6rd support added



  • 6rd support has been added over the past week and I'm searching for pfSense users that have access to such a connection.

    The current limitation of our 6rd support is that it will only work with ISPs that embed the entire IPv4 address in the 6rd address. So if the ISP uses a 6rd prefix longer than 32 bits I would like to know.

    I'm also looking for a list of various ISPs that employ 6rd and their respective settings.

    France: Free.fr 2a01:0e3::/28 ->64.98.1.1 ? = delegated /60
    Switzerland: Swisscom. 2a02:1200::/28 -> 6rd.swisscom.com (193.5.122.254) = delegated /60
    America: Charter 2602:100::/32 -> 68.114.165.1 = delegated /64
    Japan: Sakura 2001:e41::/32 -> 61.211.224.125 = delegated /64
    America: ATT Uverse 2602:300::/28 -> 12.83.49.81 = delegated /60
    Japan: Softbank –-
    Netherlands: Telfort Pilot ---- 2a00:cd8::/32 ? = delegated /64
    Netherlands: Lijbrandt Unsupported 2A02:80C0:FF00::/41 -> 188.142.72.5 IPv4 masklength 17 = delegated /56
    Canada: Videotron Unsupported 2607:fa48:6dc0::/42 -> 74.59.126.1 IPv4 masklength 18 = delegated /60
    Italy: FastWeb ---- 2001:b07::/32 = delegated /64

    If others can add to this list, please.



  • Canada/Videotron seems to be using multiple 6RD prefixes, and needs to be discovered via DHCP option 212.

    Example of option 212 output (you need to tell your dhcp client to request option-212):
    11:2d:26:7:fa:48:6e:c0:0:0:0:0:0:0:0:0:0:0:18:30:0:1

    (based on http://tools.ietf.org/html/rfc5969)

    Which translates to (simple hex-to-decimal conversion of tokens 1,2,19,20,21,22):
    17 45 2607:f148:6ec0 24.48.0.1

    Consequently, the interpretation would be:
    2607:f148:6ec0::/45 -> 24.48.0.1 IPv4 masklength 17, delegated / 60

    The delegated prefix seems to be calculated like this:
    32 - 17(IPv4MaskLen) + 45 (6rdPrefixlen) = 60

    How to pick-up dhcp option-212?
    Create a dhclient.conf in /etc:
    echo 'request subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name, option-212;' > /etc/dhclient.conf
    echo 'script "/etc/dhclient.script";' >> /etc/dhclient.conf

    Create a dhclient.script in /etc:
    echo '#!/bin/sh' > /etc/dhclient.script
    echo 'echo $new_option_212 >/tmp/6rd-212.log' >>/etc/dhclient.script
    chmod 755 /etc/dhclient.script

    Restart your DHCP client by specifying your dhcp configuration file
    /sbin/dhclient -c /etc/dhclient.conf <waninterfacename> (you will have to kill the pid if the process exists already)

    Consult /tmp/6rd-212.log for your 6RD parameters
    cat /tmp/6rd-212.log and decode it based on the above sample.
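
The decoding described in the post above, as an added example that is not part of the original thread or of pfSense: it parses the option 212 string in the field order RFC 5969 defines and derives the delegated prefix for a WAN address. The function names and the WAN address 192.0.2.1 are assumptions made for illustration; the values come from a DHCP reply, so lengths are checked before use.

```python
import ipaddress

# Option 212 data exactly as dhclient printed it in the post above.
SAMPLE_OPTION_212 = "11:2d:26:7:fa:48:6e:c0:0:0:0:0:0:0:0:0:0:0:18:30:0:1"
SAMPLE_WAN_V4 = "192.0.2.1"  # constructed WAN address (documentation range)


def parse_option_212(text):
    """Decode OPTION_6RD data: IPv4MaskLen, 6rdPrefixLen, 16-octet prefix, relays."""
    try:
        data = bytes(int(tok, 16) for tok in text.strip().split(":"))
    except ValueError as exc:  # non-hex token or octet above 0xff
        raise ValueError("option 212 must be colon-separated hex octets") from exc
    if len(data) < 22 or (len(data) - 18) % 4:
        raise ValueError("need 18 octets plus at least one 4-octet relay address")
    v4_mask_len, prefix_len = data[0], data[1]
    if v4_mask_len > 32 or prefix_len + (32 - v4_mask_len) > 128:
        raise ValueError("mask/prefix lengths out of range")
    prefix = ipaddress.IPv6Network((data[2:18], prefix_len), strict=False)
    relays = [ipaddress.IPv4Address(data[i:i + 4]) for i in range(18, len(data), 4)]
    return v4_mask_len, prefix, relays


def delegated_prefix(prefix, v4_mask_len, wan_v4):
    """Append the low (32 - IPv4MaskLen) bits of the IPv4 address to the 6rd prefix."""
    v4_bits = 32 - v4_mask_len
    low = int(ipaddress.IPv4Address(wan_v4)) & ((1 << v4_bits) - 1)
    plen = prefix.prefixlen + v4_bits
    if plen > 128:
        raise ValueError("6rd prefix plus IPv4 bits exceeds 128")
    value = int(prefix.network_address) | (low << (128 - plen))
    return ipaddress.IPv6Network((value, plen))


if __name__ == "__main__":
    mask_len, rd_prefix, br_list = parse_option_212(SAMPLE_OPTION_212)
    print("IPv4 mask length:", mask_len)
    print("6rd prefix:", rd_prefix)
    print("border relays:", ", ".join(str(br) for br in br_list))
    print("delegated:", delegated_prefix(rd_prefix, mask_len, SAMPLE_WAN_V4))
```

Passing a border relay's IPv4 address instead of the WAN address gives the relay's own 6rd prefix: 2602:300::/28 with 12.83.49.81 and mask length 0 yields 2602:300:c533:1510::/60.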



  • Which still wouldn't work because our 6rd interface does not yet support prefix lengths larger than 32 bits.



  • America: CenturyLink 2602:0::/24 -> 205.171.2.64 = delegated /64  Gateway does not respond to ICMP so I'm monitoring 2 hops further away.  I'll see if I can get their access-list loosened up a bit.



  • Some of the 6rd relays reply on 6rdrelay::1 and not on address 0. Try that.



  • I'm trying to set this up on my UVerse connection… I'm getting this error in the logs:
    php: : The interface IPv4 '99.74.122.32' address on interface 'sk0' is not public, not configuring 6RD tunnel

    It IS a public address, although the ip address is issued by a 'LAN' dhcp server (192.168.1.254). Other people report success using ipv6 with 6rd on the 2wire modems... But nobody with pfsense apparently. Any tips on how to start digging in and tweaking this so it'll work?

    Example: https://supportforums.cisco.com/docs/DOC-25121



  • I'll have to look into that check and why it is triggering the private address check.

    Strange.

    You are right though, it should just work.



  • Do you need to see any additional log entries to help troubleshoot this? I started working on getting HE setup, but if 6rd 'should' work I'll clear all that config off so I can be ready to try something.



  • no time yet



  • Well, I think I found why it detects my ip as 'private':
    function is_private_ip($iptocheck) {
            $isprivate = false;
            $ip_private_list=array(
                  "10.0.0.0/8",
                  "172.16.0.0/12",
                  "192.168.0.0/16",
                  "99.0.0.0/8"
            );
            foreach($ip_private_list as $private) {
                    if(ip_in_subnet($iptocheck,$private)==true)
                            $isprivate = true;
            }
            return $isprivate;
    }

    This is located in pfsense-utils.inc. Rather odd. I'm going to upgrade to the latest snapshot, and then adjust that ip to see if 6rd works.



  • Removing the ip fixed the private ip issue (and Chris changed MASTER to remove the bad ip range), and the firewall now appears to auto-config the correct ips (as best as I can tell), however I'm not getting a default route for some reason. I guess I'll fiddle with this some more over the weekend. Almost there.

    EDIT: typing this in: route add -inet6 default 2602:300:c533:1510::
    fixed my default route issue, once I put that in, everything (even PCs on the LAN) can ping ipv6 stuff. Yay!

    So the major issue is fixed, with the private ip being detected wrongly… the minor issue, 6rd isn't auto-setting the default route properly.

    Speed test comes back a bit slow, probably because I'm pulling from Calif, and I'm in the Louisville area.




  • Australia: iiNet 2001:4479::/32 ->203.0.178.66 = delegated /64

    Still trying to get this working, just fiddling with my pfSense settings at the moment.

    Paste of the forum post below of their example Cisco config:

    –---------------------------------------------------------------------------

    Hi,

    If you have Cisco hardware capable of running a version of IOS that supports 6rd (minimum: 15.1(3)T) you will be able to add the following information to your config to get IPv6 connectivity.

    This is provided 'as is' and at your own risk. No support will be offered by iiNet, nor will any responsibility be taken for unsecured networks resulting from adding this to your config.

    It is your own responsibility to obtain the appropriate version of IOS and secure it appropriately. This will not be supported by iiNet.

    !
    ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel0
    ipv6 unicast-routing
    ipv6 cef
    !
    interface Tunnel0
    description 6RD Tunnel interface
    no ip address
    no ip redirects
    ipv6 enable
    ipv6 mtu 1280
    ! Dialer1 OR Dialer0 etc., whatever you have configured for the WAN interface
    tunnel source Dialer1
    tunnel mode ipv6ip 6rd
    tunnel 6rd prefix 2001:4479::/32
    tunnel 6rd br 203.0.178.66
    !
    ! bvi1 OR Vlan1 etc., your LAN interface
    Int bvi1
    ipv6 address DELEGATED_PREFIX ::/64 eui-64
    !
    ipv6 route 2001:4479::/32 Tunnel0
    ipv6 route ::/0 Tunnel0 2001:4479:CB00:B242::1
    !

    Matt Hutchinson
    Project Officer - Operations
    iiNet Ltd.



  • America: Charter Communications (Cable internet)

    I haven't tried this YET as I have a tunnel running at the moment here at home, but this is from their web page.

    6RD Configuration Settings
    As part of Charter's IPv6 Trials we have made available a Public 6rd Border Relay. If you are interested in participating in our early trials and own a device that supports 6RD use this configuration information to begin experiencing the Next Generation Internet:

    6rd Prefix = 2602:100::/32
        Border Relay Address = 68.114.165.1
        6rd prefix length = 32
        IPv4 mask length = 0

    Primary DNS Address = 2607:f428:1::5353:1
    Secondary DNS Address = 2607:f428:2::5353:1

    Best regards



  • @SunCatalyst:

    America: Charter Communications (Cable internet)

    I haven't tried this YET as I have a tunnel running at the moment here at home, but this is from their web page.

    6RD Configuration Settings
    As part of Charter's IPv6 Trials we have made available a Public 6rd Border Relay. If you are interested in participating in our early trials and own a device that supports 6RD use this configuration information to begin experiencing the Next Generation Internet:

    6rd Prefix = 2602:100::/32
        Border Relay Address = 68.114.165.1
        6rd prefix length = 32
        IPv4 mask length = 0

    Primary DNS Address = 2607:f428:1::5353:1
    Secondary DNS Address = 2607:f428:2::5353:1

    Best regards

    I have recently used Charter's 6RD setup and noticed a quirk on my side… My LAN is set up as a TRACK for IPv6 and it does get an address, and then each client gets an IPv6 address without issues from there. However, I've noticed in my setup the IPv6 DNS server isn't coming across in Windows. My DHCP server in pfSense (IPv4) is set up to send the IPv4 LAN address, which is able to resolve IPv6 DNS servers, but how do I allow my DHCP to send an IPv6 DNS server also?



  • @pyrodex:

    how do I allow my DHCP to send an IPv6 DNS server also?

    How do you have DNS items configured in pfSense DHCP server page?



  • @wallabybob:

    How do you have DNS items configured in pfSense DHCP server page?

    They are blank which would mean they inherit they are setup as the IPv4 LAN address. But in my case is the PFSense DHCPv4 actually issuing DHCP to my IPv6 clients or is Charter's 6RD platform?



  • I haven't tried it myself, but in Canada, Rogers offers this:

    Setting Confirmation Required
    Provider Prefix 2607:F090
    Provider Prefix Sites 32
    Mask Bits 0
    Relay Address 66.185.95.192



  • I guess I am a little too nooby to get all this,

    My isp information is:
    Altibox 6RD border relay: 213.167.115.92
    15 bits prefix.

    Can someone explain how this thing works, or is there an article I can't find on the wiki?

    -Kristoffer



  • Please note that Swisscom will change the IP of its 6rd Border Relays to 193.5.29.1 on April 9th, 08:00. This change will be reflected in the DNS name 6rd.swisscom.com at the same time (plus some propagation time through DNS).



  • Altibox/Lyse, Norway
    6RD IPv6 Prefix: 2a01:79c::/30
    6RD Border Relay: 213.167.115.92
    6RD IPv4 Prefix length: 0

    Results in a /62.

    They're using dhcp option 212 to distribute the configuration to the devices that support it.

    I haven't managed to get it to work myself yet. It adds the correct address to the interface - the one I've been told I'm supposed to get - but I can't actually reach anything from it. Not entirely sure if the problem is on my end or with my ISP. Running Pfsense 2.1-RC0 (amd64) built on Tue Jun 4 20:54:59 EDT 2013.



  • Hi Nulani,

    As far as I know 6RD has been broken in 2.1 since mid-January.

    You can find some additional details in this post:

    http://forum.pfsense.org/index.php/topic,62629.0.html

    -Will


  • Some commits were made this week that others reported fixed the issue. Are you still seeing a problem on a current snapshot?



  • @jimp:

    Some commits were made this week that others reported fixed the issue. Are you still seeing a problem on a current snapshot?

    I'll update this weekend and see. It isn't working in June 4th.



  • Hi jimp,

    I just gave the June 6th RC-0 build a try and if anything it was working even worse. Ordinarily I can reach the http://test-ipv6.com/ website and confirm that 6RD isn't working but with the RC-0 build I couldn't even do that.

    This was with a straight update from Jan 18th to June 6th using the instructions in the sticky.

    Rolling back the vm to my Jan 18th build got me right back up & running.

    I've been keeping track of the ticket I opened for this: https://redmine.pfsense.org/issues/2882 so I was unaware of any change that had been made that might have fixed 6RD.

    -Will



  • No difference in 2.1-RC0 (amd64) built on Thu Jun 6 21:08:57 EDT 2013.



  • Should work with tomorrow's snapshot, my test system is working now.



  • Hi cmb,

    I just updated to the Wed, June 12th snapshot and 6RD is still not working.

    Please let me know if there is anything I can do or provide to help fix this.

    -Will



  • I upgraded all my systems with 6rd to today's snapshot and they all work. Do you have a default v6 route listed under Diag>Routes? Getting a v6 IP assigned to the LAN from the PD? radvd running and assigning IPs on the LAN?



  • Hi Chris,

    I can't answer your question right this moment because I have rolled back to my Jan 18th snap where it all works perfectly. All I do is run the upgrade and the gateway monitor stays down & I can't do any ipv6. It does feel like the rest of the box is dragging when I run the June 12th snap.

    Gimme a few minutes to update again and I should be able to get some answers.

    -Will



  • Still no change. Gateways shows as down.

    2.1-RC0 (amd64) built on Sat Jun 15 05:06:20 EDT 2013



  • Well, gateway down could be caused by the gateway not responding on ICMP.

    You should instead try to ping6 some ipv6 site on the Internet.

    6RD has been working for me since the June 12th build.



  • Can't ping anything but the interface itself across IPv6, I'm afraid.



  • I believe I have spotted what the problem probably is in my case:

    wan_stf: flags=4001<UP,LINK2> metric 0 mtu 1280
    inet6 2a01:79d:469d:6d78:: prefixlen 30
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV> v4net 0.0.0.0/0
    v4br 213.167.115.92

    Prefixlen should be 62, not 30. At least, a 62 is what I'm assigned from my ISP. Manually correcting it makes no difference, however.

    
    ```
    [2.1-RC0][root@ginnungagap.nulani.net]/etc(40): ifconfig wan_stf inet6 2a01:79d:469d:6d78:: prefixlen 62
    [2.1-RC0][root@ginnungagap.nulani.net]/etc(41): ping6 2a01:79d:469d:6d78::
    PING6(56=40+8+8 bytes) 2a01:79d:469d:6d78:: --> 2a01:79d:469d:6d78::
    16 bytes from 2a01:79d:469d:6d78::, icmp_seq=0 hlim=64 time=0.349 ms
    16 bytes from 2a01:79d:469d:6d78::, icmp_seq=1 hlim=64 time=0.144 ms
    ^C
    --- 2a01:79d:469d:6d78:: ping6 statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 0.144/0.246/0.349/0.102 ms

    [2.1-RC0][root@ginnungagap.nulani.net]/etc(42): ping6 -S 2a01:79d:469d:6d78:: google.com
    PING6(56=40+8+8 bytes) 2a01:79d:469d:6d78:: --> 2a00:1450:400f:801::1007
    ^C
    --- google.com ping6 statistics ---
    33 packets transmitted, 0 packets received, 100.0% packet loss
    ```


  • You probably need latest snapshot and are missing the default v4 gateway.



  • I'll try again with the latest snapshot, although I do have the default v4 gateway set.



  • Hi ermal,

    I just tried with the July 12th snapshot & still no luck.

    I took a look and the output of the 2 commands you asked me to run in this ticket:

    http://redmine.pfsense.org/issues/2882

    seem to be the same.

    As always, if there is anything I can provide to help resolve this ticket please just let me know!

    -Will



  • From relooking at the redmine posts you put, your v6 default gateway is using the wrong interface.
    It should use the wan_stf rather than the underlying interface.

    Can you resave your default gateway for v6?

    Also show config.xml of gateways and your wan interface together with ifconfig, netstat -rn



  • Hi ermal,

    I have updated the ticket here:

    http://redmine.pfsense.org/issues/2882

    with the requested information.

    I took a look at "System: Gateways: Edit gateway" and my ipv6 gateway is listed as "dynamic". I tried to re-save it by hitting the save button but there was no change. Is this the right place to check? Charter doesn't specify a default gateway, so I don't know what I should set it to if not dynamic.

    -Will



  • On CenturyLink with a PPPoE I get the following 6rd errors:

    system.log:Aug 26 21:19:16 pfsense check_reload_status: updating dyndns WAN_6RD
    system.log:Aug 27 20:25:24 pfsense php: rc.bootup: The interface IPv4 '' address on interface 'pppoe0' is not public, not configuring 6RD tunnel
    system.log:Aug 27 20:25:56 pfsense check_reload_status: updating dyndns WAN_6RD
    system.log:Aug 27 23:10:23 pfsense check_reload_status: updating dyndns WAN_6RD

    I don't seem to get an IP address except for these:

    inet6 fe80::260:xxxx:xxxx:10a4%fxp0 prefixlen 64 scopeid 0x1
            inet6 fd00::260:xxxx:xxxx:10a4 prefixlen 64 autoconf

    Any other logs I can look at?

    2.1-RC1 (i386)
    built on Tue Aug 27 16:56:22 EDT 2013
    FreeBSD 8.3-RELEASE-p10

    Kind regards,

    Maurice



  • You guys are running 6rd over pppoe?

