Static IPv6 (got a /48)

  • Hi everyone,

    I think there's a huge flaw in my setup and I just don't see it. Hopefully someone can enlighten me about my mistake…

    I got a /48 from my ISP and want to use the first /64 for several pfSense boxes and all networks behind them get their own /64 (taken from the original /48).

    So e.g. if I have aaaa:bbbb:cccc::/48 and aaaa:bbbb:cccc::1 is my default gateway, I take aaaa:bbbb:cccc::2/64 for the WAN interface of my first pfSense Box, aaaa:bbbb:cccc::3/64 for the second and so on.
    On the LAN interfaces I use aaaa:bbbb:cccc:1::/64 for the first network,  aaaa:bbbb:cccc:2::/64 for the second and so on (giving the LAN interface aaaa:bbbb:cccc:X::1 as address).

    Using this setup I can:

    • Enable RAs on the inside and receive automatic configuration

    • ping6 the LAN address of that pfSense

    • ping6 the WAN address of that pfSense

    • ping6 the default gateway of the pfSense from its WAN interface

    However, I can not ping6 the WAN default gateway from the LAN side. I cannot ping6 any other system in the WAN network of the pfSense boxes either.
    As said, I don't see what is going wrong here. For testing purposes I allow any outgoing IPv6 traffic at the moment. Maybe anyone has an idea?

    Thanks in advance!

  • The WAN default gateway needs to have a route for the /48 pointing to your pfSense WAN ::2

    e.g. for all the networks behind your pfSense
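
The answer above, worked through as an added example that is not part of the thread: a longest-prefix lookup on the gateway's routing table, using the placeholder /48 and addressing scheme from the question. It shows why the echo reply to a LAN host has no return path until the gateway gets one static route per pfSense box. The function names and the host address `aaaa:bbbb:cccc:1::10` are assumptions made for illustration.

```python
import ipaddress
from itertools import islice

PREFIX = ipaddress.ip_network("aaaa:bbbb:cccc::/48")  # placeholder /48 from the question


def plan(count):
    """Question's scheme: box i gets WAN ::(i+1) in the first /64 and LAN subnet i."""
    subnets = list(islice(PREFIX.subnets(new_prefix=64), count + 1))
    wan_net = subnets[0]
    return {str(subnets[i]): str(wan_net[i + 1]) for i in range(1, count + 1)}


def gateway_table(static_routes=None):
    """Routing table of the gateway ::1: the first /64 is connected, the rest is static."""
    table = [(next(PREFIX.subnets(new_prefix=64)), "on-link")]
    for lan, next_hop in (static_routes or {}).items():
        table.append((ipaddress.ip_network(lan), next_hop))
    return table


def lookup(table, dst):
    """Longest-prefix match; None means the gateway has no route for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


if __name__ == "__main__":
    lan_host = "aaaa:bbbb:cccc:1::10"  # constructed host behind the first box
    print("connected /64 only:", lookup(gateway_table(), lan_host))
    print("with static routes:", lookup(gateway_table(plan(2)), lan_host))
```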

  • Hello databeestje,

    Thanks a million for your quick answer!
    I gave it a night's sleep and feel really stupid right now.

    That means my ISP would have to make a routing for every firewall I run, that is of course not doable.
    I will ask the ISP for an interconnect subnet and place my own router, then I can do those routings myself.


  • Hello,

    Just FYI: I now got a /64 for routing purposes and can use the whole /48 as expected.
    Everything works fine now.

    Thanks again and Greetings,
