first time attempt ipv6 from router to pfsense
Hello everyone,
Just wanted to get some input with my attempt and configuring native ISP ipv6 on my network. So for an overview of how things are setup, my ISP gives me a Cable Modem which has a static ipv4 and /64 ipv6 which feeds a pfsense and from there everything else. They do not allow me to put the modem in bridged mode.
lets use fd00:0824:2273:a::/64 as stand in for the public ipv6.
If I assign fd00:0824:2273:a::1 to the modem and fd00:0824:2273:a::2 to pfsense on WAN side. How can I go about make all clients on pfsense LAN side have an ipv6.
I have attempted using ULA on LAN side and then using NPt but it does not work. As soon as traffic gets to pfsense it stop. (Yes I have all appropriate pfsense rules and have verified in the logs that it is not simply being blocked)
I have attempted breaking down the /64 into 2 /65 and use 1 for wan and 1 for lan but no luck.
Is there a simpler way of doing this that I am just overlooking? I appreciate any help.
Comments
Tagging the master of IPv6 here @yoursunny
Currently Using Hetzner , OVH , Buyvm , Webhorizon , Hyonix , ConnectIndo
/64 without bridge mode means NDP Proxy is needed you can't just assign an IP from the WAN side if it's not a routed subnet to begin with and /64 simply doesn't play along nicely with SLAAC. and pfSense doesn't support NDP Proxy. as for the ULA it's a bit tricky with pfSense and if you have a dynamic IPv6 on WAN side it will make your life harder with Firewall rules. Actually I think it's not the case if it was Outbound NAT, because the Firewall rules will adapt with the external WAN IP just like with IPv4. someone corrects me if I am wrong
I remember reading some people at OPNsense forum were able to setup traditional Outbound NAT like v4 with success but I couldn't find the link to the forum thread. found it IPv6 Outbound NAT Setup but using ULA with IPv6 is also a bad idea from what I understand, you can try the OPNsense method above in that thread and see if it works for you or not
Can you request a larger prefix like /56 from your ISP in the cable modem config?
RIPE LIR
ULAs are not preferred over IPv4 when going outside. If you're willing to go that route (and forgo the incoming connectivity on IPv6), might as well try NAT66 (NAT the entire LAN to the single IPv6 of the router) -- and do that from a made-up range such as 66::/16, to avoid the mentioned preference issue.
In general, it is certainly possible to make real non-NATed IPv6 work in such situation, but it will involve quite a bit of dirty hacks: if people say above that PFsense cannot do NDProxy, then it will require switching to GNU/Linux and nddpd, and then making your own scripts to dynamically update your router config (such as IPs on LAN/WAN) and restarting LAN-side radvd, on detection when the upstream prefix from the ISP router has changed (as I'm sure it's also a dynamic one...)
Hi, thank you and the outbound NAT trick worked on pfsense. I also read up and was successful using a GIF Tunnel from HE however download/upload speeds via ipv6 were very low. I might just stick with the NAT trick for now.
If anyone knows of how to self host an IPV6 GIF Tunnel then maybe I can just use a VPS with routed ipv6.
I tried NPTv6 on *SENSE and Linux, no luck so far.
Documentation on NPT is sparse.
Your best bet is asking your ISP for a /60 or more.
Try that in your *SENSE first. I remembered there is an option to request a prefix other than a /64.
The all seeing eye sees everything...
You are welcome. HE Tunnel will be very slow as they limit the bandwidth on these tunnels your best bet is to setup a wireguard tunnel and delegate a prefix through it I have not done that before so I don't know how I think the IPv6 god @yoursunny can help in this regard
Requesting a prefix must be done with DHCP-PD in pfSense and in his case he has an on-link address without bridge mode from his modem, I don't think it will work?