IPv6 to PFsense Lan behind Fritz!Box 6360
-
See attached images of the current Fritz!Box (first router) and pfSense (second router) configs.
Well, you have the /48 on the FB. Good.
Connect pfSense on a FB LAN port.
Further on FB config:
"Require certain length for the LAN prefix": 64 bits (this is for your pfSense WAN "home" network)
"Assign DNS server and IPv6 prefix (IA_PD)" (this should work too in your case.)
Now, let pfSense WAN ask with "DHCP6" towards the FB.
It should get an IPv6 where the leftmost 64 bits are the same as those from the /48 on the FB.
The rightmost 64 bits are the MAC of the pfSense WAN. (See pfSense Interfaces)
Your remark about "DHCPv6 Server can only be enabled…" is relevant only if you use the pfSense-LAN DHCP server, but that is excluded because of your choice of "Track Interface". So nonsense towards FB ;)
-
@hda:
See attached images of the current Fritz!Box (first router) and pfSense (second router) configs.
Well, you have the /48 on the FB. Good.
Connect pfSense on a FB LAN port.
Further on FB config:
"Require certain length for the LAN prefix": 64 bits (this is for your pfSense WAN "home" network)
"Assign DNS server and IPv6 prefix (IA_PD)" (this should work too in your case.)
Now, let pfSense WAN ask with "DHCP6" towards the FB.
It should get an IPv6 where the leftmost 64 bits are the same as those from the /48 on the FB.
The rightmost 64 bits are the MAC of the pfSense WAN. (See pfSense Interfaces)
Your remark about "DHCPv6 Server can only be enabled…" is relevant only if you use the pfSense-LAN DHCP server, but that is excluded because of your choice of "Track Interface". So nonsense towards FB ;)
pfSense is connected to the FB and I am requesting a /64, but I have also tried every other option from /64 to /48 and no go.
pfSense gets the IPv6 address 2001:14b8:XXX:0:XXX:XXX:fe01:150c, and that would be the first /64 of the full /48, but I am not able to get traffic between the LAN and WAN networks.
LAN has the static IPv6 /64 2001:14b8:XXX:1::a and that is the next-in-line /64 of the assigned /48.
I have rules allowing all IPv6 from and to WAN <-> LAN just to rule out that a rule would be the blocking reason.
-
LAN has the IPv6 static /64 2001:14b8:XXX:1::a and that is the next in line /64 of the assigned /48.
OK. you have an IPv6 on pfSense WAN.
Now, the pfSense-LAN will get another/different subnet value than pfSense-WAN. (your subnet values are from /49 to /64)
You can not decide on a FB subnet value for your pfSense-LAN with Static.
That value, as I wrote earlier, is up to FB to decide with help from LAN "Track Interface".
N.B. as I wrote, did you set /64 for FB-LAN in FB?
-
@hda:
You can not decide on a FB subnet value for your LAN with static.
That value, as I wrote earlier, is up to FB to decide with help from LAN "Track Interface".
N.B. as I wrote, did you set /64 for LAN in FB?
Yes but I can not use "Track Interface" due to I need to set static ip to be the 2001:14b8:XXX:1:: /64 network.
As I am using a DHCPv6 server on the LAN network that is using the 2001:14b8:XXX:1::/64 network, and even pfSense DHCPv6 requires a static IPv6 on the LAN gateway to be set.
Is it not possible to use the statically set 2001:14b8:XXX:1::a for the LAN gateway and have WAN <-> LAN traffic?
Is it only possible to use "Track Interface" if I want IPv6 traffic between LAN and WAN?
-
Yes but I can not use "Track Interface" due to I need to set static ip to be the 2001:14b8:XXX:1:: /64 network.
As I am using a DHCPv6 server on the LAN network that is using the 2001:14b8:XXX:1::/64 network, and even pfSense DHCPv6 requires a static IPv6 on the LAN gateway to be set.
Why do you insist on doing these settings which for sure will not function? What told you so?
My advice is to let go of the DHCP server on LAN. Let go of Static. First try is to work with SLAAC.
Obviously you follow the proposed instructions or you are on your own to experiment using trial & horror :)
You can succeed or find out if you answer exactly or stick to close-reading what is written.
And when you change pfSense WAN & LAN config, then reboot. But first reboot the FB too. Start clean memories.
It can take several minutes before pfSense reports correctly [Status > Interfaces]
-
Is it not possible to use the statically set 2001:14b8:XXX:1::a for the LAN gateway and have WAN <-> LAN traffic?
Is it only possible to use "Track Interface" if I want IPv6 traffic between LAN and WAN?
True. A FritzBox is in command and is programmed a certain way to manage subnetting.
FB has subnet "0", "1" and "2" reserved for itself. Sometimes "fc" seems to work as static, but is not reliable.
The question is "how to get the subnet value and the cooperation from the FB" for your pfSense-LAN.
While you think maybe "1" is ok, FB will not accept that by static request and would like to supply (by DHCP6 client request), say, "ff".
-
Ok, thanks for the help anyway.
The "Track Interface" solution does not work for me and I need to have a static gateway /64. If that is something that does not work with pfSense then I guess I will have to wait until it works or until someone can explain how to make it work in a similar way not using "Track Interface".
-
… I need to have static gateway /64....
This does not make sense to me.
Can you explain on that w.r.t. doing DHCP6 towards FB, because FB+pfSense can take care of that automatically. (DNS & GW)
-
@hda:
This does not make sense to me.
Can you explain on that w.r.t. doing DHCP6 towards FB, because FB+pfSense can take care of that automatically. (DNS & GW)
The network is not just a home network, I'm running a full AD environment.
It's more or less a proving ground for different network setups and domain controller setups.
So I have Windows servers running and managing all aspects of the network. pfSense is just there as a firewall. Now, to get DirectAccess working in Windows Server 2012 R2, IPv6 is required and that setup has to be static, so I can't have my network switching IPs and networks. I am also using other features that require statically assigned IPv6 addresses.
Now if I just wanted to enable IPv6 for some home laptop and whatnot then I would be fine with "Track Interface" but I need the control of the /64 to be in the hands of the AD servers and not on the pfSense.
Hope that answers your question.
-
Now, to get DirectAccess working in Windows Server 2012 R2, IPv6 is required and that setup has to be static, so I can't have my network switching IPs and networks. I am also using other features that require statically assigned IPv6 addresses.
But first you still need to negotiate the leftmost 64 bits for your pfSense-LAN, because AIUI that part you will need to use for your server park…
i.e. I have FB-LAN == pfSense-WAN as 2001:babe:face:1:: /64 and pfSense-LAN as 2001:babe:face:ff:: /64.
The subnet value "ff" is not my choice but supplied by FB.
-
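To make the subnet arithmetic in the exchange above concrete, here is an added Python example; it is not code from the thread, from hda, from pfSense or from AVM. It uses the standard ipaddress module to show what the two routers are negotiating: the /48 the Fritz!Box holds, the /64 handed to pfSense for its LAN by filling the 16 bits between the /48 and /64 boundaries with a subnet value such as "1" or "ff", the WAN address built from subnet 0 plus the modified EUI-64 of the WAN MAC (the "ff:fe" visible in the middle of the address in the thread), and a check whether a hand-configured static LAN /64 coincides with the /64 actually delegated. The prefix 2001:db8:abcd::/48 and the MAC 00:11:22:33:44:55 are constructed sample values from the documentation ranges, and the "subnet value" model of the delegated /64 is an assumption made for this example, not a guarantee about Fritz!Box behaviour.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC.

    The MAC is split in two, ff:fe is inserted in the middle and the
    universal/local bit of the first octet is flipped. This is why an
    autoconfigured address shows "ff:fe" inside its lower 64 bits.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def wan_address(delegated_48: str, wan_mac: str) -> ipaddress.IPv6Address:
    """pfSense WAN address as described in the thread: subnet 0 of the
    Fritz!Box /48 in the upper 64 bits, EUI-64 of the WAN MAC in the lower 64."""
    net = ipaddress.IPv6Network(delegated_48)
    if net.prefixlen != 48:
        raise ValueError("expected a /48")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(wan_mac))


def tracked_lan_subnet(delegated_48: str, subnet_value: int) -> ipaddress.IPv6Network:
    """The /64 carved out of the /48 for the pfSense LAN.

    Assumption for this example: the 16 bits between the /48 and the /64
    boundary carry the subnet value the thread talks about ("1", "ff", ...).
    """
    net = ipaddress.IPv6Network(delegated_48)
    if net.prefixlen != 48 or not 0 <= subnet_value <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit subnet value")
    return ipaddress.IPv6Network((int(net.network_address) | (subnet_value << 64), 64))


def static_lan_matches(delegated_48: str, subnet_value: int, static_lan_cidr: str) -> bool:
    """True only if a hand-configured LAN address/prefix lies in the very /64
    that was delegated. If the upstream router picks a different subnet value,
    routing breaks even though the static /64 is "inside" the /48."""
    wanted = ipaddress.IPv6Interface(static_lan_cidr).network
    return wanted == tracked_lan_subnet(delegated_48, subnet_value)


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a made-up MAC.
    pd, mac = "2001:db8:abcd::/48", "00:11:22:33:44:55"
    print("WAN address:", wan_address(pd, mac))
    for value in (0x1, 0xFF):
        print(f"LAN /64 with subnet value {value:x}:", tracked_lan_subnet(pd, value))
    print("static ...:1::a/64 matches a delegated 'ff'?",
          static_lan_matches(pd, 0xFF, "2001:db8:abcd:1::a/64"))
```

Running it shows the point hda is making: a LAN configured statically as subnet "1" only works if the upstream router delegates exactly that /64; if it hands out "ff" instead, the static configuration and the delegated route disagree and LAN <-> WAN traffic has no matching return path.
-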
Yes but how to make that without using "track interface" is the big question.
-
Yes but how to make that without using "track interface" is the big question.
No big question at all. Remove the FB !
Because, as you apparently misunderstand, the (FB-pfSense) setup will not work (reliably) without Track Interface.
You might though guess & succeed with trying the subnet value "fc", but as soon as you reboot FB such will be lost.
-
Would be nice if you could comment without the attitude. No misunderstanding.
I am simply asking the question Can It Be Done Now and if no then is it in the pipeline for pfSense for this type of scenario.
As your opinion is use "Track Interface" or lose, then I will simply wait until I can get a firmware update for the FB that would allow me to bridge/switch the ISP router, or pfSense makes a hail mary.
-
You're basically asking for instructions on how to statically configure a dynamically assigned prefix. This is not a missing feature in pfSense; it just doesn't make sense.
-
Also, what you really want is not getting rid of track interface, but rather allowing DHCP6 settings to be configured on a tracking interface. It's already running a DHCP6 server; this is purely a GUI limitation. I opened an issue on this in Redmine over a year ago, but going by the complete lack of responses, it doesn't seem like this is on anyone's radar at ESF.
-
Well, thank you for the response/info anyway.
My questions have been answered, my current setup can not be solved at this stage for this network setup.
So options are to somehow get FB out of the picture or wait for a feature that might or might not be added.
-
You can definitely use a private address on the pfsense WAN. That will work.
And if you must have IPV6 on the pfsense, you can get a GIF interface from Hurricane Electric.
That way you can assign a static /48 IPv6 to pfSense.
As long as you can open ICMP for ping on the router connected directly to the Internet it should work.
It's not exactly what you asked about but it gets you both IPv4 and 6 on pfSense and your Fritz!Box.
-
You can definitely use a private address on the pfsense WAN. That will work.
And if you must have IPV6 on the pfsense, you can get a GIF interface from Hurricane Electric.
That way you can assign a static /48 IPv6 to pfSense.
As long as you can open ICMP for ping on the router connected directly to the Internet it should work.
It's not exactly what you asked about but it gets you both IPv4 and 6 on pfSense and your Fritz!Box.
I have tested HE and SixXS on the pfSense using GIF but have not been able to get it to work behind the FB. The connection from FB to pfSense is an "Exposed Host" connection so FB is not blocking anything, but I am still not able to get the GIF connection to work.
Will try to set it up again as that would indeed fix my issue, and that was the first configuration I tried the first time almost a year ago (and a few times since then with different pfSense versions).
-
It can be done - Trust me.
For example, I have a home network here that is crap.
It's a DSL connection and access to things like allowing ICMP is blocked.
Basic port forwarding is all that can happen in this apartment, so not able to set up HE here or IPV6.
Soooooo - I took a machine, installed a Linux Mint VM and a pfsense VM.
Then I set pfsense as openvpn client to a server I have running in the USA.
Then I set the endpoint of the HE tunnel as the machine in the USA.
But all the rest of the HE IPV6 settings I installed on the pfsense VM running here.
So, I get USA IPV4 and a /48 here, on this pfsense, but the GIF interface is tunneled through my machine in the USA.
All that because my ISP here blocks ICMP by default.
Where there is a will, there is a way.
-
I have tested HE and SixXS on the pfSense using GIF but have not been able to get it to work behind the FB. The connection from FB to pfSense is an "Exposed Host" connection so FB is not blocking anything, but I am still not able to get the GIF connection to work.
Note that forwarding TCP and UDP (which is most likely what your "exposed host" setting does) is not sufficient; you'll need to forward protocol 41 (6in4) as well.
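As an added illustration of that last point (not code from the thread, from pfSense, from the Fritz!Box or from Hurricane Electric): a small Python parser that tells a 6in4 tunnel packet apart from ordinary TCP/UDP traffic. The outer IPv4 header of a tunnel packet carries protocol number 41 and no port numbers at all, so a forwarding rule that only matches TCP/UDP destination ports has nothing to match on, and the inner IPv6 header only becomes reachable once protocol 41 itself is passed through. The packets, addresses and the two forwarder models are constructed for this example; the models are a simplified assumption about how a port-based versus a protocol-based forward is evaluated, not a description of the Fritz!Box "Exposed Host" implementation.

```python
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6 = 6, 17, 41  # 41 = IPv6 encapsulated in IPv4 (6in4)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left 0; nothing here is sent on a wire)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    """Fixed 40-byte IPv6 header."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def classify(packet: bytes) -> dict:
    """Parse the outer IPv4 header; for protocol 41 also parse the inner IPv6 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    info = {
        "proto": packet[9],
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
    }
    payload = packet[ihl:]
    if info["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        # Both transports start with 16-bit source and destination ports.
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    elif info["proto"] == IPPROTO_IPV6 and len(payload) >= 40:
        # No ports: the payload is a whole IPv6 packet, addresses at offsets 8 and 24.
        info["inner_src"] = str(ipaddress.IPv6Address(payload[8:24]))
        info["inner_dst"] = str(ipaddress.IPv6Address(payload[24:40]))
    return info


def port_forward_passes(packet: bytes, forwarded_ports: set) -> bool:
    """Model of a TCP/UDP port forward: it only ever looks at destination ports."""
    info = classify(packet)
    return info["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and info.get("dport") in forwarded_ports


def protocol_forward_passes(packet: bytes, allowed_protocols: set) -> bool:
    """Model of a forward that matches on the IP protocol number instead."""
    return classify(packet)["proto"] in allowed_protocols


def sample_6in4_packet() -> bytes:
    """Constructed: an ICMPv6-carrying IPv6 packet wrapped in IPv4 for a tunnel endpoint."""
    inner = ipv6_header("2001:db8::1", "2001:db8::2", 58, 0)
    return ipv4_header("192.0.2.1", "198.51.100.2", IPPROTO_IPV6, len(inner)) + inner


def sample_tcp_packet() -> bytes:
    """Constructed: an IPv4 TCP segment to port 443 (header bytes only)."""
    tcp = struct.pack("!HH", 51000, 443) + bytes(16)
    return ipv4_header("192.0.2.1", "198.51.100.2", IPPROTO_TCP, len(tcp)) + tcp


if __name__ == "__main__":
    for name, pkt in (("6in4", sample_6in4_packet()), ("tcp/443", sample_tcp_packet())):
        print(name, classify(pkt))
        print("  passes a port forward for 443?", port_forward_passes(pkt, {443}))
        print("  passes a forward of TCP+UDP only?",
              protocol_forward_passes(pkt, {IPPROTO_TCP, IPPROTO_UDP}))
        print("  passes a forward of TCP+UDP+41?",
              protocol_forward_passes(pkt, {IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6}))
```

The practical check this models is the one to run before blaming the tunnel broker: confirm on the inside router that packets with IP protocol 41 (and the ICMP echo the broker uses to probe the endpoint) actually arrive from the upstream router, rather than only TCP and UDP.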