pfsense - what IPv6 configuration type should I be using for my lan interface?
andicniko

8 posts

Wannabe Geek


#289821 30-Sep-2021 22:55

Hello. I recently obtained a static IPv6 prefix from my ISP (2degrees).

 

On the WAN side, the static prefix is obtained the same way I used to get the dynamic prefix - using the DHCPv6 IPv6 configuration type. Same delegation size of /56, same settings, just a static prefix. So far so good.

 

On the LAN side, I currently have the IPv6 configuration type set to "track interface", tracking the WAN. This is left over from before, and is working OK. But I'm unsure if this is still right/useful now that I have a static prefix?

 

The only real issue is I can't give the interface itself a static IPv6 address (which means, for example, I can't point to that address as a gateway or DNS etc).

 

Question 1: Does "track interface" just mean the LAN uses whatever prefix the WAN obtains, or is there more to it?

 

Question 2: Can I use "static IPv6" for the LAN's configuration type without any issue? Should I?

 

For example, if I know my static prefix will always be 1000:1000:1000:1000::/56, is it OK to just give the LAN interface a static IPv6 of 1000:1000:1000:1000::1/56? Or should that be /64?

 

When I try this, it seems to stop the DHCPv6 functioning and my clients stop getting addresses within the range I specify (::1000 to ::2000). I see a few addresses outside of that, and none within.

 

Maybe I just need to wait longer for clients to grab new addresses (it took ages for statically mapped addresses to actually take...).

 

And I could just be seeing SLAAC or temporary IPv6 addresses (which I understand would be outside of my specified range).


fe31nz
821 posts

Ultimate Geek


  #2787447 1-Oct-2021 01:10

 

The only real issue is I can't give the interface itself a static IPv6 address (which means, for example, I can't point to that address as a gateway or DNS etc).

 

Question 2: Can I use "static IPv6" for the LAN's configuration type without any issue? Should I?

 

 

I presume that you are talking about the WAN interface here.  The only reason that you would want the WAN interface to have a global unicast IPv6 address is if there is a need to talk to the pfsense router box from the Internet.  Packets being routed in and out of the WAN interface use the link-local IPv6 address as they only need to travel between the router and your ISP's next hop router over that local subnet.

 

But you are still embedded in IPv4 thinking here.  Your router presumably has more than one Ethernet port - one for WAN and at least one for LAN.  The LAN port will already have a global unicast IPv6 address, and as all global unicast IPv6 addresses are able to be used from the Internet, you just use that address to access the router.  This is impossible in a NATed IPv4 network as the only IPv4 address that is globally routable is the one on your WAN port.  You do need to set up the firewall to allow whatever ports you want to be accessible, but that is all that is needed.  So, for example, if you want to run an IPv6 OpenVPN server on the pfsense box, just open port 1194 on the LAN IPv6 address to access from the Internet.  Then you will need to set up your external DNS with an AAAA record to point to the LAN port address, such as openvpn.6.my.domain.nz.  Or you can run such a server on any of your devices that does IPv6 in the same way, as they are all directly accessible from the Internet.

 

If you really do need a global unicast IPv6 address on the WAN port, or just want to do it for the sake of completeness as I did, then you need to sacrifice one of your subnets for use with this sort of special purpose address.  I chose my 0 subnet.  Then you just pick one of the addresses on that subnet and statically assign it to the WAN port.  You use a mask of /128 to tell the router that it is a single IPv6 address, not a subnet.  The other IPv6 addresses on the chosen subnet can be used for other single addresses if you find a need for one, such as the endpoint addresses of VPNs and tunnels.  Use of such single addresses on other boxes would require that you add specific routing to them as a routing rule.  Using them on the router itself, it will see them directly and be able to route to them without a rule.  The alternative to specific routing rules is to set up a routing protocol such as OSPFv6 or RIPv6 on the router and any box that has addresses other than the one connecting it to the router.  Then such boxes and the router will automatically exchange routing data and all the addresses they know about will be shared and accessible to each other.  This has the advantage that traffic to such other addresses will not be forced to go via the router if there is a better path.

 

 

Question 1: Does "track interface" just mean the LAN uses whatever prefix the WAN obtains, or is there more to it?

 

 

I do not know pfsense, so I can not give a definitive answer, but I would expect that the "track interface" option would just get its prefix from the interface it tracks.  All IPv6 routers have such an option, but they all seem to use different names for it, and different ways of configuring it.  There should be another option, or it might be as part of the "track interface" option, which allows you to specify the subnet number and netmask for the LAN interface.  Always use a /64 subnet mask for any subnet you create yourself, unless you are trying to delegate a larger address space to another router.  In my ER4, these options are in the prefix delegation section of the WAN interface, where each LAN port gets a delegation specification.  But it looks like pfsense puts the settings on the LAN ports, and the setting then specifies the WAN port to get the delegation from.

andicniko

8 posts

Wannabe Geek


  #2787474 1-Oct-2021 08:07

Thanks fe31nz. I was talking about giving the LAN interface an IPv6 address of my choosing (not WAN, sorry should have been more specific). I only need to access the interface on my local network.

The LAN interface correctly uses the static prefix, but is generating the rest of its own address (I think). But I don't know if it is static or liable to change.

Zeon
3860 posts

Uber Geek

Trusted

  #2787507 1-Oct-2021 09:16

Personally I set a static subnet and address on the LAN side and ALWAYS try to use a /64 space. Usually I use ::1 for the router within any subnet. If you go to the DHCP service page there is an area for router advertisement for your clients to use SLAAC inside the LAN side. The interface probably has a link-local which you could use for DNS etc. but personally feel it's easier just to remember my subnet and know my router is a ::1 after it :)







andicniko

8 posts

Wannabe Geek


  #2787625 1-Oct-2021 12:20

OK I have set my LAN's IPv6 configuration type to "static IPv6", and it successfully gets the address ::1.

But it seems to have broken the DHCPv6 on LAN. Clients are no longer getting leases, and seem to be obtaining IPv6 addresses some other way (maybe SLAAC as is enabled on my setup).

This would also explain why clients are getting IPv6 addresses outside of the ::1000 to ::2000 range I specified in the DHCPv6 server settings. Statically mapped addresses still work/get used.

Does anyone know what I might be doing wrong?

andicniko

8 posts

Wannabe Geek


  #2787659 1-Oct-2021 14:07

Zeon:

 

Personally I set a static subnet and address on the LAN side and ALWAYS try to use a /64 space. Usually I use ::1 for the router within any subnet. If you go to the DHCP service page there is an area for router advertisement for your clients to use SLAAC inside the LAN side. The interface probably has a link-local which you could use for DNS etc. but personally feel it's easier just to remember my subnet and know my router is a ::1 after it :)

 

 

This is exactly what I'm trying to do but seem to be breaking things in the process.

 

Would you be able to share a screenshot of the relevant settings? I could compare and see what I have done wrong.

nbroad
291 posts

Ultimate Geek


  #2787662 1-Oct-2021 14:23

edit: I don't have static IPv6 but posted this just in case any of it helps.

 

I use pfsense.

 

On WAN interface:

 

IPv6 configuration type = DHCP6

 

DHCP6 client configuration, request only an IPv6 prefix = ticked

 

On LAN interface:

 

IPv6 configuration type = Track Interface

 

Track IPv6 Interface = set to WAN

 

Under services, DHCPv6 Server and RA:

 

DHCPv6 server is not enabled.

 

Under Router Advertisements, router mode is "assisted"

 

DNS Configuration, provide DNS configuration via radvd is ticked.

 

 

 

Hope that helps

andicniko

8 posts

Wannabe Geek


  #2788703 3-Oct-2021 18:17

nbroad:

 

edit: I don't have static IPv6 but posted this just in case any of it helps.

 

I use pfsense.

 

On WAN interface:

 

IPv6 configuration type = DHCP6

 

DHCP6 client configuration, request only an IPv6 prefix = ticked

 

On LAN interface:

 

IPv6 configuration type = Track Interface

 

Track IPv6 Interface = set to WAN

 

Under services, DHCPv6 Server and RA:

 

DHCPv6 server is not enabled.

 

Under Router Advertisements, router mode is "assisted"

 

DNS Configuration, provide DNS configuration via radvd is ticked.

 

 

 

Hope that helps

 

 

Thanks nbroad, it does help. It's working for me and gets all my devices a SLAAC address successfully.  



andicniko

8 posts

Wannabe Geek


  #2788738 3-Oct-2021 19:45

OK after trying various settings, and trawling many forums... I have DHCPv6 working! Many thanks to everyone for helping.

 

I'll include my working pfsense settings in full below, in case it helps someone in the future. The two things that solved my issues are underlined - both seem to be necessary.

 

pfsense settings for 2degrees fibre:

 

  • Note: Settings work on pfsense 2.5.2-RELEASE (amd64). Any settings that aren't mentioned are left as default.
  • Interfaces / WAN
    • General Configuration
      • IPv4 Configuration Type = PPPoE
      • IPv6 Configuration Type = DHCP6
      • MTU = 1508
        • Note: I am on 2degrees fibre in Wellington, on Chorus' network, which I understand is provisioned differently to other places. Your MTU may vary!
    • DHCP6 Client Configuration
      • Use IPv4 connectivity as parent interface = TRUE
      • Request only an IPv6 prefix = TRUE
      • DHCPv6 Prefix Delegation size = 56
      • Do not wait for a RA = TRUE
    • PPPoE Configuration
      • Username = [the username you use to log in to 2degrees broadband]@snap.net.nz
      • Password = [the password you use to log in to 2degrees broadband]
  • Interfaces / VLANs
    • Note: Create a VLAN, it seems the setup wizard won't ask you/do this for you.
    • Parent Interface = [select the interface you used for WAN, e.g. igb0]
    • VLAN Tag = 10
  • Interfaces / PPPs
    • Note: Edit your PPPoE interface created by the set up wizard, and set it to use the VLAN you just created.
    • Link Interface(s) = [e.g. igb0.10]
  • Interfaces / Interface Assignments
    • Note: Check (and if needed edit) your WAN interface to use the PPPoE/VLAN you edited/created above.
    • WAN = [e.g. PPPOE0(igb0.10) - [your username]@snap.net.nz]
  • Interfaces / LAN
    • General Configuration
      • IPv4 Configuration Type = Static IPv4
      • IPv6 Configuration Type = Static IPv6 [or Track interface, if you don't want to bother with static IPv6]
      • MTU = 1500
        • Note: I am on 2degrees fibre in Wellington, on Chorus' network, which I understand is provisioned differently to other places. Your MTU may vary!
    • Static IPv4 Configuration
      • IPv4 Address = [e.g. 192.168.1.1/24]
    • Static IPv6 Configuration (only if IPv6 Configuration Type = Static IPv6)
      • IPv6 address = [e.g. 1111:2222:3333:4444::1/64]
        • Note: This assumes your prefix is 1111:2222:3333:4444 and is static. You have to specifically ask 2degrees for static IPv6 (otherwise they will assume you just want static IPv4).
      • Use IPv4 connectivity as parent interface = FALSE
        • Note: This is the default. I am only mentioning it because this is the one setting I am not sure about - things still work whether it is set to TRUE or FALSE for me, but I haven't read anything to indicate this is needed.
    • Track IPv6 Interface (only if IPv6 Configuration Type = Track interface)
      • IPv6 Interface = WAN
      • IPv6 Prefix ID = 0 [or other, note 2degrees provides a generous /56 prefix delegation]
  • THE END (if IPv6 Configuration Type = Track interface)
  • Services / DHCPv6 Server & RA / LAN / DHCPv6 Server
    • DHCPv6 Options
      • Range = [your desired IPv6 range in full, e.g. 1111:2222:3333:4444::5000 to 1111:2222:3333:4444::6000]
        • Note: DO NOT omit the prefix when stating the range. This is one of the issues that seemed to prevent my DHCPv6 server working properly (if the LAN interface is set to IPv6 Configuration Type = Static IPv6). By default, the range is stated excluding the prefix, e.g. ::5000 to ::6000. I'm not sure why this should matter, because the subnet field is already populated and aware of 1111:2222:3333:4444, and omitting the prefix does no harm when the LAN interface is set to IPv6 Configuration Type = Track interface.
      • Note: I had some trouble keeping the "Provide DNS servers to DHCPv6 clients" checkbox ticked. It is ticked by default, but seemed to untick by itself when changing and saving settings on this page. When ticking it again and saving, it would just disappear. However, it was ticked after navigating to another page and coming back. So I didn't have an issue in the end.
    • Services / DHCPv6 Server & RA / LAN / Router Advertisements
      • Subnets = [your IPv6 prefix 1111:2222:3333:4444::/64]
        • Note: DO NOT leave this blank. This is one of the issues that seemed to prevent my DHCPv6 server working properly (if the LAN interface is set to IPv6 Configuration Type = Static IPv6). By default this is blank, and it does no harm leaving it blank when the LAN interface is set to IPv6 Configuration Type = Track interface. I'm not sure why this should matter.
    • THE END.

I really hope that helps someone and is easy to find. In the end a reddit post from earlier this year happened to explain the underlined info (maybe one day Kage159 will see this and find out they helped?).
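
The /64-per-subnet advice earlier in the thread and the two fixes in the final post (DHCPv6 range written with the full prefix, Router Advertisements subnet filled in) can be checked before saving a static IPv6 LAN setup. This is an added example, not part of any post and not pfSense code: the function names are hypothetical, the values are typed in by hand rather than read from pfSense, and the 2001:db8::/32 documentation prefix is constructed sample input.

```python
import ipaddress as ip

def lan_subnet(delegation, prefix_id):
    """Return the /64 that a prefix ID selects inside a delegated prefix."""
    net = ip.IPv6Network(delegation)
    if net.prefixlen > 64:
        raise ValueError("delegation must be /64 or shorter")
    if not 0 <= prefix_id < (1 << (64 - net.prefixlen)):  # a /56 holds 256 /64s
        raise ValueError(f"prefix ID {prefix_id} does not fit in a /{net.prefixlen}")
    return ip.IPv6Network((int(net.network_address) + (prefix_id << 64), 64))

def lint_lan(delegation, prefix_id, iface, range_start, range_end, ra_subnets):
    """Return a list of problems with a hand-entered static IPv6 LAN setup."""
    subnet = lan_subnet(delegation, prefix_id)
    problems = []
    ifc = ip.IPv6Interface(iface)
    if ifc.network.prefixlen != 64:
        problems.append(f"interface mask is /{ifc.network.prefixlen}, LAN subnets should be /64")
    if ifc.ip not in subnet:
        problems.append(f"interface address {ifc.ip} is not in {subnet}")
    lo, hi = ip.IPv6Address(range_start), ip.IPv6Address(range_end)
    for label, addr in (("start", lo), ("end", hi)):
        # ipaddress reads "::5000" as the complete address ::5000,
        # so a range written without the prefix fails this check.
        if addr not in subnet:
            problems.append(f"DHCPv6 range {label} {addr} is outside {subnet}; write the prefix in full")
    if lo > hi:
        problems.append("DHCPv6 range start is above range end")
    if subnet not in [ip.IPv6Network(s) for s in ra_subnets]:
        problems.append(f"Router Advertisements subnets do not list {subnet}")
    return problems

if __name__ == "__main__":
    # Constructed sample values (documentation prefix), not from the thread.
    pd = "2001:db8:1234:5600::/56"
    broken = lint_lan(pd, 0, "2001:db8:1234:5600::1/56", "::5000", "::6000", [])
    fixed = lint_lan(pd, 0, "2001:db8:1234:5600::1/64",
                     "2001:db8:1234:5600::5000", "2001:db8:1234:5600::6000",
                     ["2001:db8:1234:5600::/64"])
    print("\n".join(broken) or "no problems")
    print(fixed or "no problems")
```
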
