
pfSense and IPv6 – Ebox.ca


Note: this is copied from its original location here. When I wrote it, this blog didn’t even exist…

My current internet provider here in Montreal provides native IPv6 support, and has for a few years. As I use pfSense as a router instead of the one provided by them, though, I needed to set it up myself. This is a guide on how to do it if you are with Ebox.ca or another provider that does things similarly. As far as I can tell, they follow standard practice.

Note that this assumes you have a DSL connection with Ebox. At the time of writing, IPv6 on cable is still non-existent. I also assume you have an existing (and working) PPPoE connection from your pfSense machine.

WAN setup

Modify the WAN page as shown in the above image.

  • IPv4 type: PPPoE
  • IPv6 type: DHCP6
  • Request a IPv6 prefix/information through the IPv4 connectivity link: Yes
  • Only request an IPv6 prefix, do not request an IPv6 address: Yes
  • DHCPv6 Prefix Delegation size: 56
  • Send an IPv6 prefix hint to indicate the desired prefix size for delegation: Yes

Ebox provides a /56 IPv6 prefix delegation block to you. This is assigned via DHCP to pfSense but is in fact static on their end, so it will never change. This is great for setting up servers.

I should also mention that if you do not check the “Only request an IPv6 prefix” box, it will still work, but your pfSense box will needlessly request a WAN address through DHCP and be told “no addresses available”. Ebox provides the WAN address via SLAAC, and unless you’ve modified your router in some weird way, it will be automatically assigned without you needing to do anything.

More WAN settings

Finally, I did have to uncheck the boxes at the end of the page for blocking reserved networks. There is technically nothing wrong with leaving them checked, but I had some weird behavior where multiple PPPoE reconnects were required to get my IPv4/IPv6 traffic to route to Ebox properly.

Save the WAN settings, and wait for it to reconnect. You can now modify the LAN interface, where you have two options: Track Interface or Static IPv6.

Using Track Interface is simpler when first making sure everything is working:

LAN settings – Track Interface option

Simply set the IPv6 interface to track to WAN and set a Prefix ID from 0 to ff, which is in hexadecimal. This range is available because Ebox assigns you a /56, which can be split into 256 /64 sub-networks. In IPv6 space, a /64 sub-network is the equivalent of an IPv4 /24 (e.g. 192.168.0.0/24), except with a lot more addresses available. You can’t really get any smaller than a /64 without pulling all kinds of hacks, so there is no point. Thus, this Prefix ID is your choice of which of these 256 networks to assign to LAN. Other interfaces you may have can get other Prefix IDs.

Save the settings, and you should now see that both your WAN and LAN have IPv6 addresses.

It is also possible to assign the LAN a static IPv6 address once you know what your assigned prefix is, by picking an address in one of those 256 /64 sub-networks assigned to you. This helps avoid the issue where your pfSense machine will lose its IPv6 LAN address if the internet connection goes down.

There is one last step: giving other computers on your LAN their IPv6 addresses. To do this, go to Services → DHCPv6 Server & RA. Select the LAN interface, and check the box for Enable. You will also need to set the range of DHCP addresses; you can pick something simple such as ::0000 to ::ffff.

LAN DHCPv6 settings
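
To see how the Prefix ID, a static LAN address and the DHCPv6 range map onto the delegated /56, here is an added Python example (not part of the original post). The prefix 2001:db8:ab:1200::/56 is a constructed documentation prefix standing in for the one Ebox assigns, and the function names are made up for this example.

```python
import ipaddress

# Constructed documentation prefix standing in for the /56 your ISP delegates.
DELEGATED = "2001:db8:ab:1200::/56"

def lan_subnet(delegated, prefix_id):
    """Return the /64 selected by a hexadecimal Prefix ID (Track Interface)."""
    block = ipaddress.IPv6Network(delegated)
    bits = 64 - block.prefixlen              # 8 bits for a /56 -> IDs 0..ff
    if bits < 0:
        raise ValueError("delegation must be a /64 or shorter")
    pid = int(prefix_id, 16)
    if not 0 <= pid < (1 << bits):
        raise ValueError(f"Prefix ID must be between 0 and {(1 << bits) - 1:x}")
    # The Prefix ID fills the bits between the delegation and the /64 boundary.
    return ipaddress.IPv6Network((int(block.network_address) + (pid << 64), 64))

def prefix_id_of(delegated, address):
    """Return the Prefix ID a static address falls under, so that no two
    interfaces are given the same /64."""
    block = ipaddress.IPv6Network(delegated)
    addr = ipaddress.IPv6Address(address)
    if addr not in block:
        raise ValueError(f"{addr} is outside the delegated block {block}")
    bits = 64 - block.prefixlen
    return format((int(addr) >> 64) & ((1 << bits) - 1), "x")

def dhcpv6_pool(subnet, start="::0000", end="::ffff"):
    """Expand a relative DHCPv6 range into full addresses inside the /64."""
    base = int(subnet.network_address)
    lo = ipaddress.IPv6Address(base | int(ipaddress.IPv6Address(start)))
    hi = ipaddress.IPv6Address(base | int(ipaddress.IPv6Address(end)))
    if lo not in subnet or hi not in subnet or lo > hi:
        raise ValueError("DHCPv6 range does not fit inside the subnet")
    return lo, hi

if __name__ == "__main__":
    lan = lan_subnet(DELEGATED, "2a")
    print("LAN subnet :", lan)
    print("DHCPv6 pool:", *dhcpv6_pool(lan))
    print("Static ::1 on Prefix ID", prefix_id_of(DELEGATED, "2001:db8:ab:1201::1"))
```

Running prefix_id_of on every static address you plan to use shows which Prefix IDs are already taken before you hand another one to a tracked interface.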

Finally, go to the Router Advertisements page and set it as follows:

Router Advertisements setting

The Router mode is critical – if set incorrectly, some devices may not be able to get IPv6 addresses. For example, Windows can use either DHCPv6, where it talks to a DHCP server just like in IPv4 and gets an address, or SLAAC. SLAAC is new to IPv6, and basically amounts to a given machine getting a packet from the router saying “this is the range of addresses you can pick from”. It then picks one, asks if any other computer has it, and if not, keeps it. It can also do fun things such as use more than one address from a pool of “privacy” addresses it keeps rotating to make tracking you harder. Android phones for example can only use SLAAC.

Setting it to assisted allows for both SLAAC and DHCPv6 and is the most compatible configuration possible. The pfSense manual has a good summary of what each setting does.

At this point, you should be able to ping IPv6 websites such as google.ca from any machine on your LAN:

PING google.ca(yul02s04-in-x03.1e100.net (2607:f8b0:4020:804::2003)) 56 data bytes
64 bytes from yul02s04-in-x03.1e100.net (2607:f8b0:4020:804::2003): icmp_seq=1 ttl=120 time=6.24 ms
64 bytes from yul02s04-in-x03.1e100.net (2607:f8b0:4020:804::2003): icmp_seq=2 ttl=120 time=6.24 ms
64 bytes from yul02s04-in-x03.1e100.net (2607:f8b0:4020:804::2003): icmp_seq=3 ttl=120 time=6.15 ms
64 bytes from yul02s04-in-x03.1e100.net (2607:f8b0:4020:804::2003): icmp_seq=4 ttl=120 time=5.97 ms
--- google.ca ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 5.975/6.154/6.244/0.145 ms

You should also be able to ping IPv6 websites from pfSense itself. If that works, you can then add IPv6 DNS servers such as the ones from CIRA to your DNS Forwarder setup if you have one running on pfSense.
