guybrush82

546 would be the local port not the sender port.

Has no address been configured as a gateway on the LAN?

Then you just have to do a bit of trial and error.

You can also try with a config like this. Simply with prefix 56 and not 52!

You don’t have to configure the RA so that local clients can use IPv6. Is that already clear?

@Tux0ne

> You don’t have to configure the RA so that local clients can use IPv6. Is that already clear?

No, that’s not clear to me, just to out myself as an IPv6 noob. 🙈😄

And I imagined it would be somehow easier with the IPv6 thing.

Actually, I would only want to use IPv6 out of interest anyway, but I have no problem switching it off if (from what I read here) many providers (including Swisscom) still make it more complicated than necessary.

Because I’m still a little bit ambitious, I’d like to make a few more attempts.

And to get closer to the diagnosis: No, no IPv6 address has been configured on the internal (LAN) interface.

The DHCP server doesn’t run on the firewall either, it’s outsourced to internal servers behind it and isn’t configured for IPv6 (if that were necessary), or I see here that RAs seem to be part of the DHCP6 server.

However, before I approach the I Pv6 configuration of local clients, I would like to have the part on the router working correctly.

Tux0ne Even with all the additional options, the WAN interface only has a fe80:: address, which probably corresponds to the link-local and indicates that a “real” IPv6 address is not even obtained. 😞

So I’ve never done this setup that you’re working on on a PF, but I suspect that the second hack is wrong @guybrush82 you don’t want to get the v6 over the v4,….

@ChristianEb This was just to test based on advice from @Tux0ne.

I’ve now taken it out again, but it hasn’t changed anything.

Hello

O.T.

Speaking of reading, I can recommend the following books:

“Technology of IP networks”

IPv6 books by Silvia Hagen

Best regards

Silvia Hagen’s books are very good, but unfortunately no longer completely up to date. Sure, the basics of IPv6 are still valid, but a lot has happened in the last few years in terms of practical implementation/concepts .

Yes, if the Zyxel router is in bridge mode, the downstream device receives the public IP.

If the Zyxel is in bridge mode, the downstream router does the registration. If the Zyxel is in router mode, it logs in and with IPv4 you can only do NAT on the downstream router.

Yes, PPPoE is a bit more computationally intensive.
Even 10GE requires strong hardware for pfsense. Whether DHCP or PPPoE doesn’t matter now. Depending on whether you only do NAT and FW. IDS is another story again.

You can look up approaches to what is needed and what is possible from the Netgate Appliances. There are some that reach almost 10GE.

Does init7 now also offer the “10GE” via XGS PON? That was still limited to 1GE. Have you adjusted the connections and contracts?

I recommend using standardized and very common open source products such as pfSense or OPNsense that have been specifically developed for use as a firewall, router, next gen firewall, IDS/IPS, VPN gateway, etc. Just pay attention to the instructions and manuals from Netgate (https://docs.netgate.com/pfsense/en/latest/) respectively. pfSense (https://docs.opnsense.org/). The OPNsense and pfSense communities are in no way inferior to any tinkering solutions with iptables. If every user configures a router on their favorite Linux, this won’t work out well. Too many configuration errors can lead to security problems. The FreeBSD or HardenedBSD base of OPNsense and pfSense has also been specially hardened for use as a firewall appliance. They are standardized, commercially supported and very common products that I can recommend to every “advanced user”. The web interface in particular makes the configuration intuitive and reduces possible pitfalls and errors.

OPNsense and pfSense can also be virtualized. I have been running both solutions in a Proxmox VE cluster for years. The suggested optimization measures in the documentation ([https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html](https://docs.netgate.com/pfsense/en/latest /recipes/virtualize-proxmox-ve.html)) should be noted. I also achieve a virtualized routing performance of 10 Gbit/s among the various VLANs. The 1 Gbit/s data rate of my UPC Business Internet 1000 DOCSIS 3.1 WAN uplink is reached.

For CLI lovers: If you are looking for a high-performance software router on “off the shelf” hardware, Netgate also offers TNSR ([https://www.tnsr.com/](https://www.tnsr. com/)) found it. TNSR does not have a WebUI, but can only be configured via the CLI. The barriers to entry are greater, but the performance with the same hardware is better than with pfSense. TNSR is also free for home users.

If you are looking for dedicated hardware, you will find it at Netgate (https://www.netgate.com/appliances). The devices can be ordered via Contria GmbH (https://www.contria.ch/) in Langenthal. The company also has very competent support and good sales advice.

---

@Anonymous wrote:

Thank you very much for the answers. Of course, I realize that I hardly need the entire line. Yes, I have already virtualized Pfsense running on an Esxi but that is a bit risky because if the Esxi no longer runs etc. I am offline.

I will therefore take official hardware from Netgate (https://shop.netgate.com/products/7100-max-pfsense) . As already described, I will not use a firewall, which may be ultimately good or the opposite and run it on a self-made box without a GUI for the simple reason: I still want to live 😉.

@Tux0ne-> Yes Init 7 offers XGS-PON with 10 Giga.

---

Well, during the last (unsuccessful) hypervisor upgrade from Proxmox 6.4 to 7.0, the WAF was briefly in the “basement” for 3 hours. I have now ordered a Netgate 6100 from Contria GmbH. This means I can approach the next upgrade with “a little” more peace of mind. Oh no.. the DNS and DHCP server from Univention still runs on the Proxmox cluster 😆, luckily redundant with my Synology DS.

I still find the 6600 attractive for up to 10GE. I’m still thinking about ordering these. But init7 is behind schedule with the expansion of their POPs. So don’t rush. I’m unlikely to build 25GE for now. I still think that’s too uneconomical vs. useful. Or with tnsr you can also do this with x86. However, there are still a lot of features missing as a pfSense replacement.

The advantage of pfSense is that you can run everything on one machine.

VPN in all flavors again with Wireguard (experimental).

Adblock including relatively good DoH block with pfblocking

DNS resolver, routing, fw, etc. it’s all there one way or another.

I see the purpose of VM already. You can also virtualize pfSense.

But to let all instances such as VPN, resolver, blocking, etc. run everything separately. Well, many POF. You can do it. But it’s more of a craft.

I think your option @Anonymous is great, what could be nicer than having PPPoe, then please build PPPoe with MTU 1500byte, or set the int of the PF (where the PPP traverses) to 1508Byte so that the PPP header goes through without problems.
if this solution will be yours then with the static /48 v6…..

So my choice would be… @Tux0ne would certainly agree with me, wouldn’t you 🙂

and I personally also find the HW from [https://www.acrosser.com/en/Products/Networking-Appliance/Rackmount/](https://www.acrosser.com/en/Products/Networking-Appliance/Rackmount /) great, for example [https://www.acrosser.com/en/Products/Networking-Appliance/Rackmount/ANR-DNV3N3-8C](https://www.acrosser.com/en/Products/Networking-Appliance/Rackmount/ANR- DNV3N3-8C) my personal favorite which is also in the rack at home….

So I “know” both Chris. So Hybrid7 not directly. But that’s also PPPoE.
Both work too. And I use both. One in business, the other private.

People like to have a nice time at home. I won’t say anything more 😉

But PPPoE with inOne KMU or SBCON can be done like this. [https://www.tuxone.ch/2016/10/pppoe-passthrough-mit-swisscom-my-kmu.html](https://www.tuxone.ch/2016/10/pppoe-passthrough-mit- swisscom-my-kmu.html)