Pfsense edpnet (belgium) native ipv6
-
I seem to be doing something wrong; however, I can't seem to put my finger on it.
    # netstat -rn -f inet6
    Routing tables

    Internet6:
    Destination                          Gateway                              Flags Netif Expire
    illegal prefixlen
    ::/15                                2a02:578:x::1                        UGS   vr2 =>
    default                              fe80::207:7dff:fe56:5900%pppoe0      UGS   pppoe0
    ::1                                  ::1                                  UH    lo0
    2a02:578:x::/48                      link#3                               U     vr2
    2a02:578:x::1                        link#3                               UHS   lo0
    2a02:578:8401:x::/64                 link#11                              U     pppoe0
    2a02:578:8401:x:x:x:x:x              link#11                              UHS   lo0
    fe80::%vr0/64                        link#1                               U     vr0
    fe80::20d:b9ff:fe2b:7f74%vr0         link#1                               UHS   lo0
    fe80::%vr2/64                        link#3                               U     vr2
    fe80::20d:b9ff:fe2b:7f76%vr2         link#3                               UHS   lo0
    fe80::%lo0/64                        link#7                               U     lo0
    fe80::1%lo0                          link#7                               UHS   lo0
    fe80::%vr2_vlan10/64                 link#8                               U     vr2_vlan
    fe80::20d:b9ff:fe2b:7f74%vr2_vlan10  link#8                               UHS   lo0
    fe80::%vr2_vlan20/64                 link#9                               U     vr2_vlan
    fe80::20d:b9ff:fe2b:7f74%vr2_vlan20  link#9                               UHS   lo0
    fe80::%vr2_vlan30/64                 link#10                              U     vr2_vlan
    fe80::20d:b9ff:fe2b:7f74%vr2_vlan30  link#10                              UHS   lo0
    fe80::%pppoe0/64                     link#11                              U     pppoe0
    fe80::20d:b9ff:fe2b:7f74%pppoe0      link#11                              UHS   lo0
    fe80::91f2:4358:15d2:ad55%pppoe0     link#11                              UHS   lo0
    ff01::%vr0/32                        fe80::20d:b9ff:fe2b:7f74%vr0         U     vr0
    ff01::%vr2/32                        fe80::20d:b9ff:fe2b:7f76%vr2         U     vr2
    ff01::%lo0/32                        ::1                                  U     lo0
    ff01::%vr2_vlan10/32                 fe80::20d:b9ff:fe2b:7f74%vr2_vlan10  U     vr2_vlan
    ff01::%vr2_vlan20/32                 fe80::20d:b9ff:fe2b:7f74%vr2_vlan20  U     vr2_vlan
    ff01::%vr2_vlan30/32                 fe80::20d:b9ff:fe2b:7f74%vr2_vlan30  U     vr2_vlan
    ff01::%pppoe0/32                     fe80::20d:b9ff:fe2b:7f74%pppoe0      U     pppoe0
    ff02::%vr0/32                        fe80::20d:b9ff:fe2b:7f74%vr0         U     vr0
    ff02::%vr2/32                        fe80::20d:b9ff:fe2b:7f76%vr2         U     vr2
    ff02::%lo0/32                        ::1                                  U     lo0
    ff02::%vr2_vlan10/32                 fe80::20d:b9ff:fe2b:7f74%vr2_vlan10  U     vr2_vlan
    ff02::%vr2_vlan20/32                 fe80::20d:b9ff:fe2b:7f74%vr2_vlan20  U     vr2_vlan
    ff02::%vr2_vlan30/32                 fe80::20d:b9ff:fe2b:7f74%vr2_vlan30  U     vr2_vlan
    ff02::%pppoe0/32                     fe80::20d:b9ff:fe2b:7f74%pppoe0      U     pppoe0

    # ping6 -c1 google.be
    PING6(56=40+8+8 bytes) 2a02:578:8401:x:x:x:x:x --> 2a00:1450:4013:c00::5e
    16 bytes from 2a00:1450:4013:c00::5e, icmp_seq=0 hlim=57 time=14.734 ms

    --- google.be ping6 statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 14.734/14.734/14.734/0.000 ms
    #

    # ping6 -S 2a02:578:x::1 -c1 google.be
    PING6(56=40+8+8 bytes) 2a02:578:x::1 --> 2a00:1450:4013:c00::5e

    --- google.be ping6 statistics ---
    1 packets transmitted, 0 packets received, 100.0% packet loss
    #

    # ping6 -S 2a02:578:x::1 -c1 2a02:578:8401:x:x:x:x:x
    PING6(56=40+8+8 bytes) 2a02:578:x::1 --> 2a02:578:8401:x:x:x:x:x
    16 bytes from 2a02:578:8401:x:x:x:x:x, icmp_seq=0 hlim=64 time=1.140 ms

    --- 2a02:578:8401:1500:20d:b9ff:fe2b:7f74 ping6 statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 1.140/1.140/1.140/0.000 ms
    #
2a02:578:8401:x:x:x:x:x is wan ip
2a02:578:x::1/48 prefix
-
Can you tell me what your network setup is hardware-wise, and whether you are using VDSL or ADSL?
Where do you do the logon with EDPNet?
Also, just something I see: you are using the /48 on your firewall. It is better to split it up into separate /64s from the beginning, especially if you also want to put IPv6 on your VLANs. And that could already solve your issue.
Can you also post the firewall rules you have for IPv6 on the internal sides?
-
WAN and LAN have pass * for IPv6, no real rules in place, and it is an ADSL line.
Edit: sorry for the late response...
/48 on the firewall...? No vlans won't be using IPv6 for now... unless maybe a different prefix. Hardware: ALIX.2D13.
-
Well, like I already said: you have configured the complete /48 prefix that EDPNet has delivered to you on your interface vr3.
If you take into account how they split up the prefixes for IPv6, a /48 prefix is normally given to a customer, and this /48 can be split up into multiple /64s, which are actually individual LANs.
So what you must do is change the prefix on your vr3 from /48 to /64, and if your rules are OK then it should work.
PS> Auto configuration and router advertisement in IPv6 work only for a /64 prefix, if I remember correctly.
I hope this puts you more on track to make it work. If not, just let me know.
-
So what you're trying to say is that I can't set up the prefix on the LAN interface as /48 but need to set it up as /64. However, when I go to the DHCP settings I can only go as low as prefixlen 64 to distribute, meaning if I assign an IP I immediately assign the whole range to one client!?
And it has no effect, I've just tried it.
Also, within the LAN, within the prefix, I can communicate just fine; it's when I go to the outside that something is wrong.
Also, with your way I need to pass the router every time I want to go from one computer to another, because you've just given everyone a /64 prefix that's not routed, if I understand correctly.
I'm not saying that you're wrong, I'm just trying to understand how and what it is you're trying to do.
-
Well, officially you can use a /48 prefix on the LAN part, but then it is available on just 1 VLAN, so if you need multiple VLANs then you need to split up the /48 into /64s. Also, what I am trying to say is that, if I remember correctly, the IPv6 rules say the following:
- /48 is usually used for a customer network
- /64 is used for a (v)LAN
That is how it is built in the minds of the creators of the protocol. And if I remember correctly, automatic router advertisement does not work well with anything other than a /64.
For your routing part: yes, each IPv6 /64 range you use will be routed on your firewall and will only go to the outside when the addresses are not part of your assigned /48.
I also remember that I was never able to get 1 big /48 to work directly on the LAN side; I could choose different /64 ranges and configure them on individual (v)LANs.
But as said before, my situation is that I have my VDSL modem -> Cisco router (which does the connection with EDPNet) -> pfSense firewall -> LANs.
You can see this in the following traceroute from 1 of my client servers:
    [root@xxxxx: ~]$ traceroute6 ipv6.google.com
    traceroute to ipv6.l.google.com (2a00:1450:4013:c01::93) from 2a02:578:xxxx:xxxx::x:x, 30 hops max, 24 byte packets
     1  firewall.xxxxx.xx (2a02:578:xxxx:xxxx::x)  0.158 ms  0.237 ms  0.125 ms
     2  cisco_router.xxxxx.xx (2a02:578:xxxx::x)  0.935 ms  0.829 ms  0.67 ms
     3  2a02:578:1:3c::2 (2a02:578:1:3c::2)  20.181 ms  20.417 ms  19.746 ms
     4  2a02:578:1:3c::1 (2a02:578:1:3c::1)  20.078 ms  20.412 ms  20.321 ms
     5  2a02:578:1:1d::1 (2a02:578:1:1d::1)  23.484 ms  23.639 ms  23.441 ms
     6  amsix-router.google.com (2001:7f8:1::a501:5169:1)  23.607 ms  23.514 ms  22.855 ms
     7  2001:4860::1:0:8 (2001:4860::1:0:8)  136.28 ms  23.182 ms  23.529 ms
     8  2001:4860::8:0:2daf (2001:4860::8:0:2daf)  23.386 ms  23.548 ms  58.794 ms
     9  2001:4860::2:0:66f (2001:4860::2:0:66f)  27.961 ms  27.229 ms  27.476 ms
    [root@xxxxx: ~]$
And this is the routing table on my firewall:
    [2.1-RC0][admin@firewall.xxxxx.xx]/root(2): netstat -rn -f inet6
    Routing tables

    Internet6:
    Destination                   Gateway                       Flags Netif Expire
    default                       2a02:578:xxxx::x              UGS   em0
    ::1                           ::1                           UH    lo0
    2a02:578:xxxx::/64            link#1                        U     em0
    2a02:578:xxxx::x              link#1                        UHS   lo0
    2a02:578:xxxx:xxxx::/64       link#2                        U     em1
    2a02:578:xxxx:xxxx::x         link#2                        UHS   lo0
    2a02:578:yyyy::/64            link#3                        U     em2
    2a02:578:yyyy::y              link#3                        UHS   lo0
    2a02:578:yyyy:yyy::/64        2a02:578:yyyy::y              UGS   em2
    2a02:578:yyyy:yyyy::/64       2a02:578:yyyy::y              UGS   em2
    fe80::%em0/64                 link#1                        U     em0
    fe80::250:56ff:febf:236d%em0  link#1                        UHS   lo0
    fe80::%em1/64                 link#2                        U     em1
    fe80::250:56ff:febf:236e%em1  link#2                        UHS   lo0
    fe80::%em2/64                 link#3                        U     em2
    fe80::250:56ff:febf:236f%em2  link#3                        UHS   lo0
    fe80::%lo0/64                 link#7                        U     lo0
    fe80::1%lo0                   link#7                        UHS   lo0
    ff01::%em0/32                 fe80::250:56ff:febf:236d%em0  U     em0
    ff01::%em1/32                 fe80::250:56ff:febf:236e%em1  U     em1
    ff01::%em2/32                 2a02:578:yyyy::y              U     em2
    ff01::%lo0/32                 ::1                           U     lo0
    ff02::%em0/32                 fe80::250:56ff:febf:236d%em0  U     em0
    ff02::%em1/32                 fe80::250:56ff:febf:236e%em1  U     em1
    ff02::%em2/32                 2a02:578:yyyy::y              U     em2
    ff02::%lo0/32                 ::1                           U     lo0
    [2.1-RC0][admin@firewall3.xxxxx.xx]/root(3):
Note: all the "x" replacements are part of my first IPv6 /48 range;
all the "y" replacements are part of my second IPv6 /48 range.
On my firewall there is no /48 configured, and on my router there is no /48 configured; I only use /64s which are part of my /48.
And no, I do not give each computer a /64 range; I give each (v)LAN a /64 range to use. And radv, together with DHCPv6, will give each DHCP-enabled system 2 addresses: 1 IPv6 address in the "fe80" range, which is local, private and non-routable, and 1 IPv6 address from the /64 range, and nothing more. I also have a few servers that have a fixed configuration, with all routing information configured manually.
PS> I do not know if it is related, but on my router the default gateway for IPv6 is not an FE80-range address.
I hope it helps.
-
I'll give it a shot for sure. Thank you for your efforts.
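
Added example, not part of any post in this thread: a Python sketch of the /48-to-/64 split discussed above. It flags a directly connected prefix that is not a /64, assigns one /64 per LAN/VLAN, and shows that hosts in the same /64 do not cross the router. The documentation prefix 2001:db8:1::/48, the sample route rows and the function names are constructed for illustration.

```python
import ipaddress
from itertools import islice

# Constructed sample rows in `netstat -rn -f inet6` column order
# (destination, gateway, flags, netif). The documentation prefix
# 2001:db8:1::/48 stands in for the redacted ISP prefix.
SAMPLE_ROUTES = """\
default               fe80::1%pppoe0  UGS  pppoe0
2001:db8:1::/48       link#3          U    vr2
2001:db8:1::1         link#3          UHS  lo0
2001:db8:ffff:1::/64  link#11         U    pppoe0
fe80::%vr2/64         link#3          U    vr2
"""

def onlink_prefix_findings(route_text):
    """Return (netif, prefix) for on-link routes that are not /64."""
    findings = []
    for line in route_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or "/" not in fields[0]:
            continue  # host routes and "default" carry no prefix length
        dest, gateway, _flags, netif = fields[:4]
        if not gateway.startswith("link#") or "%" in dest:
            continue  # keep directly connected, non-scoped prefixes only
        net = ipaddress.ip_network(dest, strict=False)
        if net.version == 6 and net.prefixlen != 64:
            findings.append((netif, str(net)))
    return findings

def plan_lan_prefixes(delegated, segments):
    """Assign one /64 out of the delegated prefix to each LAN/VLAN name."""
    block = ipaddress.ip_network(delegated)
    if block.prefixlen > 64:
        raise ValueError("delegated prefix is longer than /64")
    return dict(zip(segments, islice(block.subnets(new_prefix=64), len(segments))))

def same_link(addr_a, addr_b, plan):
    """True when both hosts sit in the same planned /64 (no router hop)."""
    a, b = ipaddress.ip_address(addr_a), ipaddress.ip_address(addr_b)
    return any(a in net and b in net for net in plan.values())

if __name__ == "__main__":
    print(onlink_prefix_findings(SAMPLE_ROUTES))
    plan = plan_lan_prefixes("2001:db8:1::/48", ["lan", "vlan10", "vlan20", "vlan30"])
    for name, net in plan.items():
        print(name, net)
    print(same_link("2001:db8:1::10", "2001:db8:1:1::20", plan))
```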