Pfsense IPv6 help!


gigatexal

I wanted to start moving away from my crappy ISP cable-modem/router/firewall/wireless-AP and have been doing so for a while now. It has been determined that if I call up my ISP they can turn the modem into bridge mode, thereby making it, for all intents and purposes, a dumb modem, and my pfsense box can take over.

Until that happens I have disabled all routing as best as I can tell on the modem, no firewall, no wireless, no DHCP, and am just using DMZ to forward traffic to the pfsense box's WAN interface.

The current flow is as follows:

WWW -> cable modem DMZ (ipv4 and ipv6 addresses per the mgmt interface) -> 192.168.0.2 -> pfsense wan1 interface static IP -> lan etc etc

There are options on the WAN interface in the pfsense UI to set up IPv6, but it seems the DHCPv6 service requires a static IPv6 interface ... and this is where I am stuck; I seem to be going around in circles.

I can attach or post any and all screenshots or other helpful data if needed.
 

zunder1990

I just checked my pfsense and you don't need a static IPv6 on the LAN interface to enable DHCPv6. I have my LAN IPv6 set to tracked interface.
 

llowrey

Bridge mode is definitely what you want. That allows, as you said, for the ISP's all-in-one device to look and act just like a dumb modem.

IPv6 is a different beast in that NAT, as a practical matter, is not a thing. DHCP6 will issue a /128 address for use by the WAN interface and Prefix Delegation (DHCP6-PD) will issue you a subnet to be used by the LAN interface. The subnet is typically a /64 but in my case, Comcast, I am able to request a /60 which means that I get 16 x /64 subnets for use by my VLANs.

1613925771051.png

Then, for each interface I have, I set it to "Track interface":

1613925879488.png

And then to use a specific IPv6 subnet from PD:

1613925916062.png

In the above you can see that I'm selecting subnet #4 of 16 (3 of 0-f as indicated).

PD gets tricky, at least with Comcast, in that the default configuration is to request a /64 which is just one subnet. If you then request a larger PD range, there may not be any adjacent space available and you may not be able to expand. This is due to the DUID causing DHCPv6 to try to re-issue the same addresses to you every time. When that happens, if I change the DUID to a new random, reset the modem and pfsense box at the same time, I am able to get the PD size I've requested:

1613926242207.png

I'm not sure if I helped or added confusion, but this is how I've been operating with IPv6 ~6 years now.
 

ArmedAviator

I have my setup practically identical to @llowrey. The only difference is I leave the IPv6 Prefix ID set to the default 0 and I request and receive a /56 instead of a /60 prefix on Spectrum Residential. You definitely need to set your modem/router combo to bridge mode. If your modem/router isn't capable of it, consider getting an Arris Surfboard modem which has no routing functionality and is strictly a bridge.
 
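The prefix arithmetic described in the two posts above (a /60 yielding prefix IDs 0-f, a /56 yielding more), as an added example that is not from any poster in this thread. It assumes the Prefix ID is placed in the bits between the delegated prefix length and /64; the `2001:db8::` prefixes and interface names are constructed documentation values. Because these /64s are not hidden behind NAT, the result is also the list of networks the firewall rules for each VLAN have to cover.

```python
import ipaddress


def tracked_subnet(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 an interface would use for a given IPv6 Prefix ID."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64; no LAN prefix fits in it")
    id_bits = 64 - net.prefixlen        # /64 -> 0 bits, /60 -> 4, /56 -> 8
    max_id = (1 << id_bits) - 1
    if not 0 <= prefix_id <= max_id:
        raise ValueError(
            f"prefix ID {prefix_id:#x} is outside 0..{max_id:#x} for a /{net.prefixlen}"
        )
    # The ID sits directly above the 64 interface-identifier bits.
    base = int(net.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def plan(delegated: str, assignments: dict) -> dict:
    """Map interface name -> /64, rejecting two interfaces on one prefix ID."""
    owner_of = {}
    result = {}
    for name, prefix_id in assignments.items():
        if prefix_id in owner_of:
            raise ValueError(
                f"{name} and {owner_of[prefix_id]} both use prefix ID {prefix_id:#x}"
            )
        owner_of[prefix_id] = name
        result[name] = tracked_subnet(delegated, prefix_id)
    return result


if __name__ == "__main__":
    # Constructed delegation and interface names, for illustration only.
    for name, subnet in plan("2001:db8:0:10::/60", {"LAN": 0, "IOT": 3}).items():
        print(f"{name:5} {subnet}")
    try:
        # A default /64 delegation has room for prefix ID 0 only.
        tracked_subnet("2001:db8:0:10::/64", 1)
    except ValueError as exc:
        print("rejected:", exc)
```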

tcpip

Had the same headache on my connection with my ISP. First be sure you run a dual stack from your ISP, not a 6in4 or 4in6 tunnel or DS-Lite.
I summed up my settings and so on in a blog post not so long ago; maybe it helps.
 

gigatexal

I'm here to learn
Nov 25, 2012
2,913
607
113
Portland, Oregon
alexandarnarayan.com
Very well done blog post! Thank you!

Currently I’m “suffering” with degraded connection speeds with PYUR internet here in Berlin. :(

