
Author Topic: Rogers pfSense configuration  (Read 3587 times)


Offline coolspot

Re: Rogers pfSense configuration
« Reply #15 on: October 25, 2016, 05:44:27 pm »
Quote
Is it actually down?  You can try ipv6.google.com to verify.  I find that Gateway Monitoring to an address that didn't respond caused that situation.  I just turn off monitoring, as you don't really need it, if you have only one route to the Internet.  Turning it off also cuts down on traffic.  That monitoring sends out a lot of pings.


Turns out that you can't ping Rogers' gateway - I replaced the monitor IP with Google's IPv6 IP and now it is online.

But another question - how do clients obtain an IPv6 address? Does the DHCP6 Relay and/or DHCP6 Relay & RA need to be enabled?

Thanks.

Offline bimmerdriver

« Reply #16 on: October 25, 2016, 07:06:47 pm »
Quote
But another question - how do clients obtain an IPv6 address? Does the DHCP6 Relay and/or DHCP6 Relay & RA need to be enabled?

If a prefix has been delegated to your router, you should use the dhcpv6 server, not the relay. When you enable the service, you will set the minimum and maximum range, such as ::1000 and ::2000 or whatever. If you will have stateful and stateless devices on your network, set the router mode to assisted. (Android phones only support SLAAC.)

Offline coolspot

« Reply #17 on: October 25, 2016, 07:26:28 pm »
Quote
But another question - how do clients obtain an IPv6 address? Does the DHCP6 Relay and/or DHCP6 Relay & RA need to be enabled?

If a prefix has been delegated to your router, you should use the dhcpv6 server, not the relay. When you enable the service, you will set the minimum and maximum range, such as ::1000 and ::2000 or whatever. If you will have stateful and stateless devices on your network, set the router mode to assisted. (Android phones only support SLAAC.)

Thanks, I got that working as well.

Last question, I have multiple LAN subnets - one regular one and one WiFi LAN ... since Rogers is /64 prefix delegation, is it possible to "split" the IPv6 addresses across two LANs or am I SOL until Rogers changes the prefix delegation?

Thanks.

Offline JKnott

« Reply #18 on: October 25, 2016, 08:57:32 pm »
It may be possible to split a prefix, but it will break some things, including SLAAC.

Offline JKnott

« Reply #19 on: October 25, 2016, 09:01:27 pm »
Quote
I replaced the monitor IP with Google's IPv6 IP and now it is online.

Why not just turn off monitoring?

Quote
But another question - how do clients obtain an IPv6 address? Does the DHCP6 Relay and/or DHCP6 Relay & RA need to be enabled?

Normally, the router uses Router Advertisements to provide the local prefix.  Then the various devices add another 64 bits to the prefix.  Those 64 bits can be derived from the MAC address or be a random number.

Offline JKnott

« Reply #20 on: October 25, 2016, 09:02:50 pm »
Quote
If a prefix has been delegated to your router, you should use the dhcpv6 server, not the relay.

No need for DHCPv6 on the local LAN.  Router Advertisements and SLAAC provide the addresses.

Offline coolspot

« Reply #21 on: October 25, 2016, 10:59:59 pm »
Quote
If a prefix has been delegated to your router, you should use the dhcpv6 server, not the relay.

No need for DHCPv6 on the local LAN.  Router Advertisements and SLAAC provide the addresses.

However, if I run a server on a network, DHCP6 would allow me to set a static address, correct - this would make it easier to set up firewall rules?

Offline Derelict

« Reply #22 on: October 25, 2016, 11:20:24 pm »
Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.

And I believe there is no way to turn off DHCP6 on an inside interface set to track.

"Assisted" is generally what you want on the RA settings since some devices (android) are SLAAC-only.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline coolspot

« Reply #23 on: October 26, 2016, 12:09:45 am »
Quote
Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.

And I believe there is no way to turn off DHCP6 on an inside interface set to track.

"Assisted" is generally what you want on the RA settings since some devices (android) are SLAAC-only.

I'm still getting ramped up on IPv6, but it seems that support for DHCP-PD is still weak in pfSense - without the ability for static mappings to track the WAN PD, the entries will become nullified if the ISP updates the modem address assignment.

I guess I got the basics set up - for hosting a server seems like I'll still be on IPv4.

Offline Derelict

« Reply #24 on: October 26, 2016, 12:19:17 am »
In my opinion support for DHCP-PD is weak on the ISP side.

They're the ones changing what should be static IP addresses.

Use tunnelbroker.net. They manage to issue static /48s. And they don't charge $90+/month.
« Last Edit: October 26, 2016, 12:24:37 am by Derelict »

Online virgiliomi

« Reply #25 on: October 26, 2016, 06:35:27 am »
Quote
I'm still getting ramped up on IPv6, but it seems that support for DHCP-PD is still weak in pfSense - without the ability for static mappings to track the WAN PD, the entries will become nullified if the ISP updates the modem address assignment.

I guess I got the basics set up - for hosting a server seems like I'll still be on IPv4.

Static mappings CAN track the WAN PD. When you create a static DHCPv6 mapping and the interface is set up to track another (i.e. LAN tracking WAN), then the only part of the IPv6 address you're entering is the host portion of the address. I've posted elsewhere that I've set up two hosts on my LAN with ::4001 and ::4002 as the static DHCPv6 addresses. That way if the prefix changes, the DHCPv6 server will adjust and on renewal a valid address will be provided to the host with the new prefix.

The area that still falls short is the firewall, which has no way to create a rule for an address with a dynamic prefix. I suppose you could create an alias with the hostname of your server(s)... but I'd prefer not to have to do that. That's just another piece in a puzzle where if one part fails, you get to figure out what isn't working.

Offline JKnott

« Reply #26 on: October 26, 2016, 07:33:22 am »
Quote
However, if I run a server on a network, DHCP6 would allow me to set a static address, correct - this would make it easier to set up firewall rules?

With SLAAC, you can have 2 types of address, MAC based and random number "privacy" addresses.  For a server, you'd configure the firewall and DNS for the MAC based address, as it's static.  You may have to configure the server to have a MAC address.  It's usually available in Linux, but with Windows you have to specifically enable it.
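The two stable-address schemes discussed in the replies above (a fixed DHCPv6 host portion such as ::4001, and a MAC-based SLAAC address) can be recomputed whenever the delegated prefix changes, which is the step a firewall rule or DNS entry depends on. The following is an added example, not code from any poster or from pfSense; the function names, the MAC address and the prefixes (RFC 3849 documentation range) are constructed for illustration.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def host_in_prefix(prefix: str, interface_id: int) -> ipaddress.IPv6Address:
    """Combine a delegated prefix with a fixed 64-bit host portion."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        # Splitting a /64 (e.g. into /65s) leaves fewer than 64 host bits,
        # which is why SLAAC stops working on the resulting subnets.
        raise ValueError("prefix longer than /64 leaves no room for a 64-bit host part")
    if interface_id >> 64:
        raise ValueError("interface ID must fit in 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)

def rebuild_allow_list(prefix: str, hosts: dict) -> dict:
    """Recompute each server's full address after a prefix change.

    hosts maps name -> MAC string (MAC-based SLAAC) or int (static host portion).
    """
    out = {}
    for name, ident in hosts.items():
        iid = eui64_interface_id(ident) if isinstance(ident, str) else ident
        out[name] = str(host_in_prefix(prefix, iid))
    return out

# Constructed sample data: documentation prefixes and a made-up MAC.
SERVERS = {"web": 0x4001, "mail": 0x4002, "nas": "00:11:22:33:44:55"}
OLD_PD = "2001:db8:aaaa:1::/64"
NEW_PD = "2001:db8:bbbb:7::/64"

if __name__ == "__main__":
    for pd in (OLD_PD, NEW_PD):
        print(pd, rebuild_allow_list(pd, SERVERS))
```

Only the upper 64 bits differ between the two runs, so any rule pinned to the old full address silently stops matching after a prefix change unless it is regenerated.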

Offline JKnott

« Reply #27 on: October 26, 2016, 07:35:31 am »
Quote
Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.

With SLAAC and MAC based addresses, there's no setup at all.  It just works.


Online virgiliomi

« Reply #28 on: October 26, 2016, 09:04:49 pm »
Quote
Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.

With SLAAC and MAC based addresses, there's no setup at all.  It just works.

Except that static DHCP/DHCPv6 also includes hostname resolution in DNS forwarder/resolver, while SLAAC would require a DNS Entry that would need to be changed every time the prefix changes.

Offline bimmerdriver

« Reply #29 on: October 26, 2016, 09:54:20 pm »
Quote
Yes. Though it is arguable that a static config on the server is no more work than setting up a static assignment. At least it's centralized in the DHCP server.

With SLAAC and MAC based addresses, there's no setup at all.  It just works.
Except that static DHCP/DHCPv6 also includes hostname resolution in DNS forwarder/resolver, while SLAAC would require a DNS Entry that would need to be changed every time the prefix changes.

Agreed about the hostnames. Also, it's not like it's difficult to enable dhcpv6. Since it's being used for dhcpv4, you may as well also use it for dhcpv6.