Netgate Discussion Forum

    Ipv6 static /48

      andi-ch

      Hi
      I got an IPv6 /48 net: 2A00:xxxx:aaaa/48
      Following settings are done:

      • system - advanced - networking = "allow ipv6" ticked
      • Firewall rule WAN - allow IPv6 ICMP * * * */
      • Firewall rule LAN - allow IPv6 any to any
      • Interface WAN 2a00:xxxx:aaaa:::2 /48 - gateway 2a00:xxxx:aaaa:::1 (I was told so by my ISP)
      • Interface WAN "Block private networks" un-ticked
      • Interface LAN 2a00:xxxx:aaaa:3::1 /64

      netstat -rn

      Internet6:
      Destination                      Gateway                      Flags      Netif Expire
      default                          2a00:xxxx:aaaa::1              UGS        em1
      ::1                              link#5                        UH          lo0
      2a00:xxxx:aaaa::/48                link#2                        U          em1
      2a00:xxxx:aaaa::2                  link#2                        UHS        lo0
      2a00:xxxx:aaaa:3::/64              link#1                        U          em0
      2a00:xxxx:aaaa:3::1                link#1                        UHS        lo0

      Diagnostics - ping -ipv6 choosing Interface default I can ping google.com - my Gateway
      Diagnostics - ping -ipv6 choosing Interface WAN I can ping google.com - my Gateway
      Diagnostics - ping -ipv6 choosing Interface LAN I can ping WAN address of pfsense, that's it.

      If I do ping6 -I em0 google.com (em0 is LAN)
      ping6: sendmsg: No route to host
      ping6: wrote google.com 16 chars, ret=-1

      What do I miss?

      Thanks for any help.
      Andi

        andi-ch

        no one any thoughts?  :'(

          hda

          Think about & study the logic of the gateway. Why is it within your prefix ?

            andi-ch

            I changed the WAN to /64
            My provider gave me the /48 net and informed me that 2a00:xxxx:aaaa::1 is my gateway.

            Internet6:
            Destination                      Gateway                      Flags      Netif Expire
            default                          2a00:bd80:144::1              UGS        em1
            ::1                              link#5                        UH          lo0
            2a00:xxxx:aaaa::/64                link#2                        U          em1
            2a00:xxxx:aaaa::/48                link#2                        U          em1
            2a00:xxxx:aaaa::2                  link#2                        UHS        lo0
            2a00:xxxx:aaaa:3::/64              link#1                        U          em0
            2a00:xxxx:aaaa:3::1                link#1                        UHS        lo0

            I'm asking myself why it shows:
            2a00:xxxx:aaaa::/64  link#2                        U          em1
            and
            2a00:xxxx:aaaa::/48  link#2                        U          em1

              hda

              Prerequisite: Do not use CLI with pfSense when in setup. Do not fiddle with Gateway(s).

              OK now the gateway looks reasonable. Now flush your connection and wait to get /48 & /64 on WAN expired…
              Then use GUI WAN to config the IPv6.

                andi-ch

                Thank you
                I did make all configuration using the GUI.
                Only use cli for commands like ping, netstat, etc.

                But you're right, the routing etc. is also nicely done via GUI.
                Here the result after flushing

                Destination Gateway Flags Use Mtu Netif Expire
                default 2a00:xxxx:aaaa::1 UGS 27139 1500 em1
                ::1 link#5 UH 14 16384 lo0
                2a00:xxxx:aaaa::/64 link#2 U 1297 1500 em1
                2a00:xxxx:aaaa::2 link#2 UHS 0 16384 lo0
                2a00:xxxx:aaaa:3::/64 link#1 U 54 1500 em0
                2a00:xxxx:aaaa:3::1 link#1 UHS 0 16384 lo0

                  hda

                  And did it work ? Report with GUI results preferred. Not from CLI.

                  Got the /48 on WAN (use Advanced config (Send Options=ia-pd0, Prefix Delegation=checked)) ?
                  Made a static LAN (in GUI) and subnet choice, as 2a00:xxxx:aaaa:3::1 mask /64 ?
                  Set [Services: Router advertisements] (router only) ?
                  Got to a host on your LAN(-switch) and created a static IP there, say 2a00:xxxx:aaaa:3::11 (/128) ?

                  Or you made use of other methods like DHCP6-server, SLAAC (or Track Interface) ?

                    andi-ch

                    No still not working.

                    Made a static LAN (in GUI) and subnet choice, as 2a00:xxxx:aaaa:3::1 mask /64 ?
                    Yes,
                    Set [Services: Router advertisements] (router only) ?
                    Yes
                    Got to a host on your LAN(-switch) and created a static IP there, say 2a00:xxxx:aaaa:3::11 (/128) ?
                    Clients receiving ipv6 address. I can ping up to the pfsense wan address. 2a00:xxxx:aaaa::2

                    Got the /48 on WAN (use Advanced config (Send Options=ia-pd0, Prefix Delegation=checked)) ?
                    No, here I'm lost.
                    Is this not if you "track interface"? I have native - static IPV6.

                    Also to make sure, that my provider gave me really /48 net. Just for test, I changed my WAN to the last IP of my range: 2a00:xxxx:aaaa:ffff:ffff:ffff:ffff:fffd and selected /48 (just for test)
                    I was able to ping this IP from http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-ping.php
                    That confirmed me, that I have the whole range.

                    WAN is now changed back to 2a00:xxxx:aaaa::2 / 64

                      hda

                      Most likely method is an ISP issuing numbers with a DHCP6-server, collected by your use of a DHCP6-client (PD).
                      See [Interfaces: WAN] (IPv6 Configuration Type=DHCP6).

                      So how, by what method, does your ISP want you to connect with them … ?

                        andi-ch

                        Assuming they routed the 2A00:xxxx:aaaa/48 via interface / 48 net. 2A00:xxxx:aaa1

                          doktornotor Banned

                          Instead of assuming, why don't just give them a call and ask? Because your assumptions clearly don't work.

                            hda

                            It will not work with assumptions. Good Luck… Contemplate reply#2 & reply#8 again.

                              andi-ch

                              With assuming I meant, they told me so, it means I have to trust them.

                                andi-ch

                                I'm used to cisco, simple routing.

                                R1#configure terminal
                                R1(config)#interface gigabitEthernet 0/0
                                R1(config-if)#ipv6 address 2001:db8:0:1::1/64
                                R1(config-if)#no shutdown
                                R1(config-if)#exit
                                R1(config)#interface serial 1/0
                                R1(config-if)#ipv6 address fe80::1 link-local
                                R1(config-if)#no shutdown
                                R1(config-if)#exit
                                R1(config)#exit
                                R1#

                                R2#configure terminal
                                R2(config)#interface gigabitEthernet 0/0
                                R2(config-if)#ipv6 address 2001:db8:0:2::1/64
                                R2(config-if)#no shutdown
                                R2(config-if)#exit
                                R2(config)#int serial 1/0
                                R2(config-if)#ipv6 address fe80::2 link-local
                                R2(config-if)#no shutdown
                                R2(config-if)#exit
                                R2(config)#interface serial 1/1
                                R2(config-if)#ipv6 address fe80::2 link-local
                                R2(config-if)#no shutdown
                                R2(config-if)#exit
                                R2(config)#exit

                                and so on

                                We are connected via fiber, so they have a Cisco router, simply routed our /48 to "our" gateway interface.
                                So DHCP is not an option.

                                  hda

                                  Of course it is an option! Did you try/test it…?

                                    andi-ch

                                    Not yet, looking for a Cisco router….
                                    Let you know.

                                      hda

                                      Well, I meant to say do test WAN-DHCP6(PD) with pfSense on the fiber-line with native IPv6…

                                      Anyway, I think you want for an "Upstream Gateway" number outside your /48 domain.

                                      And how do you connect by IPv4 ?

                                        Derelict LAYER 8 Netgate

                                        Your ISP is routing the /48 to something.  That something is how your WAN interface's IPv6 should be configured.

                                        It might be DHCPv6, it might be static, it might be link-local.  Only they know.

                                        If it's really a static /48 you'll be good to go once you get it sorted out.

                                        Chattanooga, Tennessee, USA
                                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                          jimp Rebel Alliance Developer Netgate

                                          Given the settings in the OP, it's static. The first /64 of the /48 is for WAN.

                                          Looks like the only mistake made in the first post is that the prefix length on WAN should be /64 not /48. It's common for ISPs to use the first /64 of a routed block such as a /48 for the interconnect.

                                          On the outside chance that the ISP actually made the /48 on WAN that's an error on their part, it should have the /48 routed to your 2a00:xxxx:aaaa:::2 with prefix set to /64.

                                          Run a packet capture on WAN as you attempt to ping from a host on LAN, see what happens. If the ping leaves but doesn't come back at all, that's upstream routing. If the ping leaves and you see an NDP request on WAN for the LAN address, they fudged the prefix.

                                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                          Need help fast? Netgate Global Support!

                                          Do not Chat/PM for help!
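
The capture triage described in the post above, as an added example that is not part of the thread or of pfSense: it reads tcpdump text taken on WAN (numeric addresses, `tcpdump -n`) and separates "upstream routing" from "upstream has the LAN prefix on-link", and also flags the /48-on-WAN overlap. The function names, verdict strings and the extra "not-leaving-wan" case are assumptions of this example; `2001:db8:aaaa::/48` stands in for the redacted `2a00:xxxx:aaaa::/48`.

```python
import ipaddress
import re

# Constructed stand-in: 2001:db8:aaaa::/48 replaces the redacted 2a00:xxxx:aaaa::/48.
LAN = ipaddress.ip_network("2001:db8:aaaa:3::/64")

ECHO = re.compile(r"IP6 (\S+) > (\S+): ICMP6, echo (request|reply)")
NS = re.compile(r"ICMP6, neighbor solicitation, who has ([0-9a-fA-F:]+)")

def wan_covers_lan(wan_if, lan_if):
    """True when the WAN on-link prefix swallows the LAN subnet (the /48-on-WAN mistake)."""
    wan = ipaddress.ip_interface(wan_if).network
    lan = ipaddress.ip_interface(lan_if).network
    return wan.overlaps(lan)

def triage(lines, lan=LAN):
    """Classify a WAN capture taken while a LAN host pings an outside address."""
    left = returned = ndp_for_lan = False
    for line in lines:
        m = ECHO.search(line)
        if m:
            src, dst, kind = m.groups()
            if kind == "request" and ipaddress.ip_address(src) in lan:
                left = True          # routed out of WAN with a LAN source
            elif kind == "reply" and ipaddress.ip_address(dst) in lan:
                returned = True      # upstream routed the reply back to us
            continue
        m = NS.search(line)
        if m and ipaddress.ip_address(m.group(1)) in lan:
            ndp_for_lan = True       # upstream is resolving a LAN host on the WAN link
    if not left:
        return "not-leaving-wan"     # hypothetical extra case: look at local rules/routes
    if ndp_for_lan:
        return "upstream-has-lan-on-link"
    return "ok" if returned else "upstream-routing"

# Constructed capture lines in tcpdump's one-line format.
REQ = "12:00:01.000100 IP6 2001:db8:aaaa:3::11 > 2001:db8:ffff::1: ICMP6, echo request, seq 1, length 16"
REP = "12:00:01.020400 IP6 2001:db8:ffff::1 > 2001:db8:aaaa:3::11: ICMP6, echo reply, seq 1, length 16"
SOL = "12:00:01.020900 IP6 fe80::1 > ff02::1:ff00:11: ICMP6, neighbor solicitation, who has 2001:db8:aaaa:3::11, length 32"

if __name__ == "__main__":
    print(wan_covers_lan("2001:db8:aaaa::2/48", "2001:db8:aaaa:3::1/64"))
    print(triage([REQ]), triage([REQ, SOL]), triage([REQ, REP]))
```
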

                                            andi-ch

                                            Yes /48 on the WAN was definitely wrong.

                                            I had again contact with my ISP. They gave me now a transfernet /126 for my WAN. They routed the /48 to my WAN IP.
                                            But still not working, I believe or better sure this is not a pfsense or my config error. I don't have confidence in my provider now.

                                            I'm able to ping from LAN side, even from a host (computer) to their router - my gateway.

                                            Asked them now to send their "show running-config ipv6", which they won't give me….

                                            capture:
                                            no NDP request found. No response seen to ICMPv6 request in frame 38.
                                            That's all about I see.

                                            Keep you posted.
