    [SOLVED] Setting up native IPv6 connectivity

    • samip537S
      samip537
      last edited by

      Allocated blocks:
      2001:2060:4f:c::1/64 (In use.)

      2001:2060:4f:d::1/64
      2001:2060:4f:e::1/64
      (These two for pfSense.)

      The question is how should I add these?

      WAN => Works.

      
      PING6(56=40+8+8 bytes) 2001:2060:4f:d::2 --> 2a00:1450:400f:805::2003
      16 bytes from 2a00:1450:400f:805::2003, icmp_seq=0 hlim=54 time=13.780 ms
      16 bytes from 2a00:1450:400f:805::2003, icmp_seq=1 hlim=54 time=13.306 ms
      16 bytes from 2a00:1450:400f:805::2003, icmp_seq=2 hlim=54 time=13.496 ms
      
      --- google.fi ping6 statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/std-dev = 13.306/13.527/13.780/0.195 ms
      
      

      How do I need to add the LAN IPv6 address? With gateway or without? How do I configure the DHCPv6 server and Router Advertisement?

      Sorry, but I'm pretty noob with IPv6.

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        No different than IPv4.

        Pick an address in one of those blocks, set it as the LAN IPv6 address, no need for a gateway (e.g. 2001:2060:4f:d::1/64).
        Enable DHCPv6 and put in a range of addresses inside the range for the LAN IPv6 subnet (e.g. 2001:2060:4f:d:FFFF:0000 - 2001:2060:4f:d:FFFF:FFFF)
        Enable router advertisements in whatever mode you want. If you use Assisted it will do both DHCPv6 and allow clients to use SLAAC

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • samip537S
          samip537
          last edited by

          @jimp:

          No different than IPv4.

          Pick an address in one of those blocks, set it as the LAN IPv6 address, no need for a gateway (e.g. 2001:2060:4f:d::1/64).
          Enable DHCPv6 and put in a range of addresses inside the range for the LAN IPv6 subnet (e.g. 2001:2060:4f:d:FFFF:0000 - 2001:2060:4f:d:FFFF:FFFF)
          Enable router advertisements in whatever mode you want. If you use Assisted it will do both DHCPv6 and allow clients to use SLAAC

          Okay, they now get IPv6 addresses. IPv6 traffic from LAN does not get out, however.

          Routes:
          [Check attachment named IPV6_routes.JPG, it's from pfSense.]

          Routes & Ping6 to google from linux host:
          [Check attachment named: ipv6_not_working_linux.JPG]

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Do you have rules to pass out IPv6 from the local interface(s)? Can the local devices ping their gateway? What about the gateway one hop up from pfSense? (the pfSense WAN gateway)

            • samip537S
              samip537
              last edited by

              @jimp:

              Do you have rules to pass out IPv6 from the local interface(s)? Can the local devices ping their gateway? What about the gateway one hop up from pfSense? (the pfSense WAN gateway)

              I think that I have the rules to pass out the IPv6.
              [Attachment named, Firewall_rules.JPG]

              Local devices cannot ping their gateway nor the WAN gateway.
              [Attachment named, cannot_ping_new.JPG]
              I corrected it.

              Are these correct?
              [Attachment named, Interfaces.JPG]

              • D
                David_W
                last edited by

                In cannot_ping.jpg you appear to be mistakenly using ping, not ping6.

                • samip537S
                  samip537
                  last edited by

                  @David_W:

                  In cannot_ping.jpg you appear to be mistakenly using ping, not ping6.

                  Yeah, I have. I was tired when making that probably, but the problem still is there.

                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    The screenshot shows the LAN IP address ending in ::1 but the ping test was going to ::3, which is correct?

                    • samip537S
                      samip537
                      last edited by

                      @jimp:

                      The screenshot shows the LAN IP address ending in ::1 but the ping test was going to ::3, which is correct?

                      Which screenshot?

                      The LAN IP address on pfSense does not end in ::1, but rather ::3 which is the thing I'm trying to ping.
                      IPv6 gateway ends in ::1 which is unreachable from the local devices.

                      The ping does work to pfSense.
                      [Check attachment called, Ping_to_pfsense_works.JPG]

                      Traceroute6 to google.fi fails.
                      [Attachment named, traceroute6_fails.JPG]

                      • awebsterA
                        awebster
                        last edited by

                        Way back at the beginning you said…

                        Allocated blocks:
                        2001:2060:4f:c::1/64 (In use.)

                        2001:2060:4f:d::1/64
                        2001:2060:4f:e::1/64
                        (These two for pfSense.)

                        You haven't mentioned anything about the 2001:2060:4f:c::/64 block, but from the discussions, it looks like whatever is routing traffic to 2001:2060:4f:d::/64 isn't routing 2001:2060:4f:e::/64 to 2001:2060:4f:d::1.

                        Without that, it's never going to work.

                        –A.

                        • samip537S
                          samip537
                          last edited by

                          @awebster:

                          Way back at the beginning you said…

                          Allocated blocks:
                          2001:2060:4f:c::1/64 (In use.)

                          2001:2060:4f:d::1/64
                          2001:2060:4f:e::1/64
                          (These two for pfSense.)

                          You haven't mentioned anything about the 2001:2060:4f:c::/64 block, but from the discussions, it looks like whatever is routing traffic to 2001:2060:4f:d::/64 isn't routing 2001:2060:4f:e::/64 to 2001:2060:4f:d::1.

                          Without that, it's never going to work.

                          –A.

                          I haven't mentioned about the 2001:2060:4f:c::/64 block as it's irrelevant for this discussion. It has absolutely nothing to do with pfSense configuration. I don't even know why I mentioned it in the first place. So the problem basically is on the ISP/Provider side or what should I do? Add a route in pfSense from 2001:2060:4f:d::/64 to 2001:2060:4f:e::/64?

                          • H
                            hda
                            last edited by

                            We could use 3 more GUI screenshots from you, to confirm the total situation:

                            • Interfaces: WAN
                            • Interfaces: LAN
                            • Status: Interfaces
                            • awebsterA
                              awebster
                              last edited by

                              @samip537:

                              I haven't mentioned about the 2001:2060:4f:c::/64 block as it's irrelevant for this discussion. It has absolutely nothing to do with pfSense configuration. I don't even know why I mentioned it in the first place. So the problem basically is on the ISP/Provider side or what should I do? Add a route in pfSense from 2001:2060:4f:d::/64 to 2001:2060:4f:e::/64?

                              Ok, but how does the traffic get from the Internet to 2001:2060:4f:d::/64 and 2001:2060:4f:e::/64 ?

                              If I traceroute this from outside, it stops at 2001:2060:4f::2
                              So somehow there is filtering or a routing missing at 2001:2060:4f::2 to get it any further.

                              –A.

                              • samip537S
                                samip537
                                last edited by

                                @hda:

                                We could use 3 more GUI screenshots from you, to confirm the total situation:

                                • Interfaces: WAN
                                • Interfaces: LAN
                                • Status: Interfaces

                                Here are the screenshots requested in the attachments. You should be able to identify each file by file name.

                                P.S. IPv4-related WAN properties and information have been censored for privacy and server security purposes.

                                @awebster:

                                @samip537:

                                I haven't mentioned about the 2001:2060:4f:c::/64 block as it's irrelevant for this discussion. It has absolutely nothing to do with pfSense configuration. I don't even know why I mentioned it in the first place. So the problem basically is on the ISP/Provider side or what should I do? Add a route in pfSense from 2001:2060:4f:d::/64 to 2001:2060:4f:e::/64?

                                Ok, but how does the traffic get from the Internet to 2001:2060:4f:d::/64 and 2001:2060:4f:e::/64 ?

                                If I traceroute this from outside, it stops at 2001:2060:4f::2
                                So somehow there is filtering or a routing missing at 2001:2060:4f::2 to get it any further.

                                What do you mean by "but how does the traffic get from the Internet to 2001:2060:4f:d::/64 and 2001:2060:4f:e::/64"? I don't understand your point here.

                                The one at 2001:2060:4f::2 is not under my control, as you can see from the reverse. (turku-ipv6-gw.woima.eu (2001:2060:4f::2))

                                • awebsterA
                                  awebster
                                  last edited by

                                  Talk to your provider, the routing is messed up…

                                  traceroute6 -n 2001:2060:4f:d::1

                                  …
                                  7  2001:2000:6028:2003::1  155.319 ms  145.846 ms  144.258 ms
                                  8  2001:2000:6028:2003::2  148.698 ms  142.799 ms  149.023 ms
                                  9  2001:2060:4f:d::1  142.449 ms  148.295 ms  150.436 ms

                                  Looks good.

                                  traceroute6 -n 2001:2060:4f:d::2

                                  …
                                  7  2001:2000:6028:2003::1  167.166 ms  142.889 ms  146.229 ms
                                  8  2001:2000:6028:2003::2  144.331 ms  144.679 ms  144.495 ms
                                  9  2001:2060:4f::2  153.608 ms  148.259 ms  143.434 ms
                                  10  * * *
                                  11  * * *

                                  Looks good, especially if you aren't allowing inbound traceroute requests.  If you see a bunch from …::55, it's me.
                                  And

                                  ping6 2001:2060:4f:d::2

                                  PING 2001:2060:4f:d::2(2001:2060:4f:d::2) 56 data bytes
                                  64 bytes from 2001:2060:4f:d::2: icmp_seq=1 ttl=50 time=151 ms
                                  64 bytes from 2001:2060:4f:d::2: icmp_seq=2 ttl=50 time=143 ms

                                  Seems to confirm that it is working.

                                  traceroute6 -n 2001:2060:4f:e::1

                                  …
                                  7  2001:2000:6028:2003::1  154.028 ms  143.610 ms *
                                  8  2001:2000:6028:2003::2  149.536 ms  154.901 ms  154.917 ms
                                  9  2001:2060:4f:e::1  150.610 ms  155.257 ms  141.915 ms

                                  ping6 2001:2060:4f:e::1

                                  PING 2001:2060:4f:e::1(2001:2060:4f:e::1) 56 data bytes
                                  64 bytes from 2001:2060:4f:e::1: icmp_seq=1 ttl=51 time=166 ms
                                  64 bytes from 2001:2060:4f:e::1: icmp_seq=2 ttl=51 time=138 ms

                                  But wait!  You said your device is on 2001:2060:4f:e::3, so who is answering ::1 address ?!

                                  traceroute6 -n 2001:2060:4f:e::3

                                  …
                                  7  2001:2000:6028:2003::1  163.236 ms  142.555 ms  152.851 ms
                                  8  2001:2000:6028:2003::2  153.137 ms  153.784 ms  153.791 ms
                                  9  2001:2060:4f::2  154.282 ms  149.070 ms  148.692 ms
                                  10  2001:2060:4f::2  2180.388 ms !H * *

                                  ping6 2001:2060:4f:e::3

                                  PING 2001:2060:4f:e::3(2001:2060:4f:e::3) 56 data bytes
                                  From 2001:2060:4f::2 icmp_seq=1 Destination unreachable: Address unreachable

                                  Also not correct, …e::1 works (but maybe it shouldn't be), and ...e::3 goes somewhere completely different?!

                                  –A.

                                  1 Reply Last reply Reply Quote 0
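The three outcomes read off the traces in the post above (target reached, silence after the last router, and an explicit unreachable from 2001:2060:4f::2), as an added example that is not part of the original posts: a small Python classifier run over the traceroute6 output copied from that post. The verdict names and function names are this example's own.

```python
import ipaddress
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")  # "<hop no>  <addr/RTT/flag tokens>"

# traceroute6 -n output copied from the post above (earlier hops are elided there too).
TRACE_D1 = """
 7  2001:2000:6028:2003::1  155.319 ms  145.846 ms  144.258 ms
 8  2001:2000:6028:2003::2  148.698 ms  142.799 ms  149.023 ms
 9  2001:2060:4f:d::1  142.449 ms  148.295 ms  150.436 ms
"""
TRACE_D2 = """
 7  2001:2000:6028:2003::1  167.166 ms  142.889 ms  146.229 ms
 8  2001:2000:6028:2003::2  144.331 ms  144.679 ms  144.495 ms
 9  2001:2060:4f::2  153.608 ms  148.259 ms  143.434 ms
10  * * *
11  * * *
"""
TRACE_E3 = """
 7  2001:2000:6028:2003::1  163.236 ms  142.555 ms  152.851 ms
 8  2001:2000:6028:2003::2  153.137 ms  153.784 ms  153.791 ms
 9  2001:2060:4f::2  154.282 ms  149.070 ms  148.692 ms
10  2001:2060:4f::2  2180.388 ms !H * *
"""

def parse_hops(output):
    """Yield (hop_no, first responder or None, set of !X flags) per hop line."""
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # blank lines and anything that is not a numbered hop
        responder, flags = None, set()
        for tok in m.group(2).split():
            if tok.startswith("!"):
                flags.add(tok)
            elif ":" in tok and responder is None:
                try:
                    responder = ipaddress.IPv6Address(tok)
                except ValueError:
                    pass  # not an address (e.g. a hostname when -n is omitted)
        yield int(m.group(1)), responder, flags

def classify(target, output):
    """Return (verdict, last responding address) for one trace."""
    target = ipaddress.IPv6Address(target)
    answered = [h for h in parse_hops(output) if h[1] is not None]
    if not answered:
        return ("no-reply", None)
    _, last, flags = answered[-1]
    if last == target:
        return ("reached", str(last))
    if "!H" in flags:
        # The last router itself reported the address unreachable, matching
        # the ping6 "Address unreachable" reply shown in the post.
        return ("address-unreachable", str(last))
    # Probes past this hop vanished: filtered, or dropped without an ICMP error.
    return ("silent-after", str(last))

if __name__ == "__main__":
    for target, trace in [("2001:2060:4f:d::1", TRACE_D1),
                          ("2001:2060:4f:d::2", TRACE_D2),
                          ("2001:2060:4f:e::3", TRACE_E3)]:
        print(target, *classify(target, trace))
```

A "silent-after" verdict alone cannot tell a firewall drop from a missing route, which is why the post pairs each trace with a ping6.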
                                  • samip537S
                                    samip537
                                    last edited by

                                    @awebster:

                                    Talk to your provider, the routing is messed up…

                                    traceroute6 -n 2001:2060:4f:d::1

                                    …
                                    7  2001:2000:6028:2003::1  155.319 ms  145.846 ms  144.258 ms
                                    8  2001:2000:6028:2003::2  148.698 ms  142.799 ms  149.023 ms
                                    9  2001:2060:4f:d::1  142.449 ms  148.295 ms  150.436 ms

                                    Looks good.

                                    traceroute6 -n 2001:2060:4f:d::2

                                    …
                                    7  2001:2000:6028:2003::1  167.166 ms  142.889 ms  146.229 ms
                                    8  2001:2000:6028:2003::2  144.331 ms  144.679 ms  144.495 ms
                                    9  2001:2060:4f::2  153.608 ms  148.259 ms  143.434 ms
                                    10  * * *
                                    11  * * *

                                    Looks good, especially if you aren't allowing inbound traceroute requests.  If you see a bunch from …::55, it's me.
                                    And

                                    ping6 2001:2060:4f:d::2

                                    PING 2001:2060:4f:d::2(2001:2060:4f:d::2) 56 data bytes
                                    64 bytes from 2001:2060:4f:d::2: icmp_seq=1 ttl=50 time=151 ms
                                    64 bytes from 2001:2060:4f:d::2: icmp_seq=2 ttl=50 time=143 ms

                                    Seems to confirm that it is working.

                                    traceroute6 -n 2001:2060:4f:e::1

                                    …
                                    7  2001:2000:6028:2003::1  154.028 ms  143.610 ms *
                                    8  2001:2000:6028:2003::2  149.536 ms  154.901 ms  154.917 ms
                                    9  2001:2060:4f:e::1  150.610 ms  155.257 ms  141.915 ms

                                    ping6 2001:2060:4f:e::1

                                    PING 2001:2060:4f:e::1(2001:2060:4f:e::1) 56 data bytes
                                    64 bytes from 2001:2060:4f:e::1: icmp_seq=1 ttl=51 time=166 ms
                                    64 bytes from 2001:2060:4f:e::1: icmp_seq=2 ttl=51 time=138 ms

                                    But wait!  You said your device is on 2001:2060:4f:e::3, so who is answering ::1 address ?!

                                    traceroute6 -n 2001:2060:4f:e::3

                                    …
                                    7  2001:2000:6028:2003::1  163.236 ms  142.555 ms  152.851 ms
                                    8  2001:2000:6028:2003::2  153.137 ms  153.784 ms  153.791 ms
                                    9  2001:2060:4f::2  154.282 ms  149.070 ms  148.692 ms
                                    10  2001:2060:4f::2  2180.388 ms !H * *

                                    ping6 2001:2060:4f:e::3

                                    PING 2001:2060:4f:e::3(2001:2060:4f:e::3) 56 data bytes
                                    From 2001:2060:4f::2 icmp_seq=1 Destination unreachable: Address unreachable

                                    Also not correct, …e::1 works (but maybe it shouldn't be), and ...e::3 goes somewhere completely different?!

                                    2001:2060:4f:e::1 => Provider's GW. (Working on getting it fixed so it's the pfSense LAN address.)
                                    2001:2060:4f:e::3 => That's the pfSense's LAN interface, pings are not allowed that are originating from WAN interface.

                                    Please use ICMP or TCP, but not UDP when trying to traceroute, might work better.

                                    I have talked to my provider today, they will work on it.

                                    • H
                                      hda
                                      last edited by

                                      You should be able to make LAN as 2001:2060:f4:e::1/64, all the 2001:2060:f4:e: numbers should be yours.
                                      [The last 64 bits are required reserved for any host on the LAN, SLAAC or DHCPv6 or Static.]

                                      Your gateway for the LAN is obviously 2001:2060:f4:d::1/64
                                      Look in System: (routing) Gateways for your correct route.

                                      For Static on hosts use RA + Router Only
                                      For DHCP6-Server (range in last 64 bits) use RA + Managed (be sure to NOT check bogon networks on Interfaces:LAN)
                                      For SLAAC from hosts use RA + Unmanaged

                                      [N.B. subnets are important to differentiate, so :d::/64 is for your WAN and :e::/64 is for your LAN.]

                                      1 Reply Last reply Reply Quote 0
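An added sanity check, not from any poster or from pfSense, for the addressing rules given in jimp's first reply and in hda's notes above: separate /64s for WAN and LAN, a DHCPv6 pool inside the LAN subnet, and the LAN prefix routed by the provider to the pfSense WAN address. It assumes the WAN address is 2001:2060:4f:d::2 and the provider gateway is 2001:2060:4f:d::1, as the thread suggests; the pool addresses, the `check_plan` function and its `lan_prefix_next_hop` parameter are constructed for the example.

```python
import ipaddress

def check_plan(wan_if, lan_if, wan_gw, dhcp6_range, lan_prefix_next_hop):
    """Return a list of problems with a routed-prefix IPv6 plan (empty = consistent).

    lan_prefix_next_hop is where the provider's router sends the LAN prefix
    (None = it is not routed onward); only the provider can confirm this value.
    """
    wan = ipaddress.IPv6Interface(wan_if)
    lan = ipaddress.IPv6Interface(lan_if)
    gw = ipaddress.IPv6Address(wan_gw)
    lo, hi = (ipaddress.IPv6Address(a) for a in dhcp6_range)
    problems = []

    if wan.network.overlaps(lan.network):
        problems.append("same-subnet: WAN and LAN must be different /64s")
    if lan.network.prefixlen != 64:
        problems.append("prefix-length: SLAAC needs a /64 on the LAN")
    if gw not in wan.network or gw == wan.ip:
        problems.append("gateway: WAN gateway must be another host on the WAN subnet")
    if not (lo in lan.network and hi in lan.network and lo <= hi):
        problems.append("dhcp6-range: pool is not inside the LAN subnet")
    elif lo <= lan.ip <= hi:
        problems.append("dhcp6-range: pool contains the router's own LAN address")
    if lan_prefix_next_hop is None:
        problems.append("not-routed: provider does not route the LAN prefix onward")
    elif ipaddress.IPv6Address(lan_prefix_next_hop) != wan.ip:
        problems.append("wrong-next-hop: LAN prefix is routed to another address")
    return problems

# Prefixes from the thread; the DHCPv6 pools are constructed sample values.
WAN, GW = "2001:2060:4f:d::2/64", "2001:2060:4f:d::1"

# End state: LAN on its own /64, prefix routed to the pfSense WAN address.
FINAL = (WAN, "2001:2060:4f:e::1/64", GW,
         ("2001:2060:4f:e::1000", "2001:2060:4f:e::1fff"), "2001:2060:4f:d::2")

# Mid-thread state: LAN on e::3 while the provider still answers on e::1 itself.
MID_THREAD = (WAN, "2001:2060:4f:e::3/64", GW,
              ("2001:2060:4f:e::1000", "2001:2060:4f:e::1fff"), None)

# LAN placed inside the WAN /64: clients get addresses but nothing is routed.
SAME_SUBNET = (WAN, "2001:2060:4f:d::3/64", GW,
               ("2001:2060:4f:d::1000", "2001:2060:4f:d::1fff"), None)

if __name__ == "__main__":
    for name, plan in [("final", FINAL), ("mid-thread", MID_THREAD),
                       ("same-subnet", SAME_SUBNET)]:
        print(name, check_plan(*plan) or "OK")
```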
                                      • samip537S
                                        samip537
                                        last edited by

                                        @hda:

                                        You should be able to make LAN as 2001:2060:f4:e::1/64, all the 2001:2060:f4:e: numbers should be yours.
                                        [The last 64 bits are required reserved for any host on the LAN, SLAAC or DHCPv6 or Static.]

                                        Your gateway for the LAN is obviously 2001:2060:f4:d::1/64
                                        Look in System: (routing) Gateways for your correct route.

                                        For Static on hosts use RA + Router Only
                                        For DHCP6-Server (range in last 64 bits) use RA + Managed (be sure to NOT check bogon networks on Interfaces:LAN)
                                        For SLAAC from hosts use RA + Unmanaged

                                        Everything works now. Ports are reachable through IPv6.

                                        Final routes can be found from the attachments.

                                        You may do a traceroute6 to mail.sami-mantysaari.com to check. :)

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.