Can't get native IPv6 working behind pfSense

  • Hey,

    I'm trying to get native IPv6 going behind pfSense.

    Our ISP has assigned us a /56 as follows:

    2a00:xxxx:xxxx:800::1 is the gateway

    Initially I tried to add 2a00:xxxx:xxxx:800::4/56 as the WAN interface, which worked, but then adding, for example, 2a00:xxxx:xxxx:801::1/64 on the LAN interface caused a multicast storm that killed the port to the ISP.

    I did some more reading and from my understanding, the WAN subnet and LAN subnet should both be /64s (arguably /126 on WAN).

    So I setup 2a00:xxxx:xxxx:800::4/64 on WAN and 2a00:xxxx:xxxx:801::1/64 on LAN. ::2 and ::3 are reserved for VRRP purposes at the ISP end.

    All the autoconf and RA stuff seems to work - clients get an IP that's in the right subnet etc. however they can't ping out.

    I can ping the Internet from the pfSense box, but not from a client on the LAN.

    I can ping the pfSense's LAN and WAN interface addresses from the LAN.

    Does this suggest it's a routing issue at the ISP end?

  • How is the ISP assigning your IPv6 range, is it static or DHCP?

    If it is DHCP, then you need to set pfSense to DHCP6 on the WAN interface, and set the DHCPv6 prefix delegation size to something longer than 56, eg: 60, and check Send IPv6 prefix hint.
    Then set the LAN interface IPv6 Configuration type to Track Interface.  You can also set IPv6 prefix ID if you want to control where in the delegated block the prefix will be requested.
    This will auto-configure a non-adjustable (hopefully to be fixed in future versions) DHCPv6 server on the LAN interface that will assign prefix::1000 thru prefix::2000, along with the name servers obtained on the WAN side and domain name configured on the box.  Clients could also use SLAAC addressing, but won't show up in the DHCPv6 leases table.
    Additionally, it will configure the radvd daemon to send router advertisements, with prefix::SLAAC_address of the LAN interface.
    That is enough to get most clients working on the LAN side.
    Important: If you've already tried DHCPv6 on the LAN interface, you should flush the leases table to avoid having old data confuse things.
    See this post: for more details.

    If static assignment, you'll need the ISP to set a /64 on the WAN gateway, and route the remaining subnets to ::4, or preferably a single /64 on the link between their gateway and your router, then route the whole /56 to your router's IP.
    In the end, IPv6 works the same way as IPv4; you must have same subnet mask (prefix length) on each node of the link, and you must route traffic that is outside the scope of the current subnet.

  • Awesome, it's static.

    My thinking then is that they haven't routed the remainder of the /64 anywhere, just sort of lumped it on me.

    I'll drop them a line :)

Log in to reply