Ipv6 static /48

andi-ch

Hi
I got a ipv6 / 48 net. 2A00:xxxx:aaaa/48
Following settings are done:

• system - advanced - networking = "allow ipv6" ticked
• Firewall rule WAN - allow IPv6 ICMP * * * */
• Firewall rule LAN - allow IPv6 any to any
• Interface WAN 2a00:xxxx:aaaa:::2 /48 - gateway 2a00:xxxx:aaaa:::1 (I was told so by my ISP)
• Interface WAN "Block private networks" un-ticked
• Interface LAN 2a00:xxxx:aaaa:3::1 /64

netstat -rn

Internet6:
Destination                      Gateway                      Flags      Netif Expire
default                          2a00:xxxx:aaaa::1              UGS        em1
::1                              link#5                        UH          lo0
2a00:xxxx:aaaa::/48                link#2                        U          em1
2a00:xxxx:aaaa::2                  link#2                        UHS        lo0
2a00:xxxx:aaaa:3::/64              link#1                        U          em0
2a00:xxxx:aaaa:3::1                link#1                        UHS        lo0

Diagnostics - ping -ipv6 choosing Interface default I can ping google.com - my Gateway
Diagnostics - ping -ipv6 choosing Interface WAN I can ping google.com - my Gateway
Diagnostics - ping -ipv6 choosing Interface LAN I can ping WAN address of pfsense, thats it.

If I do ping6 -I em0 google.com (em0 is LAN)
ping6: sendmsg: No route to host
ping6: wrote google.com 16 chars, ret=-1

What do i miss?

Thanks for any help.
Andi

andi-ch

no one any thoughts?  :'(

hda

Think about & study the logic of the gateway. Why is it within your prefix ?

andi-ch

I changed the WAN to /64
My provider gave me the /48 net and informed me that 2a00:xxxx:aaaa::1 is my gateway.

Internet6:
Destination                      Gateway                      Flags      Netif Expire
default                          2a00:bd80:144::1              UGS        em1
::1                              link#5                        UH          lo0
2a00:xxxx:aaaa::/64                link#2                        U          em1
2a00:xxxx:aaaa::/48                link#2                        U          em1
2a00:xxxx:aaaa::2                  link#2                        UHS        lo0
2a00:xxxx:aaaa:3::/64              link#1                        U          em0
2a00:xxxx:aaaa:3::1                link#1                        UHS        lo0

I'm asking myself, why that it shows:
2a00:xxxx:aaaa::/64  link#2                        U          em1
and
2a00:xxxx:aaaa::/48  link#2                        U          em1

hda

Prerequisite: Do not use CLI with pfSense when in setup. Do not fiddle with Gateway(s).

OK now the gateway looks reasonable. Now flush your connection and wait to get /48 & /64 on WAN expired…
Then use GUI WAN to config the IPv6.

andi-ch

Thank you
I did make all configuration using the GUI.
Only use cli for commands like ping, netstat, etc.

But you're right, the routing etc. is also nice done via GUI.
Here the result after flushing

Destination Gateway Flags Use Mtu Netif Expire
default 2a00:xxxx:aaaa::1 UGS 27139 1500 em1
::1 link#5 UH 14 16384 lo0
2a00:xxxx:aaaa::/64 link#2 U 1297 1500 em1
2a00:xxxx:aaaa::2 link#2 UHS 0 16384 lo0
2a00:xxxx:aaaa:3::/64 link#1 U 54 1500 em0
2a00:xxxx:aaaa:3::1 link#1 UHS 0 16384 lo0

hda

And did it work ? Report with GUI results preferred. Not from CLI.

Got the /48 on WAN (use Advanced config (Send Options=ia-pd0, Prefix Delegation=checked)) ?
Made a static LAN (in GUI) and subnet choice, as 2a00:xxxx:aaaa:3::1 mask /64 ?
Set [Services: Router advertisements] (router only) ?
Got to a host on your LAN(-switch) and created a static IP there, say 2a00:xxxx:aaaa:3::11 (/128) ?

Or you made use of other methods like DHCP6-server, SLAAC (or Track Interface) ?

andi-ch

No still not working.

Made a static LAN (in GUI) and subnet choice, as 2a00:xxxx:aaaa:3::1 mask /64 ?
Yes,
Set [Services: Router advertisements] (router only) ?
Yes
Got to a host on your LAN(-switch) and created a static IP there, say 2a00:xxxx:aaaa:3::11 (/128) ?
Clients receiving ipv6 address. I can ping up to the pfsense wan address. 2a00:xxxx:aaaa::2

Got the /48 on WAN (use Advanced config (Send Options=ia-pd0, Prefix Delegation=checked)) ?
No, here I'm lost.
Is this not if you "track interface"? I have native - static IPV6.

Also to make sure, that my provider gave me really /48 net. Just for test, I changed my WAN to the last IP of my range: 2a00:xxxx:aaaa:ffff:ffff:ffff:ffff:fffd and selected /48 (just for test)
I was able to ping this IP from http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-ping.php
That confirmed me, that I have the whole range.

WAN is now changed back to 2a00:xxxx:aaaa::2 / 64

hda

Most likely method is an ISP issueing numbers with a DHCP6-server, collected by your use of a DHCP6-client (PD).
See [Interfaces: WAN] (IPv6 Configuration Type=DHCP6).

So how, by what method, does your ISP want you to connect with them … ?

andi-ch

Assuming they routed the 2A00:xxxx:aaaa/48 via interface / 48 net. 2A00:xxxx:aaa1

doktornotor

Instead of assuming, why don't just give them a call and ask? Because your assumptions clearly don't work.

hda

It will not work with assumptions. Good Luck… Contemplate reply#2 & reply#8 again.

andi-ch

With assuming I meant, they told me so, it means I have to trust them.

andi-ch

I'm used to cisco, simple routing.

R1#configure terminal
R1(config)#interface gigabitEthernet 0/0
R1(config-if)#ipv6 address 2001:db8:0:1::1/64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 1/0
R1(config-if)#ipv6 address fe80::1 link-local
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#exit
R1#

R2#configure terminal
R2(config)#interface gigabitEthernet 0/0
R2(config-if)#ipv6 address 2001:db8:0:2::1/64
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#int serial 1/0
R2(config-if)#ipv6 address fe80::2 link-local
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 1/1
R2(config-if)#ipv6 address fe80::2 link-local
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#exit

and so on

we are connected via fiber, so they have a cisco router, simple routed our /48 to "our" gateway interface.
So DHCP is not a option.

hda

Ofcourse it is an option ! Did you try/test it …?

andi-ch

Not yet, looking for an cisco router….
Let you know.

hda

Well, I meant to say do test WAN-DHCP6(PD) with pfSense on the fiber-line with native IPv6…

Anyway, I think you want for an "Upstream Gateway" number outside your /48 domain.

And how do you connect by IPv4 ?

Derelict

Your ISP is routing the /48 to something.  That something is how your WAN interface's IPv6 should be configured.

It might be DHCPv6, it might be static, it might be link-local.  Only they know.

It it's really a static /48 you'll be good to go once you get it sorted out.

jimp

Given the settings in the OP, it's static. The first /64 of the /48 is for WAN.

Looks like the only mistake made in the first post is that the prefix length on WAN should be /64 not /48. It's common for ISPs to use the first /64 of a routed block such as a /48 for the interconnect.

On the outside chance that the ISP actually made the /48 on WAN that's an error on their part, it should have the /48 routed to your 2a00:xxxx:aaaa:::2 with prefix set to /64.

Run a packet capture on WAN as you attempt to ping from a host on LAN, see what happens. If the ping leaves but doesn't come back at all, that's upstream routing. If the ping leaves and you see an NDP request on WAN for the LAN address, they fudged the prefix.

andi-ch

Yes /48 on the WAN was definitely wrong.

I had again contact with my ISP. They gave me now a transfernet /126 for my WAN. They routed the /48 to my WAN IP.
But still not working, I believe or better sure this is not a pfsense or my config error. I don't have confidence in my provider now.

I'm able to ping from LAN side, even from a host (computer) to they're router - my gateway.

Asked them now to send there "show running-config ipv6", which they won't give me….

caputre:
no NDP request found. No response seen to ICMPv6 request in frame 38.
That's all about I see.

Keep you posted.