IPv6 pfsense setup
I have a server from @ShockHosting and it comes with a /64 of IPv6 addresses. I’m using Proxmox and I would like to provide the whole range to my pfsense box so that I can give each VM its own IPv6 address. Any tips?
Comments
If you've just got the one /64 you can use one address from the range on the host and have the rest routed to the VM, then use that one address as the gateway - I don't have the config to hand unfortunately and I can't quite remember the exact setup I used.
IIRC it was just a case of turning on IPv6 forwarding, giving the host an address from the /64 as an additional IP on vmbr0 (or your relevant interface) - 2001:a:b:c::1 for example - and then assigning another address on the guest (2001:a:b:c::2) and using the other address as the gateway.
You need ndppd
The all seeing eye sees everything...
Care to explain?
The proper way to offer IPv6 would be a /128 + /64. Your pfsense, acting as a router, will have the /128 configured on the 'wan' interface and one from the /64 configured on the 'lan' interface. Your other VMs will attach to the 'lan' interface and they discover each other using neighbor discovery protocol (NDP).
Your upstream will simply route the /64 via the /128.
For example, if you are assigned 2001:db8:aaaa:bbbb:cccc:dddd:1111:2222/128 and 2001:db8:1111:2222::/64, the upstream will have a route configured in their router this way:
Where ens10 is the ethernet port at the upstream router that shares a {v}switch with your machine.
Sometimes the route is discovered using NDP as well. When the upstream router receives a packet destined to your /64, it will broadcast an NDP discovery packet asking "who has 2001:db8:1111:2222::3?". Your pfsense checks its interfaces, realizes that the address is part of the /64 configured on the 'lan' port, replies "I have that address" to upstream, the upstream then forwards the packet to your pfsense.
But you have only a /64, and one from the /64 is configured on the 'wan' port. Your pfsense will then assume that the /64 is part of the 'wan' network and will not respond to the NDP packet asking "who has 2001:db8:1111:2222::3?". In order to get pfsense to respond to the NDP discovery packet, you'll need an NDP proxy daemon (ndppd).
Since this is not standard, I am not sure if pfsense has it. I would still ask your upstream to assign you a /128.
The all seeing eye sees everything...
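An ndppd configuration for the single-/64 case described in the post above, as an added example that is not part of the original thread. It assumes ndppd runs on a Linux box doing the routing (for instance the Proxmox host), and the interface names eth0 (upstream-facing) and vmbr1 (the bridge the VMs attach to) are hypothetical; the prefix is the documentation prefix from the post.

```conf
# /etc/ndppd.conf
# Added example, not from the thread. Assumed interface names:
#   eth0  = interface facing the upstream router
#   vmbr1 = bridge the VMs are attached to

# Listen on the upstream-facing interface for Neighbor Solicitations.
proxy eth0 {
    # Set the Router flag in the Neighbor Advertisements that are sent back.
    router yes

    # Milliseconds to wait for the real owner of the address to answer.
    timeout 500

    # Milliseconds to cache the result of a lookup.
    ttl 30000

    # Solicitations for any address in the /64 match this rule.
    rule 2001:db8:1111:2222::/64 {
        # Re-ask on vmbr1 and answer upstream only if a VM there really
        # holds the address. The alternative method "static" answers for
        # every address in the prefix, whether or not it is in use.
        iface vmbr1
    }
}
```

IPv6 forwarding still has to be enabled on the box, as the earlier comment notes; ndppd only answers the neighbor solicitations and does not route the packets itself.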
@ShockHosting care to help?
Please open a support ticket and we will sort that out for you.
Thanks! @ShockHosting
Ticket #993344 - IPv6
A++ Rating