Fritzbox and Pfsense



  • I have a /48 subnet ( 2001:xxx:xxxx::/48 ) via my ISP (native and static). When directly connected to my Fritzbox 7340, IPv6 works fine. But when I put my Pfsense box (2.1.5) between my PC and the FB, I can only use IPv6 from the Pfsense box.

    • The WAN on PFsense (2001:xxx:xxx:1:xxx:xxx:xxx:489b ) uses DHCPv6 to get the IP address
    • On the LAN side I defined a static IPv6 address (2001:xxx:xxx:f:xxx:xxx:xxx:254 /64)
    • Allowed IPv6 traffic on Pfsense (the checkbox)
    • Activated Router Advertisement (Unmanaged)
    • The default IPv6 allow rule is active
    • IPv6 DNS works also on clients
    • IPv4 is fine

    Sometimes when I ping a host (using hostname or IP) on the WAN side using IPv6 on a client, I get one response, the rest time out.

    Do you guys have any idea how to fix this, so that I'll have internet access on my clients?



  • Sure, solutions can be found on this forum. Browse my contributions if you like  :)



  • Wow, I just saw a post of yours suggesting to use a prefix hint <64, and using track interface. It works! Thank you!



  • @Maarten90:

    … suggesting to use a prefix hint <64...

    Well, you are in a cascading setup. pfSense asks a /64 and receives a unique other subnet value from the FB.
    The FB has the authority over the /48 from your ISP. pfSense will do RA for /64 to its clients.
    Evidence: my FB-LAN has subnet value :1: and my pfSense-LAN-ONE has :ff:



  • @hda:

    @Maarten90:

    … suggesting to use a prefix hint <64...

    Well, you are in a cascading setup. pfSense asks a /64 and receives a unique other subnet value from the FB.
    The FB has the authority over the /48 from your ISP. pfSense will do RA for /64 to its clients.
    Evidence: my FB-LAN has subnet value :1: and my pfSense-LAN-ONE has :ff:

    Thanks for the clarification. One strange thing though, test-ipv6.com is telling me that there's a problem with big packets, which may cause websites not to load. And that's exactly what I am experiencing currently. Searched the forum here, and some say that setting an MTU of 1492 fixes this (tried on both the LAN and WAN interface (not simultaneously)), but that doesn't work for me. Someone else suggests setting MSS clamping to 1220, but that also breaks my IPv6 connection. The last thing I found on the forum was someone that said that changing the default allow any rule for IPv6 from 'LAN Net' to 'Any' worked for him. However that also doesn't work. Do you have any idea what's going wrong here? I am able to surf the web but sites just don't load completely.



  • @Maarten90:

    … some say that setting an MTU of 1492 fixes this...

    Salvation of (jumbo) MTU issues for IPv6 is actually beyond the control of the end-user; RFC4638 must come into effect first at all locations. The other problem is that many global server-admins block IPv6 ICMP signals. So the test is useless or excluded.

    The best you can do, I think, is maybe set the value to 1492 at the first host which is your FB. [see FB>Internet>Account Info>IPv6>Additional Settings>] So then the FB announces the right thing to pfSense (and you leave that box at the default 1500)

    (So far I experience no webpage problems, my ISP FB-config ships max MTU 1492 as a temp. solution)

    N.B. some config changes require a reboot in download sequence of the 2 cascading boxes, and then a DHCP6(PD) ISP refresh-cycle (up to 1 or 2 hrs). So look & wait until your pfSense-LAN IPv6 number is back and up…
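
The following is an added example, not from any poster in this thread: it measures the largest IPv6 packet that crosses a path without fragmentation and derives the matching TCP MSS, so the 1492 and 1220 values discussed above can be checked against a measurement. It assumes a Linux client with iputils `ping` (`-6`, `-M do`); the function names are hypothetical and the target host is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example: measure the IPv6 path MTU from a LAN client behind pfSense.
# Assumption: Linux with iputils ping; function names are illustrative only.

# probe_ping HOST SIZE: send one echo request whose total IPv6 packet size is
# SIZE bytes, with local fragmentation prohibited (-M do).
# ICMPv6 payload = SIZE - 40 (IPv6 header) - 8 (ICMPv6 header).
probe_ping() {
    ping -6 -M do -c 1 -W 2 -s $(( $2 - 48 )) "$1" >/dev/null 2>&1
}

# find_pmtu HOST [PROBE_FN]: binary search between 1280 (the IPv6 minimum MTU)
# and 1500 (Ethernet). Prints the largest size that got a reply.
# Returns 1 if even a 1280-byte packet gets no reply.
find_pmtu() {
    host=$1
    probe=${2:-probe_ping}
    lo=1280
    hi=1500
    "$probe" "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid          # this size fits, try larger
        else
            hi=$(( mid - 1 )) # too big (or reply lost), try smaller
        fi
    done
    echo "$lo"
}

# mss_for MTU: TCP MSS over IPv6 = MTU - 40 (IPv6 header) - 20 (TCP header).
# mss_for 1280 gives 1220, the clamp value mentioned in the thread.
mss_for() {
    echo $(( $1 - 60 ))
}

# Usage: sh pmtu6.sh <ipv6-host>
if [ $# -gt 0 ]; then
    if mtu=$(find_pmtu "$1"); then
        echo "path MTU to $1: $mtu bytes, TCP MSS: $(mss_for "$mtu")"
    else
        echo "no reply at 1280 bytes: host unreachable or ICMPv6 echo filtered"
    fi
fi
```

A result below 1500 while pages still stall points at ICMPv6 Packet Too Big messages being dropped somewhere on the path, which is the filtering problem described in the post above.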

