IPv6 settings for pfSense with Cerberus FTTP

Hi - I've just had Cerberus FTTP installed and need some help setting up IPv6 on my pfSense router. I can see on my Cerberus NETConnect page an IPv6 subnet so just need to know how this should be set on the WAN and LAN settings.

IPv6 Subnet : 2a01:xxxx:x:xxx::/64

The default DHCP6 setting doesn't seem to pick up the IPv6 address so I assume I need to setup a static IPv6 setting?

Edited by brookheather (Fri 29-Mar-19 17:36:58)

So I can now ping an IPv6 hostname from the pfSense router diagnostics page (ipv6.google.com). I followed these instructions to get an IPv6 address showing for the WAN connection on the status dashboard - they were posted by someone for a BT connection and I just changed the prefix delegation from /56 to /64.

Step 1: Configure your WAN interface�s IPv6 configuration type to be �DHCP6�. In the client configuration, check �Request a IPv6 prefix/information through the IPv4 connectivity link� and �Only request an IPv6 prefix, do not request an IPv6 address�. Set �DHCPv6 Prefix Delegation size� to �64�. Leave all other options as default.

Step 2: Configure your LAN interface�s IPv6 configuration to be �Track interface�. Scroll down, and under the �Track IPv6 Interface� section, select �WAN� from the IPv6 Interface dropdown. Leave �IPv6 Prefix ID� as default (0).

Step 3: Apply changes. And watch the interfaces status screen light up with that magic IPv6 address. RA will publish the prefix information out to your network shortly after connection, and your computer of choice should have an IPv6 address that�s useable.

Step 4 (optional): Reboot your pfSense box. If the interface doesn�t take the new addressing upon reconnecting, a reboot should do the trick.

I am just having a problem pinging this hostname from any of my PCs - I get different results. From the pfSense router:

PING6(56=40+8+8 bytes) 2a01:xxxx:x:xxx:92e2:baff:feef:724f --> 2a00:1450:400c:c0c::65
16 bytes from 2a00:1450:400c:c0c::65, icmp_seq=0 hlim=46 time=8.793 ms
16 bytes from 2a00:1450:400c:c0c::65, icmp_seq=1 hlim=46 time=9.410 ms
16 bytes from 2a00:1450:400c:c0c::65, icmp_seq=2 hlim=46 time=9.438 ms

--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 8.793/9.214/9.438/0.298 ms

but from my PC:

Pinging ipv6.l.google.com [2a00:1450:4009:80c::200e] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 2a00:1450:4009:80c::200e:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Edited by brookheather (Fri 29-Mar-19 16:26:55)

In reply to a post by brookheather:

Hi - I've just had Cerberus FTTP installed and need some help setting up IPv6 on my pfSense router. I can see on my Cerberus NETConnect page an IPv6 subnet so just need to know how this should be set on the WAN and LAN settings.

IPv6 Subnet : 2a01:xxxx:1:xxx::/64

The default DHCP6 setting doesn't seem to pick up the IPv6 address so I assume I need to setup a static IPv6 setting?

It depends on how Cerberus have set this up, and I suggest you contact them to clarify as there are a lot of possibilities.

What I would *expect* them to do is to allocate you a /64 for the WAN link, and an additional /56 or /48 for your LAN side. You can then use this to assign /64 subnets to one or more LAN segments on your side.

It's possible they use stateless autoconfiguration or DHCP6 or IP unnumbered for the WAN link, and the /64 they have given you is for your LAN side. That would be very parsimonious of them. End users should get at least a /56, and on a business service I'd expect you to get a /48. If they only gave you a /64, it would be impossible to have even two IPv6 subnets in your house (e.g. one for internal use and one for guests)

It's possible they assigned you a /48, but haven't told you what it is, and expect you to use DHCP6 prefix delegation to assign LAN subnets. That's not ideal for a business service, where you want to configure IPv6 subnets statically.

I recall there's an RFC somewhere which lets them give you a large block, and assign the point-to-point /64 out of the same block. << Digs around: found it, this is RFC6603, "prefix exclude" option for DHCP6 >> But if they were doing that, they would have given you a /48 or /56, not a /64.

So basically: go back and ask specifically what subnets you should use for the WAN point-to-point link and for the LAN subnet(s) behind your router.

Aside: I have come across providers who sell IPv6 but don't understand how to configure it properly. At one office, from a provider who shall remain nameless, they decided to assign us a *flat* /48 network: that is, at the handover point their router was xxxx::1/48 and they expected to see a single LAN with the whole /48 on it. That's totally broken

My WAN interface is showing an IPv6 address of 2a01:xxxx:x:xxx:92e2:baff:feef:724f but my PCs are showing a different prefix - is this normal?

IPv6 Address. . . . . . . . . . . : fda7:4f6c:75bc:1:8974:cfef:fbe6:add5(Preferred)
Temporary IPv6 Address. . . . . . : fda7:4f6c:75bc:1:88e2:c43f:1693:b1c8(Preferred)
Link-local IPv6 Address . . . . . : fe80::8974:cfef:fbe6:add5%10(Preferred)

Any idea what I need to add to pfSense to route IPv6 to the WAN? Should I add a new outbound rule?

In reply to a post by brookheather:

My WAN interface is showing an IPv6 address of 2a01:xxxx:x:xxx:92e2:baff:feef:724f but my PCs are showing a different prefix - is this normal?

IPv6 Address. . . . . . . . . . . : fda7:4f6c:75bc:1:8974:cfef:fbe6:add5(Preferred)
Temporary IPv6 Address. . . . . . : fda7:4f6c:75bc:1:88e2:c43f:1693:b1c8(Preferred)
Link-local IPv6 Address . . . . . : fe80::8974:cfef:fbe6:add5%10(Preferred)

Addresses which begin fd..: are not real IPv6 addresses, these are the equivalent of private RFC1918 addresses in the IPv4 world. You won't be able to reach the Internet using these without using IPv6 NAT (yuk! Don't do it). They only have significance within a site.

Addresses which begin fe80: are link-local, and only have significance between two directly-attached devices. They are the equivalent of 169.254.x.x addresses in the IPv4 world.

So "yes", it's normal that your LAN addresses are from a different subnet than your WAN link, but "no", it's not normal to use non-routable IPv6 addresses on the LAN.

Any idea what I need to add to pfSense to route IPv6 to the WAN? Should I add a new outbound rule?

pfSense will have an "allow all outbound" rule by default, so once the addressing and routing is set up correctly, I'd expect it to just work.

Like I say, there are lots of ways Cerberus could have decided to build their IPv6 service, so you should come back when you have the details.

A *typical* configuration might be:

- provider gives you XXXX:XXXX:XXXX:XXXX::/64 as the WAN P2P link
=> configure your WAN address with XXXX:XXXX:XXXX:XXXX::2/64
=> point default route at XXXX:XXXX:XXXX:XXXX::1

- provider gives you YYYY:YYYY:YYYY::/48 as your local block
=> configure your pfSense LAN interface as YYYY:YYYY:YYYY:1::1/64
=> if you have more local subnets, configure the next interface as YYYY:YYYY:YYYY:2::1/64 etc
=> pfSense should give out IPv6 addresses to client devices from these ranges, using either SLAAC or DHCPv6
=> pfSense should give out its own IP address as default gateway, using Router Advertisements

So I am confused as to why my PCs aren't picking up an IPv6 address from the DHCPv6 Server that is running on the pfSense router. It is configured to use the subnet Prefix Delegation with a range of ::1000 to ::2000 so I would expect my PC to have a local IPv6 address like 2a01:xxxx:x:xxx:1000.

It looks like the PCs aren't asking for an IPv6 address from the DHCPv6 server? Perhaps this setting needs changing from Assisted mode?

Select the Operating Mode for the Router Advertisement (RA) Daemon.
Disabled
RADVD will not be enabled on this interface.
Router Only
Will advertise this router.
Unmanaged
Will advertise this router with stateless autoconfig.
Managed
Will advertise this router with all configuration through a DHCPv6 server.
Assisted
Will advertise this router with configuration through a DHCPv6 server and/or stateless autoconfig.
Stateless DHCP
Will advertise this router with stateless autoconfig and other configuration information available via DHCPv6.

Edited by brookheather (Fri 29-Mar-19 18:59:27)

In reply to a post by brookheather:

So I am confused as to why my PCs aren't picking up an IPv6 address from the DHCPv6 Server that is running on the pfSense router. It is configured to use the subnet Prefix Delegation with a range of ::1000 to ::2000 so I would expect my PC to have a local IPv6 address like 2a01:xxxx:x:xxx:1000.

It looks like the PCs aren't asking for an IPv6 address from the DHCPv6 server? Perhaps this setting needs changing from Assisted mode?

Select the Operating Mode for the Router Advertisement (RA) Daemon.
Disabled
RADVD will not be enabled on this interface.
Router Only
Will advertise this router.
Unmanaged
Will advertise this router with stateless autoconfig.
Managed
Will advertise this router with all configuration through a DHCPv6 server.
Assisted
Will advertise this router with configuration through a DHCPv6 server and/or stateless autoconfig.
Stateless DHCP
Will advertise this router with stateless autoconfig and other configuration information available via DHCPv6.

No, you can't use DHCP6 without radvd. This is because in their infinite wisdom, the designers of DHCP6 decided that it *wouldn't* include a gateway setting. So the only way that DHCP6 clients can pick up a gateway is by listening for router advertisements

As it happens, I do manage a site which uses IPv6, pfSense 2.4.4p2, and DHCP6 instead of SLAAC - but note this is with static LAN address assignment, not using prefix delegation to pick up LAN subnets from upstream. In fact, I don't know if pfSense has the ability to act as DHCP6 client and pick up prefixes to configure the LAN side dynamically; I've not come across any settings for it.

FWIW, the way I have it configured is:

* Services > DHCPv6 server & RA
* LAN tab
* DHCPv6 server tab
* (X) Enable DHCPv6 server on interface LAN
* Range: statically assigned from XXXX:XXXX:XXXX:XXXX::1000 to ::1ffff (matching the LAN prefix, which as I said, was already statically configured; the LAN address is XXXX:XXXX:XXXX:XXXX::1/64)
* Prefix delegation range/size: not required (*)
* Router Advertisements tab
* Router mode: Managed - RA flags [managed, other stateful]

It's the "managed" option which tells the clients to pick up an address via DHCP6, not via SLAAC.

I see you've already made the decision to use DHCP6 instead of SLAAC. In my opinion that's the right one - clients who pick up SLAAC addresses are also forced to use privacy addresses, picking up a new random address every few hours. With DHCP6 they just stick with whatever address was given to them.

(*) This is only used if there are other devices in your LAN which in turn are requesting entire prefixes to be delegated to them. So for example, if Cerberus gave you a /48 XXXX:XXXX:XXXX::/48, then you could configure your DHCP6 server to give out /56 prefixes from this, say XXXX:XXXX:XXXX:0100::/56 to XXXX:XXXX:XXXX:XXXX:ff00::/56. The chances of you ever needing this are extremely low. It would be if you plug in a downstream server or router which wants to pick up more addresses for giving out to clients further downstream (and you want to do this dynamically, not statically).

Thanks - I changed the router mode to Managed but my PC is still getting an IPv6 address starting fda7 so that hasn't changed. On Interfaces / LAN tab how do you have the IPv6 Configuration Type set? Mine is currently Track Interface so it follows the WAN IPv6 address I guess?

I have these options on the DHCPv6 server tab:

DHCPv6 Server Enable DHCPv6 server on interface LAN (checked)
Subnet Prefix Delegation
Subnet Mask 64 bits
Available Range :: to ::ffff:ffff:ffff:ffff
Prefix Delegation subnet will be appended to the beginning of the defined range
Range
::1000
From
::2000
To

In reply to a post by brookheather:

On Interfaces / LAN tab how do you have the IPv6 Configuration Type set?

Static IPv6.

If you send me a PM with the exact configuration E-mail Cerberus sent you (except blank out the PPPoE password if it's shown), I may be able to work out what they're trying to say.

Cerberus didn't send any IPv6 details - on the online portal it just states this:

IPv6 Subnet : 2a01:xxxx:x:xxx::/64

and that is what is picked up on the WAN interface automatically:

WAN 2a01:xxxx:x:xxx:92e2:baff:feef:724f

when I try and configure the LAN with a static IPv6 address of 2a01:xxxx:x:xxx::1/128 I get the folllowing error as this overlaps with the WAN address:

IPv6 address 2a01:xxxx:x:xxx::1/128 is being used by or overlaps with: WAN (2a01:xxxx:x:xxx:92e2:baff:feef:724f/64)

so presumably this means that the LAN needs to be on a different segment so the WAN? I assumed I could assign any IPv6 address on my LAN starting with 2a01:xxxx:x:xxx: - is that not how it works?

Are your WAN and LAN IPv6 addresses on different segments?