VDSL ipv6 with pfsense

Hello everyone

I have been successfully running a pfsense firewall on my Swisscom VDSL connection for a long time. The firewall is connected to a Vigor 165 Bridge from DrayTek.

Until now I only ever had ipv4 active on the WAN interface. Since Swisscom has now completed the rollout of Dualstack, I would also like to activate ipv6. However, I can’t currently get an ipv6 address on the WAN interface.

I connected my IB2 as a test and I can activate ipv6 and the connection type is set to dualstack, so the connection seems OK.

Does anyone already have such a configuration running and knows the correct settings for the interface in the pfsense firewall?


@macaholic

I found this guide online, it might help:

  1. Check whether IPv6 is enabled on the WAN interface of the pfsense firewall. To do this, go to “Interfaces” > “WAN” and make sure that “IPv6 Configuration Type” is set to “DHCP6” or “SLAAC”.

  2. Make sure the firewall has received a valid IPv6 address from the Swisscom network. To do this, go to “Status” > “Interfaces” and look for the WAN interface. If an IPv6 address is displayed, it means the firewall has received a valid IPv6 address.

  3. Check whether the firewall has a firewall rule for IPv6 traffic. To do this, go to “Firewall” > “Rules” and look for a rule for the WAN interface. Make sure the rule is configured for IPv6 traffic and that it is not blocked.

  4. Make sure the firewall’s LAN interface is configured for IPv6. To do this, go to “Interfaces” > “LAN” and make sure that “IPv6 Configuration Type” is set to “Track Interface” or “DHCP6”.


@macaholic wrote:

Does anyone already have such a configuration running and knows the correct settings for the interface in the pfsense firewall?


Hello @macaholic

Enter pfsense in the search field at the top.

This will give you a quick overview of who is using a pfsense (and, with a bit of luck, a concrete solution to your problem) 😉


@hed

Unfortunately, I fail at point 2. The WAN interface is set to SLAAC but I don’t receive an IP assigned by the Swisscom network.

If this configuration is sufficient, then something on the bridge will probably not quite fit.

@kaetho

I’ve already searched but couldn’t find anything about pfsense in connection with DualStack.


@“x”#234740 Thanks for the link, I took a look but other than the problem at the end with the NDP tables, I didn’t see much new. I’ve checked in the meantime and my bridge doesn’t appear in the NDP table on pfsense, so that’s good so far.

@“x”#226505 Yes, ipv6 is active in the settings.


@mabu1 here is the current configuration of the WAN interface. DHCPv6 server is currently not active. I can’t activate it at all because I don’t have an ipv6 address on an interface.


@macaholic: I once instigated a lengthy discussion about IPv6 and Fritzboxes. The hypothesis is that I had deactivated IPv6 with an old IB (Fritzbox “behind” IB), disposed of the IB after releasing the SIP credentials and now need an IB again to activate v6 on my connection.

Maybe you have a similar problem?

Greetings

Android

👽


@“x”#297727 Yes, I had that problem too at first. Fortunately, I still have my IB in storage and after a bit of back and forth with Swisscom support, I was able to activate ipv6 (there are probably limitations in connection with the Internet Booster, which was sent to me without asking).

With the IB on the connection, ipv6 is active and works as expected. But unfortunately not with the pfsense 😕


@hed no, the booster was never used by me. I normally never have the IB in use and without it it doesn’t do anything. But I had to have Swisscom Support remove it completely from my connection config. Before that, it didn’t even work with the IB.

8 days later

@macaholic

Have you tried getting a prefix with IPv6 Configuration Type DHCP6 and the option

Request only an IPv6 prefix X Only request an IPv6 prefix, do not request an IPv6 address

and/or

Send IPv6 prefix hint X Send an IPv6 prefix hint to indicate the desired prefix size for delegation

?

8 days later

@macaholic

What happened next in this matter?

Today I also tried to activate IPv6 on my PFsense with Zyxel Bridge. But unfortunately without success.

I also found an old IB standard, updated the firmware and successfully activated IPv6 there and saw the DualStack config as active.

On the Pfsense I tried the WAN interface on DHCPv6 client with various other options. However without success.


Request only an IPv6 prefix = enabled

DHCPv6 Prefix Delegation size = 58

Send IPv6 prefix hint = disable

Do not wait for a RA = enabled

Apr 5 21:33:13 dhcp6c 72448 script “/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh” terminated
Apr 5 21:33:13 dhcp6c 73166 dhcp6c renew, no change - bypassing update on igb0
Apr 5 21:33:13 dhcp6c 72448 executes /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh
Apr 5 21:33:13 dhcp6c 72448 status code for PD-0: success
Apr 5 21:33:13 dhcp6c 72448 update a prefix 2a02:1210:2a8a:3600::/56 pltime=7200, vltime=21600
Apr 5 21:33:13 dhcp6c 72448 update an IA: PD-0
Apr 5 21:33:13 dhcp6c 72448 dhcp6c Received INFO
Apr 5 21:33:13 dhcp6c 72448 status code: success
Apr 5 21:33:13 dhcp6c 72448 get DHCP option status code, len 9
Apr 5 21:33:13 dhcp6c 72448 IA_PD prefix: 2a02:1210:2a8a:3600::/56 pltime=7200 vltime=21600
Apr 5 21:33:13 dhcp6c 72448 get DHCP option IA_PD prefix, len 25
Apr 5 21:33:13 dhcp6c 72448 IA_PD: ID=0, T1=3600, T2=5760
Apr 5 21:33:13 dhcp6c 72448 get DHCP option IA_PD, len 54
Apr 5 21:33:13 dhcp6c 72448 DUID: fe:80:00:00:00:00:00:00:02:00:5e:ff:fe:00:01:2c
Apr 5 21:33:13 dhcp6c 72448 get DHCP option server ID, len 16
Apr 5 21:33:13 dhcp6c 72448 DUID: 00:01:00:01:2b:c0:58:9b:00:0d:b9:42:69:a8
Apr 5 21:33:13 dhcp6c 72448 get DHCP option client ID, len 14
Apr 5 21:33:13 dhcp6c 72448 receive reply from fe80::200:5eff:fe00:12c%igb0 on igb0
Apr 5 21:33:13 dhcp6c 72448 send renew to ff02::1:2%igb0

@macaholic

I got it working…

WAN Interface:

IPv6 Configuration Type = DHCP6

Request only an IPv6 prefix = yes

DHCPv6 Prefix Delegation size = 62

Send IPv6 prefix hint = no

Do not wait for a RA = yes

DHCPv6 Server & RA

DHCPv6 Server

DHCPv6 Server = Enable DHCPv6 server on interface LAN

Subnet = Delegated Prefix: WAN/0 (2a02:1210:2a8b:f300::/62)

Range = ::ffff:ffff:ffff:0000 - ::ffff:ffff:ffff:ffff

Router Advertisements

Router Mode = Assisted

Firewall Rules

LAN Interface: IPv6 Any Proto, Source LAN Net, Destination any, allow
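
Added example (not part of any post in this thread): Python that pulls the delegated prefix out of dhcp6c log lines like the ones posted above and lists the /64 networks and the DHCPv6 range that follow from the Subnet and Range values in the post above. The sample log lines are constructed from the posted log, and the function names are made up for this example.

```python
import ipaddress
import re

# Constructed sample: lines in the shape of the dhcp6c log posted above,
# with spaces restored between the timestamp, process, PID and message.
SAMPLE_LOG = """\
Apr 5 21:33:13 dhcp6c 72448 status code for PD-0: success
Apr 5 21:33:13 dhcp6c 72448 update a prefix 2a02:1210:2a8a:3600::/56 pltime=7200, vltime=21600
Apr 5 21:33:13 dhcp6c 72448 IA_PD prefix: 2a02:1210:2a8a:3600::/56 pltime=7200 vltime=21600
"""

IA_PD_RE = re.compile(r"IA_PD prefix: (\S+) pltime=(\d+) vltime=(\d+)")


def delegated_prefixes(log_text):
    """Return (network, preferred lifetime, valid lifetime) per IA_PD line."""
    return [
        (ipaddress.IPv6Network(m.group(1)), int(m.group(2)), int(m.group(3)))
        for m in IA_PD_RE.finditer(log_text)
    ]


def lan_subnets(delegated):
    """List the /64 networks contained in a delegated prefix."""
    if delegated.prefixlen > 64:
        raise ValueError("a delegation longer than /64 leaves no /64 for a LAN")
    return list(delegated.subnets(new_prefix=64))


def dhcpv6_range(lan64, start_suffix, end_suffix):
    """Combine a /64 with interface-ID suffixes such as ::ffff:ffff:ffff:0000."""
    base = int(lan64.network_address)
    bounds = []
    for suffix in (start_suffix, end_suffix):
        host = int(ipaddress.IPv6Address(suffix))
        if host >= 2 ** 64:
            raise ValueError(f"{suffix} does not fit in the 64-bit host part")
        bounds.append(ipaddress.IPv6Address(base | host))
    return tuple(bounds)


if __name__ == "__main__":
    for net, pltime, vltime in delegated_prefixes(SAMPLE_LOG):
        print(f"log: delegated {net}, {len(lan_subnets(net))} x /64, valid {vltime}s")
    pd = ipaddress.IPv6Network("2a02:1210:2a8b:f300::/62")  # Subnet value from the post
    nets = lan_subnets(pd)
    print("config:", ", ".join(str(n) for n in nets))
    print("range:", dhcpv6_range(nets[0], "::ffff:ffff:ffff:0000", "::ffff:ffff:ffff:ffff"))
```

The /56 seen in the log contains 256 /64 networks; the /62 shown as Subnet in the settings contains 4.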

13 days later

Hello @macaholic

Have you been able to check tohil’s feedback and could it help you find a solution? If this is the case, we would be happy if you mark the comment as a solution or share further details.


@tohil

Thanks for the tip, I can’t seem to quite figure it out yet. Can you tell me what you have set as the ipv6 connection type on your LAN interface?

Another question: shouldn’t the prefix delegation size be higher than just /62?
