Private IPv6 addressing on my LAN?



  • Hi there, my question is quite simple.

    I got a pfsense box running. (2.2 BETA to be specific) I want to grab an IPv6 address for my WAN interface from Comcast. Then I want to run my LAN with an IPv6 address pool.

    How would I do this?

    Do I get all of my addresses from Comcast? Do I assign myself a private IP address space?

    I already use the "track interface" option on the LAN interface, but I am looking to try running a full-blown IPv6 subnet so I can toy with it and learn.

    Any insight would be appreciated.

    I found this link, I am not sure if it is much use to me or not.

    Just to clarify I have a native IPv6 address coming to me from Comcast.



  • All IPv6 hosts have a link-local address - these are not routable and only work on the local segment (ethernet, usually).

    If you don't need the hosts to have internet access, then this is all you need for an IPv6 network.

    If you want them to be able to route to the internet, then you bring a globally-routable prefix through from your provider (Comcast) and use RADVD or DHCPv6 on pfSense to assign addresses to the local LAN. Each host then has its own link-local address AND a globally-routable address. The idea of NAT'ing private addresses isn't really applicable for IPv6 - there is no need for it.

    Even though each host would then have a globally-routable IP, that doesn't mean that they are exposed to the internet - your pfsense box will firewall them just as it does for IPv4 NAT hosts, it's just that when configuring things like port forwarding, you don't have to do the NAT part with IPv6 - you just open the port direct to the globally-routable host IPv6 address.

    Hope that helps,

    leeph



  • Ok I follow you somewhat. This is where things get a little new for me.

    So I set my WAN interface to request a prefix from Comcast. Right? The prefix allows me to route traffic from my LAN to Comcast?

    But how do I make the leap from prefix from Comcast to a static address assigned to my LAN interface?

    Does my question make sense?


  • LAYER 8 Netgate

    Ask Comcast for an IPv6 /48 routed to your IPv6 interface address and see what they say.

    If they say yes, take it.  If they say, "no, but here's a /56," take it.

    Please let us know what they say - especially if it's something other than either of these two choices.

    (What exactly did they give you as a config when they turned on IPv6?)



    Comcast will let you request no more than a /60. Sixteen /64 subnets on a personal network should be more than enough for most people.

    Business class service may be able to request larger allocations, but consumer service can request anything from /64 to /60 only, depending on how many subnets you need (1 to 16, based on number of bits).

    Because of pfSense's IPv6 implementation with DHCPv6 on the WAN, there is no way to set up a static IPv6 address for your router on your LAN. You set up "Track Interface", "WAN", then select which subnet you want to use (which will only be 0 if you request a /64, could be 0-F if you request a /60). The LAN interface gets a SLAAC address based on the interface's MAC address.
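The arithmetic behind the post above (which /64 you get when you pick subnet 0-F out of a delegated /60, and what the LAN's SLAAC address looks like when it is derived from the interface MAC) as an added example; this is not code from the thread or from pfSense, and the prefix `2001:db8:abcd:ef10::/60` and MAC `00:11:22:33:44:55` are constructed sample values:

```python
import ipaddress

def delegated_subnet(prefix: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the /64 number `subnet_id` carved out of a delegated prefix.

    A /60 holds 2**4 = 16 /64s (ids 0..15, the 0-F choice in the GUI);
    a /64 holds exactly one, so only id 0 is valid there.
    """
    pd = ipaddress.IPv6Network(prefix, strict=True)
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    count = 2 ** (64 - pd.prefixlen)
    if not 0 <= subnet_id < count:
        raise ValueError(f"subnet id must be 0..{count - 1} for a /{pd.prefixlen}")
    # Each /64 is 2**64 addresses apart, so shift the id up into bits 64..79.
    return ipaddress.IPv6Network((int(pd.network_address) + (subnet_id << 64), 64))

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291) from a 48-bit MAC:
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytearray(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 6-octet MAC address")
    octets[0] ^= 0x02
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big")

def slaac_address(subnet: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Global-scope SLAAC address: 64-bit subnet prefix + EUI-64 interface id."""
    if subnet.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(subnet.network_address) | eui64_interface_id(mac))

def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address every IPv6 host forms on its own, same interface id."""
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("fe80::")) | eui64_interface_id(mac))

def scope(addr: str) -> str:
    """Rough scope classification: link-local, unique-local (fc00::/7) or global-scope."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    return "global-scope"

if __name__ == "__main__":
    pd = "2001:db8:abcd:ef10::/60"      # constructed sample delegation
    mac = "00:11:22:33:44:55"           # constructed sample LAN MAC
    lan = delegated_subnet(pd, 5)       # "subnet 5" in the Track Interface dropdown
    print("LAN /64:      ", lan)
    print("LAN SLAAC:    ", slaac_address(lan, mac), scope(str(slaac_address(lan, mac))))
    print("LAN link-local", link_local_address(mac), scope(str(link_local_address(mac))))
```

The link-local and global addresses share the interface identifier, which is why the same host shows up twice in `ifconfig` with different prefixes; a host that only has the fe80:: one reaches the local segment but nothing beyond the router.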



    So… yeah. Comcast is telling me that they do not allocate IPv6 blocks of any kind to residential connections. This I believe means I need to keep bugging them. I don't think the person I spoke to through their chat program knew what I was after.

    Just in case they say no, are there any other options I have?

    Can I do anything by requesting a prefix from them? I was able to get my router to do that and bind it to the WAN interface.



  • There is absolutely NO WAY Comcast is going to assign static IPv6 addressing to a residential customer.  What's wrong with a DHCP-PD /60?  Even business customers get their /56 via DHCP-PD.

    virgiliomi explained how it works very clearly.  It's not like your DHCP-PD assignment is going to be changing.

    If you want true assigned static IPv6 address space, then you need to move to a tunnelbroker like Hurricane Electric.


  • LAYER 8 Netgate

    I am labbing this up right now using two pfSense VMs.  One posing as the ISP, the other as an ISP client.

    I am running into something I am not sure how to deal with.  That is DHCPv6/RA configuration for the ISP client's subnets.

    DHCPv6 is out because you can't set up DHCPv6 on a dynamic interface, which a "Track Interface/WAN" is.

    Because you can't get into that menu, you can't set any RA characteristics for that segment either.

    And while it will relieve us of NAT, we are still going to be stuck with Dynamic DNS if we are going to advertise any services at all.

    Just because DHCP-PD is the mechanism for setting the router's IPv6 addresses doesn't mean Comcast cannot say "This is your /60" and assign the same addresses every time.




  • @Derelict:

    I am running into something I am not sure how to deal with.  That is DHCPv6/RA configuration for the ISP client's subnets.

    Indeed, that should be available with dynamic too, if cascading is in the basic design specs?

    I.e. I have a cascaded setup with an AVM FRITZ!Box 7360 and a pfSense box. It works because the 7360 can act as a DHCPv6 server for the home network, which has the pfSense box among others.

    The 7360 gets its IPv6 (/48), "static", from ISP by delegation (PD) AIUI. Next the pfSensebox-LAN gets a /64 prefix (other subnet than 7360-LAN, decided/issued by 7360) from the 7360 with pfSense WAN DHCPv6(PD)+TrackIface.



  • So I should be able to have my WAN interface grab an address from Comcast. Have the LAN interface track the interface. Then run RA on the LAN interface to divvy up the IPv6 subnet assigned to me to all of my LAN clients?

    So I have this right?



  • @solignis:

    So I should be able to have my WAN interface grab an address from Comcast. Have the LAN interface track the interface.

    So far, yes.
    If Comcast says /60, then set pfSense-WAN DHCP6 to /60 and "prefix hint". And set pfSense-LAN to Track Interface.

    Result should be that the pfSense-LAN gets a /64 prefix assigned.
    The last 64 bits are for your client(s), using RA and SLAAC to form its/(their) own unique 128-bit number(s).



    Ok, I get it now… at least somewhat. Looks like I've got some configuration to play with tonight.


  • LAYER 8 Netgate

    For what it's worth, I spent considerable time thinking I wasn't getting SLAAC when I checked the "Only request a IPv6 prefix, do not request a IPv6 address" box.  Status->Interfaces and the dashboard show the link-local address so I thought it was failing.  But the SLAAC address is assigned.  You just have to look at the ifconfig.

    I have also taken to rebooting when changing these settings.  I don't think everything that needs to be reset is getting reset.  Seems to work fine once it's set.



  • @Derelict:

    I have also taken to rebooting when changing these settings.  I don't think everything that needs to be reset is getting reset.  Seems to work fine once it's set.

    Important point. You have to respect the DHCP server lease-time renewal and IP regs. pfSense-LAN does half an hour. My ISP does 1h for the prefix and 2 hours for acceptance of a new subnet value ( /57 ~ /63 ). So yes, if no respect then flush-all by rebooting.



  • @Derelict:

    DHCPv6 is out because you can't set up DHCPv6 on a dynamic interface, which a "Track Interface/WAN" is.

    Because you can't get into that menu, you can't set any RA characteristics for that segment either.

    There is a way to run DHCPv6 on a dynamic LAN interface.  It is probably considered unsupported and exploitation of a bug.  But, mine has been running this way for over a year.  This is with 2.1.x

    1. Configure your LAN for a static IPv6 address (just make something up).

    2. Enable DHCPv6 Server/RA.

    3. Go back and change the LAN interface to dynamic with WAN Tracking. It will prompt you to disable DHCPv6 Server. Do so and then finish the LAN interface configuration.

    config.xml will be left with a remnant like …

    ```xml
    <dhcpdv6>
      <lan>
        <ramode>assist</ramode>
        <rapriority>high</rapriority>
        <rainterface></rainterface>
        <radomainsearchlist></radomainsearchlist>
        <range></range>
        <prefixrange></prefixrange>
        <defaultleasetime></defaultleasetime>
        <maxleasetime></maxleasetime>
        <netmask></netmask>
        <failover_peerip></failover_peerip>
        <domain></domain>
        <domainsearchlist></domainsearchlist>
        <ddnsdomain></ddnsdomain>
        <tftp></tftp>
        <ldap></ldap>
        <nextserver></nextserver>
        <filename></filename>
        <rootpath></rootpath>
        <dhcpv6leaseinlocaltime>yes</dhcpv6leaseinlocaltime>
      </lan>
    </dhcpdv6>
    ```

    4. The DHCPv6 Server will continue to run and hand out addresses on the dynamic IPv6 network. To make any changes to the DHCPv6 Server/RA you need to directly edit the config.xml.

    **Caveats**

    + I have not tried to make a lot of edits to the config, have just let it run on "auto-pilot". No advanced configurations.

    + This is apparently "unsupported" and may stop working at any time, due to code changes to the base system.

    + Not recommended for production environments.

    **Other**

    This explains why I noticed this behavior: https://forum.pfsense.org/index.php?topic=83534.0

    It is possible that this behavior led to a major problem when I upgraded to 2.2-BETA: https://forum.pfsense.org/index.php?topic=83256.0
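Because the remnant described above keeps serving RA/DHCPv6 from a stanza the GUI no longer shows, it is worth being able to spot it from the config file itself. The following audit is an added example, not part of the post or of pfSense: it parses a config.xml, and for every interface whose `ipaddrv6` is a dynamic mode (track6, dhcp6, slaac, 6rd, 6to4) reports any matching `<dhcpdv6>` stanza that is still enabled or has a non-disabled `ramode`. The embedded config is a constructed, trimmed sample using the interface and dhcpdv6 keys visible in this thread; real files carry many more elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml: WAN does DHCPv6-PD, LAN tracks WAN and still
# carries the orphaned <dhcpdv6><lan> stanza, OPT1 is static and legitimately
# runs RA. Only the keys the audit reads are included.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddrv6>dhcp6</ipaddrv6></wan>
    <lan><if>em1</if><ipaddrv6>track6</ipaddrv6>
         <track6-interface>wan</track6-interface>
         <track6-prefix-id>0</track6-prefix-id></lan>
    <opt1><if>em2</if><ipaddrv6>2001:db8:1::1</ipaddrv6><subnetv6>64</subnetv6></opt1>
  </interfaces>
  <dhcpdv6>
    <lan><ramode>assist</ramode><rapriority>high</rapriority></lan>
    <opt1><enable></enable><ramode>unmanaged</ramode></opt1>
  </dhcpdv6>
</pfsense>"""

# ipaddrv6 values pfSense uses for addresses it does not configure statically.
DYNAMIC_V6_MODES = {"track6", "dhcp6", "slaac", "6rd", "6to4"}

def orphaned_dhcpdv6(xml_text: str) -> list:
    """Return (interface, ipaddrv6 mode, ramode) for every dynamic IPv6
    interface that still has a live <dhcpdv6> stanza in config.xml."""
    root = ET.fromstring(xml_text)
    interfaces = root.find("interfaces")
    dhcpdv6 = root.find("dhcpdv6")
    findings = []
    if interfaces is None or dhcpdv6 is None:
        return findings
    for iface in interfaces:
        mode = (iface.findtext("ipaddrv6") or "").strip()
        if mode not in DYNAMIC_V6_MODES:
            continue                      # static or no IPv6: stanza is expected
        stanza = dhcpdv6.find(iface.tag)  # <dhcpdv6><lan>, <dhcpdv6><opt1>, ...
        if stanza is None:
            continue
        ramode = (stanza.findtext("ramode") or "disabled").strip()
        enabled = stanza.find("enable") is not None   # presence = server enabled
        if enabled or ramode != "disabled":
            findings.append((iface.tag, mode, ramode))
    return findings

if __name__ == "__main__":
    for name, mode, ramode in orphaned_dhcpdv6(SAMPLE_CONFIG):
        print(f"{name}: ipaddrv6={mode} but <dhcpdv6><{name}> is live (ramode={ramode})")
```

Run it against a backed-up config.xml (Diagnostics > Backup/Restore) rather than the live file; a non-empty result on a box you did not deliberately set up this way is the thing to investigate before an upgrade.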
    
