Hmm my static IPv6 seems to be not working, looks like it stopped around 25/10 (judging by the inbound rules last used).
vulcannz:
Hmm my static IPv6 seems to be not working, looks like it stopped around 25/10 (judging by the inbound rules last used).
PM me your customer account number so I can investigate.
https://nick.mackechnie.co.nz | NZ ISP latency monitoring - https://smokeping.thenet.gen.nz
Spent some time on it last night, it was simply needing stateless autoconfig enabled.
Here's what I don't understand, and maybe somebody more experienced in v6 can school me. My configuration was completely static. I had static IP/subnet/gateway/DNS assigned. LL addresses were all the same. I could see the router in the NDR list. I could see traffic routing internally, but nothing was going out over the WAN. Once I enabled stateless address autoconfig (still with static settings) it just worked.
Looks like I jumped the gun a bit. Rebooted my box as I was updating the firmware, and I lost the static v6 connectivity.
I can get DHCPv6 going, but my WAN interface doesn't get assigned an autonomous IP.
When I had static configured I was using
WAN IP: 2406:e001:2:3900::2 (/56)
WAN Gateway: 2406:e001:2:3900::1
This is my v6 config (yes a Sonicwall)
Everything internally sits on a 2406:e001:2:3901::: subnet and is NAT'd outbound, with NATs inbound for web and mail. Yes I know the v6 puritans hate NAT but it makes multiple WAN connections easier, as well as DNS records for services.
I don't mind admitting I got something wrong as I'm primarily running v6 to educate myself on it more.
vulcannz:
I can get DHCPv6 going, but my WAN interface doesn't get assigned an autonomous IP.
There is no need for the router WAN port to have a global unicast IPv6 address. It normally does not use that address anyway - it uses its link-local IPv6 address to route IPv6 packets to and from 2D's next hop router. The only reason to have a global unicast IPv6 address on your WAN port is if the router itself needs to be able to send IPv6 packets further than the local subnet. So if you log into your router and want it to be able to do IPv6 pings and traceroutes to the wider Internet, or to be able to download a new version of firmware for itself via IPv6, then you would want it to have a global unicast IPv6 address. And routers are often able to use a global unicast IPv6 address from one of their LAN ports as the source address anyway if they need to connect beyond the local subnet.
fe31nz:
vulcannz:
I can get DHCPv6 going, but my WAN interface doesn't get assigned an autonomous IP.
There is no need for the router WAN port to have a global unicast IPv6 address. It normally does not use that address anyway - it uses its link-local IPv6 address to route IPv6 packets to and from 2D's next hop router. The only reason to have a global unicast IPv6 address on your WAN port is if the router itself needs to be able to send IPv6 packets further than the local subnet. So if you log into your router and want it to be able to do IPv6 pings and traceroutes to the wider Internet, or to be able to download a new version of firmware for itself via IPv6, then you would want it to have a global unicast IPv6 address. And routers are often able to use a global unicast IPv6 address from one of their LAN ports as the source address anyway if they need to connect beyond the local subnet.
It is a nice to have, and I also like to have a well defined border. I did work around the issue simply using some NAT66 policies.
I must say IPv6 seems to have had very little thought put into it for practical security purposes (enterprise security and below) especially when it comes to windows (temporary v6 addresses are just silly). It's going to be very hard for enterprise, medium and SMB to move to v6 without encountering a bucketload of problems.
I'm no IPv6 expert, but temporary IPv6 addresses only appear when using SLAAC. If you run a DHCPv6-only network, all clients will only have a single address, the one which is assigned. Except Android clients, which won't get an address at all. Thanks google.
ripdog:
I'm no IPv6 expert, but temporary IPv6 addresses only appear when using SLAAC. If you run a DHCPv6-only network, all clients will only have a single address, the one which is assigned. Except Android clients, which won't get an address at all. Thanks google.
If you have rooted your Android devices, install the DHCPv6 app. Otherwise you will likely need to run a separate SSID with SLAAC on it for your Android devices to get IPv6.
As for temporary IPv6 addresses, I would think that sane business networks would be installing a group policy that turns them off. If you want to do it yourself, see this page:
Cheers for that, I've tried disabling SLAAC to see how it goes. Unfortunately I've already manually disabled the temporary IPv6 addresses, so need to wait for the next Windows patch to see if it works (every time they patch it seems to turn back on).
The other problem I'm encountering is Windows 10 will happily be on v6 but my browsers (chrome/firefox/ie/edge) will stick to v4 on some machines. It's quite odd. I checked nslookups, pings, everything under the hood is fine. Older Windows versions like 2008r2 are completely fine, iirc 2008r2 has a different network stack to Windows 10.
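The SLAAC-versus-DHCPv6 behaviour discussed in the posts above is decided by flag bits in the Router Advertisement the router sends, so it can be checked rather than guessed. The following is an added example written for this thread, not code from any poster or vendor: it decodes the RFC 4861 RA header and its Prefix Information options and reports what address-assignment mechanisms the router is offering. Temporary (RFC 4941) addresses can only appear where a prefix carries the A (autonomous) flag, DHCPv6 address assignment is only invited when the M flag is set, and a host with no DHCPv6 client (the Android case from ripdog's post) gets a global address only from an A-flagged prefix. The RA bytes are constructed for the example using the 2001:db8::/32 documentation prefix; `build_ra` is an assumed helper for building test input and leaves the ICMPv6 checksum at zero because no pseudo-header is computed.

```python
"""Decode Router Advertisement flags (RFC 4861) and predict how hosts on the
link will obtain global IPv6 addresses.

Added example for this thread; the RA packets are constructed test input.
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3

RA_FLAG_MANAGED = 0x80      # M: get addresses from DHCPv6
RA_FLAG_OTHER = 0x40        # O: get other config (DNS etc.) from DHCPv6
PIO_FLAG_ONLINK = 0x80      # L: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40  # A: prefix may be used for SLAAC


def parse_router_advertisement(payload: bytes) -> dict:
    """Parse an ICMPv6 RA starting at the ICMPv6 type byte.

    Returns the M/O flags, router lifetime and a list of Prefix Information
    options. Raises ValueError on malformed input (too short, wrong type,
    zero-length option, truncated option).
    """
    if len(payload) < 16:
        raise ValueError("RA too short")
    (icmp_type, code, _csum, _hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "managed": bool(flags & RA_FLAG_MANAGED),
        "other": bool(flags & RA_FLAG_OTHER),
        "router_lifetime": router_lifetime,
        "prefixes": [],
    }
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861 4.6: discard packet
        opt_end = off + opt_len * 8
        if opt_end > len(payload):
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            # type, len, prefix length, flags, valid, preferred, reserved, prefix
            prefix_len, pflags, valid, preferred = struct.unpack(
                "!BBII", payload[off + 2:off + 12])
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{prefix_len}",
                "onlink": bool(pflags & PIO_FLAG_ONLINK),
                "autonomous": bool(pflags & PIO_FLAG_AUTONOMOUS),
                "valid": valid,
                "preferred": preferred,
            })
        off = opt_end
    return ra


def predict_addressing(ra: dict) -> dict:
    """From the RA flags, say which mechanisms hosts on this link will use."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    return {
        "slaac": slaac,
        # RFC 4941 temporary addresses are derived from SLAAC prefixes only.
        "temporary_addresses_possible": slaac,
        "dhcpv6_address": ra["managed"],
        "dhcpv6_other_config": ra["other"],
        # A host with no DHCPv6 client can only get a GUA via SLAAC.
        "host_without_dhcpv6_client_gets_gua": slaac,
    }


def build_ra(managed: bool, other: bool, prefix: str, autonomous: bool) -> bytes:
    """Construct a minimal RA with one Prefix Information option (test input).

    Checksum is left at 0: this example does not compute the pseudo-header.
    """
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    head = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags,
                       1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = PIO_FLAG_ONLINK | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, pflags,
                      2592000, 604800, 0) + net.network_address.packed
    return head + pio


if __name__ == "__main__":
    cases = (("SLAAC link", build_ra(False, True, "2001:db8:1::/64", True)),
             ("DHCPv6-only link", build_ra(True, True, "2001:db8:1::/64", False)))
    for label, ra_bytes in cases:
        print(label, predict_addressing(parse_router_advertisement(ra_bytes)))
```

To audit a real network, capture an RA (for example with Wireshark or tcpdump filtering on ICMPv6 type 134) and pass the ICMPv6 payload bytes to `parse_router_advertisement`. If the intent is a DHCPv6-only segment, the thing to verify is that no advertised prefix carries the A flag; if one does, Windows hosts will still form SLAAC and temporary addresses regardless of the M flag, which matches what the thread describes.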
Does anyone have setup for WAN/LAN for IPv6 on pfsense?