Troublesome tweaking



  • I cant wrap my head around how stuff is supposed to work, as i cant claim to be any sort of guru :P

    Oki.. here goes:
    If i set WAN to DHCP6, and tick "only request an prefix", and LAN to track interface, the WAN interface ofc do not get a ipv6 address, but the LAN and clients get their ipv6 address (sometimes with a small delay). All fine and dandy you might think.. But there is some instability of sorts that sometimes make things stop.. I have to either reboot the router or kill dhcp6c and re-save WAN settings to fire it up again.
    Not sure why this happens.. perhaps some problems from my ISP? Ofc windows computers loosing their ipv6 address and trying to connect to things on the internet will be uber-slow cos default priority is ipv6 > ipv4 and so on..

    So, i thought id fiddle around with stuff a bit, but have a couple of questions:

    1. Is it "normal" that i HAVE to tick the "request prefix" and are unable to get a ipv6 address on my WAN? If i dont do this i get a ipv6 address on my WAN, and sometimes i get it on the LAN… but are not able to ping anything ipv6 related.
    2. Would it be a higher chance of stability if i set up static ip on LAN + run DHCP6 server locally? (Have tried this, but cant get this to work stable at all)
    3. Any chance to verify what prefix i actually get? My ISP (Telenor) charges like 3 euro/min on the phone to answer "advanced technical questions" like that :(

    C



  • What is your connection hardware & protocol to ISP ?  MoDem ? Fiber PPPoE ?

    Prefer to use WAN IPv6 Advanced (Send Options = ia-pd 0; prefix delegation = checked)

    If you have a (quasi-)static number from ISP, then stop doing Track Interface and make Static LAN numbers.



  • Right: Using Pfsense 2.2.4 Stable.
    Fiber connection.

    I have no other details about the ipv6 addresses from my ISP other than what i get from DHCP6… As im not thaaaaat keen on paying 3 euto/minute on the phone to get that answered. I guess ill try it if i cant get this working tho :)

    Can try the advanced options and see what happens :)

    C



  • Just got info from my ISP and ill try to translate to the best of my knowledge:

    Telenor IPv6 addresses begin with 2001: 46XX:

    • A router will usually get a / 128 IA_NA address (Identity Association for Nontemporary Addresses) and a / 48 IA_PD (Identity Association for Prefix Delegation) that clients behind router make their own IPv6 addresses from.

    • A "PC" behind a Bridged modem or connected to the ONT (fiber modem) will only get IA_NA address (not IA_PD)

    • If your router gets IA_PD with prefix 2001: 4640: 91 :: / 48 will all client IP addresses (except IA_NA address of the router) starting with 2001: 4640: 91, it is up to the client to decide what they use

    • The prefix is semipermanent for private customers (changed only if the customer switches MX (central)), permanently for business customers.

    So i guess i get a /48 prefix that is "semi-permanent" (as many other ISP's seem to use).

    Next question is then:

    Lets say my LAN gets 2001:4640:91🔢1234::1234/48 by dhcp, can i then set it to a static ipv6 of 2001:4640:91::1 and it should work? and make a dhcp6 scope from 2001:4640:91:0::10 - 2001:4640:91:0:ffff:ffff:ffff:ffff /64 ?

    Probably way off here, but just looking for hints to what im doing wrong :)

    One other "thing":
    When i try to set the prefix delegation on WAN to /48, the LAN ip gets a /64 address… if i set it to /64, the LAN gets a /48 (atleast when i read what is said on the "Interfaces" page on the webui). Is this some sort of bug, or just me that "don't get it"? :)

    C


  • Rebel Alliance Global Moderator

    Dude if your isp ipv6 is not ready for prime time.. Just get a free tunnel.. Stable, clickity clickity to setup.  https://tunnelbroker.net/



  • @Cybdex:


    Probably way off here
    ...

    No, you're not :)

    Looks good to get a /48 on the WAN. And when semi-permanent, then do static on your LAN's.

    So, your property "frontdoor" is 2001:4640:91::/48
    All 2001:4640:91:1::1/64 upto 2001:4640:91:FFFF::1/64 are theoretically for your 65535 LAN subnets.
    Therfore you could make one static LAN with, say, 2001:4640:91🅰:1/64 (subnet LAN = "a")
    Then a DHCP6-Server with range 2001:4640:91🅰:1000/64 to 2001:4640:91🅰:FFFF/64

    All routing public go easy with mask /64. Stick to it unless you know what you're doing ;)



  • Done some more testing, but are still at #1 :(

    If i enable dhcp6 on my WAN, it gets an address. I cant ping/trace any outside ipv6 addresses.
    If i then enable "track interface" on my LAN, it gets an ipv6 address, but still no outside connection (nothing in the fw logs).
    One small strangeness is that the WAN and LAN is on different subnets it seems. Ie. WAN gets: 2001🔡abcd::abcd, while LAN gets 2001🔡abdd::abff. Does not matter what i put in the "delegation size" really. LAN clients also gets a dhcp6 address on the same subnet as the router LAN and can ping the router LAN + routers WAN, but not outside.

    If i put WAN to "request prefix only", the WAN gets a link-local address, with a link-local gateway address. Traffic from router now goes outside. The LAN and LAN clients keep the same ipv6 subnet as before, and everyone can connect out.
    If i then take the LAN address and make it a "static address", in the type of 2001🔡abdd🅰:1, connection still up. Set up dhcp6 server, and give clients ipv6 addresses from 2001🔡abdd🅰:10 -> 2001🔡abdd🅰ffff:ffff:ffff:ffff / 64, everything works for a while, then just dies. Or if i reboot the router, ipv6 connectivity will be dead when the router comes up. I then have to do the whole thing over again to get back my connectivity (including using "track interface") or else i wont get back outside with ipv6.

    I tried to put in the "advanced" settings you listed (tried i tell ya!), but dunno whats supposed to be in all the boxes, and never got a ipv6 address at all doing that - Not on WAN nor on LAN.

    C



  • If you want static config for your LAN and the DHCP6-Server or Static for your clients, then you need to find a way with pfSense-WAN & Advanced config. The standard interface-WAN screen is for Track-Interface out-of-the-box…

    If you can request and get the /48 with DHCP6c, then it could work with Advanced as I indicated earlier. Not all fields need an filling, but depend on your ISP. Good luck with your ISP, let them read this thread ;)



  • Thx for your help HDA :)

    Dont really mind extremely running things "as-is", as long as it would be 100% solid, but it seems that every now and again dhcp6c gets stuck or something and radvd just vanish into thin air and i loose all ipv6 connectivity (described in several other threads aswell).

    Maybe things just go tits up if my ISP reboots some equipment or whatever?

    • It would be nice to be able to eg. segment my own net into different ipv6 subnets or whatever for laughs and giggles :P

    Will look into some advanced configs and post back if i ever figure this nut out :)

    C



  • Hopefully the attachement of my "Advanced settings" for WAN works…

    Set it up like that for my ISP, static ip + dhcp6 on LAN, and rebooted... atleast ipv6 connectivity was up now, so lets see how this turns out :)

    C

    ![Screen Shot 2015-08-21 at 23.33.05.png](/public/imported_attachments/1/Screen Shot 2015-08-21 at 23.33.05.png)
    ![Screen Shot 2015-08-21 at 23.33.05.png_thumb](/public/imported_attachments/1/Screen Shot 2015-08-21 at 23.33.05.png_thumb)



  • Hi, Cybdex.

    Did you get this to work?

    I have also got Telenor Fiber (Norway), and are struggeling with IPv6.

    A couple of month ago, I tried getting it up and running on my Linux server, running side-by-side with the modem, but I failed, also after calling the very expensive "advanced technical support" ;-)

    I ended up running the server behind the modem again, since the modem managed iPv6 correctly.

    I have now ended my TV-subscription, and have therefor no need for the (shitty!) modem any longer. I have installed pfSense on a little machine, and are running that as the gateway. But I have once again trouble setting up IPv6 correctly.

    If you got it to work, with pfSense as the gateway, could you help me by telling which settings you've got?

    Kind regards
    Jørn



  • @jorno:

    If you got it to work, with pfSense as the gateway, could you help me by telling which settings you've got?

    Kind regards
    Jørn

    I sent you a PM with some tips to get you started :)

    C



  • Oki, a little update to my current config that seem to be working well (atm atleast) with static ipv6 on LAN.

    Ive masked my ip, but as you can see i get 2001:4641:xxxx:/48 delegated from my ISP (Telenor Fiber in Norway). Lets say you get 2001:4641:1234::/48, so edit accordingly :)

    I set up WAN with "Advanced config", inputting the prefix under "prefix ipv6-prefix" with "pltime:infinity". And the rest as the picture.
    Then you set your LAN interface to static ipv6. I used ::1 to the end just to keep things simple (eg. 2001:4641:1234::1)

    Enable dhcp6. I just used one /64 for my lan, but you can ofc use more, or separate /64 nets or whatever, but ive not tested that to any degree.. Reason i start at ::200 is to allow for 200 manually configured addresses for servers or whatever that you wont put as dhcp.

    On the "Router Advertisements" tab, i put "Unmanaged" to get SLAAC to work especially with android devices afaik they dont support dhcpv6 addresses.

    This setup may change on the next version of pfSense, as i understand they might be working on a different setup where you are "allowed" to use dhcp6/slaac setup with the lan set to "Track interface", but as of 2.2.6-Release this is not possible :)

    C










  • Using the example above, you can then, lets say, put your https webserver to a static address of : 2001:4641:1234::60 , and allow traffic on port 443 like this picture. (Dont mind the comment saying "NAT", as you wont use NAT when you open for traffic on ipv6, i just copied my ipv4 nat rule and forgot to change the comment when i changed it to ipv6…)

    C




  • Upgrading to pfSense v2.3 broke my IPv6-connectivity. :-)  Need to take a look at it when I get home tonight.

    EDIT: Sorry. A new reboot was needed. Everything working again. Not sure why it never came up the first time.