Pfsense edpnet (belgium) native ipv6



  • I seem to be doing something wrong however i can't seem to put my finger on it.

    # netstat -rn -f inet6
    Routing tables
    
    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    illegal prefixlen
    ::/15                             2a02:578:x::1              UGS         vr2 =>
    default                           fe80::207:7dff:fe56:5900%pppoe0 UGS      pppoe0
    ::1                               ::1                           UH          lo0
    2a02:578:x::/48                   link#3                        U           vr2
    2a02:578:x::1                    link#3                        UHS         lo0
    2a02:578:8401:x::/64              link#11                       U        pppoe0
    2a02:578:8401:x:x:x:x:x 		  link#11                       UHS         lo0
    fe80::%vr0/64                     link#1                        U           vr0
    fe80::20d:b9ff:fe2b:7f74%vr0      link#1                        UHS         lo0
    fe80::%vr2/64                     link#3                        U           vr2
    fe80::20d:b9ff:fe2b:7f76%vr2      link#3                        UHS         lo0
    fe80::%lo0/64                     link#7                        U           lo0
    fe80::1%lo0                       link#7                        UHS         lo0
    fe80::%vr2_vlan10/64              link#8                        U      vr2_vlan
    fe80::20d:b9ff:fe2b:7f74%vr2_vlan10 link#8                        UHS         lo0
    fe80::%vr2_vlan20/64              link#9                        U      vr2_vlan
    fe80::20d:b9ff:fe2b:7f74%vr2_vlan20 link#9                        UHS         lo0
    fe80::%vr2_vlan30/64              link#10                       U      vr2_vlan
    fe80::20d:b9ff:fe2b:7f74%vr2_vlan30 link#10                       UHS         lo0
    fe80::%pppoe0/64                  link#11                       U        pppoe0
    fe80::20d:b9ff:fe2b:7f74%pppoe0   link#11                       UHS         lo0
    fe80::91f2:4358:15d2:ad55%pppoe0  link#11                       UHS         lo0
    ff01::%vr0/32                     fe80::20d:b9ff:fe2b:7f74%vr0  U           vr0
    ff01::%vr2/32                     fe80::20d:b9ff:fe2b:7f76%vr2  U           vr2
    ff01::%lo0/32                     ::1                           U           lo0
    ff01::%vr2_vlan10/32              fe80::20d:b9ff:fe2b:7f74%vr2_vlan10 U      vr2_vlan
    ff01::%vr2_vlan20/32              fe80::20d:b9ff:fe2b:7f74%vr2_vlan20 U      vr2_vlan
    ff01::%vr2_vlan30/32              fe80::20d:b9ff:fe2b:7f74%vr2_vlan30 U      vr2_vlan
    ff01::%pppoe0/32                  fe80::20d:b9ff:fe2b:7f74%pppoe0 U        pppoe0
    ff02::%vr0/32                     fe80::20d:b9ff:fe2b:7f74%vr0  U           vr0
    ff02::%vr2/32                     fe80::20d:b9ff:fe2b:7f76%vr2  U           vr2
    ff02::%lo0/32                     ::1                           U           lo0
    ff02::%vr2_vlan10/32              fe80::20d:b9ff:fe2b:7f74%vr2_vlan10 U      vr2_vlan
    ff02::%vr2_vlan20/32              fe80::20d:b9ff:fe2b:7f74%vr2_vlan20 U      vr2_vlan
    ff02::%vr2_vlan30/32              fe80::20d:b9ff:fe2b:7f74%vr2_vlan30 U      vr2_vlan
    ff02::%pppoe0/32                  fe80::20d:b9ff:fe2b:7f74%pppoe0 U        pppoe0
    
    
    
    # ping6 -c1 google.be
    PING6(56=40+8+8 bytes) 2a02:578:8401:x:x:x:x:x --> 2a00:1450:4013:c00::5e
    16 bytes from 2a00:1450:4013:c00::5e, icmp_seq=0 hlim=57 time=14.734 ms
    
    --- google.be ping6 statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 14.734/14.734/14.734/0.000 ms
    #
    
    
    
    # ping6 -S 2a02:578:x::1 -c1 google.be
    PING6(56=40+8+8 bytes) 2a02:578:x::1 --> 2a00:1450:4013:c00::5e
    
    --- google.be ping6 statistics ---
    1 packets transmitted, 0 packets received, 100.0% packet loss
    # 
    
    
    
    # ping6 -S 2a02:578:x::1 -c1 2a02:578:8401:x:x:x:x:x
    PING6(56=40+8+8 bytes) 2a02:578:x::1 --> 2a02:578:8401:x:x:x:x:x
    16 bytes from 2a02:578:8401:x:x:x:x:x, icmp_seq=0 hlim=64 time=1.140 ms
    
    --- 2a02:578:8401:1500:20d:b9ff:fe2b:7f74 ping6 statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 1.140/1.140/1.140/0.000 ms
    # 
    
    

    2a02:578:8401❌x❌x:x is wan ip
    2a02:578:x::1/48 prefix



  • Can you tell me what your network setup is hardware wise and what you are using VDSL or ADSL ?

    Where do you do the Logon with EDPNet ?

    Also just something I see, you are using the /48 on your firewall.  It is better to split it up is separate /64 from the beginning especially if you want to put also ipv6 on your vlan's.    And that could already solve your issue.

    Can you also post the firewall rules you have for IPv6 on the Internal side's ?



  • wan and lan have pass * for ipv6 no real rules, in place and it is an adsl line.

    edit: sorry for the late responds, ..

    /48 on the firewall, ..? no vlans won't be using ipv6 for now, .. unless maybe a different prefix, hardware ALIX.2D13.



  • Well like I already said.  You have configured the /48 prefix that EDPNet has delivered to you complete on your interface vr3

    If you take into account how they split up the prefixes for ipv6 then it says that a /48 prefix is normally given to a Customer this /48 can be split up into multiple /64 which are actually individually LAN's

    So what you must do is change the prefect on your vr3  from /48 to /64 and if your rules are ok then it should work.

    PS> Auto Configure and router advertisement in IPv6 works only for a /64 prefix if I remember correctly

    I hope this brings you more on track to make it work.  If not just let me know.



  • so what you're trying to say is that i can't setup the prefix on the lan interface to 48 but i need to set it up on 64 however when i go to the dhcp i can only go as low as prefixlen 64 to distribute, .. meaning if i assign an ip i immediately assign the whole range to one client !?

    And it has no effect, I've just tried it.

    Also within the LAN within the prefix i can communicate just fine it's when i go to the outside that something is wrong.

    Also with your way i need to pass the router everytime i want to go from one computer to an other cause you've just given everyone a 64 prefix that's not routed if i understand correctly

    I'm not saying that you're wrong i'm just trying to understand how and what it is you're trying to do.



  • Well officially you can use /48 prefix on the LAN part but then it is available just on 1 VLAN so if you need multiple VLAN's then you need to split up the /48 in /64.  Also what I try to say if I remember correctly the IPv6 rules say the following:

    • /48 is usually used for a customer network
    • /64 is used for a (v)LAN

    That is how it is build in the minds of the creators of the protocol. And if I remember correctly automatic router advertisement does not work good with something else than a /64.

    For your routing part, yes each IPv6 /64 range you use will be routed on your firewall and only go to the outside when the addresses are not part of your assigned /48.

    I also do remember that I was never able to get 1 big /48 to work directly on the LAN site I could choose different /64 ranges and configure them on individual (v)lans.

    But as said before my situation is that I have my VDSL modem -> Cisco Router (who does the connection with EDPNET) ->  pfsense firewall -> LAN's

    This you can see in the following traceroute from 1 of my client servers:

    
    [root@xxxxx: ~]$ traceroute6 ipv6.google.com
    traceroute to ipv6.l.google.com (2a00:1450:4013:c01::93) from 2a02:578:xxxx:xxxx::x:x, 30 hops max, 24 byte packets
     1  firewall.xxxxx.xx (2a02:578:xxxx:xxxx::x)  0.158 ms  0.237 ms  0.125 ms
     2  cisco_router.xxxxx.xx (2a02:578:xxxx::x)  0.935 ms  0.829 ms  0.67 ms
     3  2a02:578:1:3c::2 (2a02:578:1:3c::2)  20.181 ms  20.417 ms  19.746 ms
     4  2a02:578:1:3c::1 (2a02:578:1:3c::1)  20.078 ms  20.412 ms  20.321 ms
     5  2a02:578:1:1d::1 (2a02:578:1:1d::1)  23.484 ms  23.639 ms  23.441 ms
     6  amsix-router.google.com (2001:7f8:1::a501:5169:1)  23.607 ms  23.514 ms  22.855 ms
     7  2001:4860::1:0:8 (2001:4860::1:0:8)  136.28 ms  23.182 ms  23.529 ms
     8  2001:4860::8:0:2daf (2001:4860::8:0:2daf)  23.386 ms  23.548 ms  58.794 ms
     9  2001:4860::2:0:66f (2001:4860::2:0:66f)  27.961 ms  27.229 ms  27.476 ms
    
    [root@xxxxx: ~]$
    
    

    And this is the routing table on my firewall:

    
    [2.1-RC0][admin@firewall.xxxxx.xx]/root(2): netstat -rn -f inet6
    Routing tables
    
    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    default                           2a02:578:xxxx::x              UGS         em0
    ::1                               ::1                           UH          lo0
    2a02:578:xxxx::/64                link#1                        U           em0
    2a02:578:xxxx::x                  link#1                        UHS         lo0
    2a02:578:xxxx:xxxx::/64             link#2                        U           em1
    2a02:578:xxxx:xxxx::x               link#2                        UHS         lo0
    2a02:578:yyyy::/64                link#3                        U           em2
    2a02:578:yyyy::y                  link#3                        UHS         lo0
    2a02:578:yyyy:yyy::/64             2a02:578:yyyy::y              UGS         em2
    2a02:578:yyyy:yyyy::/64            2a02:578:yyyy::y              UGS         em2
    fe80::%em0/64                     link#1                        U           em0
    fe80::250:56ff:febf:236d%em0      link#1                        UHS         lo0
    fe80::%em1/64                     link#2                        U           em1
    fe80::250:56ff:febf:236e%em1      link#2                        UHS         lo0
    fe80::%em2/64                     link#3                        U           em2
    fe80::250:56ff:febf:236f%em2      link#3                        UHS         lo0
    fe80::%lo0/64                     link#7                        U           lo0
    fe80::1%lo0                       link#7                        UHS         lo0
    ff01::%em0/32                     fe80::250:56ff:febf:236d%em0  U           em0
    ff01::%em1/32                     fe80::250:56ff:febf:236e%em1  U           em1
    ff01::%em2/32                     2a02:578:yyyy::y              U           em2
    ff01::%lo0/32                     ::1                           U           lo0
    ff02::%em0/32                     fe80::250:56ff:febf:236d%em0  U           em0
    ff02::%em1/32                     fe80::250:56ff:febf:236e%em1  U           em1
    ff02::%em2/32                     2a02:578:yyyy::y              U           em2
    ff02::%lo0/32                     ::1                           U           lo0
    [2.1-RC0][admin@firewall3.xxxxx.xx]/root(3):
    
    

    Note:  all the "x" replacements are part of my first IPv6 /48 Range
              all the "y" replacements are part of my second IPv6 /48 Range

    On my firewall there is no /48 configured, on my router there is no /48 configured I only use /64 which are part of my /48.

    And no I do not give each computer a /64 range,  I give each (v)LAN a /64 range to use.  And radv will give together with DHCPv6 each DHCP enabled system 2 address 1 IPv6 in range "fe80" which is local and private non routable and 1 IPv6 from the /64 range and nothing more.  I have also a few servers who have fixed configuration with all information about routing configured manually.

    PS>  I do not know if it is related but on my router the default gw for IPv6 is not a FE80 range address.

    I hope it helps.



  • I'll give it a shot for sure. Thank you for your efforts.


Locked