IPv6 pfsense setup

edited November 2020 in General

I have a server from @ShockHosting and it comes with a /64 of IPv6 addresses. I’m using Proxmox and I would like to provide the whole range to my pfsense box so that I can give each VM it’s own IPv6 address. Any tips?

Comments

  • If you've just got the one /64 you can use one address from the range on the host and have the rest routed to the VM, then use that one address as the gateway - I don't have the config to hand unfortunately and I can't quite remember the exact setup I used.

    IIRC it was just a case of turning on IPv6 forwarding, giving the host an address from the /64 as an additional IP on vmbr0 (or your relevant interface) - 2001:a:b:c::1 for example - and then assigning another address on the guest (2001:a:b:c::2) and using the other address as the gateway.

  • You need ndppd

    Thanked by (1)AaronSS

    The all seeing eye sees everything...

  • @terrorgen said: You need ndppd

    Care to explain? :)

  • The proper way to offer IPv6 would be a /128 + /64. Your pfsense, acting as a router, will have the /128 configured on the 'wan' interface and one from the /64 configured on the 'lan' interface. Your other VMs will attach to the 'lan' interface and they discover each other using neighbor discovery protocol (NDP).

    Your upstream will simply route the /64 via the /128.

    For example, if you are assigned 2001:db8:aaaa:bbbb:cccc:dddd:1111:2222/128 and 2001:db8:1111:2222::/64, the upstream will have a route configured in their router this way:

    2001:db8:1111:2222::/64 via 2001:db8:aaaa:bbbb:cccc:dddd:1111:2222 dev ens10
    

    Where ens10 is the ethernet port at the upstream router that shares a {v}switch with your machine.

    Sometimes the route is discovered using NDP as well. When the upstream router received a packet destined to your /64, it will broadcast a NDP discovery packet asking "who has 2001:db8:1111:2222::3?". Your pfsense checks its interfaces, realizes that the address is part of the /64 configured on the 'lan' port, replies "I have that address" to upstream, the upstream then forwards the packet to your pfsense.

    But you have only a /64, and one from the /64 is configured on the 'wan' port. Your pfsense will then assume that the /64
    is part of the 'wan' network and will not respond to the NDP packet asking "who has 2001:db8:1111:2222::3?". In order to get pfsense respond to the NDP discovery packet, you'll need a NDP proxy daemon (ndppd).

    Since this is not standard, I am not sure if pfsense has it. I would still ask your upstream to assign you a /128.

    The all seeing eye sees everything...

  • edited November 2020

    @ShockHosting care to help? :)

  • ShockHostingShockHosting Hosting Provider

    @aaronstuder said:
    @ShockHosting care to help? :)

    Please open a support ticket and we will sort that our for you.

  • Thanks! @ShockHosting

    Ticket #993344 - IPv6

    A++ Rating :)

Sign In or Register to comment.