DHCPv6 PD, static internal addresses [SOLVED]
-
Greetings,
a few weeks ago i switched to a new provider and after realising that my poor m0n0wall is not able to provider the full throughput i built a new system and also made the switch from m0n0 to pfSense. My provider assigned a static prefix (2a02:168:40xx::/48) of which i would like to assign a /64 to my internal network (all devices will get static addresses). Please see this image for a more visual representation of what i'd like to achieve: https://www.dropbox.com/s/7bdwuaxd7s2hhyt/ipv6.png
My provider told me that i have to use DHCPv6 prefix delegation and that i could assign a static /64 to the lan adapter of my router. Ha, sounds easy, i'll get that done in five minutes!
… hours passing, not working ... days passing, not working ...
and here we are, i'm out of ideas and need your help :)
What i've done:
-
Interfaces:
-
WAN:
- IPv6 Configuration Type: DHCP
- Request only a IPv6 prefix: check
- DHCPv6 Prefix Delegation size: 48
- Send IPv6 prefix hint: check
-
LAN:
- IPv6 Configuration Type: Static
- IPv6 address: 2a02:168:40xx:1::1 / 64
-
Router advertisements:
- Router advertisements: Router only
- Router Priority: Normal
- RA Subnet: 2a02:168:4008:1:: / 64
-
Client (for testing):
- fixed IP: 2a02:168:40xx:1::2 / 64
What does work: the internal traffic. I can ping the pfSense from the client and vice versa.
What does not work: communication/traffic from/to the internet.Now my ultimate question is: is this setup even possible? Based on my (poor) knowledge about IPv6 this should work … And if it does work, what the ... am i doing wrong?
Will be very, very, very thankful for any ideas, hints or even a "you stupid!" :D
Solution in post #12.
-
-
…
Router advertisements:
...- RA Subnet: 2a02:168:4008:1:: / 64
...
This is not needed in my config.
No typo's in static IP for LAN ?
Do you need to use a PPPoE IPv4 connection to ask the IPv6/48 ?
And… allowance or firewall issues ?
- RA Subnet: 2a02:168:4008:1:: / 64
-
Thanks for your hints hda!
I remove the subnet from the RA config and, as far i know, i don't need a PPPoE connection, but i'll ask the provider.
The firewall shouldn't be a problem too, as i don't filter outgoing connections while doing this ipv6-config-thingie.Here's the output of a tracepath try:
tracepath6 2404:6800:400a:801::1003
1?: [LOCALHOST] pmtu 1500
1: 2a02:168:4008:1::1 0.640ms
1: 2a02:168:4008:1::1 0.605ms
2: no reply
3: no reply
4: no replyWhen doing a tracepath from outside it always (ipv4/v6) ends at the same router on the providers side, so it really seems to be a problem *) with the pfSense config, right?
*) problem = stupid user trying to configure ipv6 :D
-
The config looks good. So…
You did set: System: Advanced: Networking: Allow IPv6 ?
Allowed for WAN IPv6 ICMP I/O ?
-
Yes, allow IPv6 is checked and there's a rule to allow ICMP (v4+v6) on the WAN interface.
-
Have you tried if it works if you actually use PD (i.e., set IPv6 to "track interface" in the LAN config)? Won't give you the desired static addresses, but maybe a good first step to make sure everything else is in order?
-
Also, what's the deal with 4008 vs. 40xx? In your config above, the "xx" will have to be "08" or it won't work for sure.
-
Good morning,
i switched the "IPv6 Configuration Type" to "Track Interface" and rebooted (just to be sure). Now the lan interface has only the link local address but doesn't show any others. Does that mean that the pd doesn't work?
(and sorry for the xx, it was a feeble attempt to obfuscate the address :) )
-
It would appear so. Anything relevant in the logs?
-
The dhcp log is quite inconspicuous, just the messages regarding the assignment of the ipv4 address, but i found the following lines in the router log:
radvd[18174]: IPv6 forwarding setting is: 0, should be 1
radvd[18174]: IPv6 forwarding seems to be disabled, but continuing anyway.
radvd[18174]: no auto-selected prefix on interface em0, disabling advertisements
radvd[18374]: sendmsg: Can't assign requested addresserm … ipv6 forwarding seems to be disabled? I checked it again, ipv6 is enabled in the system -> advanced -> network settings. Is there any other checkbox i didn't see?
-
If running LAN all static, then one need Services: Router advertisements(Router Only)
Have DNS-servers override if DHCP-PD to ISP ?
How do you request your IP's (IPv4&6) from ISP. Do you have an IPv6 showing in Status: Interfaces ?
Is it a public /64 or /128 ? or a local fe80:: ? -
@hda:
If running LAN all static, then one need Services: Router advertisements(Router Only)
Yes, "Router Advertisements" is on "Router Only".
@hda:
Have DNS-servers override if DHCP-PD to ISP ?
Sorry, don't know what you mean. But what impact could dns servers have on such a low level?
@hda:
How do you request your IP's (IPv4&6) from ISP. Do you have an IPv6 showing in Status: Interfaces ?
Is it a public /64 or /128 ? or a local fe80:: ?Straight from the interface status page:
IPv6 Link Local fe80::6a05:caff:fe2e:4dc7
IPv6 address fe80::6a05:caff:fe2e:4dc7
Subnet mask IPv6 64
Gateway IPv6 fe80::223:33ff:fe74:6e3f -
Problem solved dance :D
i was browsing the forum and found the following in another thread (https://forum.pfsense.org/index.php?topic=65724.15):
- I would also uncheck the "Block bogon networks" box on both the WAN and the LAN, as there have been issues with these being overly broad for IPv6 and blocking legitimate (and required) traffic.
I unchecked the boxed and voilà:
ping6 2a02:168:4008:1::1
PING 2a02:168:4008:1::1(2a02:168:4008:1::1) 56 data bytes
64 bytes from 2a02:168:4008:1::1: icmp_seq=1 ttl=52 time=26.6 ms
64 bytes from 2a02:168:4008:1::1: icmp_seq=2 ttl=52 time=27.3 ms
64 bytes from 2a02:168:4008:1::1: icmp_seq=3 ttl=52 time=26.5 ms
64 bytes from 2a02:168:4008:1::1: icmp_seq=4 ttl=52 time=26.6 ms
64 bytes from 2a02:168:4008:1::1: icmp_seq=5 ttl=52 time=26.5 ms
(pinged from an external host)Thank you all for your help and assistance, really appreciate it!
-
Good for you. So a lack of register ;)