Standard User nwootton2000
(newbie) Thu 09-Mar-23 07:53:48

Community Fibre - pfSense setup help

Been using pfSense to run a dual WAN setup for a few years. Recently switched from Virgin to CommunityFibre 150, but the use of CGNAT has caused issues with a reverse proxy supporting a docker I run.

Figured it might be time to learn IPv6, but I can't get it to work. I've found a few guides/posts and tried to do what they've said but all I get is the AdTran reporting the link-local address for the gateway and all ping6 requests telling me 'no route to host'.

I think I know enough to be dangerous, but not enough to actually understand why this isn't working.

This is what I've done so far:

System --> Advanced --> Networking --> Allow IPv6 ticked

Interfaces --> WAN --> DHCP6 Client Configuration --> DHCPv6 Prefix Delegation size="48" --> Save

Interfaces --> LAN --> General Configuration --> IPv6 Configuration Type="Track Interface"
Interfaces --> LAN --> Track IPv6 Interface --> IPv6 Interface="WAN"
Interfaces --> LAN --> Track IPv6 Interface --> IPv6 Prefix ID="0" --> Save

Services --> DHCPv6 Server & RA --> Router Advertisements --> Router mode="Managed" --> Save

Services --> DHCPv6 Server & RA --> DHCPv6 Server --> "Enable DHCPv6 server on interface LAN"
Services --> DHCPv6 Server & RA --> DHCPv6 Server --> Range from="::1000" to="::2000"
Services --> DHCPv6 Server & RA --> DHCPv6 Server --> Prefix Delegation Size="64" --> Save

System --> Routing --> Added 'WAN_DHCP6' gateway against WAN interface
System --> Routing --> Default gateway --> Default gateway IPv6 --> WAN_DHCP6

Firewall --> Rules --> LAN --> Allow all IPv6 traffic from LAN net using WAN_DHCP gateway

I've tried the PD on the WAN interface to be /48 and on the DHCPv6 server as /64 as suggested in posts on this forum and other posts. Spoke to CF and they've said to use /64, but that doesn't work either.

Have rebooted MODEM, reset MODEM, restarted router and got CF to clear their MAC Address cache.

In all scenarios I just get a link-local address from the MODEM. Attempts at ping from the router all fail with 100% packet loss.

Does anyone have any suggestions about where/what is wrong?
Standard User pluralist
(knowledge is power) Thu 09-Mar-23 11:06:41

Re: Community Fibre - pfSense setup help

[re: nwootton2000]

There's a thread on ISPreview from rain111 who had a CF IPv6 problem. The thread drifts to something else then returns with this post. That may help if you have a similar setting on your router.

In the full thread it appears that the WAN prefix and delegation setting are both /64 but check that yourself in case I misread.

Don't forget that if you set a thinkbroadband BQM to ping the address it detects, on IPv6 that is the WAN address of the device you are connecting to tbb from at the time. You need to know the address assigned to your router by CF and set the BQM to ping that.

Connections: OnePlus 8 Pro on Three 4+ (LTE)/5G and at home Three Mobile, with (Three)ZTE MF286D router giving about 113/20Mbps.

1) Modern politics: The art of being the best liar.
2) There's many a slip 'twixt cup and lip.

Edited by pluralist (Thu 09-Mar-23 11:09:51)

Standard User nwootton2000
(newbie) Thu 09-Mar-23 12:52:45

Re: Community Fibre - pfSense setup help

[re: pluralist]

Hey pluralist

Thanks for that, I've seen that post and been through it, but the solution on his Asus router is to change from 'Passthrough' to 'Native'. Wish it was that simple in pfSense.

Tried both /48 & /64 on the WAN side, neither made a difference that I can see - still getting just a link-local (FE80:: ) address out.

Starting to suspect that I might just have to set it up with defaults and then not play with it for 8+ days to see if something happens on the CF side.

UPDATE:
Frustrating thing is that if I plug their Velop in, I can see and use IPv6, so I know the issue lies in my pfSense setup.

Edited by nwootton2000 (Thu 09-Mar-23 13:28:34)


Standard User pluralist
(knowledge is power) Thu 09-Mar-23 14:09:54

Re: Community Fibre - pfSense setup help

[re: nwootton2000]

When you have the Velop plugged in with IPv6 working, can you or a friend do an IPv6 tracert to one of your devices from outside your network? Maybe one of your devices tethered to your mobile?

That should give the IPv6 WAN address of the router on the penultimate hop and to what extent the prefix on that is reflected through to your LAN. That might help your pfSense configuring.

Standard User toph3r
(experienced) Thu 09-Mar-23 22:57:48

Re: Community Fibre - pfSense setup help

[re: nwootton2000]

In reply to a post by nwootton2000:
all I get is the AdTran reporting the link-local address for the gateway

That is *completely OK* and expected. You do NOT need your WAN iface to have a routeable gateway. Mine is fe80: too, and v6 works without issues.

Edited by toph3r (Thu 09-Mar-23 22:57:58)

Standard User toph3r
(experienced) Thu 09-Mar-23 22:59:07

Re: Community Fibre - pfSense setup help

[re: pluralist]

In reply to a post by pluralist:
When you have the Velop plugged in with IPv6 working, can you or a friend do an IPv6 tracert to one of your devices from outside your network? Maybe one of your devices tethered to your mobile?

That should give the IPv6 WAN address of the router on the penultimate hop and to what extent the prefix on that is reflected through to your LAN. That might help your pfSense configuring.


You are not understanding v6. You do NOT NEED a wan v6 address. That is not how v6 works. Why do you need a wan v6 ip? v6 doesn't use NAT. Learn v6.

Edited by toph3r (Thu 09-Mar-23 23:27:52)

Standard User toph3r
(experienced) Thu 09-Mar-23 23:04:24

Re: Community Fibre - pfSense setup help

[re: nwootton2000]

Interfaces > WAN
ipv6 conf type - DHCP6

Request only an ipv6 prefix - check
DHCPv6 Prefix Delegation size - your ISP needs to confirm this, but I suspect /56
Send ipv6 prefix hint - check
Do not wait for a RA - check (almost certainly you're not using PPPoE on an Altnet?)

Interfaces > LAN
ipv6 interface - WAN
ipv4 config type - static IPv4
ipv6 configuration type - track interface
ipv6 Prefix ID - (anything you want, from 0 to ff)

That should do the trick. Please understand you should NOT expect (or need!) v6 on your WAN iface. That makes no sense in an ipv6 world.
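
Added example, not written by any poster in this thread and not pfSense code: a small model of how a Track Interface Prefix ID selects the LAN /64 inside a delegated prefix, and how a DHCPv6 range bound such as "::1000" from the first post becomes a full address. The function names are hypothetical and the 2001:db8:: prefixes are constructed documentation values, not Community Fibre allocations.

```python
import ipaddress

def max_prefix_id(delegated_len: int) -> int:
    """Highest Prefix ID that still yields a /64 inside the delegation."""
    if not 1 <= delegated_len <= 64:
        raise ValueError("delegation must be between /1 and /64")
    return (1 << (64 - delegated_len)) - 1

def tracked_lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """LAN /64 that results from a delegated prefix plus a Prefix ID."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    limit = max_prefix_id(net.prefixlen)
    if not 0 <= prefix_id <= limit:
        raise ValueError(
            f"Prefix ID {prefix_id:x} outside 0..{limit:x} for a /{net.prefixlen}"
        )
    # The Prefix ID fills the bits between the delegation and the /64 boundary.
    base = int(net.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def range_bound(lan: ipaddress.IPv6Network, suffix: str) -> ipaddress.IPv6Address:
    """Full address for a DHCPv6 range bound written as a suffix like '::1000'."""
    host = int(ipaddress.IPv6Address(suffix))
    if host >> 64:
        raise ValueError("suffix must fit in the low 64 bits")
    return ipaddress.IPv6Address(int(lan.network_address) | host)

if __name__ == "__main__":
    # Constructed sample delegations covering the sizes discussed in the thread.
    samples = [
        ("2001:db8:1234::/48", 0x1),     # /48: Prefix ID 0..ffff
        ("2001:db8:1200::/56", 0xff),    # /56: Prefix ID 0..ff
        ("2001:db8:1200:34::/64", 0x0),  # /64: only Prefix ID 0 is possible
    ]
    for delegated, pid in samples:
        lan = tracked_lan_prefix(delegated, pid)
        print(f"{delegated:24} id={pid:<3x} -> {lan}  "
              f"range {range_bound(lan, '::1000')} - {range_bound(lan, '::2000')}")
```

With a /64 delegation there are no spare bits, so any Prefix ID other than 0 is rejected.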
Standard User pluralist
(knowledge is power) Fri 10-Mar-23 01:39:20

Re: Community Fibre - pfSense setup help

[re: toph3r]

And yet many people on this forum have BQMs on IPv6 where the thinkbroadband FireBrick is pinging the user's router.
As I did for over two years on AAISP.

I didn't mention NAT. You are the one not understanding the original question by the OP and the problem they had.

Here's the latest example on these forums, a user on NOW. (The graph linked to has been deleted for the reason that becomes clear in that thread, where a later router-targeted one appears). They couldn't get an IPv6 BQM working precisely because the IP address detected by thinkbroadband was that of the device from which they connected when setting it up.

Turned that device off and use another two or three or many and the BQM became solid red. Turn that device back on and the BQM became normal.

If you want an IPv6 BQM you need to find the router's IPv6 address and edit the tbb BQM to ping that address.

Simples.

Here's an older example with the method that I suggested here and also a generalised solution for BQM on IPv6 where the user has the more common single /64 or /56.

I was with AAISP. They allocate a static /128 address on their "internal" network to the user's router. For the customer's use they allocate a /48 block and within that an initial /64. The customer can (or could at the time) then if they wished set up as many additional /64s as they desire. Excellent for businesses with many subnets. AAISP route all your /64s to the /128.
This is how we route and assign IPv6 on DSL connections.

Allocations
Customers are allocated a /48 block of addresses - this is usually per customer, and so a customer with multiple circuits or sites will have a /64 allocated from the larger /48 block. A /48 contains 65536 /64's and a /64 subnet is 18 million trillion addresses.

Logging in
(Here, Customer Premises Equipment (CPE) refers to the router belonging to the customer which is being used at their end of the broadband line, and L2TP Network Server (LNS) refers to our equipment at our end of the broadband link.)

When the CPE logs in and negotiates PPP, we use IPV6CP to negotiate an interface identifier - this happens at the same time as IPCP happens to negotiate V4 connectivity. Once this has been negotiated, the CPE should perform an ICMPv6 Router Solicitation - our LNSes will then reply with an ICMPv6 Router Advertisement in order to negotiate the Link Local address in the form of FE80::, and will be based on the MAC address of the interface. At this stage, there should be basic IPv6 connectivity to link-local, and if static routes and manually assigned addresses are in place you should have a working connection. Our LNSes continue to send ICMPv6 Router Advertisements approximately once an hour (every 4096 seconds).

Optionally, if routes and addresses have not been configured statically, DHCPv6 can be used for automatic negotiation of the IPv6 WAN and LAN prefixes - using DHCPv6 is usually the default for our routers (i.e. the ZyXEL) that we supply. When DHCPv6 is enabled, the CPE sends a DHCPv6 Solicitation to the IPv6 broadcast address, containing a list of options that it requires. Once we receive the DHCPv6 Solicitation, the LNS you are connected to will send a reply containing responses to the options requested. The CPE can then take the options and apply them as appropriate.

WAN Address
In the DHCPv6 Solicitation, you would usually request DHCPv6 IA (Option 3, Identity Association for Non-temporary Address) to assign your IPv6 'WAN' address. This address is a single IPv6 address in the form of:

2001:8b0:1111:1111:0:ffff:[your IPv4 WAN in HEX]

LAN /64 Blocks
We also respond to DHCPv6 Prefix Delegation (Option 25, Identity Association for Prefix Delegation, responded to by Option 26, IA Prefix) from the CPE and we'll tell the CPE one of the /64 Blocks - this may be requested multiple times by the CPE. A Client Identifier (Option 1) is also present in the DHCPv6 transaction, optionally DNS recursive name server (Option 23) can be requested.

At this point we will be routing any IPv6 blocks to your /128 WAN address. Usually a line will have at least one /64 block routed.

Customers can add additional /64 blocks on the Control Pages that will be routed.

If you want the whole /48 routed, untick the routing on all of the /64s you have, they disappear, and then tick the line routing on the /48 you have. Alternatively Support staff can help.

Your router will have to reconnect to AAISP before the new block is routed to your /128 WAN address. You will have to allow the new block through any firewall you have, and then route the new block appropriately on your local network.
Maybe you should tell AAISP and Sky support that they are not understanding how to use IPv6.

Standard User toph3r
(experienced) Fri 10-Mar-23 05:17:53

Re: Community Fibre - pfSense setup help

[re: pluralist]

In reply to a post by pluralist:
Maybe you should tell AAISP and Sky support that they are not understanding how to use IPv6.


I'd be happy to, given I work for one of the world's most prominent internet companies, with *huge* v6 allocations. However, I don't need to - everything you've cited from AAISP is accurate and in line with how v6 works.

It is you - and others - not understanding the fundamental fact that you do not require a wan iface to be allocated a routable v6 address. If you want to remote into your router, open up a firewall rule for a LAN interface on it. Done.

Why don't you understand that? It's v6 basics.

Edited by toph3r (Fri 10-Mar-23 05:19:36)

Standard User GonePostal
(experienced) Fri 10-Mar-23 08:37:53

Re: Community Fibre - pfSense setup help

[re: toph3r]

You may be extremely well-versed in how IPv6 works but it would be good if you could comprehend @pluralist's point rather than trying to belittle him about something he is not saying.

The point @pluralist is making is generic and would apply equally well if anyone had a range of external IPv4 addresses for their kit. If it has all been TLDR previously, the simple point being made is that if you want to run ThinkBroadBand BQM you need to point the connection from the TBB Firebrick to a fixed point in your network. With IPv4 and NAT, to use your word "simples". If you are on IPv6 you need to identify your fixed point (usually your router). Does this match your elevated understanding of IPv6?