Netgate SG-1000 microFirewall

Author Topic: WAN and LAN IPv6  (Read 905 times)

0 Members and 1 Guest are viewing this topic.

Offline pvexed

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
WAN and LAN IPv6
« on: November 29, 2017, 08:35:10 am »
So I think this is pretty non-standard and maybe it's even not intended to work how I am using it, I don't know enough about IPv6, but hopefully you guys will be able to point me in the right direction with something I can say to my ISP if necessary.

Basically my ISP supply me with a single /64 IPv6 block.  I realised from many topics on here that this is not really good enough and I opened a ticket with them about getting a larger block (I asked for /63 or /60), basically just anything with that was larger.  Instead they offered me a second /64 block.

So now I have two blocks:
AAAA:XXXX:1:YYY::/64 and AAAA:XXXX:1:ZZZ::/64

I configure DHCP6 on my WAN side and I am assigned an address within AAAA:XXXX:1:YYY::/64 on my WAN.  So far so good, connectivity works from pfSense.

Next step is I set static IPv6 on my LAN to give the LAN an address of AAAA:XXXX:1:ZZZ::1 and to give out remaining addresses to LAN clients.  All clients do receive an address, but IPv6 doesn't work at all.

Pings from pfSense to the outside world work with either the LAN or WAN address set as the source, but the LAN clients don't have any IPv6 connectivity whatsoever.  Any help with why would be much appreciated.

Offline pvexed

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
Re: WAN and LAN IPv6
« Reply #1 on: November 29, 2017, 09:45:41 am »
Just got a further response back from my ISP and they said:

"Yes, AAAA:XXXX:1:ZZZ::/64 is a "routed prefix" over WAN Address. You can use it on the LAN side, Just need to configure static route at WAN device for AAAA:XXXX:1:ZZZ::/64 pointing towards your LAN or AAAA:XXXX:1:ZZZ::/64 should be directly connected network according to your LAN interface of WAN device."

Which I think is not worded amazingly but it seems like if it's true then I am just missing a configuration step.

marjohh

  • Guest
Re: WAN and LAN IPv6
« Reply #2 on: November 29, 2017, 10:10:15 am »
And have you entered a static route and gateway?

Offline pvexed

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
Re: WAN and LAN IPv6
« Reply #3 on: November 29, 2017, 11:53:29 am »
And have you entered a static route and gateway?

That's the thing I am struggling with, I am not really sure where I need to make a route from and to in order to fix this.  I can see that I can add static routes in Routing in pfSense, and I have the option of a destination network and a gateway.  Right now though I can't even ping AAAA:XXXX:1:ZZZ::1 from LAN clients with addresses in the AAAA:XXXX:1:ZZZ::/64 range, which seems like it should be fixable from client side as a test?

I tried ip -6 route add default via AAAA:XXXX:1:ZZZ::1 on a linux client but no help.

marjohh

  • Guest
Re: WAN and LAN IPv6
« Reply #4 on: November 29, 2017, 01:05:02 pm »
Look in the System Menu, there's an option called Gateways, make sure you have a Gateway for your IPV6 there.

I run statics on WAN and LAN, admitted I have a /48 I can play with but I have /64 on my WAN  and I pick a /64 on my LAN, the same as you.

Trick is to find your gateway, it's usually the link local address of your ISP's router, the next hop. When you are setting the WAN Static address you had to add an IPv6 Upstream gateway, if you did not have one defined in System->Routing then you need to set the Gateway first, then set it in the WAN Static IPv6 Configuration.

Offline pvexed

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
Re: WAN and LAN IPv6
« Reply #5 on: November 29, 2017, 01:41:35 pm »
Thanks for your help so far - so in my Gateways section I have a WAN_DHCP6 gateway set as a default, with an fe80 address set as the gateway itself.

I'm a little confused about what exactly I need to add for the static route.  My WAN is automatically assigned some address in the AAAA:XXXX:1:YYY::/64 when it connects, and I can see that in Status -> Interfaces.

For LAN I am trying to statically assign AAAA:XXXX:1:ZZZ::1 to that interface.  When I do that in Interfaces -> LAN, I have an option to set the "Upstream Gateway", but WAN_DHCP6 is not an option here.  I can't add another gateway with the same fe80 address as it complains that gateway IP already exists.

marjohh

  • Guest
Re: WAN and LAN IPv6
« Reply #6 on: November 29, 2017, 02:21:27 pm »
You should not need it, I have no static route defined. Did you not say that you can ping an ipv6 like google.com from pfsense
?

Offline pvexed

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
Re: WAN and LAN IPv6
« Reply #7 on: November 29, 2017, 02:36:49 pm »
I think the problem is that the /64 blocks are distinct maybe?  I don't have a /48 or a /56 or anything I just have two /64 blocks, and apparently one is routed via the other.

So in block 1 which is the non-routed block, I get assigned a random address from it on WAN via DHCP6.

In block 2 which is the routed block, I assign the first IP as static on the LAN and the rest given out to LAN clients via DHCPv6 or whatever.

In Diagnostics -> Ping I can choose WAN or LAN as the source address and try to ping an IPv6.  When doing this, it correctly pings from block 1 (WAN) or block 2 (LAN) as the source and I get a response.  The problem is that absolutely no IPv6 works on the LAN.  The LAN clients all have addresses from block 2 but they can't ping the static IPv6 on the LAN or anything, there's no v6 connectivity at all.

marjohh

  • Guest
Re: WAN and LAN IPv6
« Reply #8 on: November 29, 2017, 02:38:37 pm »
Have you set up target?

marjohh

  • Guest
Re: WAN and LAN IPv6
« Reply #9 on: November 29, 2017, 02:39:36 pm »
That should read RADVD damn autocorrect!

Offline pvexed

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
Re: WAN and LAN IPv6
« Reply #10 on: November 29, 2017, 02:48:59 pm »
I have it set to Assisted with no further configuration options.  Do I need to make an addition to "RA Subnets" or anything?

marjohh

  • Guest
Re: WAN and LAN IPv6
« Reply #11 on: November 29, 2017, 02:55:59 pm »
Thanks for your help so far - so in my Gateways section I have a WAN_DHCP6 gateway set as a default, with an fe80 address set as the gateway itself.

I'm a little confused about what exactly I need to add for the static route.  My WAN is automatically assigned some address in the AAAA:XXXX:1:YYY::/64 when it connects, and I can see that in Status -> Interfaces.

For LAN I am trying to statically assign AAAA:XXXX:1:ZZZ::1 to that interface.  When I do that in Interfaces -> LAN, I have an option to set the "Upstream Gateway", but WAN_DHCP6 is not an option here.  I can't add another gateway with the same fe80 address as it complains that gateway IP already exists.

There is no upstream gateway on the LAN, but it should be set on the WAN, is that the case?

Offline pvexed

  • Newbie
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
Re: WAN and LAN IPv6
« Reply #12 on: November 29, 2017, 03:11:05 pm »
Thanks for your help so far - so in my Gateways section I have a WAN_DHCP6 gateway set as a default, with an fe80 address set as the gateway itself.

I'm a little confused about what exactly I need to add for the static route.  My WAN is automatically assigned some address in the AAAA:XXXX:1:YYY::/64 when it connects, and I can see that in Status -> Interfaces.

For LAN I am trying to statically assign AAAA:XXXX:1:ZZZ::1 to that interface.  When I do that in Interfaces -> LAN, I have an option to set the "Upstream Gateway", but WAN_DHCP6 is not an option here.  I can't add another gateway with the same fe80 address as it complains that gateway IP already exists.

There is no upstream gateway on the LAN, but it should be set on the WAN, is that the case?

So there's no specific gateway set on the WAN because it's assigned via DHCP6 from ISP rather than statically on my end, but a gateway is defined by DHCP6 and it does work for connectivity from pfSense to the internet - it's an fe80 address.  For the static assignment on the LAN the gateway is set to "None" in the dropdown as it's the only option I have.

marjohh

  • Guest
Re: WAN and LAN IPv6
« Reply #13 on: November 29, 2017, 03:24:21 pm »
If you look in Routing/Gateways, there should be two entries, one for ipv4, one for ipv6, both are created automatically, are they there?

marjohh

  • Guest
Re: WAN and LAN IPv6
« Reply #14 on: November 29, 2017, 03:32:31 pm »
I want you to try something else. I suspect you can set your LAN to track your WAN interface. In WAN settings, you have it set to dhcp6. I think you should find that the LAN side will work if you set it track the WAN, so in LAN, set the IPV6 config type to "Track Interface", then  further down the page set the Track IPv6 interface to WAN, leave the prefix ID at 0.

Try that and then tell me what you see on the dashboard for addresses on the LAN interface.