Determine IPv6 prefix length from ISP

I’ve set up a new firewall with pfsense with 2 separate LANs. I’m unable to get IPv6 addresses for clients on the second LAN. I believe the prefix length is /64 since if I change the length to anything else on my WAN interface I no longer get an IPv6 address on anything. Obviously I’d like to be able to get both LANs on IPv6.

I contacted my ISP asking what the prefix length delegation is, but they told me they only give me an IP address, and that I have to contact the manufacturer of my router to find the prefix length. I suspect customer support didn’t know what I was talking about or I just wasn’t being clear.

Is there a definitive way to figure out what the prefix length is? And, if I’m stuck with /64 and unable to track the WAN on my second LAN, any way to get IPv6 routing on that LAN?

From my experience with ISPs, first level support hardly ever has a clue about what IPv6 or a prefix is. If they only give you a /64 that would indeed be bad news. In that case you could resort to a tunnel provider like https://tunnelbroker.net/.

Otherwise, you could try different common prefix sizes like /56 and /48.

Yeah, I was pretty much expecting that but I thought I’d try. I tried /60 /56 and /48 and whenever I use any of them I do not get IPv6 addresses on either of my LANs. Here’s what the output of ifconfig is on the pfsense box:

No IPv6 Addresses for clients though.

I’ve played around on my home pfSense. My ISP provides a /56. If I set the prefix delegation size to /64, I get that single /64. If I set it to /60, I get that. This leads me to believe that (at least in the case of my ISP) I will get any prefix up to /56. In turn, if /64 works for you but /63 doesn’t, my conclusion would be that you only get the one network.

I guess as a last resort I can set up a second WAN for my second LAN, since my cable modem has 2 ethernet ports. That should get me another /64 for LAN2.

I don’t think that will work. If your ISP only delegates a /64 to you, that won’t change when you plug in another device into the modem. Also your ISP modem likely only allows one client MAC address at a time.

I have IPv6 working on multiple (v)LANs.
I got a /56 from my cable provider.

I configured the WAN interface as follows:

Then on the LAN interface, for example, I have this:

The important part is the IPv6 Prefix ID and Track Interface (WAN).
Every network should have a unique prefix ID.
In my LAN case I set it the same as the VLAN ID number, 22.
It is not mandatory; you could have VLAN and prefix IDs with different numbers.

If you want more networks besides LAN, give them all a different unique IPv6 prefix ID.

After this every LAN you create has a /64 prefix.
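The arithmetic behind the Prefix ID, as an added example that is not part of the original thread: the ID fills the bits between the delegated prefix length and /64, so a /56 leaves room for 256 LANs while a /64 leaves only ID 0. The prefixes are constructed samples from the 2001:db8::/32 documentation range, and the function names are hypothetical.

```python
import ipaddress

def available_ids(delegated: str) -> int:
    """Number of distinct /64 LANs (prefix IDs) a delegated prefix can hold."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot hold a /64 LAN")
    return 1 << (64 - net.prefixlen)

def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 a LAN tracking the WAN gets for the given prefix ID."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    count = available_ids(delegated)
    if not 0 <= prefix_id < count:
        raise ValueError(
            f"prefix ID {prefix_id} does not fit in a /{net.prefixlen} "
            f"(valid range 0..{count - 1})"
        )
    # The ID occupies the bits just above the 64-bit interface identifier.
    base = int(net.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << 64), 64))

def plan(delegated: str, lans: dict) -> dict:
    """Map each LAN name to its /64, or to the error explaining why it gets none."""
    result = {}
    for name, prefix_id in lans.items():
        try:
            result[name] = str(lan_prefix(delegated, prefix_id))
        except ValueError as exc:
            result[name] = f"no prefix: {exc}"
    return result

if __name__ == "__main__":
    # Constructed sample delegations; integer 22 appears as hex 16 in the address.
    for delegated in ("2001:db8:1200::/56", "2001:db8:1200:10::/60",
                      "2001:db8:1200:ab00::/64"):
        print(delegated, "holds", available_ids(delegated), "LAN(s)")
        for name, value in plan(delegated, {"LAN1": 0, "LAN2": 1, "VLAN22": 22}).items():
            print("   ", name, "->", value)
```

With a /64 delegation only the LAN using ID 0 receives a prefix, which matches the one-LAN-at-a-time behaviour described in the thread.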

This is exactly what I’m doing, but if I use any length other than 64 clients do not get IPv6 addresses on either LAN. I can set it to 64 and have LAN1 use 0 for the prefix (only available prefix) and then clients on that LAN get addresses.

What I would do in your case is try to remove the uncertainty of the IPv6 size.
I would contact the provider or in any way get assurance of the IPv6 size.

I don’t think it should be a guessing game.

What is your ISP and country?
Maybe I can find something.

In the beginning I had a problem: when I restarted pfSense I got a new IPv6 prefix every time. Sometimes I got a non-working /56, then a working /56, off and on.

Since I set the settings below I have the same IPv6 prefix every time I reboot, all the time the same for over a year.

Maybe that might help.

I’ll try it. I messed around some more last night, I tried checking the “Send IPv6 prefix hint” option and rebooting the firewall, no luck. What I don’t get is why I lose IPv6 on both LANs if I use anything other than /64. If that’s all they give me shouldn’t LAN1 still work with 0 either way? ISP is Midco, btw.

I should also add that pfSense is running on Proxmox, with all hardware interfaces for it being Linux Bridges from the VM host.

I assume your modem is in bridge mode. If this is not the case, you must ensure that your modem is put in bridge mode.

I once also had PFS in proxmox that worked well, but I didn’t have a dual stack at the time, so from experience I can’t say anything about that unfortunately.

For me, the prefix has never changed since I had done all the settings as I have them now. Before that, the prefix changed after every reboot. It has been the same prefix for more than 1 year.

Yes, that should be the case with you too.
I suspect something else is going on, I suspect the modem is not in bridge.

I cannot enter the Midco website; I am not allowed for some reason.

On Reddit I found this:
https://www.reddit.com/r/UNIFI/comments/qig9rq/ipv6_problems/

The topic is 2 years old, but there they talk about a /56 IPv6 size working for this guy.

I got into my modem’s web UI and couldn’t find any settings to change at all for anything. It’s one of these: https://www.hitrontech.com/products/coda-45-cable-modem/

I spent all weekend messing around with it with no luck. I can get IPv6 on LAN1 or LAN2 if I use /64 for my prefix length, but then not both at the same time. Any other length and neither interface gets IPv6. My options are down to trying to get in touch with someone at my ISP who can help (which was a waste the first time I tried) or just giving up. I’m not really missing out on anything anyway, just annoyed that it won’t work.

A simple way to determine whether your modem is in bridge mode is to just look at the WAN IP address of the router that is behind the modem. If it’s a public address, the modem is in bridge mode. If it’s a private address (as specified in RFC 1918), the modem is serving as a router itself.

With my provider I have to ask the helpdesk to switch the modem into bridge mode, so probably that's the same with your ISP and modem. I would contact your ISP about how to set your modem into bridge mode.

If your modem is set into bridge mode you have to use your own router, pfSense in your and my case, since bridge mode means you disable the router functionality.

@paolo is right: when your modem is in bridge mode your pfSense WAN interface should receive a public IPv4 address; if your modem is in router mode you will have a local RFC 1918 address.

You don't miss out, you are right, and if you are annoyed with it then put it aside for a while, but don't give up. It is just a great learning thing to get it going, and after that playing around with IPv6 is nice to learn; working with IPv6 was rewarding.

The WAN interface has a public IP.

I’ve been running IPv6 for a while (FTTP so no modem to worry about, pppoe ugh!) - IP6 for more than one local LAN needs a /56 subnet from the ISP. A /64 is sufficient for a simple network with one LAN. Note that the IPV6 address allocated to the WAN interface will NOT be the allocated /56 or /64 network - mine only has the link local IP addresses - hence I think impossible to discover what your prefix delegation is other than by testing or asking.

FYI - my setup has each LAN being /64 from my /56 allocation and having a static IPv6 address, and using DHCPv6 to allocate /64 IPs and the Route Advertising Service to provide the IPv6 DNS server address. Might be better ways but IIRC I did it that way due to bugs in earlier versions of pfsense! Works → Leaving alone.

You need real support from your ISP to understand what they are doing - and likely need to switch to a different ISP that understands IPv6 and provides the /56 option!

Netgate says a bit in their IP6 docs: Netgate IPv6 Docs