending on the number of devices on the LAN.

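Added example (not part of the thread and not pfSense code): a check for the duplicate-address problem databeestje describes when several /64s carved from one ULA /48 are mapped onto a single public /64. It assumes the translation swaps the /64 prefix and keeps the low 64 bits unchanged; the ULA /48, the public /64 (documentation range) and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample values: a made-up ULA /48, and the 2001:db8::/32
# documentation range standing in for the ISP-assigned public /64.
ULA_48 = ipaddress.ip_network("fd12:3456:789a::/48")
PUBLIC_64 = ipaddress.ip_network("2001:db8:0:1::/64")
HOST_MASK = (1 << 64) - 1  # low 64 bits: the interface identifier


def vlan_prefix(ula_48, subnet_id):
    """Carve one /64 out of the /48 by filling in the 16-bit subnet field."""
    if ula_48.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit subnet id")
    base = int(ula_48.network_address) | (subnet_id << 64)
    return ipaddress.ip_network((base, 64))


def translate(addr, inside_64, outside_64):
    """Assumed NPt behaviour: swap the /64 prefix, keep the low 64 bits."""
    addr = ipaddress.ip_address(addr)
    if addr not in inside_64:
        raise ValueError(f"{addr} is not inside {inside_64}")
    host_bits = int(addr) & HOST_MASK
    return ipaddress.ip_address(int(outside_64.network_address) | host_bits)


def find_collisions(mappings, outside_64, wan_addrs=()):
    """mappings: {inside /64: [static addrs]}. Return public addrs used twice."""
    owners = defaultdict(list)
    for wan in wan_addrs:
        owners[ipaddress.ip_address(wan)].append("WAN")
    for inside, hosts in mappings.items():
        for host in hosts:
            owners[translate(host, inside, outside_64)].append(str(host))
    return {pub: who for pub, who in owners.items() if len(who) > 1}


if __name__ == "__main__":
    lan, dmz = vlan_prefix(ULA_48, 0x1010), vlan_prefix(ULA_48, 0x1020)
    statics = {lan: [f"{lan.network_address}1", f"{lan.network_address}25"],
               dmz: [f"{dmz.network_address}25"]}
    for pub, who in find_collisions(statics, PUBLIC_64, ["2001:db8:0:1::1"]).items():
        print(pub, "<-", who)
```

Run against the static addresses planned for each vlan before adding the mappings; any entry returned is a public address that two hosts (or a host and the WAN gateway) would share after translation.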
                    wiz561

                    Thanks all for the help.

                    Just a status update.  I've been working with my ISP, who's never really done this before for anybody yet.  They've made a number of changes and assigned me two /64 blocks.

                    After I assigned the 64 addresses to the two interfaces, added the default route, and configured rtadvd, everything worked fine.  I'm now able to ipv6.

                    Thanks again for the help.  I think the problem was part with me and part with my ISP.
