IPv6 setup via Comcast/pfsense, working from WAN of pfsense, but not LAN



  • Hey guys, figured I'd give IPv6 a shot on Comcast, and interestingly enough, it… half works. I can ping ipv6.google.com via the WAN interface of the pfSense, but not the LAN (and thusly, no LAN devices can ping ipv6.google, etc.). They can resolve the IPv6 IP, but no traffic seems to be passing between the WAN/LAN for IPv6. Is there... a route I am missing somewhere? The WAN_DHCP6 gateway is up, and responding nicely... and IPv6 addresses are given TO the LAN interface and devices, but no traffic's passing. Ideas? Any help would be appreciated. Thank you!

    Do I HAVE to have an IPv6 broker?

    ![ss (2015-06-20 at 10.24.33).png](/public/imported_attachments/1/ss (2015-06-20 at 10.24.33).png)



  • What about searching the IPv6 section for experience?



  • I searched for 'comcast ipv6 pfsense' on both Google and in the forums, and tried a number of things, including using the IPv6 broker, but nothing worked.



  • Just to confirm… Your pfSense LAN interface has an IPv6 address, your local systems have IPv6 addresses, and you can ping the IPv6 address of the LAN interface from your local hosts?



  • Ooh, good point, hadn't noticed that one. Though looking at the screenshot I had, the WAN_DHCP6 gateway began with fe80:: … which is a local IP, as far as I understand. So maybe that's a help somewhere?

    @dennypage:

    Just to confirm… Your pfSense LAN interface has an IPv6 address, your local systems have IPv6 addresses, and you can ping the IPv6 address of the LAN interface from your local hosts?



  • fe80 is a link local address used for discovery. It isn't routable. As a general rule, IPv6 is generally used without NAT, so you need address space from your ISP to route. You probably want to read up on IPv6 before proceeding further.



  • The gateway that shows up in pfSense WILL be fe80:… for Comcast, but your LAN address should NOT be fe80:...

    Your WAN address COULD be an fe80:... address, if you have the option to request a prefix only checked. This isn't the default setting, but it will work just fine with it enabled, provided you account for it on any connections your router needs to make out to the internet... they should be using the LAN interface, since it should be a globally routable address under IPv6. To keep things simple though, don't check this option.

    An additional question... Do you have a firewall rule on your LAN interface to allow IPv6 traffic through? If not, then IPv6 traffic will be blocked by the firewall. Your router will get the gateway address, its WAN address, and LAN prefix, since those all go over the WAN... and it will send the prefix to your LAN via router advertisements... but if there's no rule to allow IPv6 traffic from the LAN through the firewall, then any IPv6 requests from your hosts get blocked.



  • As an example of my above post regarding addresses and gateways…




  • How have you configured your WAN and your LAN?
    At least in my area, Comcast will hand out a /64 prefix or a /60.
    If you want the simplest config,

    • your WAN interface should be set up to use DHCP6

    • leave "DHCPv6 Prefix Delegation size" at 64

    • check the "Send IPv6 prefix hint" checkbox

    then for IPv6 on your LAN interface set it up to "track interface" pointing to the WAN interface with the "IPv6 Prefix ID" set to 0 (you can't change it if you requested a /64 on the WAN).

    That should be enough to get legitimate IPv6 addresses on your LAN.

    Tim
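
The address checks discussed in this thread, as an added example that is not part of any poster's message: it labels an address as link-local or global unicast and computes the /64 that a LAN set to "track interface" would take from a delegated prefix for a given "IPv6 Prefix ID". The function names and the 2001:db8:: sample values are constructed for illustration, and the mapping of the prefix ID onto the bits between the delegation length and /64 is an assumption.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")      # never routed off-link
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # routable unicast space

def classify(addr):
    """Label an IPv6 address as 'link-local', 'global-unicast' or 'other'."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])   # drop a zone id such as %em0
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in GLOBAL_UNICAST:
        return "global-unicast"
    return "other"

def tracked_lan_prefix(delegated, prefix_id):
    """Return the /64 a tracking LAN would use inside the delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegation must be /64 or shorter")
    id_bits = 64 - net.prefixlen                     # /60 leaves 4 bits, /64 none
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError("prefix id %d does not fit in a /%d"
                         % (prefix_id, net.prefixlen))
    base = int(net.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def diagnose(lan_addr, delegated, prefix_id):
    """Say whether a LAN address can be routed through the delegation."""
    if classify(lan_addr) == "link-local":
        return "link-local only: no delegated prefix reached the LAN"
    lan_net = tracked_lan_prefix(delegated, prefix_id)
    if ipaddress.IPv6Address(lan_addr.split("%")[0]) in lan_net:
        return "routable: address is inside " + str(lan_net)
    return "mismatch: address is outside " + str(lan_net)

if __name__ == "__main__":
    # Constructed sample values (documentation prefix, not real Comcast space).
    print(classify("fe80::1%em0"))                          # gateway-style address
    print(tracked_lan_prefix("2001:db8:abcd:10::/60", 0xa)) # /60 with ID a
    print(diagnose("fe80::1", "2001:db8:abcd:10::/64", 0))
    print(diagnose("2001:db8:abcd:10::1", "2001:db8:abcd:10::/64", 0))
```

A "routable" result only covers addressing; as noted earlier in the thread, the LAN interface still needs a firewall rule that passes IPv6 traffic.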