IPv6 not working when pfsense is behind ISPs Router
-
I appreciate everyone's input this far, but nothing is clear on how to actually make this work.
Please allow me to explain my situation in some detail:
-
ATT uVerse recently enabled ipv6 on some of their RGs, including mine
-
This first implementation appears to support only stateless autoconfig of LAN clients
-
Only /64s are being handed out on the LAN side
-
The RG itself is claiming it has a /60 delegation
So, assuming that some part of that /60 can be re-delegated to the LAN side of the RG (which is where my pfSense ALIX is plugged in), how would that be done?
Currently the nibble at bit positions 60-63 is zero. And all ipv6 addresses handed out on the LAN side always have a zero in that field. So I'm thinking the LAN side of pfSense would have a value of something other than zero in the 60-63 nibble.
BTW, I totally get that AT&T's current ipv6 implementation is not "router friendly". But it could be years (seriously) before many home users will see "correctly" implemented ipv6 in their homes. I've spent hours with different iterations of static addressing and trying ways to get pfSense to use a subnet of that /60, but I can't ping out from the pfSense LAN side no matter what I try.
-
I appreciate everyone's input this far, but nothing is clear on how to actually make this work.
Please allow me to explain my situation in some detail:
- ATT uVerse recently enabled ipv6 on some of their RGs, including mine
Assuming by RG you mean a router.
@gloomrider:
This first implementation appears to support only stateless autoconfig of LAN clients
-
Only /64s are being handed out on the LAN side
-
The RG itself is claiming it has a /60 delegation
SLAAC (autoconfig) needs /64s; that's why it hands out /64s. A /60 has 16 /64s.
@gloomrider:So, assuming that some part of that /60 can be re-delegated to the LAN side of the RG (which is where my pfSense ALIX is plugged in), how would that be done?
No stop, that's not the way to do it.
@gloomrider:Currently the nibble at bit positions 60-63 is zero. And all ipv6 addresses handed out on the LAN side always have a zero in that field. So I'm thinking the LAN side of pfSense would have a value of something other than zero in the 60-63 nibble.
BTW, I totally get that AT&T's current ipv6 implementation is not "router friendly". But it could be years (seriously) before many home users will see "correctly" implemented ipv6 in their homes. I've spent hours with different iterations of static addressing and trying ways to get pfSense to use a subnet of that /60, but I can't ping out from the pfSense LAN side no matter what I try.
For simplicity's sake I'll explain it in hexadecimal, so you don't have to fiddle around with converting bits to hexadecimal. Subnet used is the subnet reserved for documentation, as shown in RFC3849.
/60:
2001:0db8:0000:0000:0000:0000:0000:0000(first address)-2001:0db8:0000:000f:ffff:ffff:ffff:ffff(last address).
The blue part is the per client interface part. You should never ever touch it unless assigning static IPs.
The red part shows the /60. It can only contain 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e and f (16 characters = 16 /64s (part in blue)). Your ISP's router knows that (any of all combinations of red+blue) the blue part above lies somewhere in the red part, and it can reach them through a smaller subnet (ISP's router WAN side).
What you need to do:
Let clients pick from 0-9 of the red part. This allows you plenty of growing space.
Assign a (character) to pfsense's WAN. For simplicity's sake use 2001:0db8:0000:000a:0000:0000:0000:0001 as pfsense's WAN IP, subnet /64.
Assign b (character) to pfsense's LAN. For simplicity's sake use 2001:0db8:0000:000b:0000:0000:0000:0001 as pfsense's LAN IP, subnet /64.
Assign c (character) to OPT1 and so on and so forth until f (if needed).
Create appropriate allow rules in the interfaces.
IF you are lucky and the ATT router properly implements IPv6 it should work, since IPv6 routers are supposed to "peek" around them and figure out the routing.
If you are unlucky, you'll need to tell the ATT router that the default gateway to networks b-f is pfsense's WAN IP.
Use DHCPv6 (if needed, SLAAC should get you going) internally on pfsense.
Admittedly I haven't tested this exact scenario. Don't stone me to death, just say I'm wrong.
EDIT:
On second thought, use 0-7 (red part) for the ISP's router LAN (a /61), b for pfsense's WAN (/64) and for pfsense's LAN c, d, e and f (/62). Technically that's more valid than what I said above. It also leaves 8, 9 and "a" as spares.
-
So, assuming that some part of that /60 can be re-delegated to the LAN side of the RG (which is where my pfSense ALIX is plugged in), how would that be done?
In theory you might have nibble = 2^4 = 16 subnets with your Residential Gateway. BUT this depends on the RG cooperating. What I have done, in cooperation with an "ATT free" router:
SET: pfSense WAN / DHCP6 / Prefix Delegation size: =64 / Send IPv6 prefix hint =True
This should get your WAN a /64 address that looks as follows: the first 64 bits the same as your RG (-LAN group) and the last 64 bits the MAC from your pfSense WAN iface.
SET: pfSense LAN / Track Interface / IPv6 Prefix ID: =0
This should get your LAN a /64 address where only the first 60 bits are the same as your RG (WAN). The bits 61 through 64 are different; they are delegated and decided by the RG. The last 64 bits are the MAC of your LAN iface. Then this LAN iface can play SLAAC and accept all the clients in your pfSense LAN. That's it!
Your RG-LAN is now as a DMZ w.r.t. the pfSense.
As evidence: My "RG" (AVM FB7360) has subnet value :1: and my pfSense has subnet value :ff:
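As an added worked example (not code from any poster in this thread), here is the hex-nibble arithmetic from jflsakfja's post and the "IPv6 Prefix ID" selection from hda's track-interface setup, done with Python's ipaddress module. The function names and the plan dictionary are my own; the /60 is the RFC 3849 documentation prefix the post used, and prefix_for_id also handles shorter delegations such as a /56.

```python
import ipaddress

# Constructed example: the RFC 3849 documentation prefix the post uses as its /60.
DELEGATED = "2001:db8::/60"

def subnet_nibble(addr):
    """Hex digit at bit positions 60-63 of an address: the 'red' nibble that is
    always zero on the RG's own LAN side."""
    return (int(ipaddress.IPv6Address(addr)) >> 64) & 0xF

def prefix_for_id(delegated, prefix_id):
    """The /64 inside a delegated prefix selected by a pfSense-style 'IPv6 Prefix
    ID'. Generalises the /60 case: a /56 offers 256 ids, a /48 offers 65536."""
    net = ipaddress.IPv6Network(str(delegated))
    if net.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    ids = 1 << (64 - net.prefixlen)
    if not 0 <= prefix_id < ids:
        raise ValueError(f"prefix id must be 0..{ids - 1:x} for a /{net.prefixlen}")
    return ipaddress.IPv6Network((int(net.network_address) + (prefix_id << 64), 64))

def aggregate(delegated, first_id, last_id):
    """Single prefix covering ids first..last, or None when they do not form one
    aligned block (ids 0-7 make a /61, c-f a /62, but 1-2 need two /64s)."""
    nets = [prefix_for_id(delegated, i) for i in range(first_id, last_id + 1)]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged[0] if len(merged) == 1 else None

def plan_from_edit(delegated):
    """The split proposed in the EDIT: 0-7 for the RG's LAN, b for pfSense WAN,
    c-f for pfSense LAN, with 8, 9 and a left as spares."""
    return {
        "rg_lan": aggregate(delegated, 0x0, 0x7),
        "pfsense_wan": prefix_for_id(delegated, 0xB),
        "pfsense_lan": aggregate(delegated, 0xC, 0xF),
        "spare": [prefix_for_id(delegated, i) for i in (0x8, 0x9, 0xA)],
    }

if __name__ == "__main__":
    for name, net in plan_from_edit(DELEGATED).items():
        print(f"{name:12} {net}")
    # The nibble check from the thread: RG-side addresses carry 0, pfSense LAN carries c-f.
    print(subnet_nibble("2001:db8:0:c::1"))
```

Running it prints the /61, /64 and /62 from the EDIT plus the three spare /64s, and aggregate() returning None is the quick way to see that an id range which does not align (1-2, for instance) cannot be a single route on the RG.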
-
@hda:
So, assuming that some part of that /60 can be re-delegated to the LAN side of the RG (which is where my pfSense ALIX is plugged in), how would that be done?
In theory you might have nibble = 2^4 = 16 subnets with your Residential Gateway. BUT this depends on the RG cooperating. What I have done, in cooperation with an "ATT free" router:
SET: pfSense WAN / DHCP6 / Prefix Delegation size: =64 / Send IPv6 prefix hint =True
This should get your WAN a /64 address that looks as follows: the first 64 bits the same as your RG (-LAN group) and the last 64 bits the MAC from your pfSense WAN iface.
SET: pfSense LAN / Track Interface / IPv6 Prefix ID: =0
This should get your LAN a /64 address where only the first 60 bits are the same as your RG (WAN). The bits 61 through 64 are different; they are delegated and decided by the RG. The last 64 bits are the MAC of your LAN iface.
I've done exactly this and the pfSense LAN interface never gets an ipv6 address.
EDIT: I see this in the system log (vr2 is the pfSense LAN interface):
radvd[32948]: no auto-selected prefix on interface vr2, disabling advertisements
My assumption is that because the Residential Gateway is using SLAAC (not DHCPv6, that option is currently greyed out on the RG) on its LAN interface (which maps to pfSense WAN interface), the whole "track interface" paradigm won't work.
-
My assumption is that because the Residential Gateway is using SLAAC (not DHCPv6, that option is currently greyed out on the RG) on its LAN interface (which maps to pfSense WAN interface), the whole "track interface" paradigm won't work.
Ah yes, that can be the issue. In my "streetrouter" network settings w.r.t. IPv6 I can set:
"Enable DHCPv6 server in the "streetrouter" for the home network"
"Announce "streetrouter" as DNS server via DHCPv6. Parts of the IPv6 network assigned by the Internet service provider are passed on to downstream routers"
At least now you have a spec. for ATT ;)
-
@jflsakfja:
Your ISP's router knows that (any of all combinations of red+blue) the blue part above lies somewhere in the red part, and it can reach them through a smaller subnet (ISP's router WAN side).
Note that with DHCP-PD, in the general case, your WAN-side prefix does not have to be in any way related to the delegated (LAN-side) prefix. Case in point: as of right now, my WAN prefix is of the form 2001:558:…/128, while my delegated prefix is 2601:9:.../60.
What you need to do:
Let clients pick from 0-9 of the red part. This allows you plenty of growing space.
Assign a (character) to pfsense's WAN. For simplicity's sake use 2001:0db8:0000:000a:0000:0000:0000:0001 as pfsense's WAN IP, subnet /64.
Assign b (character) to pfsense's LAN. For simplicity's sake use 2001:0db8:0000:000b:0000:0000:0000:0001 as pfsense's LAN IP, subnet /64.
Assign c (character) to OPT1 and so on and so forth until f (if needed).
… except the delegated prefix is assigned dynamically with DHCP-PD, so a static setup like you suggest is not feasible. And as I mentioned earlier in the thread, the only way (to my knowledge) to dynamically assign prefixes to downstream interfaces in pfSense is via DHCP-PD / "track interface".
Admittedly I haven't tested this exact scenario. Don't stone me to death, just say I'm wrong.
Done.
-
So since I probably cannot make IPv6 for the client network work with my current setup, I want to get rid of the ISP's router (Speedport W724V) completely and let pfSense handle everything solely (as it was before we switched to VoIP).
What I need is some sort of DECT base station that does VoIP or can "forward" VoIP to an Asterisk (I'm not exactly sure what this would look like; VoIP is new to me).
Are there all-in-one boxes that can do this and don't require being the main router to the internet? (So I just have to open the ports for it in the firewall/NAT.)
I could also set up a VM with Asterisk, but I somehow need the hardware to connect the phones via DECT, and if the hardware has to be plugged into the server it has to work with PCI passthrough on VMware ESXi.