IPv6 not working when pfsense is behind ISPs Router
-
@jflsakfja:
The 49-54 characters (in BITS) are "official" subnetting bits. And by that I mean that if you want a subnet, it has to be a /64, which can only come from the /48 (bits 49-54 in the IPv6 address).
No matter how you count, "49-54" is definitely wrong (note that that's six bits). The first 64 bits in a global unicast v6 address are split into n bits of global routing prefix and m bits of subnet ID (with some exceptions). Other than n+m = 64, there is no strict requirement for the size of either; see RFC 3513 and RFC 3587. Residential ISPs typically delegate something between /56 and /60.
-
I don't think you quite understand the OP's setup. He has an ISP-provided router on his premises (note the part about VoIP / DECT phones). That router is set up for DHCP-PD; i.e., it gets delegated a /56 dynamically from the ISP; this is a common setup for residential / SOHO internet. He now wants to set up pfSense behind that router; i.e., as a second level of routing in his home. Since the prefix delegated by the ISP is not (guaranteed to be) static, he can't just configure it as such on the pfSense box, and the only way to do dynamic v6 prefix assignment for LANs on pfSense is via DHCP-PD. For that to work, though, his first router (again, this is a router box in his home, not something on the ISP side) would have to re-delegate some part of the /56 it received from the ISP to the pfSense box. His ISP-provided residential gateway may or may not support doing that; like I said, I know pfSense would not.
(As a side note, why would you think it would have to be at least a /48? Anything larger than a /64 can be subnetted, and most residential ISPs will only give you a /56 or less.)
What I would personally do is 1) bridge the ISP router 2) set up pfsense as a transparent firewall. 1 means finding what vlans are using what (voip/video/etc) and letting pfsense handle that, and 2 means accepting that all IPs assigned by pfsense will come from the /64 assigned to the ISP router.
Without a post from the OP it's very difficult to come up with a working scenario, since all I can do is speculate (and get criticized about it).
Besides the ISP router not allowing custom routing tables, nothing stops you (besides a broken keyboard) from using any addresses (even addresses not assigned to you) to route anything within your network. The only thing that breaks is traceroute.
@jflsakfja:
The 49-54 characters (in BITS) are "official" subnetting bits. And by that I mean that if you want a subnet, it has to be a /64, which can only come from the /48 (bits 49-54 in the IPv6 address).
No matter how you count, "49-54" is definitely wrong (note that that's six bits). The first 64 bits in a global unicast v6 address are split into n bits of global routing prefix and m bits of subnet ID (with some exceptions). Other than n+m = 64, there is no strict requirement for the size of either; see RFC 3513 and RFC 3587. Residential ISPs typically delegate something between /56 and /60.
Well spotted. 5 is next to 6 ;)
RFC3513 has been obsoleted. Following the updated RFCs doesn't specify where you must NOT use /48s.
RFC3587 (and your post) says exactly what I'm saying. 64 bits end up in the interface, 48 bits end up in the global routing, which leaves 16 bits for the subnet. As long as your prefix is within those bits, it can be assigned to a site. A site is anything that needs more than one /64, in other words a router with more than 2 interfaces.
They assign the /56s and /60s because most people will never need anything larger than that. A /56 has 256 /64s, which means the router behind it can only have 255 interfaces (1 /64 for ISP router > residential router). A /60 has 16 /64s, which means 15 interfaces. The smallest subnet they can drop to is /63, since it only allows for 2 subnets => 1 "internal" interface.
It's not as easy to just "drop down" a prefix and be done with it. If prefix 1 was routed to a client A and prefix 2 was routed to client B, if the client wishes to get 2 different subnets, the ISP would need to forget 1, and route 3 and 4. I don't see anything wrong with a /56 and a /60 for most residential users.
-
@jflsakfja:
… If prefix 1 was routed to a client A and prefix 2 was routed to client B, if the client wishes to get 2 different subnets, the ISP would need to forget 1, and route 3 and 4....
As I like to read, IF (…) Then (...) Else (...)
So for (cold or hot) sake, what were you trying to say about subnetting and 2 routers in series?
-
@hda:
So for (cold or hot) sake, what were you trying to say about subnetting and 2 routers in series ?
Take a large subnet and split it in 2. 1 small subnet for the router>router and 1 for the 2nd router's "clients".
-
@jflsakfja:
Take a large subnet and split it in 2. 1 small subnet for the router>router and 1 for the 2nd router's "clients".
Yeah right…
But the question was how-to-do, isn't it? Your bridging, taking and splitting, in this specific OP case, is likely not possible or at least not operationally defined.
-
I appreciate everyone's input this far, but nothing is clear on how to actually make this work.
Please allow me to explain my situation in some detail:
- ATT uVerse recently enabled ipv6 on some of their RGs, including mine
- This first implementation appears to support only stateless autoconfig of LAN clients
- Only /64s are being handed out on the LAN side
- The RG itself is claiming it has a /60 delegation
So, assuming that some part of that /60 can be re-delegated to the LAN side of the RG (which is where my pfSense ALIX is plugged in), how would that be done?
Currently the nibble at bit positions 60-63 is zero. And all ipv6 addresses handed out on the LAN side always have a zero in that field. So I'm thinking the LAN side of pfSense would have a value of something other than zero in the 60-63 nibble.
BTW, I totally get that AT&T's current ipv6 implementation is not "router friendly". But it could be years (seriously) before many home users will see "correctly" implemented ipv6 in their homes. I've spent hours with different iterations of static addressing and trying ways to get pfSense to use a subnet of that /60, but I can't ping out from the pfSense LAN side no matter what I try.
-
@gloomrider:
I appreciate everyone's input this far, but nothing is clear on how to actually make this work.
Please allow me to explain my situation in some detail:
- ATT uVerse recently enabled ipv6 on some of their RGs, including mine
Assuming by RG you mean a router.
@gloomrider:
- This first implementation appears to support only stateless autoconfig of LAN clients
- Only /64s are being handed out on the LAN side
- The RG itself is claiming it has a /60 delegation
SLAAC (autoconfig) needs /64s, that's why it hands out /64s. A /60 has 16 /64s.
@gloomrider:
So, assuming that some part of that /60 can be re-delegated to the LAN side of the RG (which is where my pfSense ALIX is plugged in), how would that be done?
No stop, that's not the way to do it.
@gloomrider:
Currently the nibble at bit positions 60-63 is zero. And all ipv6 addresses handed out on the LAN side always have a zero in that field. So I'm thinking the LAN side of pfSense would have a value of something other than zero in the 60-63 nibble.
BTW, I totally get that AT&T's current ipv6 implementation is not "router friendly". But it could be years (seriously) before many home users will see "correctly" implemented ipv6 in their homes. I've spent hours with different iterations of static addressing and trying ways to get pfSense to use a subnet of that /60, but I can't ping out from the pfSense LAN side no matter what I try.
For simplicity's sake I'll explain it in hexadecimal, so you don't have to fiddle around with converting bits to hexadecimal. Subnet used is the subnet reserved for documentation, as shown in RFC3849.
/60:
2001:0db8:0000:0000:0000:0000:0000:0000 (first address) - 2001:0db8:0000:000f:ffff:ffff:ffff:ffff (last address).
The blue part is the per client interface part. You should never ever touch it unless assigning static IPs.
The red part shows the /60. It can only contain 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e and f (16 characters = 16 /64s (part in blue)). Your ISP's router knows that (for any of all combinations of red+blue) the blue part above lies somewhere in the red part, and it can reach them through a smaller subnet (ISP's router WAN side).
What you need to do:
Let clients pick from 0-9 of the red part. This allows you plenty of growing space.
Assign a (character) to pfsense's WAN. For simplicity's sake use 2001:0db8:0000:000a:0000:0000:0000:0001 as pfsense's WAN IP, subnet /64.
Assign b (character) to pfsense's LAN. For simplicity's sake use 2001:0db8:0000:000b:0000:0000:0000:0001 as pfsense's LAN IP, subnet /64.
Assign c (character) to OPT1 and so on and so forth until f (if needed).
Create appropriate allow rules in the interfaces.
IF you are lucky and the ATT router properly implements IPv6 it should work, since IPv6 routers are supposed to "peek" around them and figure out the routing.
If you are unlucky, you'll need to tell the ATT router that the default gateway to networks b-f is pfsense's WAN IP.
Use DHCPv6 (if needed, SLAAC should get you going) internally on pfsense.
Admittedly I haven't tested this exact scenario. Don't stone me to death, just say I'm wrong.
EDIT:
On second thought, use 0-7 (red part) for the ISP's router LAN (a /61), b for pfsense's WAN (/64) and for pfsense's LAN c, d, e and f (/62). Technically that's more valid than what I said above. It also leaves 8, 9 and "a" as spares.
-
So, assuming that some part of that /60 can be re-delegated to the LAN side of the RG (which is where my pfSense ALIX is plugged in), how would that be done?
In theory you might have nibble = 2^4 = 16 subnets with your Residential Gateway. BUT this depends on the RG cooperating though. What I have done, in cooperation with an "ATT free" router:
SET: pfSense WAN / DHCP6 / Prefix Delegation size: =64 / Send IPv6 prefix hint =True
This should get your WAN a /64 address that looks as follows: the first 64 bits the same as your RG (-LAN group) and the last 64 bits the MAC from your pfSense WAN iface.
SET: pfSense LAN / Track Interface / IPv6 Prefix ID: =0
This should get your LAN a /64 address where only the first 60 bits are the same as your RG (WAN). The bits 61 through 64 are different; they are delegated and decided by the RG. The last 64 bits are the MAC of your LAN iface. Then this LAN iface can play SLAAC and accept all the clients in your pfSense LAN. That's it!
Your RG-LAN is now as a DMZ w.r.t. the pfSense. As evidence: My "RG" (AVM FB7360) has subnet value :1: and my pfSense has subnet value :ff:
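Worked example, added here and written by neither poster, that carries out the two things discussed above with Python's ipaddress module: jflsakfja's revised split of a /60 (nibbles 0-7 for the RG LAN, b for pfSense WAN, c-f for pfSense LAN, with an overlap check) and hda's Track Interface / Prefix ID selection of a /64, which refuses an ID that does not fit the delegation's subnet bits. The RFC 3849 documentation prefix is used as a constructed /60 delegation.

```python
import ipaddress

# Constructed input: the RFC 3849 documentation prefix used in the thread,
# taken as a /60 delegation (16 x /64s).
DELEGATED = ipaddress.IPv6Network("2001:db8::/60")

def sixty_fours(delegated):
    """All /64s inside a delegated prefix, indexed by subnet nibble/ID."""
    return list(delegated.subnets(new_prefix=64))

def subnet_from_prefix_id(delegated, prefix_id):
    """The /64 that pfSense's Track Interface / IPv6 Prefix ID selects:
    prefix_id written into the subnet bits (delegated.prefixlen .. 63).
    A /60 leaves 4 subnet bits, so IDs above 0xf cannot fit and are refused."""
    subnet_bits = 64 - delegated.prefixlen
    if not 0 <= prefix_id < (1 << subnet_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in "
                         f"{subnet_bits} subnet bits of a /{delegated.prefixlen}")
    # Subnet bits are the low bits of the upper 64; shift past the 64 host bits.
    base = int(delegated.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << 64), 64))

def split_plan(delegated):
    """The revised split from the post: nibbles 0-7 stay on the RG LAN (/61),
    b becomes pfSense WAN (/64), c-f become pfSense LAN (/62).
    Checks that every piece lies inside the delegation and none overlap."""
    if delegated.prefixlen != 60:
        raise ValueError("the plan is written for a /60 delegation")
    base = int(delegated.network_address)
    plan = {
        "rg_lan": ipaddress.IPv6Network((base | (0x0 << 64), 61)),
        "pfsense_wan": ipaddress.IPv6Network((base | (0xb << 64), 64)),
        "pfsense_lan": ipaddress.IPv6Network((base | (0xc << 64), 62)),
    }
    nets = list(plan.values())
    for i, a in enumerate(nets):
        if not a.subnet_of(delegated):
            raise ValueError(f"{a} is outside {delegated}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return plan

def spare_nibbles(delegated, plan):
    """Subnet nibbles of the delegation that no network in the plan uses."""
    return [i for i, n in enumerate(sixty_fours(delegated))
            if not any(n.subnet_of(p) for p in plan.values())]
```

Running split_plan on the /60 leaves nibbles 8, 9 and a unused, matching the spares named in the post; feeding subnet_from_prefix_id an ID of 0x10 or larger raises, because a /60 only has one nibble of subnet space.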
-
@hda:
So, assuming that some part of that /60 can be re-delegated to the LAN side of the RG (which is where my pfSense ALIX is plugged in), how would that be done?
In theory you might have nibble = 2^4 = 16 subnets with your Residential Gateway. BUT this depends on the RG cooperating though. What I have done, in cooperation with an "ATT free" router:
SET: pfSense WAN / DHCP6 / Prefix Delegation size: =64 / Send IPv6 prefix hint =True
This should get your WAN a /64 address that looks as follows: the first 64 bits the same as your RG (-LAN group) and the last 64 bits the MAC from your pfSense WAN iface.
SET: pfSense LAN / Track Interface / IPv6 Prefix ID: =0
This should get your LAN a /64 address where only the first 60 bits are the same as your RG (WAN). The bits 61 through 64 are different; they are delegated and decided by the RG. The last 64 bits are the MAC of your LAN iface.
I've done exactly this and the pfSense LAN interface never gets an ipv6 address.
EDIT: I see this in the system log (vr2 is the pfSense LAN interface):
radvd[32948]: no auto-selected prefix on interface vr2, disabling advertisements
My assumption is that because the Residential Gateway is using SLAAC (not DHCPv6, that option is currently greyed out on the RG) on its LAN interface (which maps to pfSense WAN interface), the whole "track interface" paradigm won't work.
-
My assumption is that because the Residential Gateway is using SLAAC (not DHCPv6, that option is currently greyed out on the RG) on its LAN interface (which maps to pfSense WAN interface), the whole "track interface" paradigm won't work.
Ah yes, that can be the issue. In my "streetrouter" network settings w.r.t. IPv6 I can set:
"Enable DHCPv6 server in the "streetrouter" for the home network"
"Announce "streetrouter" as DNS server via DHCPv6. Parts of the IPv6 network assigned by the Internet service provider are passed on to downstream routers"
At least now you have a spec. for ATT ;)
-
@jflsakfja:
Your ISP's router knows that (any of all combinations of red+blue) the blue part above lies somewhere in the red part, and it can reach them through a smaller subnet (ISP's router WAN side).
Note that with DHCP-PD, in the general case, your WAN-side prefix does not have to be in any way related to the delegated (LAN-side) prefix. Point in case, as of right now, my WAN prefix is of the form 2001:558:…/128, while my delegated prefix is 2601:9:.../60.
What you need to do:
Let clients pick from 0-9 of the red part. This allows you plenty of growing space.
Assign a (character) to pfsense's WAN. For simplicity's sake use 2001:0db8:0000:000a:0000:0000:0000:0001 as pfsense's WAN IP, subnet /64.
Assign b (character) to pfsense's LAN. For simplicity's sake use 2001:0db8:0000:000b:0000:0000:0000:0001 as pfsense's LAN IP, subnet /64.
Assign c (character) to OPT1 and so on and so forth until f (if needed).
… except the delegated prefix is assigned dynamically with DHCP-PD, so a static setup like you suggest is not feasible. And as I mentioned earlier in the thread, the only way (to my knowledge) to dynamically assign prefixes to downstream interfaces in pfSense is via DHCP-PD / "track interface".
Admittedly I haven't tested this exact scenario. Don't stone me to death, just say I'm wrong.
Done.
-
So since I probably cannot make IPv6 for the client network work with my current setup, I want to get rid of the ISP's router (speedport w724v) completely and let pfsense handle everything solely (as it was before we switched to VoIP).
What I need is some sort of DECT base station that does VoIP or can "forward" VoIP to an Asterisk (I'm not exactly sure what this would look like, VoIP is new to me).
Are there all-in-one boxes that can do this and don't require to be the main router to the internet? (So I just have to open the ports for it in the firewall/NAT.)
I could also set up a VM with Asterisk, but I somehow need the hardware to connect the phones via DECT, and if the hardware has to be plugged into the server it has to work with PCI passthrough on VMware ESXi.