IPv6 to PFsense Lan behind Fritz!Box 6360
-
Hi,
The situation is as follows:
ISP Cable Internet (IPv4)
|
Fritz!Box 6360 with Heartbeat tunnel from Sixxs (2001:14b8:YYY:XXX::2)
|
WLAN DMZ Network (192.168.178.1/24) and 2001:14b8:XXX::/48
|
pfSense Router for internal network (10.0.1.0/24) and 2001:14b8:XXX:1::aThe Fritz!Box can not be bridged(not available in the ISP specific firmware) so I have set up a IPv6 Heartbeat tunnel from Sixxs in the Fritz!Box and not on the PFsense like I would like to.
The Fritz!Box Lan has working IPv6 and any device connected gets 10/10 from the IPv6 tests run from test-ipv6.com.
Now the tunnel from Sixxs is the Routed /64 Subnet plus one /48.
I am at the moment using DHCPv6 on the PFsense WAN and the options:
1. Request a IPv6 prefix/information through the IPv4 connectivity link.
2. DHCPv6 Prefix Delegation size = 48.
3. Send an IPv6 prefix hint to indicate the desired prefix size for delegation = true.WAN IPv6 adress is set to 2001:14b8:XXX:0:215:5dff:fe01:150c, the PFsense GateWay is fe80::2665:11ff:fef9:98ba.
On PFsense LAN I have a static IPv6 adress set 2001:14b8:XXX:1::a and devices on the LAN network are serviced by a DHCPv6 server giving out the /64 2001:14b8:XXX:1::
Now when I ping ipv6.google.com from the PFsense web interface "Diagnostics->ping" using the WAN or default network everything is ok:
PING6(56=40+8+8 bytes) 2001:14b8:XXX:0:215:5dff:fe01:150c –> 2a00:1450:4010:c04::66
16 bytes from 2a00:1450:4010:c04::66, icmp_seq=0 hlim=51 time=35.793 ms
16 bytes from 2a00:1450:4010:c04::66, icmp_seq=1 hlim=51 time=37.058 ms
16 bytes from 2a00:1450:4010:c04::66, icmp_seq=2 hlim=51 time=37.560 ms--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 35.793/36.804/37.560/0.743 msBut using PFsense LAN as the Source Address to ping from the web interface gets stuck in limbo(continuously loads/waits) and does not return anything. restarting the web interface is the only exit.
I have also tried setting the PFsense WAN interface to /52 /56 /60 /62 /64 just to rule out all options.
So where am I having a brain fart and what should I be doing instead?
It is not a option to use "track interface" on the LAN site as I am assigning IPv6 addresses to the clients from another DHCPv6 server in the internal network from the /64 mentioned.
Also tried SLAC from the Fritz!Box but getting the same results.
Please help anyone who can because this is driving me nuts :)
PS. running on PFsense firmware: 2.2-ALPHA (amd64) built on Sat Aug 30 11:37:28 CDT 2014 FreeBSD 10.0-STABLE
-
I am at the moment using DHCPv6 on the PFsense WAN and the options:
1. Request a IPv6 prefix/information through the IPv4 connectivity link.
2. DHCPv6 Prefix Delegation size = 48.
3. Send an IPv6 prefix hint to indicate the desired prefix size for delegation = true.But you write your long story as your FB having the authority w.r.t. IPv6…?
i.e. FB has the Sixxs connect on a /64 ? Why is that ?
Is it meant to use the /48 OR the /64, but not both at the same time?This 1st router will delegate to the 2nd router pfSense on request, provided the FB can act as an IPv6 DHCP server.
So, therefore ask the FB for a delegation of size /64, if your FB-Lan runs (likely) /64.
Then next in combination with pfSense-Lan do Track Interface (SLAAC and not DHCPserver) -
Then I´m just explaining it badly..
New to IPv6 so still using IPv4 mindset when trying to understand the way to set up subnets.
The solution I want to have is 1 internal LAN behind the PFsense using 10.0.1.0/24) and public IPv6 2001:14b8:XXX:1::/64
The Fritz!Box will have to be the IPv6 authority(first Router connected to Sixxs) as I can not get Sixxs to work directly with the PFsense behind the Fritz!Box without being able to bridge the Fritz!Box.
How can I have a LAN using the specific 2001:14b8:XXX:1::/64 if I enable "Track Interface" ?
Or do you mean that by using "Track Interface" I can then use a Windows DHCPv6 server on the LAN giving out the 2001:14b8:XXX:1::/64 range and all will work fine?
Unfortunately I have tried using "Track Interface" also but the Lan network is not able to ping or trace-route over to the WAN.
How do I know what address do define as "default gateway" in the Windows DHCPv6 server in the LAN if the LAN is using "Track Interface" and does not have a specified IPv6 address?
-
How can I have a LAN using the specific 2001:14b8:XXX:1::/64 if I enable "Track Interface" ?
Try to get the /48 on the FB. Then i.e. for subnet values something will happen like:
FB WAN will get 2001:14b8:xxx:0::
FB LAN will get 2001:14b8:xxx:1:: (config FB as /64 LAN ).Config your FB as DHCPserver for the homenetwork.
pfSense WAN will get 2001:14b8:xxx:1:aMAC with pfSense DHCP6 prefix delegation (/64) from FB.
pfSense LAN will get 2001:14b8:xxx:z:aMAC with pfSense Track Interface (the value of 'z' is upto FB).Then pfSense-LAN will allow connect the other clients if with SLAAC.
-
@hda:
How can I have a LAN using the specific 2001:14b8:XXX:1::/64 if I enable "Track Interface" ?
Try to get the /48 on the FB. Then i.e. for subnet values something will happen like:
FB WAN will get 2001:14b8:xxx:0::
FB LAN will get 2001:14b8:xxx:1:: (config FB as /64 LAN ).Config your FB as DHCPserver for the homenetwork.
pfSense WAN will get 2001:14b8:xxx:1:aMAC with pfSense DHCP6 prefix delegation (/64) from FB.
pfSense LAN will get 2001:14b8:xxx:z:aMAC with pfSense Track Interface (the value of 'z' is upto FB).Then pfSense-LAN will allow connect the other clients if with SLAAC.
The issue with what you suggest is that FB requires a static IPv6 IP to be set before you can use the DHCPv6 server (same as DHCPv4):
"The DHCPv6 Server can only be enabled on interfaces configured with static IP addressesOnly interfaces configured with a static IP will be shown."See attached images of the current Fritz!Box(First router) and PFSense(Second router) configs.
-
See attached images of the current Fritz!Box(First router) and PFSense(Second router) configs.
Well, you have the /48 on the FB. Good.
Connect pfSense on a FB LAN port.Further on FB config:
"Require certain length for the LAN prefix": 64 bits (this is for your pfSense WAN "home" network)
"Assign DNS server and IPv6 prefix (IA_PD)" (this should work too in your case.)Now, let pfSense WAN ask with "DHCP6" towards the FB.
It should get an IPv6 where the leftmost 64 bits are the same as those from the /48 on the FB.
The rightmost 64 bits are the MAC of the pfSense WAN. (See pfSense Interfaces)Your remark about "DHCPv6 Server can only be enabled…" is relevant only if you use pfSense-LAN DHCPserver, but which is excluded because of your choice of "Track Interface". So non-sense towards FB ;)
-
@hda:
See attached images of the current Fritz!Box(First router) and PFSense(Second router) configs.
Well, you have the /48 on the FB. Good.
Connect pfSense on a FB LAN port.Further on FB config:
"Require certain length for the LAN prefix": 64 bits (this is for your pfSense WAN "home" network)
"Assign DNS server and IPv6 prefix (IA_PD)" (this should work too in your case.)Now, let pfSense WAN ask with "DHCP6" towards the FB.
It should get an IPv6 where the leftmost 64 bits are the same as those from the /48 on the FB.
The rightmost 64 bits are the MAC of the pfSense WAN. (See pfSense Interfaces)Your remark about "DHCPv6 Server can only be enabled…" is relevant only if you use pfSense-LAN DHCPserver, but which is excluded because of your choice of "Track Interface". So non-sense towards FB ;)
PFsense is connected to the FB and I am requesting a /64 but I have also tried with every other /64- /48 option and no go.
PFsense gets the IPv6 IP : 2001:14b8:XXX:0:XXX:XXX:fe01:150c and that would be the first /64 of the full /48 but I am not able to get traffic between the LAN and WAN networks
LAN has the IPv6 static /64 2001:14b8:XXX:1::a and that is the next in line /64 of the assigned /48.I have Rules allowing all IPv6 from and to WAN <-> LAN just to rule out that a rule would be the blocking reason.
-
LAN has the IPv6 static /64 2001:14b8:XXX:1::a and that is the next in line /64 of the assigned /48.
OK. you have an IPv6 on pfSense WAN.
Now, the pfSense-LAN will get another/different subnet value than pfSense-WAN. (your subnet values are from /49 to /64)
You can not decide on a FB subnet value for your pfSense-LAN with Static.
That value, as I wrote earlier, is up to FB to decide with help from LAN "Track Interface".N.B. as I wrote, did you set /64 for FB-LAN in FB ?
-
@hda:
You can not decide on a FB subnet value for your LAN with static.
That value, as I wrote earlier, is upto FB to decide with help from LAN "Track Interface".N.B. as I wrote, did you set /64 for LAN in FB ?
Yes but I can not use "Track Interface" due to I need to set static ip to be the 2001:14b8:XXX:1:: /64 network.
As I am using a DHCPv6 server on the LAN network that is using the 2001:14b8:XXX:1:: /64 network . and even PFsense DHCPv6 requires the use of a static IPv6 on LAN gateway to be set.Is it not possible to use the statically set 2001:14b8:XXX:1::a for the LAN gateway and have WAN <-> LAN traffic?
Is it only possible to use "Track Interface" if I want IPv6 traffic between LAN and WAN ? -
Yes but I can not use "Track Interface" due to I need to set static ip to be the 2001:14b8:XXX:1:: /64 network.
As I am using a DHCPv6 server on the LAN network that is using the 2001:14b8:XXX:1:: /64 network . and even PFsense DHCPv6 requires the use of a static IPv6 on LAN gateway to be set.Why do you insist on doing these settings which for sure will not function ? What told you so ?
My advice is to let go about DHCPserver on LAN. Let go about Static. First try is to work with SLAAC.Obviously you follow the proposed instructions or you are on your own to experiment using trial & horror :)
You can succeed or find out if you answer exactly or stick to close-reading what is written.
And when you change pfSense WAN & LAN config, then reboot. But first reboot the FB too. Start clean memories.
It can take several minutes before pfSense reports correctly [Status > Interfaces] -
Is it not possible to use the statically set 2001:14b8:XXX:1::a for the LAN gateway and have WAN <-> LAN traffic?
Is it only possible to use "Track Interface" if I want IPv6 traffic between LAN and WAN ?True. A FritzBox is in command and is programmed a certain way to manage subnetting.
FB has subnet "0", "1" and "2" reserved for itsself. Sometimes "fc" seems to work as static, but is not reliable.The question is "how to get the subnet value and the cooperation from the FB" for your pfSense-LAN.
While you think maybe "1" is ok, FB will not accept that by static request and would like to supply (by DHCP6 client request), say, "ff". -
Ok, Tanx for the help anyway.
The "Track interface" solution does not work for me and I need to have static gateway/ /64. If that is something that does not work with PFsense then I guess I will have to wait until its works or until someone can explain how to make it work in a similar way not using "track interface".
-
… I need to have static gateway /64....
This does not make sense to me.
Can you explain on that w.r.t. doing DHCP6 towards FB, because FB+pfSense can take care of that automatically. (DNS & GW) -
@hda:
This does not make sense to me.
Can you explain on that w.r.t. doing DHCP6 towards FB, because FB+pfSense can take care of that automatically. (DNS & GW)The network is not just a home network, I'm running a full AD environment.
Its more or less a proving ground for different network setups and Domain controller setups.So I have Windows servers running and managing all aspects of the network. pfSense is just there as a firewall. Now to get the DirectAccess working in Win. Server 2012 R2 IPv6 is required and that setup has to be static so I cant have my network switching IPs and networks. I am also using other features that require statically assigned IPv6 addresses.
Now if I just wanted to enable IPv6 for some home laptop and whatnot then I would be fine with "Track Interface" but I need the control of the /64 to be in the hands of the AD servers and not on the pfSense.
Hope that answers your question.
-
Now to get the DirectAccess working in Win. Server 2012 R2 IPv6 is required and that setup has to be static so I cant have my network switching IPs and networks. I am also using other features that require statically assigned IPv6 addresses.
But first you still need to negotiate the leftmost 64 bits for your pfSense-LAN, because AIUI that part you will need to use for your serverpark…
i.e. I have FB-LAN == pfSense-WAN as 2001:babe:face:1:: /64 and pfSense-LAN as 2001:babe:face:ff:: /64.
The subnet value "ff" is not my choice but supplied by FB. -
Yes but how to make that without using "track interface" is the big question.
-
Yes but how to make that without using "track interface" is the big question.
No big question at all. Remove the FB !
Because, as you apparently misunderstand, the (FB-pfSense) setup will not work (reliably) without Track Interface.You might though guess & succeed with trying the subnet value "fc", but as soon as you reboot FB such will be lost.
-
Would be nice if you could comment without the attitude.. no misunderstanding.
I am simply asking the question Can It Be Done Now and if no then is it in the pipeline for pfSense for this type of scenario.
As your opinion is use "Track Interface" or loose then I will simply wait until I can get a firmware update for the FB that would allow me to bridge/switch ISP router or pfSense makes a hail mary.
-
You're basically asking for instructions on how to statically configure a dynamically assigned prefix. This is not a missing feature in pfSense; it just doesn't make sense.
-
Also, what you really want is not getting rid of track interface, but rather allowing DHCP6 settings to be configured on a tracking interface. It's already running a DHCP6 server; this is purely a GUI limitation. I opened an issue on this in Redmine over a year ago, but going by the complete lack of responses, it doesn't seem like this is on anyone's radar at ESF.