Anybody using pfSense with A&A native IPv6 in UK?



  • We're currently trying to configure a pfSense firewall on our new fibre based link from Andrews & Arnold in the UK (aaisp.net).

    The link is IPv6 native (with a small allocation of IPv4 too for legacy use).

    We have the IPv4 up and running, but are struggling with IPv6.

    pfSense is the 2.1-DEV snapshot from December with a gitsync as of this morning.

    If the WAN port is set to DHCP6 then it doesn't appear to auto-configure.

    We're trying to establish the addresses needed to configure everything by hand with static IPv6, but progress is slow so far - so is there anyone else who uses A&A and has made it all work? I think we just need some hints on how they set up the routing based on the customer /48

    Thanks

    Stu



  • I'll answer my own question, in case it helps anyone else :)

    After capturing the RAs we were able to deduce the configuration required - it appears that the IPv6 setup is very similar to their IPv4 setup, in that the first three allocated IPv6 addresses are a virtual router which maps on to one of two physical routers:

    <customer /48>::0 (Virtual Router)
    <customer /48>::1 (Physical Router A)
    <customer /48>::2 (Physical Router B)

    Having assigned <customer /48>::3 to our pfSense WAN interface, set the IPv6 default gateway to the virtual router and set the DNS to A&A's IPv6 DNS addresses we can now talk to the world from the pfSense box. Clients on the LAN can't do it, but that appears to be a different problem…despite there being an IPv6 LAN pass rule (and the interface stats seem to indicate packets are passing).

    It's also worth noting that the RAs coming from A&A only had a single prefix option which was the /48 with auto bit set - which we think is not right - both OSX and Linux appear to refuse to use this to autoconfigure (presumably because as far as they are concerned the subnet is undefined).

    Stu
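An added example, not part of the original post: a check of a Router Advertisement's Prefix Information options against the RFC 4862 rule that prefix length plus interface identifier length must equal 128, which is why a /48 with the autonomous bit set is not used for SLAAC on Ethernet. The RA bytes are constructed with the documentation prefix 2001:db8:1234::, and the function names are hypothetical.

```python
import ipaddress
import struct

IID_BITS = 64  # interface identifier length on Ethernet (RFC 2464)

def build_ra(prefix, plen, flags=0xC0):
    """Constructed sample RA (RFC 4861 layout) with one Prefix Information option."""
    # type 134, code 0, checksum (unset), hop limit, flags, lifetime, reachable, retrans
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    # option type 3, length 4 (x8 octets), prefix length, L|A flags, lifetimes, reserved
    pio = struct.pack("!BBBBIII16s", 3, 4, plen, flags, 86400, 14400, 0,
                      ipaddress.IPv6Address(prefix).packed)
    return header + pio

def prefix_options(ra):
    """Yield (network, autonomous_flag) for each Prefix Information option."""
    if len(ra) < 16 or ra[0] != 134:
        raise ValueError("not a Router Advertisement")
    pos = 16  # options start after the fixed 16-byte RA header
    while pos + 2 <= len(ra):
        opt_type, opt_len = ra[pos], ra[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(ra):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:
            plen, flags = ra[pos + 2], ra[pos + 3]
            addr = ipaddress.IPv6Address(ra[pos + 16:pos + 32])
            yield ipaddress.IPv6Network((addr, plen), strict=False), bool(flags & 0x40)
        pos += opt_len

def check_ra(ra):
    """Return [(prefix, verdict)] for every Prefix Information option in the RA."""
    results = []
    for net, autonomous in prefix_options(ra):
        if not autonomous:
            verdict = "A flag clear: not offered for SLAAC"
        elif net.prefixlen + IID_BITS != 128:
            verdict = "ignored for SLAAC: /%d plus 64-bit interface ID is not 128" % net.prefixlen
        else:
            verdict = "usable for SLAAC"
        results.append((str(net), verdict))
    return results

if __name__ == "__main__":
    for plen in (48, 64):  # the /48 seen in the captured RAs vs. a /64
        print(check_ra(build_ra("2001:db8:1234::", plen)))
```

Feeding it the ICMPv6 payload of a captured RA (starting at the type byte) shows which advertised prefixes a host will actually autoconfigure from.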



  • Spooky!  This is next on my to-do list now that the 2.1 snapshots appear to be picking up steam - well we have a forum at least!  Is this blog post from Adrian any help in explaining how they are handling things?

    http://revk.www.me.uk/2011/01/ppp-ipv6cp-vs-dhcpv6.html



  • @xhale:

    Spooky!  This is next on my to-do list now that the 2.1 snapshots appear to be picking up steam - well we have a forum at least!  Is this blog post from Adrian any help in explaining how they are handling things?

    http://revk.www.me.uk/2011/01/ppp-ipv6cp-vs-dhcpv6.html

    Thanks for the pointer, but that's really concerned with PPP based connections (presumably over ADSL) whereas we have a fibre based ethernet connection to A&A :)

    Turns out it was a combination of them misconfiguring something when the account was set up, and me mistyping a static route address while trying to persuade it to work - having fixed those it all works perfectly…

    It would probably all auto-configure using BGP, but I haven't worked out how to do that on pfSense yet...



  • Ah my bad, had assumed you were using FTTC.  Glad to hear it all works ok though - itching to get it all set up now.



  • Anyone wanting similar help in the future could do worse than ask their fellow A&A customers in the A&A IRC channel, either daytime (office hours) for some lurkers, or evenings, when a lot of VERY clued-up IPv6 people hang out there. Someone will have a similar setup or at least give suggestions.
    Important: give them an hour or two to reply though, most people lurk in there while they're at work and don't monitor every line that passes.



  • I read that blog post but DHCP6 with prefix delegation is by far the easiest to centrally administer.

    DHCP6 has prefix delegation so that all those devices, regardless of how they connect, can get a globally routable network prefix assigned to their LAN. And more than 1 is going to be the default.

    This means that your wireless can use a different prefix from your lan, and everything would still work fine too. If you daisy chained routers, as some people do, it would create a double NAT, but with IPv6 and DHCP6 hierarchy would be maintained and subnetworks would still get a global network prefix.

    And DHCP6 works on everything because it uses link local addressing and not the ARP we used before. This means that yes, you could even get a delegated prefix on your laptop tethered to your phone using its 3G.

