WAN and LAN setup for IPv6
Solution 1
You've got the right idea here, and you need to ask your ISP exactly what they're routing to you.
Usually, if you're getting a subnet of addresses, your edge router's WAN address will be on a small assigned linknet /64, so you have the larger /48 on your LAN-side interface without losing any nets for the purposes of talking to your ISP. You can then subnet off the smaller nets as required, and the ISP will always send the traffic to your edge router's WAN interface.
Solution 2
You have many, many /64s inside a /48. Use the first /64 (the one where the gateway is) as your point-to-point subnet (in an IPv4 environment, this would be the /30 you use for the PPP connection to your central office).
You can start allocating subnets to your LAN starting from the next /64 (1::/64).
If they allocated you that /48, they already have a static route in place that throws all the traffic for it towards your pipe.
Practical example:
My WAN IPv6 gateway (with which I talk through wan0) is 2001:470:1f0a:314::1/64
My WAN IPv6 is 2001:470:1f0a:314::2/64 (the very next IP, assigned to wan0)
Be sure you have a default route set for wan0 on your router.
If, after this, you have connectivity on your router, it means your WAN is working properly. If it doesn't, you have to fix it with your ISP, and it has nothing to do with routes on your LAN and whatnot.
My LAN subnet is 2001:470:1f0b:314::/64
Simply configure 2001:470:1f0b:314::1 as your eth0 IP on the router.
Assign 2001:470:1f0b:314::2 to a PC on the same LAN as eth0, and set 2001:470:1f0b:314::1 (your router address) as the default gateway on that PC.
If you don't have any iptables rule in place that blocks this kind of traffic, your border router (which we're assuming is a Linux box) will simply route any incoming packet for 2001:470:1f0b:314::/64 from wan0 to eth0, because this is a directly connected network and thus the routing table already "knows" it.
On eth0, if the router knows the MAC address of the end destination (your office PC that you're theoretically pinging from the internet), it will send it directly there. Otherwise, it will make an ARP request asking "WHO THE HECK HAS THIS ADDRESS?", and if the target PC is online, has this address properly configured and has the default gateway set, it will answer, establishing communication.
Remember that most common knowledge about IPv4 applies to IPv6 too. Do not assume things work differently all the time :P
EDIT #2:
My answer makes many assumptions. Keep in mind that you don't need to declare directly connected networks explicitly. Have you assigned an IP of your LAN subnet to your router? Do you have that IP as your default gateway on the LAN computers you're testing from?
I guess I fell as well into the "overcomplicate IPv6" trap :P
EDIT #3:
This part was plain wrong if we are talking about directly connected networks. Disregard it.
Simply add a route for this last subnet to eth0 like this:
route -A inet6 add 2001:470:1f0b:314::/64 eth0
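As an added worked example (not part of either answer), the address plan Solution 2 describes, carried out with Python's ipaddress module on the /48 from the question: the first /64 becomes the WAN link, the next /64 the LAN, an overlap check flags the question's original setup (WAN address typed as /48 with the LAN /64 inside it), and the plan is rendered as FreeBSD ifconfig/route commands. The interface names em3/em1 are the question's; the commands are only generated as strings, never executed.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple


def carve_64s(prefix48: str, count: int) -> List[ipaddress.IPv6Network]:
    """Return the first `count` /64 subnets of a delegated /48, lowest first."""
    delegated = ipaddress.ip_network(prefix48, strict=True)
    if delegated.version != 6 or delegated.prefixlen != 48:
        raise ValueError("expected an IPv6 /48 delegation")
    gen = delegated.subnets(new_prefix=64)
    return [next(gen) for _ in range(count)]


def address_plan(prefix48: str) -> Dict[str, object]:
    """Solution 2's rule: first /64 is the WAN link, the next /64 is the LAN."""
    wan_link, lan = carve_64s(prefix48, 2)
    return {
        "wan_link": wan_link,
        "isp_gateway": wan_link[1],  # ::1 on the link /64, held by the ISP
        "router_wan": wan_link[2],   # ::2 on the link /64, our WAN interface
        "lan": lan,
        "router_lan": lan[1],        # ::1 on the LAN /64, clients' default gateway
    }


def onlink_conflicts(interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return interface pairs whose on-link prefixes overlap.

    Values are addresses exactly as typed on the interface (addr/prefixlen).
    The question's first setup typed the WAN address as /48 while the LAN /64
    sits inside it; Solution 2 avoids the overlap with one /64 per interface.
    """
    nets = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def freebsd_commands(plan: Dict[str, object], wan_if: str, lan_if: str) -> List[str]:
    """Render the plan as FreeBSD ifconfig/route command strings (not executed).

    No route is generated for the LAN /64: it is directly connected, so the
    kernel adds it itself (hence the question's 'route already in table').
    """
    return [
        f"ifconfig {wan_if} inet6 {plan['router_wan']} prefixlen 64",
        f"ifconfig {lan_if} inet6 {plan['router_lan']} prefixlen 64",
        f"route add -inet6 default {plan['isp_gateway']}",
    ]
```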
Comments
-
Dexter Cato over 1 year
We just got an IPv6 /48 range (a gateway and an IP address) for our company, but I'm unsure about how to set it up. We use FreeBSD 8.4 (pfSense 2.1) as a router/firewall.
Currently we have IPv4 set up with a WAN towards the internet and a NAT-ed LAN behind it for office PCs.
We want to keep the LAN network for security, and we want IPv6 addresses from the /48 for all office PCs (without NAT).
The WAN is configured with the IPv6 gateway 1111:2222:3333::1/48 and interface address 1111:2222:3333::2/48. But when it's configured this way, I guess it's impossible to fit the LAN on a /64 within the /48?
I believe I should configure the WAN subnet on 1111:2222:3333:1::/64 and the LAN on a subnet like 1111:2222:3333:2::/64. Is this something I can configure myself, or do I have to ask the ISP to configure that routing for me?
Current test setup:
- WAN gateway 1111:2222:3333::1/48
- WAN interface (em3) 1111:2222:3333::2/64
- LAN interface (em1) 1111:2222:3333:1::1/64
- Test client on LAN 1111:2222:3333:1::abcd/64
netstat -r shows:
Destination            Gateway              Flags  Netif  Expire
default                1111:2222:3333::1    UGS    em3
localhost              localhost            UH     lo0
1111:2222:3333::       link#4               U      em3
1111:2222:3333::2      link#4               UHS    lo0
1111:2222:3333:1::     link#2               U      em1
1111:2222:3333:1::1    link#2               UHS    lo0
I can ping the WAN gateway from the router. From the test client I can ping the LAN & WAN interfaces, but not the WAN gateway.
If I try to add an explicit route, I get an error:
$ route add -inet6 -net 1111:2222:3333:1::/64 1111:2222:3333::2
route: writing to routing socket: File exists
add net 1111:2222:3333:1::/64: gateway 1111:2222:3333::2: route already in table
-
ItsGC over 11 years
I explained the last error in my last comment. You do not add routes for directly connected nets. Delete it. You never mentioned if you set up 1111:2222:3333:1::1/64 as the gateway on the test client. You need to.
-
Dexter Cato over 11 years
That route wasn't added, since it returned an error. The only active routes are those pasted above. I can traceroute an external IPv6 host from the router, and I've set the gateway on the test client. I still cannot reach the gateway (or external hosts) from the test client.
-
ItsGC over 11 years
Can you please try pinging 2607:f358:1:fed5:22:b120:d3a7:ece5? It's one of my hosts. From your router.
-
Dexter Cato over 11 years
Sure, that works just fine from the router (not from the test client). You're about 163 ms away.
-
ItsGC over 11 years
How about ping -I em1 2607:f358:1:fed5:22:b120:d3a7:ece5? Not sure if pfSense's version of ping uses this syntax, but -I allows you to specify from which interface ping starts. If the syntax is different, look for "source address" in the manpage of your version of ping.
-
Dexter Cato over 11 years
That gives me "ping6: sendmsg: No route to host". With -I em3 it works fine.
-
ItsGC over 11 years
How about with -I 1111:2222:3333:1::1 (LAN interface router IP address)?
-
Dexter Cato over 11 years
I cannot use -I with an address, but with -S (source address) it just drops packets (no answers). I use ping6, by the way: freebsd.org/cgi/man.cgi?query=ping6
-
ItsGC over 11 years
Just for the sake of OCD, I'm downloading pfSense. I'll give it a spin tonight so I can guide you better. If we find a solution, I think we should really edit both the question and my answer so this is not stupidly confusing to readers.
-
Dexter Cato over 11 years
Wow, thanks for the effort! Anyway, I have "pass all" rules for IPv6 on both interfaces. The interfaces are not configured as IP aliases.
-
Dexter Cato over 11 years
Thanks! They've allocated and routed the full /48 for us, so I guess I should be able to route the LAN. I'm struggling with the route, though. Are you able to provide an example using /sbin/route?
-
Dexter Cato over 11 years
Now I'm able to ping both the WAN interface address (1111:2222:3333::2/64) and the LAN interface address (1111:2222:3333:1::2/64) from a LAN address (1111:2222:3333:1::abcd). But I'm not able to ping the WAN gateway address (1111:2222:3333::1), so I guess I lack that route.
-
ItsGC over 11 years
If you're good with IPv4, try to replace in your mind any IPv6 address with an IPv4 one. Let's use 192.168.1.0 as your LAN subnet and 192.168.0.0 as your WAN. Assign 192.168.1.1 to your router's eth0. Then assign 192.168.1.2 to one of your test computers and set 192.168.1.1 as its default gateway. If your WAN IP is 192.168.0.2 and your WAN gateway is 192.168.0.1, and you configured them on wan0, it should work out of the box.
-
ItsGC over 11 years
Gosh, I screwed up this answer big time. But the current version is legit :P
-
Dexter Cato over 11 years
In your example, the WAN and LAN /64 networks are within two different /48 networks (2001:470:1f0a and 2001:470:1f0b). Would your example still work if the LAN was on 2001:470:1f0a:315::?
-
ItsGC over 11 years
Yes, absolutely. I just copied the addresses from my Hurricane Electric tunnel :P As long as the subnet mask is correct and they belong to two different networks (of any size, including the same /48 but different /64s).
-
Dexter Cato over 11 years
There's still something wrong with the routing from the LAN, as you can see in the updated question. This guy claims that I need to involve my ISP: forum.pfsense.org/index.php/…