IPv6 best practices

My ISP gave me a /48 block of IPv6 addresses and they gave me their gateway’s address. When I configure pfsense wan port’s IP address with the /48 subnet, my WAN can talk to the ISP’s gateway but I am unable to configure anything on my LAN because all addresses would be on the same subnet as my WAN. When I change the WAN’s subnet to a /64, I can configure addresses on my LAN but pfsense is unable to route traffic from the LAN to the ISP’s gateway, though I can still ping6 outside my network from the pfsense command line.

I created a private network on xenserver with 2 pfsense VMs and two Windows 10 VMs. When I changed the VM representing my ISP’s gateway to a /64 then all of my traffic between the two networks became routable.

Is having my ISP change their gateway from a /48 to a /64 subnet the “right” way to do this or is there a way to get pfsense to route from a /64 to a /48 when the two networks have overlapping address spaces?

For instance, can pfsense route from 1234:5678:9a::2 /64 to 1234:5678:9a::1 /48 or does the latter need to be a /64?

The /48 (luxury!) addresses you’ve got are for your LAN spaces - so you can allocate a /64 subnet or even a /56 subnet to each LAN/VLAN segment. The WAN address is allocated on the ISP’s network - in my case I’ve set to get it via DHCPv6, but in practice it just gets a link local address assigned.

Internally, you need devices to get an address within your LAN subnet - use DHCPv6 or one of the other methods…

Equivalent in IP4 land - ISP assigns ip4 address to WAN interface - could be static, could be dynamic - but it’s your public IP, then you setup your private address 192… etc space) . Diffference with IPv6 is that each device is addressable from the world (firewall rules permitting) - and no NAT.

Google/Bing/Duck pfsense + IPV6 and you’ll get a few work throughs? e.g.

How to Setup IPv6 with Pfsense - Mark Allison

That help?

Thank you for the reply. I think that I didn’t do a very good job of communicating my question. I’ve been working on this for a couple of weeks now.

My ISP gave me three pieces of information: the block of IPv6 addresses, the addresses of their DNS servers and the address of their gateway. I’ve tried using both SLAAC and DHCP6 on my WAN interface and neither one works. I’m 99% certain that my ISP doesn’t have a DHCP6 server or Router Advertisements running on their gateway.

My best guess about the problem, is that my ISP has the IP6 address on their gateway configured with a /48 subnet. Here’s an example of what I’m talking about.

ISP gateway address 1234:5678:9a::1 /48
My pfsense WAN address: 1234:5678:9a::2 /64
LAN address block: 1234:5678:9a:1:: /64
pfsense LAN interface address: 1234:5678:9a:1::1 /64

If I set my WAN address to be on the /48 subnet, then I can’t assign any addresses on my local network. If I set my WAN address to the /64 subnet then it’s no longer on the same subnet as my ISP Gateway and, is thus, unable to route traffic to the gateway. That’s what I think is happening but I’m not 100% sure.

I think you need to be clearer on what you have been provided at present all your “obfuscated” addresses are same subnet and you’ve indicated a /48 for the ISP’s gateway - whereas previously you said they’d provided you the /48 network. And from above it suggests you have a /64 block for the LAN?

So yes change some the characters in the addresses provided so these are obscured a bit, but need more clarity as to what you’ve been provided…

So, if I’m reading you correctly, you’re saying that the following two addresses are on the same subnet?
1234:5678:9a::1 /48
and
1234:5678:9a::2 /64

It doesn’t seem to me like that would be the case but I’ve never encountered such a situation before. They are, of course, in the same /48 block of IP6 addresses but that’s not necessarily the same thing as being in the same subnet.

Yes as you’ve provided two addresses - in IPV4 land you’ve said something like

192.168.0.1/16 and
192.168.0.1/24

If your ISP really has provided a /48 then your LAN /64 subnets would be, eg

(V)LAN1 1234:5678:9a:1::/64
(V)LAN2 1234:5678:91:2::/64

so set a static LAN gateway IP 1234:5678:9a:1::254, 1234:5678:9a:2::254 etc.

The WAN side the ISP will be configured to route to your WAN NIC - mine I think uses the link local address for that - addresses starting fe80. If you check the pfsense status of the WAN interface you should see something like

Status
up
PPPoE
up
Uptime
34d 07:44:03
IPv4 Address
my.ipv4.wan.addr
Subnet mask IPv4
255.255.255.255
Gateway IPv4
my.ipv4.gw.addr
IPv6 Link Local
fe80::xxxx:yyyy:fe21:3859%pppoe0
Gateway IPv6
fe80::xxxx:yyyy:fe77:3300%pppoe0

Edit: After re-reading your post. I guess that the same IP address was a typo so if you read my original response you can disregard.

The two address are in different subnets and from what I’ve read you can, technically, route traffic between two such subnets but it doesn’t look like pfsense will let you do so, at least not through the web interface.

I don’t disagree but I would also add that 1234:5678:9a:0::/64 (which can also be written 1234:5678:9a:: /64)is also a valid subnet within that /48 address space.

As I’ve said before, I’ve been doing this for two weeks, now. So far, you haven’t told me anything that I haven’t read/tried multiple times. If this were a tech support call then what you’ve been doing, so far, is making sure that my computer is plugged in and that everything has been rebooted. That’s fine but I’m 99% sure that I’ve covered the basics.

Below I have posted my pfsense routing table. Link#1 is my WAN adapter. Link#2 is my LAN adapter. Link#6 is my loopback. Link#3 is not being used. Notice that link#1 on the IPv6 has both a /64 and a /48. I have not currently assigned it a /48. When I did assigned it a /48, in the past, pfsense gave me some version of this error: “IPv6 address 1234:5678:9a::2/48 is being used by or overlaps with: LAN (1234:5678:9a:2::1/64)” when I try to assign anything on my LAN. If I change the LAN prefix to /48 it’s the same error.

To summarize, statically assigning an address with the /48 prefix doesn’t work. Breaking the /48 into bunch of /64 subnets and statically assigning addresses in pfsense within those /64 subnets ALSO doesn’t work. I’ve created gateways using the link local addresses. I’ve assigned static routes. At this point, I don’t think there are too many settings that I haven’t tried. My default position in a situation like this is that the problem is on my end rather than the ISP’s. There’s a couple of things I’ve read recently that are leading me to the conclusion that the problem is on the ISP side. There are workarounds that I could implement on my side to get it working but they would be workarounds and not actual fixes.

Edit: In case I wasn’t clear, I’m pretty sure that /48 in my routing table is coming from my ISP.

Destination        Gateway            Flags     Netif Expire
default            123.456.78.201     UGS        igb0
10.0.0.0/24        link#2             U          igb1
10.0.0.1           link#6             UHS         lo0
10.10.10.1         link#6             UH          lo0
127.0.0.1          link#6             UH          lo0
123.456.78.1/30  link#1             U          igb0
123.456.78.2     link#6             UHS         lo0

Internet6:

Destination                       Gateway                       Flags     Netif Expire
default                           1234:5678:9a::1               UGS        igb0
::1                               link#6                        UHS         lo0
1234:5678:9a::/64                 link#1                        U          igb0
1234:5678:9a::/48                 link#1                        U          igb0
1234:5678:9a::2                   link#6                        UHS         lo0
1234:5678:9a:2::/64               link#2                        U          igb1
1234:5678:9a:2::1                 link#6                        UHS         lo0
fe80::%igb0/64                    link#1                        U          igb0
fe80::6662:66ff:fe21:12b0%lo0     link#6                        UHS         lo0
fe80::%igb1/64                    link#2                        U          igb1
fe80::6662:66ff:fe21:12b1%lo0     link#6                        UHS         lo0
fe80::%igb2/64                    link#3                        U          igb2
fe80::6662:66ff:fe21:12b2%lo0     link#6                        UHS         lo0
fe80::%lo0/64                     link#6                        U           lo0
fe80::1%lo0                       link#6                        UHS         lo0

OK - so I’ve got these in my routes (below) - trimmed a lot out - but my FTTP comes in as pppoe - the bane of UK ISP users. And have included one of my VLANs (10) Key difference to what you have is my default gateway is completely different address to my allocated subnet - so its my ISPs router - and this nothing I’ve configured - just comes dynamically as part of the ISP setup. My ISP’s router will have a route configured to send traffic to my allocated subnet to my pfsense’s WAN link local address.

IF 1234:5678:9a::1 really is the ISP’s box and is therefore in your address space, then I agree what might be missing is any way for the ISP’s router to “know” that your pfsense box is doing the routing for any subnets you create? But that seems at odds with what most other iSPs seem to do? Double check with ISP, and if this IS your setup, then may be pfsense isn’t going to play nice - it’s designed as a gateway/firewall so makes assumptions about the expected WAN interface behaviour? Certainly the GUI assumes that IPv6 Router Advertisements are limited to the LAN side of things.

BTW - digging and using “radvdump” from the shell shows that my pfsense does appear to advertise my /56 subnet over the pppoe connection. So maybe exploring setup with your pfsense advertising a /56 space and then /64 subnets within it on the LAN?

Maybe worth a poke around in the reddit IPV6 community too?

AND hope you’ve remembered to setup the IPV6 firewall rules - ALL traffic blocked by default otherwise!!

Good luck -

Destination Gateway Flags Uses MTU Interface
default e80::a66c:2aff:fe77:3300%pppoe0 UG 31 1492 pppoe0
xyz1:abc8:ad5c:fe00::/56 link#16 U 30 1492 pppoe0
xyz1:abc8:ad5c:fe10::/64 link#9 U 7 1500 igb2.10
fe80::%igb2.10/64 link#9 U 7 1500 igb2.10
fe80::%pppoe0/64 link#16 U 30 1492 pppoe0

Thank you for your help.

Hope you win the battle in the end. IPv6 is getting more prevalent and at some point I guess will become mandatory?

TBH - At moment there are very limited “must have” benefits - best one I’ve seen is on my daughter’s Xbox which uses IPv6 for preference - on IPv4 I believe actually tunnels IPv6 over IPv4! And obviously peer-to-peer gaming would benefit.

IPv6 is one of those too clever by half things designed by committee - if there’d been a nice IP4 “plus” solution…

My ISP gave me a /126 block for my WAN adapter and their gateway address and everything works now.

The level 1 support guy told me the their level 2 support said that there wasn’t anything wrong with what they originally gave me but that the simplest solution was to just give me a gateway and a WAN address that was outside of my /48 block. I wish I had managed to figure it out but I think I was closer to giving altogether than to figuring it out.

I’m glad I went through all this, though, it was a much better learning experience than just setting DHCP 6, or SLAAC, on my WAN adapter would’ve been.

1 Like

Glad it’s sorted - sounds like a more common setup now - though /126 means u have 4 public ipv6 addresses if u want? I’d quite like that - could have a production and a test/dev router without disturbing the family!

That shouldn’t be a problem, even if your main router only has one address on its interface since all IPv6 addresses routed to you are “public”. You can use one /64 from the routed /48 block for internal routers and delegate smaller networks (e.g., /56) to them so they can manage their own /64’s.